As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first? A. Select controls B. Categorize the system C. Assess risk to the system D. Determine the impact of data
As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following is the best source to inform the scoping decision? A. The assessment of risk to the system B. The result of business impact analysis (BIA) C. The design of the security architecture D. The detailed plan for certification and accreditation
As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the compensating security control for replacing a baseline control. Which of the following best describes the process you are conducting? A. Validation B. Verification C. Tailoring D. Scoping
According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)? A. Software Assurance Maturity Model (SAMM) B. Capability Maturity Model Integration (CMMI) C. Cybersecurity Maturity Model Certification (CMMC) D. Systems Security Engineering Capability Maturity Model (SSE-CMM)
A client sent a Kerberos authentication request to the authentication server (AS) and received a response with an encrypted part containing the session key and ticket-granting ticket (TGT). Which of the following should the client use to decrypt the ciphertext? A. The client’s secret key B. The client’s private key C. The authentication server’s public key D. The session key shared by the client and the ticket-granting server (TGS)
A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism? A. A password transmitted in clear text B. A timestamp encrypted by the hash of the password C. A nonce from the IdP encrypted by the subject’s private key D. An attribute sent over TLS/SSL that uniquely identifies the subject
A software development team is concerned with the integrity of the access token received from the web site after users log in. Which of the following is least likely considered? A. Is the access token altered? B. Is the web site the genuine origin of the access token? C. Does the web site sign the access token? D. Is the access token lost in transit?
Alice is a newly recruited employee. The Human Resource department is conducting her identity proofing and enrollment process. Which of the following should be conducted first? A. Validation B. Resolution C. Verification D. Authentication
A client submits a user’s identity in clear text along with a timestamp encrypted by the hash of the user’s password to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process? A. Identification B. Authentication C. Pre-authentication D. The TGT (Ticket-granting ticket)
A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true? A. The session layer in the ISO OSI model maps to the application layer in TCP/IP. B. The establishment of a session is independent of underlying transports. C. The RESTful-style architecture prescribes how a session is managed. D. A session can maintain state information even if the transport is connectionless.