CAS-002 Online Practice Questions and Answers

Question 4

Company ABC is planning to outsource its Customer Relationship Management system (CRM) and marketing / leads management to Company XYZ.

Which of the following is the MOST important to be considered before going ahead with the service?

A. Internal auditors have approved the outsourcing arrangement.

B. Penetration testing can be performed on the externally facing web system.

C. Ensure there are security controls within the contract and the right to audit.

D. A physical site audit is performed on Company XYZ's management / operation.

Question 5

An architect has been engaged to write the security viewpoint of a new initiative. Which of the following BEST describes a repeatable process that can be used for establishing the security architecture?

A. Inspect a previous architectural document. Based on the historical decisions made, consult the architectural control and pattern library within the organization and select the controls that appear to best fit this new architectural need.

B. Implement controls based on the system needs. Perform a risk analysis of the system. For any remaining risks, perform continuous monitoring.

C. Classify information types used within the system into levels of confidentiality, integrity, and availability. Determine minimum required security controls. Conduct a risk analysis. Decide on which security controls to implement.

D. Perform a risk analysis of the system. Avoid extreme risks. Mitigate high risks. Transfer medium risks and accept low risks. Perform continuous monitoring to ensure that the system remains at an adequate security posture.

Question 6

Company ABC's SAN is nearing capacity and will cause costly downtime if servers run out of disk space. Which of the following is a more cost-effective alternative to buying a new SAN?

A. Enable multipath to increase availability

B. Enable deduplication on the storage pools

C. Implement snapshots to reduce virtual disk size

D. Implement replication to offsite datacenter

Question 7

An accountant at a small business is trying to understand the value of a server to determine if the business can afford to buy another server for DR. The risk manager only provided the accountant with the SLE of $24,000, ARO of 20% and the exposure factor of 25%. Which of the following is the correct asset value calculated by the accountant?

A. $4,800

B. $24,000

C. $96,000

D. $120,000

Question 8

A recently hired security administrator is advising developers about the secure integration of a legacy in-house application with a new cloud-based processing system. The systems must exchange large amounts of fixed-format data such as names, addresses, and phone numbers, as well as occasional chunks of data in unpredictable formats. The developers want to construct a new data format and create custom tools to parse and process the data. The security administrator instead suggests that the developers:

A. Create a custom standard to define the data.

B. Use well-formed, standard-compliant XML and strict schemas.

C. Only document the data format in the parsing application code.

D. Implement a de facto corporate standard for all analyzed data.

Question 9

As part of a new wireless implementation, the Chief Information Officer's (CIO's) main objective is to immediately deploy a system that supports the 802.11r standard, which will help wireless VoIP devices in moving vehicles. However, the 802.11r standard was not ratified by the IETF. The wireless vendor's products do support the pre-ratification version of 802.11r. The security and network administrators have tested the product and do not see any security or compatibility issues; however, they are concerned that the standard is not yet final. Which of the following is the BEST way to proceed?

A. Purchase the equipment now, but do not use 802.11r until the standard is ratified.

B. Do not purchase the equipment now as the client devices do not yet support 802.11r.

C. Purchase the equipment now, as long as it will be firmware upgradeable to the final 802.11r standard.

D. Do not purchase the equipment now; delay the implementation until the IETF has ratified the final 802.11r standard.

Question 10

A university Chief Information Security Officer is analyzing various solutions for a new project involving the upgrade of the network infrastructure within the campus. The campus has several dorms (two- to four-person rooms) and administrative buildings. The network is currently set up to provide only two network ports in each dorm room and ten network ports per classroom. Only administrative buildings provide 2.4 GHz wireless coverage.

The following three goals must be met after the new implementation:

1. Provide all users (including students in their dorms) connections to the Internet.

2. Provide the IT department with the ability to make changes to the network environment to improve performance.

3. Provide high speed connections wherever possible all throughout campus, including sporting event areas.

Which of the following risk responses would MOST likely be used to reduce the risk of network outages and financial expenditures while still meeting each of the goals stated above?

A. Avoid any risk of network outages by providing additional wired connections to each user and increasing the number of data ports throughout the campus.

B. Transfer the risk of network outages by hiring a third party to survey, implement and manage a 5.0 GHz wireless network.

C. Accept the risk of possible network outages and implement a WLAN solution to provide complete 5.0 GHz coverage in each building that can be managed centrally on campus.

D. Mitigate the risk of network outages by implementing SOHO WiFi coverage throughout the dorms and upgrading only the administrative buildings to 5.0 GHz coverage using a one-for-one AP replacement.

Question 11

Which of the following provides the HIGHEST level of security for an integrated network providing services to authenticated corporate users?

A. Point-to-point VPN tunnels for external users, three-factor authentication, a cold site, physical security guards, cloud-based servers, and IPv6 networking.

B. IPv6 networking, port security, full disk encryption, three-factor authentication, cloud-based servers, and a cold site.

C. Port security on switches, point-to-point VPN tunnels for user-server connections, two-factor cryptographic authentication, physical locks, and a standby hot site.

D. Port security on all switches, point-to-point VPN tunnels for user connections to servers, two-factor authentication, a sign-in roster, and a warm site.

Question 12

A network security engineer would like to allow authorized groups to access network devices with a shell restricted to only showing information, while still authenticating the administrators' group to an unrestricted shell. Which of the following can be configured to authenticate and enforce these shell restrictions? (Select TWO.)

A. Single Sign On

B. Active Directory

C. Kerberos

D. NIS+

E. RADIUS

F. TACACS+

Question 13

A security administrator of a large private firm is researching and putting together a proposal to purchase an IPS. The specific IPS type has not been selected, and the security administrator needs to gather information from several vendors to determine a specific product. Which of the following documents would assist in choosing a specific brand and model?

A. RFC

B. RTO

C. RFQ

D. RFI

Exam Code: CAS-002
Exam Name: CompTIA Advanced Security Practitioner (CASP+)
Last Update: Jan 22, 2024
Questions: 733