A security engineer is implementing a new solution designed to process e-business transactions and record them in a corporate audit database. The project has multiple technical stakeholders. The database team controls the physical database resources, the internal audit division controls the audit records in the database, the web hosting team is responsible for implementing the website front end and shopping cart application, and the accounting department is responsible for processing the transaction and interfacing with the payment processor. As the solution owner, the security engineer is responsible for ensuring which of the following?
A. Ensure the process functions in a secure manner from customer input to audit review.
B. Security solutions result in zero additional processing latency.
C. Ensure the process of storing audit records is in compliance with applicable laws.
D. Web transactions are conducted in a secure network channel.
The Chief Information Security Officer (CISO) of a small bank wants to embed a monthly testing regiment into the security management plan specifically for the development area. The CISO's requirements are that testing must have a low risk of impacting system stability, can be scripted, and is very thorough. The development team claims that this will lead to a higher degree of test script maintenance and that it would be preferable if the testing was outsourced to a third party. The CISO still maintains that third-party testing would not be as thorough as the third party lacks the introspection of the development team. Which of the following will satisfy the CISO requirements?
A. Grey box testing performed by a major external consulting firm who have signed a NDA.
B. Black box testing performed by a major external consulting firm who have signed a NDA.
C. White box testing performed by the development and security assurance teams.
D. Grey box testing performed by the development and security assurance teams.
Which of the following is the BEST place to contractually document security priorities, responsibilities, guarantees, and warranties when dealing with outsourcing providers?
A. NDA
B. OLA
C. MOU
D. SLA
The security administrator at a company has received a subpoena for the release of all the email received and sent by the company Chief Information Officer (CIO) for the past three years. The security administrator is only able to find one year's worth of email records on the server and is now concerned about the possible legal implications of not complying with the request. Which of the following should the security administrator check BEFORE responding to the request?
A. The company data privacy policies
B. The company backup logs and archives
C. The company data retention policies and guidelines
D. The company data retention procedures
An administrator is notified that contract workers will be onsite assisting with a new project. The administrator wants each worker to be aware of the corporate policy pertaining to USB storage devices. Which of the following should each worker review and understand before beginning work?
A. Interconnection Security Agreement
B. Memorandum of Understanding
C. Business Partnership Agreement
D. Non-Disclosure Agreement
A security consultant is hired by a company to determine if an internally developed web application is vulnerable to attacks. The consultant spent two weeks testing the application, and determines that no vulnerabilities are present. Based on the results of the tools and tests available, which of the following statements BEST reflects the security status of the application?
A. The company's software lifecycle management improved the security of the application.
B. There are no vulnerabilities in the application.
C. The company should deploy a web application firewall to ensure extra security.
D. There are no known vulnerabilities at this time.
The Linux server at Company A hosts a graphical application widely used by the company designers. One designer regularly connects to the server from a Mac laptop in the designer's office down the hall. When the security engineer learns of this it is discovered the connection is not secured and the password can easily be obtained via network sniffing. Which of the following would the security engineer MOST likely implement to secure this connection?
Linux Server: 192.168.10.10/24 Mac Laptop: 192.168.10.200/24
A. From the server, establish an SSH tunnel to the Mac and VPN to 192.168.10.200.
B. From the Mac, establish a remote desktop connection to 192.168.10.10 using Network Layer Authentication and the CredSSP security provider.
C. From the Mac, establish a VPN to the Linux server and connect the VNC to 127.0.0.1.
D. From the Mac, establish a SSH tunnel to the Linux server and connect the VNC to 127.0.0.1.
After three vendors submit their requested documentation, the CPO and the SPM can better understand what each vendor does and what solutions that they can provide. But now they want to see the intricacies of how these solutions can adequately match the requirements needed by the firm. Upon the directive of the CPO, the CISO should submit which of the following to the three submitting firms?
A. A TandM contract
B. An RFP
C. A FFP agreement
D. A new RFQ
The Chief Information Officer (CIO) of a technology company is likely to move away from a de- perimeterized model for employee owned devices. This is because there were too many issues with lack of patching, malware incidents, and data leakage due to lost/stolen devices which did not have full-disk encryption. The `bring your own computing' approach was originally introduced because different business units preferred different operating systems and application stacks. Based on the issues and user needs, which of the following is the BEST recommendation for the CIO to make?
A. The de-perimeterized model should be kept as this is major industry trend and other companies are following this direction. Advise that the issues being faced are standard business as usual concerns in a modern IT environment.
B. Update the policy to disallow non-company end-point devices on the corporate network. Develop security-focused standard operating environments (SOEs) for all required operating systems and ensure the needs of each business unit are met.
C. The de-perimeterized model should be kept but update company policies to state that non-company end-points require full disk encryption, anti-virus software, and regular patching.
D. Update the policy to disallow non-company end-point devices on the corporate network. Allow only one type of outsourced SOE to all users as this will be easier to provision, secure, and will save money on operating costs.
A company receives a subpoena for email that is four years old. Which of the following should the company consult to determine if it can provide the email in question?
A. Data retention policy
B. Business continuity plan
C. Backup and archive processes
D. Electronic inventory
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only CompTIA exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CAS-002 exam preparations and CompTIA certification application, do not hesitate to visit our Vcedump.com to find your solutions here.