- (Topic 6)
A Wide Area Network (WAN) is basically everything outside of:

1. A. a Local Area Network (LAN).
2. B. a Campus Area Network (CAN).
3. C. a Metropolitan Area Network (MAN).
4. D. the Internet.

Correct Answer: A
A WAN is basically everything outside of a LAN.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 99.

- (Topic 6)
Layer 4 of the OSI stack is known as:

1. A. the data link layer
2. B. the transport layer
3. C. the network layer
4. D. the presentation layer

Correct Answer: B
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

- (Topic 2)
Which of the following statements pertaining to a security policy is incorrect?

1. A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.
2. B. It specifies how hardware and software should be used throughout the organization.
3. C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
4. D. It must be flexible to the changing environment.

Correct Answer: B
A security policy would NOT define how hardware and software should be used throughout the organization. A standard or a procedure would provide such details but not a policy.
A security policy is a formal statement of the rules that people who are given access to anorganization's technology and information assets must abide. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets.
The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization. A good security policy must:
• Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
• Be able to be enforced with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
• Clearly define the areas of responsibility for the users, the administrators, and the managers
• Be communicated to all once it is established
• Be flexible to the changing environment of a computer network since it is a living document
Reference(s) used for this question:
National Security Agency, Systems and Network Attack Center (SNAC),The 60 Minute Network Security Guide, February 2002, page 7.
or
A local copy is kept at: https://www.freepracticetests.org/documents/The%2060%20Minute%20Network%20Security%20Guide.pdf

- (Topic 5)
Compared to RSA, which of the following is true of Elliptic Curve Cryptography(ECC)?

1. A. It has been mathematically proved to be more secure.
2. B. It has been mathematically proved to be less secure.
3. C. It is believed to require longer key for equivalent security.
4. D. It is believed to require shorter keys for equivalent security.

Correct Answer: D
The following answers are incorrect: It has been mathematically proved to be less secure. ECC has not been proved to be more or less secure than RSA. Since ECC is newer than RSA, it is considered riskier by some, but that is just a general assessment, not based on mathematical arguments.
It has been mathematically proved to be more secure. ECC has not been proved to be more or less secure than RSA. Since ECC is newer than RSA, it is considered riskier by some, but that is just a general assessment, not based on mathematical arguments.
It is believed to require longer key for equivalent security. On the contrary, it is believed to require shorter keys for equivalent security of RSA.
Shon Harris, AIO v5 pg719 states:
"In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter that what RSA requires"
The following reference(s) were/was used to create this question: ISC2 OIG, 2007 p. 258
Shon Harris, AIO v5 pg719

- (Topic 6)
A DMZ is also known as a

1. A. screened subnet
2. B. three legged firewall
3. C. a place to attract hackers
4. D. bastion host

Correct Answer: A
This is another name for the demilitarized zone (DMZ) of a network.
"Three legged firewall" is incorrect. While a DMZ can be implemented on one leg of such a device, this is not the best answer.
"A place to attract hackers" is incorrect. The DMZ is a way to provide limited public access to an organization's internal resources (DNS, EMAIL, public web, etc) not as an attractant for hackers.
"Bastion host" is incorrect. A bastion host serves as a gateway between trusted and untrusted network.
References: CBK, p. 434
AIO3, pp. 495 - 496