New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium GIAC G2700 Dumps Questions Answers

Page: 1 / 17
Total 453 questions

GIAC Certified ISO-2700 Specialist Practice Test Questions and Answers

Question 1

Which of the following are implemented in the Do phase of the PDCA model?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Information security policy

B.

Development of an information security policy

C.

Underlying procedures and measures of the information security policy

D.

Documentation of an information security policy

Buy Now
Question 2

Mark works as a Network Security Administrator for uCertify Inc. He is responsible for securing and analyzing the network of the organization. Mark is concerned about the current network security, as individuals can access the network with bypass authentication, thus allowing them to get more permissions than allotted. Which of the following is responsible for this type of privilege escalation?

Options:

A.

Rootkit

B.

Backdoor

C.

Boot sector

D.

Master Boot Record

Question 3

Which of the following statements is true about single loss expectancy?

Options:

A.

It is defined as the cost related to a single realized risk against a particular asset.

B.

It is defined as the yearly cost of all instances of a particular threat against a particular ass et.

C.

It is defined as the expected frequency of occurrence of a particular threat or risk in a singl e year.

D.

It is defined as the percentage of loss experienced by an organization when a particular asset is violated by a realized risk.

Question 4

In which of the following social engineering attacks does an attacker first damage any part of the target's equipment and then advertise himself as an authorized person who can help fix the problem.

Options:

A.

Reverse social engineering attack

B.

Impersonation attack

C.

Important user posing attack

D.

In person attack

Question 5

You work as an Information Security Manager for uCertify Inc. The company has made a contract with a third party software company to make a software program for personal use. You have been assigned the task to share organization's personal requirements regarding the tool to the third party using a non disclosure agreement (NDA). Which of the following is the purpose of using NDA?

Options:

A.

To ensure that the third-party organization respects the security of information to be share d

B.

To be used as an acknowledgement

C.

To ensure the protection of intellectual copyright of information

D.

To be used as a legal disclaimer

Question 6

You work as an Information Security Manager for uCertify Inc. You are working on asset management. You need to differentiate various assets of your organization. Which of the following is an intangible asset?

Options:

A.

Personal data

B.

Electricity

C.

Reputation of the company

D.

Equipment

Question 7

Mark is the project manager of the NHQ project in StarTech Inc. The project has an asset valued at $195,000 and is subjected to an exposure factor of 35 percent. What will be the Single Loss Expectancy of the project?

Options:

A.

$72,650

B.

$67,250

C.

$68,250

D.

$92,600

Question 8

You work as an Information Security Manager for uCertify Inc. You are implementing an asset management strategy. Which of the following should you include in your strategy to make it effective?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Software assets

B.

Organization's reputation

C.

Outage duration

D.

IT equipment

Question 9

Which of the following is the prime concern of ISO 27005?

Options:

A.

Asset Management

B.

Human resource security

C.

Information security risk management

D.

DR planning

Question 10

David works as the Network Administrator for uCertify Inc. He has been assigned the task to analyze and manage risks in the computer network of the organization. Which of the following are the stages of the CRAMM review that David will go through?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

To identify and prioritize countermeasures

B.

To identify threats and vulnerabilities and calculate risks

C.

To remove risks and install antivirus

D.

To identify and value assets

Question 11

You work as a Security Administrator for uCertify Inc. You have made a plan to increase the security of the organization and you want to show this to the CEO of the organization. But, you do not want to share this information with others. Therefore, you want to classify this information.

Which of the following will be the suitable classification to accomplish the task?

Options:

A.

Private or confidential

B.

Management only

C.

Department specific

D.

Classified

Question 12

How can you calculate the Annualized Loss Expectancy (ALE) that may occur due to a threat?

Options:

A.

Asset Value X Exposure Factor (EF)

B.

Single Loss Expectancy (SLE)/ Exposure Factor (EF)

C.

Exposure Factor (EF)/Single Loss Expectancy (SLE)

D.

Single Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO)

Question 13

Which of the following is used for improving the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation?

Options:

A.

CBAC

B.

MAC

C.

UAC

D.

Implicit deny

Question 14

Which of the following identifies a company's exposure to threats and provides effective prevention and recovery for the company?

Options:

A.

Business Delegate

B.

Business impact assessment

C.

Business continuity planning

D.

Business intelligence

Question 15

The System Management department has the pass to enter the computer room. The access to that computer room is closed off using the pass reader. Which of the following categories of security defines the above scenario?

Options:

A.

Repressive security measure

B.

Physical security measure

C.

Corrective security measure

D.

Logical security measure

Question 16

You work as an Information Security Manager for uCertify Inc. You have been assigned the task to create the documentation on control A.7.1.3. Which of the following is the chief concern of control A.7.1.3?

Options:

A.

Classification of information

B.

Identification of assets

C.

Identification of inventory

D.

Acceptable use of information assets

Question 17

Which of the following are the elements of Information Security Management System framework?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Implement

B.

Reset

C.

Plan

D.

Control

Question 18

You work as a Security Administrator for uCertify Inc. You have installed ten separate applications for your employees to work. All the applications require users to log in before working on them; however, this takes a lot of time. Therefore, you decide to use SSO to resolve this issue. Which of the following

are the other benefits of Single Sign-On (SSO)?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Centralized reporting for compliance adherence

B.

Reducing IT costs due to lower number of IT help desk calls about passwords

C.

Reduces the user experience

D.

Reduces phishing success, because users are not trained to enter password everywhere without thinking

Question 19

Which of the following are the various domains in the ISO/IEC 27002?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Management policy

B.

Security policy

C.

Access security

D.

Compliance

Question 20

Which of the following paragraphs of the Turnbull Guidance provide clear description of the principles of a risk treatment plan?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

16

B.

18

C.

17

D.

19

Question 21

By gaining full control of a router, hackers often acquire full control of the network. Which of the following methods are commonly used to attack routers?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Launching a Max Age attack

B.

Route table poisoning

C.

Launching a Sequence++ attack

D.

Launching a social engineering attack

Question 22

Which of the following indicates that the project team has decided not to change the project management plan to deal with a risk?

Options:

A.

Risk avoidance

B.

Risk mitigation

C.

Risk transference

D.

Risk acceptance

Question 23

Which of the following is the method of hiding data within another media type such as graphic or document?

Options:

A.

Packet sniffing

B.

Spoofing

C.

Cryptanalysis

D.

Steganography

Question 24

Which of the following statements is true about pattern matching IDS?

Options:

A.

IDS can match empty list only.

B.

IDS can only be effective unless the company's security policies are not defined and followed in practice.

C.

IDS can trigger only on signatures that are stored in the database of the IDS.

D.

IDS can detect only when an attacker is passively sniffing data.

Question 25

Which of the following are the primary rules defined for RBAC?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Transaction authorization

B.

Role authorization

C.

Role assignment

D.

Transaction assignment

Question 26

Which of the following activities are performed by the 'Do' cycle component of PDCA (plan-docheck- act)?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

It manages resources that are required to achieve a goal.

B.

It determines controls and their objectives.

C.

It performs security awareness training.

D.

It detects and responds to incidents properly.

E.

It operates the selected controls.

Question 27

You work as a Network Security Administrator for uCertify Inc. Your organization has set up a new Internet connection in place of the previous one. It is your responsibility to ensure that employees use the Internet only for official purposes. While reviewing Internet usages, you find that a few people have traversed and downloaded some inappropriate and illegal information. You want to make a policy to stop all these activities in the future. Which of the following policies will you implement to accomplish the task?

Options:

A.

Security policy

B.

Privacy policy

C.

Acceptable use policy

D.

Due care policy

Question 28

Which of the following is a list of specific actions being taken to deal with specific risks associated with the threats?

Options:

A.

Risk acceptance

B.

Risk transference

C.

Risk avoidance

D.

Risk mitigation

Question 29

Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc. Which of the following risk management techniques is your company using?

Options:

A.

Risk transfer

B.

Risk mitigation

C.

Risk avoidance

D.

Risk acceptance

Question 30

Mark works as a Security Administrator for uCertify Inc. Somehow Mark comes to know that an employee is keeping illegal software on his workstation. After investigating, Mark finds that this is indeed true. Therefore, Mark decides to file a law suit against the organization, as it is against organization's norms to store illegal information. Now, the organization decides to call the police and suspend Mark from work till further internal inquiries. Which of the following practices has been implemented in this scenario?

Options:

A.

Due diligence

B.

Due process

C.

Privacy

D.

Due care

Question 31

Which of the following statements about incremental backup are true?

Each correct answer represents a complete solution. Choose two.

Options:

A.

It is the slowest method for taking a data backup.

B.

It is the fastest method of backing up data.

C.

It backs up the entire database, including the transaction log.

D.

It backs up only the files changed since the most recent backup and clears the archive bit.

Question 32

Which of the following statements are true about Regulation of Investigatory Powers Act 2000?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

It enables certain public bodies to demand ISPs fit equipment to facilitate surveillance.

B.

It enables mass surveillance of communications in transit.

C.

It enables certain private bodies to demand that someone hand over keys to protected information.

D.

It allows certain public bodies to monitor people's Internet activities.

Question 33

A helpdesk technician received a phone call from an administrator at a remote branch office. The administrator claimed to have forgotten the password for the root account on UNIX servers and asked for it. Although the technician didn't know any administrator at the branch office, the guy sounded really friendly and since he knew the root password himself, he supplied the caller with the password.

What type of attack has just occurred?

Options:

A.

Brute Force attack

B.

War dialing attack

C.

Social Engineering attack

D.

Replay attack

Question 34

You work as an Information Security Manager for uCertify Inc. You are working on asset management. You need to differentiate various assets of your organization. Which of the following is an intangible asset?

Options:

A.

Equipment

B.

Electricity

C.

Reputation of the company

D.

Personal data

Question 35

You work as a Network Administrator for uCertify Inc. The organization has constructed a cafeteria for their employees and you are responsible to select the access control method for the cafeteria.

There are a few conditions for giving access to the employees, which are as follows:

1. Top level management can get access any time.

2. Staff members can get access during the specified hours.

3. Guests can get access only in working hours.

Which of the following access control methods is suitable to accomplish the task?

Options:

A.

Discretionary access control

B.

Lattice-based access control

C.

Attribute-based access control

D.

Rule-based access control

Question 36

You work as an Information Security Manager for uCertify Inc. You are working on a document regarding the PDCA methodology. Which of the following elements of the PDCA (Plan-Do-Check- Act) methodology is used to continually improve the process performance?

Options:

A.

Act

B.

Check

C.

Do

D.

Plan

Question 37

You work as a Security Administrator for uCertify Inc. You have been assigned a task to implement information classification levels. You want to put the highly sensitive documents that should only be accessed by few people of the organization. In which of the following information classification levels should you put those documents?

Options:

A.

Department specific

B.

High security levels

C.

Not to be copied

D.

Classified

Question 38

Which of the following should be considered while calculating the costs of the outage?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Sales aspect of the business

B.

Cost of low productivity

C.

Innovations in electronic funds transfer

D.

Cost of lost income from missed sales

Question 39

Fill in the blank with the appropriate term.

___________is the built-in file encryption tool for Windows file systems. It protects encrypted files from those who have physical possession of the computer where the encrypted files are stored.

Options:

Question 40

Which of the following types of attack can be used to break the best physical and logical security mechanism to gain access to a system?

Options:

A.

Mail bombing

B.

Cross site scripting attack

C.

Social engineering attack

D.

Password guessing attack

Question 41

Which of the following documents is developed along the risk management processes to monitor and control risks?

Options:

A.

Fault tree

B.

Risk mitigation

C.

Decision tree

D.

Risk register

Question 42

Which of the following are the basics of Business Continuity Management?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Implementation of a risk assessment technique to identify the causes and consequences of failures

B.

Regular checking of business continuity plans

C.

Identification of authentication techniques according to the requirements

D.

Identification of human resources according to the requirements

Question 43

Which of the following is a formal state transition model of computer security policy that is used to describe a set of access control rules which use security labels on objects and clearances for subjects?

Options:

A.

Five Pillars model

B.

Classic information security model

C.

Bell-LaPadula model

D.

Clark-Wilson integrity model

Question 44

Which of the following administrative policy controls is usually associated with government classifications of materials and the clearances of individuals to access those materials?

Options:

A.

Separation of Duties

B.

Due Care

C.

Acceptable Use

D.

Need to Know

Question 45

Which of the following are the major tasks of risk management?

Each correct answer represents a complete solution. Choose two.

Options:

A.

Assuring the integrity of organizational data

B.

Building Risk free systems

C.

Risk identification

D.

Risk control

Question 46

Andrew is the CEO of uCertify Inc. He wants to improve the resources and revenue of the company. He uses the PDCA methodology to accomplish the task. Which of the following are the phases of the PDCA methodology?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Deviate

B.

Plan

C.

Calculate

D.

Act

Question 47

Which of the following is a list of specific actions being taken to deal with specific risks associated with the threats?

Options:

A.

Risk transference

B.

Risk avoidance

C.

Risk acceptance

D.

Risk mitigation

Question 48

You work as an Information Security Manager for uCertify Inc. You are working on asset management. You have been assigned the task to secure information labeling and handling within the organization. Which of the following controls of the ISO standard is concerned with information labeling and handling?

Options:

A.

Control A.7.1.3

B.

Control A.7.1.2

C.

Control A.7.2.2

D.

Control A.7.1.1

Question 49

Which of the following states that a user should never be given more privileges than are required to carry out a task?

Options:

A.

Principle of least privilege

B.

Role-based security

C.

Security through obscurity

D.

Segregation of duties

Question 50

You work as a Network Administrator for Net Perfect Inc. The company has a TCP/IP-based Windows NT network. You are configuring a computer that will be used as a file server on the network. You have to decide the disk configuration for the computer to obtain better performance.

A fault tolerant disk configuration is not a requirement. Which of the following RAID levels will you choose to fulfil the requirement?

Options:

A.

RAID-1

B.

RAID-5

C.

RAID-4

D.

RAID-3

E.

RAID-0

Question 51

David works as the Chief Information Security Officer for uCertify Inc. Which of the following are the responsibilities that should be handled by David?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Information security

B.

Information risk management

C.

Information privacy

D.

Information development

Question 52

Which of the following should be considered while calculating the costs of the outage?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Cost of lost income from missed sales

B.

Sales aspect of the business

C.

Cost of low productivity

D.

Innovations in electronic funds transfer

Question 53

Which of the following specifies value of each asset?

Options:

A.

Asset importance

B.

Asset protection

C.

Asset responsibility

D.

Asset identification

Question 54

You are consulting with a small budget conscious accounting firm. Each accountant keeps individual records on their PC and checks them in and out of a server. They are concerned about losing data should the server hard drive crash. Which of the following RAID levels would you recommend?

Options:

A.

RAID 1

B.

RAID 6

C.

RAID 5

D.

RAID 0

Question 55

Sam uses Monte Carlo simulation to quantitatively assess cost and schedule risks of his project during planning processes. During risk monitoring and control, Sam repeats the technique, but it leads to different results. Which of the following cannot be the reason for the difference in results?

Options:

Question 56

Single Loss Expectancy (SLE) represents an organization's loss from a single threat. Which of the following formulas best describes the Single Loss Expectancy (SLE)?

Options:

A.

SLE = Asset Value (AV) * Annualized Rate of Occurrence (ARO)

B.

SLE = Annualized Loss Expectancy (ALE) * Exposure Factor (EF)

C.

SLE = Asset Value (AV) * Exposure Factor (EF)

D.

SLE = Annualized Loss Expectancy (ALE) * Annualized Rate of Occurrence

Question 57

John, a novice web user, makes a new e-mail account and keeps his password as "apple", his favorite fruit. John's password is vulnerable to which of the following password cracking attacks?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Hybrid attack

B.

Brute Force attack

C.

Dictionary attack

D.

Rule based attack

Question 58

Which of the following statements is related to residual risks?

Options:

A.

It can be considered as an indicator of threats coupled with vulnerability.

B.

It is the probabilistic risk before implementing all security measures.

C.

It is a weakness or lack of safeguard that can be exploited by a threat.

D.

It is the probabilistic risk after implementing all security measures.

Question 59

You work as a Security Administrator for uCertify Inc. You observe that an employee is spreading personal data of your organization. Human resource security deals with the employees handling personal data in an organization. Which section of ISO 27002 describes human resource security?

Options:

A.

Section 4

B.

Section 8

C.

Section 3

D.

Section 5

Question 60

You are the project manager for a construction project. The project involves casting of a column in a very narrow space. Because of the lack of space, casting is highly dangerous. High technical skill will be required for casting that column. You decide to hire a local expert team for casting that column. Which of the following types of risk response are you following?

Options:

A.

Avoidance

B.

Transference

C.

Mitigation

D.

Acceptance

Question 61

You work as an Information Security Manager for uCertify Inc. You need to make the documentation on change management. What are the advantages of change management?

Each correct answer represents a complete solution. Choose all that apply.

Options:

A.

Improved adverse impact of changes on the quality of IT services

B.

Improved IT personnel productivity, since there is a reduced number of urgent changes and a back-out of erroneous changes

C.

Improved productivity of users due to more stable and better IT services

D.

Increased ability to absorb frequent changes without making an unstable IT environment

Question 62

Which of the following protects original works of authorship including literary, dramatic, musical, artistic, and other intellectual works?

Options:

A.

Criminal law

B.

Civil law

C.

Copyright law

D.

Administrative law

Question 63

Which of the following are computer clusters that are implemented primarily for the purpose of providing high availability of services which the cluster provides?

Options:

A.

Load balancing clusters

B.

Globular clusters

C.

Tightly-coupled compute clusters

D.

High-availability clusters

Question 64

Which of the following is a measure taken by a program to protect the system against misuse of itself?

Options:

A.

Privilege separation

B.

Privilege bracketing

C.

Privilege escalation

D.

Privilege revocation

Question 65

What does CRAMM stand for?

Options:

A.

CCTA Risk Analyzer and Manager Methodology

B.

Continuous Risk Analysis and Management Method

C.

CCTA Risk Analysis and Management Method

D.

Continuous Risk Analyzer and Manager Methodology

Question 66

Which of the following policies defines the goals and elements of an organization's computer systems?

Options:

A.

Public

B.

Corporate

C.

Human resource

D.

Computer security

Question 67

Which of the following is NOT a module of FaultTree+?

Options:

A.

Kerchief Analysis

B.

Fault Tree Analysis

C.

Event Tree Analysis

D.

Markov Analysis

Page: 1 / 17
Total 453 questions