Question
Security Assessment and Testing
QUESTION 12
Suppose you want to study the actions an adversary may attempt against your system and test the effectiveness of the controls you have emplaced to mitigate the associated risks. Which of the following approaches would best allow you to accomplish this goal?
a. Fuzzing
b. Misuse case testing
c. Use case testing
d. Real user monitoring (RUM)
3.85 points
QUESTION 13
Choose the term that describes an audit report that covers the information security controls of a service organization and is intended for public release.
a. SOC 1
b. SOC 2
c. SOC 3
d. Both B and C.
3.85 points
QUESTION 14
All of the following are types of tests for disaster recovery and business continuity plans except which one?
a. Null hypothesis test
b. Structured walk-through test
c. Simulation test
d. Full-interruption test
3.85 points
QUESTION 15
Interface testing could involve which of the following?
a. The application programming interface (API)
b. The graphical user interface (GUI)
c. Both of the above
d. None of the above
3.85 points
QUESTION 16
Which of the following is an assessment that affords the auditor detailed knowledge of the system’s architecture before conducting the test?
a. Black box testing
b. Zero knowledge testing
c. White box testing
d. Gray box testing
3.85 points
QUESTION 17
What is the difference between security training and security awareness training?
a. There is no difference. These terms refer to the same process.
b. Security training is focused on skills, while security awareness training is focused on recognizing and responding to issues.
c. Security awareness training is focused on security personnel, while security training is geared toward all users.
d. Security training must be performed, while security awareness training is an aspirational goal.
3.85 points
QUESTION 18
Which of the following is true about key risk indicators (KRIs)?
a. They tell managers where an organization stands with regard to its risk appetite.
b. They tell managers where an organization stands with regard to its goals.
c. An interpretation of one or more metrics that describes the effectiveness of the ISMS.
d. They are inputs to the calculation of single loss expectancy (SLE).
3.85 points
QUESTION 19
All of the following are normally legitimate reasons to suspend rather than delete user accounts except which one?
a. Protection of the user’s privacy
b. Regulatory compliance
c. Data retention policy
d. Investigation of a subsequently discovered event
3.85 points
QUESTION 20
Which of the following is not a form of social engineering?
a. Whaling
b. Fishing
c. Pretexting
d. Blackmailing
Explanation / Answer
12. a) Fuzzing
13. c) SOC 3
14. a)
15. a)
16. c)
17. b)
18. a)
19. d)
20. a)