
Multiple Choice
Identify the choice that best completes the statement or answers the question.

1. (1 point) A payroll manager is actively editing employees' salary data in a web app. Which data state applies, and what control best limits harm if the account is compromised?
a. Data at rest; full disk encryption only.
b. Data in use; disable all software updates.
c. Data in use; access controls that limit who can view or edit (least privilege).
d. Data in transit; replace IPv4 with IPv6.

2. (1 point) An organization ranks data as Low, Moderate, or High sensitivity. What is the main reason for doing this classification?
a. To prioritize stronger protections for more sensitive information.
b. To reduce the need for backups.
c. To increase internet speed for all users.
d. To eliminate the need for access controls.

3. (1 point) A company collects customers' full names, phone numbers, and home addresses for deliveries. Which regulated data type is this most closely associated with?
a. Payment card information (PCI) only.
b. Personally identifiable information (PII).
c. Individually identifiable health information.
d. Non-repudiation logs.

4. (1 point) A hospital stores doctor visit notes and treatment records. Which law is most directly connected to protecting this type of data?
a. Payment Card Industry Data Security Standard (PCI-DSS).
b. The Internet Engineering Task Force (IETF) standards.
c. Children's Online Privacy Protection Act (COPPA).
d. Health Insurance Portability and Accountability Act (HIPAA).

5. (1 point) A business collects regulated data (like PCI). What is a key reason the organization should label that data and create handling policies?
a. To comply with legal or regulatory requirements for safe storage, transmission, and handling.
b. To ensure employees can reuse passwords safely.
c. To make the data easier for vendors to access.
d. To avoid needing encryption on any network traffic.

6. (1 point) A laptop containing unencrypted customer files is stolen from a car. Which statement best explains why encryption matters for this scenario?
a. It prevents ARP poisoning on the office network.
b. It guarantees the laptop cannot be physically stolen.
c. It increases WiFi signal strength.
d. It protects data at rest so stolen storage cannot be read immediately.

7. (1 point) A student uses public WiFi to submit a scholarship form containing their date of birth and address. Which data state is involved during submission, and what control is most important?
a. Data in use; disable the keyboard.
b. Data in transit; use encryption such as HTTPS.
c. Data at rest; lock the router in a cabinet.
d. Data at rest; reduce file permissions with chmod 777.

8. (1 point) A district stores cafeteria payment history and student essay drafts. Which should typically receive stronger protections, and why?
a. Both, because any data is equally sensitive.
b. Neither, because the data belongs to students.
c. Essay drafts, because they are longer files.
d. Payment history, because it may contain more sensitive, regulated information.

9. (1 point) A child under 13 signs up for an educational app using name and email address. Which law is most directly associated with protecting this data for that age group?
a. Children's Online Privacy Protection Act (COPPA).
b. The Privacy Act of 1974 only.
c. PCI-DSS.
d. HIPAA.

10. (1 point) An organization transfers backups on external drives to an offsite storage facility. Which data state is most relevant during the physical transport, and what protection is most appropriate?
a. Data in use; require facial recognition for all staff.
b. Data in use; change the default gateway.
c. Data in transit; protect the physical media (and encrypt the data).
d. Data at rest; disable all USB ports permanently.

11. (1 point) Why can data in use be more challenging to protect than data at rest?
a. Because data typically must be unencrypted to be processed or viewed.
b. Because it can never be accessed by users.
c. Because routers drop packets addressed to private IPs.
d. Because hashing makes the data unreadable forever.

12. (1 point) A company uses a USB drive to move a file containing PII from one computer to another. Which statement best describes what must be protected?
a. Only the user's password complexity settings.
b. Only the destination computer's firewall rules.
c. Only the company's public IP address.
d. The data in transit and the physical media carrying it.

13. (1 point) Which set of items is the best example of PII in a school database?
a. CPU model, RAM size, and disk capacity.
b. WiFi SSID, router model, and switch port numbers.
c. Student name, date of birth, and email address.
d. MAC address table entries only.

14. (1 point) An organization has limited budget for security upgrades. Which approach best matches how data classification should influence spending?
a. Spend more on protections for higher-sensitivity data and less on low-sensitivity data.
b. Spend more on low-sensitivity data because it is accessed more.
c. Avoid encryption entirely and focus only on new laptops.
d. Spend equally on all data types to avoid bias.

15. (1 point) Which scenario best shows how sensitivity affects security controls?
a. All files are made public to reduce complexity.
b. Security is only applied when a breach occurs.
c. A public newsletter is encrypted, but PII is left unencrypted for convenience.
d. A public newsletter is stored with basic access, while a customer PII database requires strict access controls and encryption.

16. (1 point) Which data type is most directly connected to the Privacy Act of 1974 in this framework context?
a. PCI.
b. Router configuration files.
c. PII.
d. Health provider payment records only.

17. (1 point) A student saves a spreadsheet of grades on a USB drive with no encryption. If someone steals the drive, what best explains the main risk?
a. The thief can open and read the files because they are unencrypted.
b. The thief can read the file only after the USB drive is scanned by antivirus.
c. The thief can only read the file if they know the student's login password.
d. The thief must connect to the school WiFi to view the file contents.

18. (1 point) An organization gives all employees local admin rights "to make installs easier." How can an adversary exploit this if they phish one employee's password?
a. The adversary must first crack the computer's BIOS password to do anything.
b. The adversary loses access because admin accounts block remote logins.
c. The adversary can use the compromised account's admin privileges to change system settings and access more files.
d. The adversary can only view the employee's web browsing history.

19. (1 point) A shared folder has permissions set to "Everyone can edit." What best explains how weak access control can help an adversary?
a. Weak permissions make the folder invisible to standard users.
b. Weak permissions automatically encrypt the folder with a weak key.
c. Weak permissions prevent backups from running on that folder.
d. An adversary who gains any access can steal, change, or delete files in the folder.

20. (1 point) What is the key difference between a standard user and an administrative user on a computer system?
a. Administrative users can only access the internet, not local files.
b. Administrative users can control system settings and typically access more files and applications.
c. Standard users can change firewall rules, but admins cannot.
d. Standard users can install any software, but admins cannot.

21. (1 point) A company stores customer contracts on an external hard drive. The drive is not encrypted. If a contractor takes the drive home and it is lost, what is the most direct consequence?
a. The contracts become unreadable because the drive is outside the office.
b. The contracts will automatically delete after 24 hours.
c. Anyone who finds the drive may be able to read the contracts.
d. The contracts can be opened only on the company's computers.

22. (1 point) A hospital stores patient forms on a laptop that is not encrypted. Which statement best explains why this is risky?
a. If the laptop is stolen, the thief cannot read anything because Windows is installed.
b. If the laptop is stolen, the forms can be read directly from the drive.
c. If the laptop is stolen, the thief must be on the hospital network to open files.
d. If the laptop is stolen, the forms are automatically backed up and erased.

23. (1 point) Why can giving a user administrative privileges make malware infections worse?
a. Admin accounts prevent software updates from installing.
b. Malware cannot run at all on an admin account.
c. Administrative privileges encrypt all malware automatically.
d. Malware can run with higher permissions and change critical system settings.

24. (1 point) A company sets a database to "public read" for convenience. How can an adversary exploit this configuration?
a. They must first connect a USB drive to the database server.
b. They can access and copy the data without needing special permissions.
c. They can access the data only if they are inside the building.
d. They can only access the data after completing a CAPTCHA once.

25. (1 point) Which control most directly reduces the risk described in EK 5.1.B.1?
a. Encrypting files at rest on the device or drive.
b. Turning off the monitor when leaving a desk.
c. Using a longer Ethernet cable.
d. Installing a faster CPU in the computer.

26. (1 point) An attacker gains access to a standard user account. The account has no admin rights. What best explains why limiting privileges helps?
a. The attacker's password becomes visible to security staff.
b. The attacker is automatically logged out after one minute.
c. The attacker has fewer permissions, making it harder to change system settings or access protected files.
d. The attacker cannot connect to the internet from that account.

27. (1 point) A school uses shared logins for a lab computer, and the account can access the staff shared drive. Why is this a weak access control practice?
a. It forces everyone to use stronger passwords.
b. It gives broad access and makes it easier for an adversary to steal or destroy shared files.
c. It encrypts the staff shared drive automatically.
d. It prevents malware from running in the lab.

28. (1 point) A company stores sensitive PDFs on a cloud drive with no encryption, but the link is set to "anyone with the link." What is the main issue?
a. Anyone who gets the link can read the unencrypted files.
b. Cloud drives cannot store PDFs securely.
c. The PDFs will only open on a company phone.
d. Links automatically expire before an adversary can use them.

29. (1 point) Which scenario best shows an adversary benefiting from compromised admin privileges?
a. After stealing one user's credentials, the adversary can only change their profile picture.
b. After stealing one user's credentials, the adversary installs a remote access tool systemwide.
c. After stealing one user's credentials, the adversary cannot run any programs.
d. After stealing one user's credentials, the adversary must wait for a reboot to log in.

30. (1 point) A file share allows "Everyone: Full Control." What is a likely impact if one account is compromised?
a. The adversary may delete, alter, or copy many files across the share.
b. The adversary is blocked by the printer driver.
c. The adversary can only view file names, not contents.
d. The adversary can only access files during business hours.

31. (1 point) A student's phone backups are saved to a laptop in a folder that is not encrypted. The laptop is stolen. What is the best explanation of the risk?
a. The thief can only read the backups after the student changes their password.
b. The thief must be connected to the student's home router to access backups.
c. The thief cannot read backups because phones always encrypt backups automatically.
d. The thief can read the backup data because it is stored unencrypted.

32. (1 point) An employee copies confidential files to a personal, unencrypted USB drive for convenience. Which statement best explains why this can lead to loss or damage?
a. If the drive is lost or stolen, the files can be accessed and copied by others.
b. USB drives cannot hold confidential files.
c. Unencrypted USB drives automatically block file copying.
d. Confidential files delete themselves when moved off a company computer.

33. (1 point) An adversary compromises an account with admin privileges. Which action is most likely possible because of those privileges?
a. Changing the MAC address table on a network switch remotely without access.
b. Disabling security software or changing firewall settings on the device.
c. Preventing the ISP from routing traffic to the organization.
d. Decrypting any file without the key.

34. (1 point) A company's file permissions allow editing of a critical spreadsheet by anyone in the organization. Which best explains how an adversary could exploit this?
a. They could only view the spreadsheet but not change it.
b. They could access the spreadsheet only from the CEO's laptop.
c. They could change the spreadsheet only if the firewall is stateless.
d. They could alter or delete the spreadsheet to disrupt operations or hide fraud.

35. (1 point) What is the best explanation for why unencrypted backups stored on an external drive are risky?
a. If an adversary gets the drive, they can restore and read the data without needing system access.
b. Backups cannot be opened without an internet connection.
c. External drives cannot be stolen because they are too large.
d. Backups are always encrypted automatically by external drives.

36. (1 point) A school computer lab uses one shared admin account for all students. Why is this especially dangerous if the password leaks?
a. Admin accounts prevent any software from being installed.
b. Shared admin accounts make it easier to track which student did what.
c. Anyone with the password gains full control and can access or change many systems and files.
d. A leaked password only affects one computer at a time.

37. (1 point) Which statement best describes a web application compared with a locally installed application?
a. A web application runs on a server and users access it over a network (often through a browser).
b. A web application cannot store or process data.
c. A locally installed app always requires an internet connection to run.
d. A web application must be installed on every user's device to work.

38. (1 point) A student uses an online gradebook through a browser. Where does the application's main code most likely run?
a. Only inside the database, not on a server.
b. Only inside the school's wireless access point.
c. Only on the student's laptop CPU with no server involved.
d. On a server that the student's device connects to over the network.

39. (1 point) Which is an example of a locally installed application?
a. A cloud email service accessed in a browser.
b. A desktop word processor installed on one computer.
c. An online shopping cart hosted by a retailer.
d. A website's login page accessed through HTTPS.

40. (1 point) Why does calling applications "executable data" matter for security?
a. Because executable data cannot be copied by an attacker.
b. Because executable data is automatically encrypted by the operating system.
c. Because executable data never takes input from users.
d. Because attackers can try to change an application's instructions to do harmful actions.

41. (1 point) A form asks for the number of items to order. Which input check best matches data sanitization?
a. Disable the submit button so no one can enter data.
b. Accept any text because the user might include comments.
c. Reject entries that contain letters or symbols and only accept valid numbers.
d. Convert every entry into a long text string to store it safely.

42. (1 point) A password reset form accepts an email address. Which input would most clearly be outside expected parameters?
a. student123@school.edu
b. admin@example.com; DROP TABLE users;
c. parent.name@provider.net
d. info@company.org

43. (1 point) A comment box allows text, but the site wants to block scripts. Which is a strong sanitization approach?
a. Only accept comments that include at least one emoji.
b. Only block numbers because they are often used in attacks.
c. Escape or strip characters that would be treated as code (like < and >) before saving/displaying the comment.
d. Allow all characters and trust that browsers will ignore scripts.

44. (1 point) Which best explains why applications should reject input outside expected parameters?
a. Unexpected input is automatically corrected by the firewall.
b. Unexpected input can change how the application behaves and may trigger an attack.
c. Unexpected input only affects the look of the webpage, not security.
d. Unexpected input always crashes the user's computer.

45. (1 point) What is SQL most commonly used for?
a. Scanning computers for malware signatures.
b. Creating wireless network passwords.
c. Requesting information from databases and making changes to database data.
d. Encrypting network traffic between browsers and servers.

46. (1 point) Which action is an example of a database change that SQL can perform?
a. Encrypting a file with AES.
b. Installing a host-based firewall rule.
c. Changing the router's SSID broadcast setting.
d. Updating a user's shipping address record.

47. (1 point) Why does user input matter when an application uses SQL to query a database?
a. Unsanitized input can be interpreted as part of a SQL command.
b. User input is automatically converted into safe SQL by the browser.
c. SQL cannot read user input from forms.
d. SQL only runs on the user's computer, not on servers.

48. (1 point) An SQL injection causes an application to return all customer records instead of one. Which CIA element is most directly impacted?
a. Availability
b. Confidentiality
c. Nonrepudiation
d. Integrity

49. (1 point) An SQL injection deletes rows in a product database. Which CIA element is most directly impacted?
a. Confidentiality
b. Availability
c. Authentication
d. Integrity

50. (1 point) Why can JavaScript be risky on a website from a security perspective?
a. Because it only runs on the server and never touches user data.
b. Because it runs in the user's browser and can access sensitive browser-stored data.
c. Because it prevents users from logging in.
d. Because it automatically disables encryption.

51. (1 point) Which item could be targeted if malicious JavaScript runs in a browser?
a. The physical lock on a server cabinet
b. The power supply inside the server rack
c. Session tokens or stored credentials in the browser
d. The MAC address table on a switch

52. (1 point) A student logs into a web app. Which browser-stored data might an attacker try to capture using malicious script?
a. The CPU model of the server
b. The student's monitor resolution
c. The router's public IP address only
d. A session cookie/token that keeps the user logged in

53. (1 point) Which describes a reflected (Type I) XSS attack?
a. Malicious code changes ARP tables on the default gateway.
b. Malicious code is permanently saved on the website and affects every visitor.
c. Malicious code is embedded in a link and runs when a user clicks it.
d. Malicious code floods a Wi-Fi frequency to block traffic.

54. (1 point) Which describes a stored (Type II) XSS attack?
a. Malicious code only affects the DNS server's cache.
b. Malicious code is inserted into a comment field and later runs for any visitor to that page.
c. Malicious code only runs on the attacker's computer, not the victim's.
d. Malicious code requires plugging in a USB drive to execute.

55. (1 point) A forum post contains hidden script that runs for every user who views the thread. What type of XSS is this?
a. Stored (Type II) XSS
b. SQL injection
c. Buffer overflow
d. Reflected (Type I) XSS

56. (1 point) A URL sent by email contains a script in a parameter. When the victim clicks it, the page runs the script and steals a session token. What type of XSS is this?
a. DNS poisoning
b. Stored (Type II) XSS
c. Credential stuffing
d. Reflected (Type I) XSS

57. (1 point) In software, what is a buffer?
a. A firewall rule that blocks outbound traffic.
b. A database table that stores user accounts.
c. A fixed-size section of memory used to hold data temporarily.
d. A tool that encrypts web traffic.

58. (1 point) Why can open-ended input be dangerous when an application uses a fixed-size buffer?
a. Buffers grow automatically to any size the user needs.
b. Too much input can exceed the buffer size and spill into nearby memory.
c. Extra input automatically gets hashed and becomes harmless.
d. A buffer only stores images, not text.

59. (1 point) A program allocates 50 characters for a username field. What is the risk if it accepts 500 characters?
a. The user will be automatically logged out.
b. The network switch will reboot.
c. The input may overflow the buffer and overwrite adjacent memory.
d. The database will permanently delete itself.

60. (1 point) Which situation most directly creates the condition needed for a buffer overflow?
a. A router broadcasts its SSID.
b. User input exceeds the fixed memory space allocated for that input.
c. A firewall denies traffic on port 80.
d. A user forgets to enable multifactor authentication.

61. (1 point) What can a buffer overflow attack cause?
a. Improved performance due to extra memory.
b. Guaranteed protection against SQL injection.
c. Automatic encryption of all files on the computer.
d. A crash or execution of unauthorized code that breaks the program's security policy.

62. (1 point) An attacker sends extremely long input that makes a service crash repeatedly. Which outcome is most closely related to availability?
a. The attacker changes database records quietly.
b. The attacker reads confidential data without permission.
c. The service becomes unavailable due to repeated crashes.
d. The attacker increases password strength requirements.

63. (1 point) A buffer overflow lets an attacker run code outside the program's intended permissions. Which is a realistic result?
a. The attacker disables all physical locks in the building.
b. The attacker gains unauthorized actions such as accessing or deleting files.
c. The attacker forces a collision in SHA-256 instantly.
d. The attacker changes the ISP's routing protocols automatically.

64. (1 point) A school stores student PII (names, addresses, emails) in a spreadsheet that is shared with "Anyone with the link." The spreadsheet is not encrypted. Which risk level is MOST appropriate?
a. High risk
b. Moderate risk
c. Low risk
d. No risk

65. (1 point) A manufacturing company stores top-secret design files for a new jet engine on an unencrypted external hard drive kept in an unlocked desk drawer. Which choice BEST explains why this is high risk?
a. The files are not sensitive because they are engineering documents.
b. Encryption is only needed when data are in transit.
c. The data are highly sensitive and can be stolen easily, leading to major confidentiality and competitive impacts.
d. Physical storage cannot affect cybersecurity risk.

66. (1 point) A retailer stores payment card information (PCI data) in a database. Access is limited to two employees, but the database backups are stored unencrypted in cloud storage. What risk level is MOST appropriate?
a. Moderate risk
b. No risk
c. Low risk
d. High risk

67. (1 point) A company encrypts its customer PII spreadsheet with a strong key, but shares the decryption password through an unencrypted group chat used by many employees. Which CIA area is MOST directly threatened?
a. Confidentiality, because the password exposure can lead to unauthorized access.
b. Integrity, because chat messages change the spreadsheet.
c. Availability, because chat messages slow down the network.
d. None, because encryption is used.

68. (1 point) A web app allows any logged-in user to download all customer records because access controls were set too broadly. Which risk description BEST applies?
a. Only integrity risk because downloads change data.
b. Low confidentiality risk because users are logged in.
c. Only availability risk because downloads use bandwidth.
d. High confidentiality risk due to weak access controls exposing sensitive data.

69. (1 point) A small business stores internal meeting notes (not regulated data) in a shared folder with read access for all staff. The folder is unencrypted. Which risk level is MOST appropriate?
a. Low risk
b. Moderate risk
c. High risk
d. No risk

70. (1 point) An attacker gains access to a file server and changes payroll amounts in a spreadsheet. Which CIA component is MOST clearly compromised?
a. Confidentiality
b. Integrity
c. Availability
d. CHOICE BLANK

71. (1 point) Which scenario BEST fits MODERATE risk from data vulnerabilities?
a. Customer PII is encrypted, but the encryption key length is weak.
b. A public brochure is stored without access controls.
c. Top-secret defense plans are stored unencrypted on a USB drive.
d. A device has no internet connection and stores no data.

72. (1 point) Which scenario BEST fits LOW risk from data vulnerabilities?
a. Credit card data is stored in plaintext in a shared folder.
b. Unencrypted health records are emailed to personal accounts.
c. A password database is posted publicly online.
d. Non-sensitive internal memos are on an unencrypted drive with loose access controls.

73. (1 point) A company has sensitive design documents encrypted at rest, but employees frequently email the files as attachments without encryption. What is the primary risk?
a. Integrity risk increases because email forces file edits.
b. Confidentiality risk increases because data in transit can be intercepted and read.
c. Risk decreases because emailing adds redundancy.
d. Availability risk increases because email deletes attachments.

74. (1 point) An organization stores regulated PCI data and follows PCI-DSS rules. Why does this typically increase security requirements?
a. PCI data is not sensitive, so fewer controls are needed.
b. Laws/standards require specific protections, raising the needed level of controls.
c. Following standards increases risk because it adds complexity.
d. Standards only apply to paper records.

75. (1 point) A company encrypts a customer PII file, but gives the decryption password to all employees "just in case." Which statement BEST describes the risk?
a. Integrity risk is removed because everyone has the password.
b. Risk is low because the file is encrypted.
c. Confidentiality risk remains high because access controls are too broad.
d. Availability risk is removed because many people can open the file.

76. (1 point) A company uses a shared admin account for a database so everyone can "get work done." What is the MOST accurate risk analysis?
a. Low risk: admin accounts improve efficiency.
b. No risk: shared accounts are standard practice.
c. Only availability risk: admin accounts slow down the server.
d. High risk: weak access controls increase unauthorized access and make accountability difficult.

77. (1 point) An organization stores data at rest on an encrypted drive. Which additional control BEST reduces risk of data loss if the drive is stolen?
a. Turning off WiFi on all devices.
b. Strong access control limiting who can decrypt and access the files.
c. Using older software versions to avoid change.
d. Disabling all passwords to reduce lockouts.

78. (1 point) An unpatched file-sharing application has a known vulnerability that allows unauthorized file download. The app stores employee tax forms (PII). Which risk level is MOST appropriate?
a. High risk
b. No risk
c. Moderate risk
d. Low risk

79. (1 point) A user can edit a shared spreadsheet containing customer addresses because the file permissions are set to "edit for everyone." What is the MOST likely CIA impact if a malicious insider changes addresses?
a. Confidentiality is compromised because data are encrypted.
b. Availability is compromised because the file becomes smaller.
c. Integrity is compromised because the data are altered.
d. None, because edits are normal.

80. (1 point) Which choice BEST explains why risk is not only about vulnerability but also about impact?
a. Any vulnerability is always high risk no matter what.
b. Impact only matters if an attack has already happened.
c. Risk is determined only by the number of users on the system.
d. A vulnerability affecting critical or regulated data can cause much greater harm than the same vulnerability affecting non-sensitive data.

81. (1 point) A company stores marketing images on an unencrypted drive with loose access controls. Which risk level is MOST appropriate?
a. Low risk
b. Moderate risk
c. No risk
d. High risk

82. (1 point) Which option best describes the purpose of required data training for employees who access or manage organizational data?
a. To increase internet speed by reducing network traffic
b. To ensure employees understand what data the organization handles and how to protect it appropriately
c. To teach employees how to write new software features
d. To eliminate the need for access controls and encryption

83. (1 point) In data training, which information helps employees identify who is accountable for protecting specific datasets?
a. The company's social media posting schedule
b. The office cafeteria menu
c. The brand of printers used in the office
d. The responsible parties for collecting, processing, and storing the data

84. (1 point) Which item is an example of an operational security consideration that might be covered in data training?
a. When and how sensitive data may be handled or shared
b. How to increase monitor brightness
c. How to create a new email signature
d. Which video games are allowed at lunch

85. (1 point) Which training detail would BEST help employees recognize what types of information the organization stores?
a. An overview of the types of data collected, processed, and stored
b. A list of office parking spaces
c. A list of approved web browsers
d. A map of network cabling in the building

86. (1 point) Which scenario shows a gap that data training is meant to reduce?
a. A student forgets a classroom password for a day
b. An employee shares sensitive data without understanding approved handling rules
c. A printer runs out of paper
d. A user forgets how to open a PDF file

87. (1 point) An organization wants employees to know who to contact if they suspect data exposure. Which part of data training supports this goal?
a. Replacing passwords with biometrics everywhere
b. Teaching advanced router configuration
c. Identifying responsible parties for the data and related processes
d. Turning off all logging to avoid alerts

88. (1 point) Which statement BEST summarizes what data training should accomplish?
a. Educate employees on data types, responsibilities, legal concerns, and safe handling practices
b. Teach employees to bypass access controls to work faster
c. Focus only on hardware repairs for servers
d. Require employees to memorize all IP addresses in the network

89. (1 point) Which item would MOST likely appear in a cryptography policy?
a. The color scheme for the company website
b. Minimum key lengths for approved encryption algorithms
c. A list of cafeteria food allergies
d. The maximum number of emails employees can send

 90. 

(1 point) A policy states: 'Use AES with at least a 256-bit key for stored customer data.' This policy statement is an example of what?
a.
A rule for web application vulnerability scanning
b.
A rule for password complexity
c.
Minimum key length requirements for a specific encryption algorithm
d.
A rule for disabling unused switch ports
 

 91. 

(1 point) Which combination best matches what a cryptography policy may include?
a.
Approved algorithms, key lengths, key-generation requirements, and key-storage requirements
b.
Only a list of employee job titles
c.
Only firewall placement diagrams
d.
Only incident response contact numbers
 

 92. 

(1 point) An IT team wants to start using a new encryption algorithm. Which managerial control should they consult first?
a.
The building evacuation plan
b.
The cryptography policy's list of approved encryption algorithms for specific uses
c.
The sports team schedule
d.
The acceptable use policy for social media
 

 93. 

(1 point) Which policy statement best fits a cryptography policy?
a.
All network traffic must use Telnet for troubleshooting
b.
All servers must disable logging to improve performance
c.
All employees must use personal devices for work
d.
Cryptographic keys must be stored in an approved key management system, not in code repositories
 

 94. 

(1 point) Which outcome is MOST likely when an organization has clear cryptography policy requirements?
a.
Consistent encryption choices that meet security standards across teams
b.
All data automatically becomes unencrypted when stored
c.
No need to protect encryption keys
d.
Random encryption methods chosen by each employee
 

 95. 

(1 point) What is the primary purpose of a web application security policy?
a.
To require all users to disable browser updates
b.
To set rules for office parking and building access
c.
To define requirements for testing and mitigating web application vulnerabilities
d.
To specify the brand of laptops employees must use
 

 96. 

(1 point) Which item would MOST likely be included in a web application security policy?
a.
Timelines for remediating vulnerabilities based on level of risk
b.
How to label network switch ports
c.
How to configure Wi-Fi channels in a school
d.
How to create strong passwords for end users
 

 97. 

(1 point) Which choice best describes how a web application security policy supports risk management?
a.
It removes the need for access controls
b.
It sets clear expectations for assessment and fixes based on risk level
c.
It allows developers to ignore security findings
d.
It guarantees no vulnerabilities will ever exist
 

 98. 

(1 point) A company uses a framework to guide security testing for web apps. Where would this requirement most likely be documented?
a.
In the building access control policy
b.
In the cafeteria sanitation policy
c.
In the email signature policy
d.
In the web application security policy under assessment parameters
 

 99. 

(1 point) Which scenario best shows a web application security policy in action?
a.
A team disables all logs so attackers leave no evidence
b.
A team shares admin passwords to speed up development
c.
A team schedules a security assessment and fixes critical findings before a release deadline
d.
A team publishes encryption keys in public documentation
 

 100. 

(1 point) An organization wants consistent rules for how web app vulnerabilities are tested and addressed. Which managerial control best provides this?
a.
A web application security policy that sets assessment and remediation requirements
b.
A policy requiring longer lunch breaks
c.
A policy requiring all devices to use the same wallpaper
d.
A policy allowing personal phone use during meetings
 

 101. 

(1 point) An organization wants access to a payroll app to depend on job roles (HR, Manager, Employee). Which access control model best fits this requirement?
a.
Mandatory access control (MAC)
b.
Role-based access control (RBAC)
c.
Rule-based access control (RuBAC) only
d.
Discretionary access control (DAC)
 

 102. 

(1 point) A database allows the file owner to decide who can view or edit their own files, and admins can override permissions. Which model is being used?
a.
Mandatory access control (MAC)
b.
Bell-LaPadula
c.
Discretionary access control (DAC)
d.
Role-based access control (RBAC)
 

 103. 

(1 point) Which option best describes access control in general?
a.
Encrypting files so only the owner can read them
b.
Logging network traffic to find IoCs
c.
Detecting malware using signatures
d.
Enforcing which subjects can perform operations on which objects
 

 104. 

(1 point) Bell-LaPadula: A user with 'Top Secret' clearance wants to write to a 'Confidential' document. What is the correct decision?
a.
Deny the write because subjects may not write down
b.
Allow the write because subjects may read down
c.
Allow the write if it is outside business hours
d.
Allow the write if the user owns the document
 

 105. 

(1 point) A school uses roles (Student, Teacher, Principal). A Teacher can edit grades, Students can only view their own grades, and Principals can view all grades. Which model should the school choose?
a.
Single sign-on (SSO)
b.
Discretionary access control (DAC)
c.
Role-based access control (RBAC)
d.
Mandatory access control (MAC)
 

 106. 

(1 point) A company wants to prevent lateral movement by ensuring users only get the minimum permissions needed for their job. Which principle should guide the design?
a.
The principle of least privilege
b.
Defense in depth
c.
Data sanitization
d.
Open access for convenience
 

 107. 

(1 point) A firewall decides whether traffic is allowed using a list of 'if/then' rules like time-of-day and source IP. Which access control model is most similar to this approach?
a.
Discretionary access control (DAC)
b.
Rule-based access control (RuBAC)
c.
Role-based access control (RBAC)
d.
Mandatory access control (MAC)
 

 108. 

(1 point) An enterprise wants access based on job function AND requires a rule that denies access from outside the company network. Which combination is best?
a.
RuBAC alone with no other model
b.
DAC with RuBAC layered on top
c.
RBAC with RuBAC layered on top
d.
MAC with DAC layered on top
 

 109. 

(1 point) A military system uses WURD. Which choice correctly explains WURD?
a.
Subjects may write down and read up
b.
Subjects may only write at the same level
c.
Subjects may read and write at any level if authenticated
d.
Subjects may write up and read down
 

 110. 

(1 point) A company wants to limit who can change access permissions so that individual users cannot freely share sensitive files. Which model is most appropriate?
a.
Guest access control
b.
Discretionary access control (DAC)
c.
Mandatory access control (MAC)
d.
Role-based access control (RBAC) only
 

 111. 

(1 point) A cloud storage system assigns every user to a role. Only the 'Finance' role can open the budget folder. Which model is being used?
a.
Role-based access control (RBAC)
b.
Mandatory access control (MAC)
c.
Discretionary access control (DAC)
d.
Rule-based access control (RuBAC) only
 

 112. 

(1 point) A system checks the subject's level and the object's level before allowing access. That is an example of which model?
a.
Role-based access control (RBAC)
b.
Mandatory access control (MAC)
c.
Password complexity policy
d.
Discretionary access control (DAC)
 

 113. 

(1 point) A company wants a simple way to manage access for 5,000 employees by job role, not by individual file owner choices. Which model is best?
a.
Discretionary access control (DAC)
b.
Mandatory access control (MAC)
c.
Role-based access control (RBAC)
d.
Bell-LaPadula only
 

 114. 

(1 point) An access control policy states: 'Only the database service account may delete records; analysts may only read.' In this statement, what is the 'operation'?
a.
Records
b.
Delete
c.
Analysts
d.
Database service account
 

 115. 

(1 point) A company stores regulated health data and wants strict, label-based controls that users cannot override. Which model best meets this goal?
a.
Role-based access control (RBAC)
b.
Rule-based access control (RuBAC) only
c.
Mandatory access control (MAC)
d.
Discretionary access control (DAC)
 

 116. 

(1 point) Bell-LaPadula: A user with 'Confidential' clearance wants to write to a 'Secret' file. What should happen?
a.
Deny the write only if it is during business hours
b.
Allow the write only if the user owns the file
c.
Deny the write because writing up is not permitted
d.
Allow the write because writing up is permitted
 

 117. 

(1 point) Which access control model is MOST likely to be layered on top of RBAC to add extra conditions like time, location, or device type?
a.
Mandatory access control (MAC)
b.
Bell-LaPadula
c.
Rule-based access control (RuBAC)
d.
Discretionary access control (DAC)
 

 118. 

(1 point) An organization is redesigning permissions so interns can view tickets but cannot change system settings or export customer data. What principle is being applied?
a.
Buffer overflow prevention
b.
The principle of least privilege
c.
Open networking
d.
Data in transit protection
 

 119. 

(1 point) A company blocks all access to a sensitive app from outside the U.S. using IP geolocation rules. This is an example of which model type?
a.
Role-based access control (RBAC)
b.
Mandatory access control (MAC)
c.
Discretionary access control (DAC)
d.
Rule-based access control (RuBAC)
 

 120. 

(1 point) A team is choosing between RBAC and MAC for a startup. They want the lowest management overhead while still limiting access by job function. Which model should they choose?
a.
Mandatory access control (MAC)
b.
Role-based access control (RBAC)
c.
Discretionary access control (DAC) only
d.
Bell-LaPadula
 



 