21. A project team has just completed building the organization's business continuity plan. Which of the following tests should be performed first?
Correct answer: (A)
Walkthrough
22. A qualitative risk assessment is used to identify:
Correct answer: (B)
Vulnerabilities, threats, threat probabilities, and countermeasures
23. A resource server contains an access control system. When a user requests access to an object, the system examines the permission settings for the object and the permission settings for the user, and then makes a decision whether the user may access the object. The access control model that most closely resembles this is:
Correct answer: (A)
Mandatory access control (MAC)
24. A risk manager has completed a risk analysis for an asset valued at $4000. Two threats were identified; the ALE for one threat is $400, and the ALE for the second threat is $500. What is the amount of loss that the organization should estimate for an entire year?
Correct answer: (C)
$900
25. A running-key cipher can be used when:
Correct answer: (A)
The plaintext is longer than the encryption key
26. A secure facility needs to control incoming vehicle traffic and be able to stop determined attacks. What control should be implemented?
Correct answer: (A)
Crash gate
27. A security analyst has a system evaluation criteria manual called the "Orange Book". This is a part of:
Correct answer: (B)
Trusted Computer Security Evaluation Criteria (TCSEC)
28. A security assessment discovered back doors in an application, and the security manager needs to develop a plan for detecting and removing back doors in the future. The most effective countermeasures that should be chosen are:
Correct answer: (C)
Outside code reviews
29. A security door has been designed so that it will ignore signals from the building's door entry system in the event of a power failure. This is known as:
Correct answer: (C)
Fail closed
30. A security engineer has recently installed a biometric system, and needs to tune it. Currently the biometric system is rejecting too many valid, registered users. What adjustment does the security engineer need to make?
Correct answer: (D)
Reduce the False Reject Rate