var quiz = {
	questions : [
		{
			text : 'Which of the following controls might force a person in operations into collusion with personnel assigned organizationally within a different function for the sole purpose of gaining access to data he is not authorized to access?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Limiting the local access of operations personnel',
				'B.	Enforcing auditing',
				'C.	Enforcing separation of duties',
				'D.	Limiting control of management personnel'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nIf operations personnel were limited in what they can access, they would need to collude with someone who actually has access to the resource. This is a very painful question in the way that it is written, but very close to the way many CISSP exam questions are formatted.',
			moreInfo : ''
		},
		{
			text : 'Which of the following is not an attack that the operations department usually has to be concerned with?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Brute force',
				'B.	Denial of service',
				'C.	Buffer overflow',
				'D.	Known plaintext attack'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>\nThe first three are attacks that can directly affect security operations, but known plaintext attack is an attack against cryptography used in the environment, not a direct attack on operations.',
			moreInfo : ''
		},
		{
			text : 'There are several ways of truly erasing data from different types of media. Which is not a method of secure media sanitization?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Deleting a file from a hard drive',
				'B.	Degaussing',
				'C.	Overwriting',
				'D.	Physical destruction'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nPermanently erasing the contents from a medium is called sanitization. Just deleting a file does not mean that the data is actually erased. It is still there until the operating system overwrites it. There are several ways to sanitize media:\n<ul><li>Degaussing: Erasing data magnetically.</li>\n<li>Overwriting: Replacing old content with new content. This is also called zeroization when the new contents contain null values.</li>\n<li>Physical destruction: If the medium cannot be properly sanitized, it must be destroyed.</li></ul>',
			moreInfo : ''
		},
		{
			text : 'Which of the following security practices is often compared to the "prudent person" concept?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Least privilege',
				'B.	Man-in-the-middle',
				'C.	Due care',
				'D.	Proximate causation'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nA prudent person is responsible, careful, cautious and practical. This is a legal concept used to determine if individuals or companies are liable for specific types of activities. Companies are required to execute due care in order to protect the security of the business and the employees.',
			moreInfo : ''
		},
		{
			text : 'Which is not true regarding "authorization creep"?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Typically occurs when employees transfer to new departments or change positions',
				'B.	Is a violation of least privilege',
				'C.	Enforces the need-to-know concept',
				'D.	Is the tendency of users to request additional privileges but seldom ask for them to be taken away'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nAuthorization creep is the process of an individual continually gaining privileges or rights that are not necessary to perform his job function. This is commonly caused by employees moving from one role to another role within an organization and continually obtaining more rights. This results in employees having too many rights, which is a risk to a company. Authorization creep violates both the least privilege and need-to-know concepts.',
			moreInfo : ''
		},
		{
			text : 'A senior member of the IT programming staff, who has been loyal and is extremely valuable, is suspected of fraud by a vice president. But the executive has no proof and does not want to make unfounded allegations. What operations control would be best to identify if the programmer is committing fraud?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Separation of duties',
				'B.	Mandatory vacation',
				'C.	Least privilege',
				'D.	Need-to-know'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nEnforcing the mandatory vacation control is the best option for the vice president. This will allow another person to perform the job function and identify potential fraud while the original programmer is on vacation. The good thing about mandatory vacations is that executives can spin it in a positive light. Telling an employee to take a vacation can usually be interpreted in a positive way. Instituting a job rotation, on the other hand, may clue the programmer in to the executive\'s suspicion.',
			moreInfo : ''
		},
		{
			text : 'Reviewing audit logs is an example of what type of a security control?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Deterrent',
				'B.	Detective -- Physical',
				'C.	Detective -- Technical',
				'D.	Preventive -- Technical'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nDetective controls help to identify breakdowns in access controls. Reviewing audit logs is one example of a type of technical detective control. For example, a security professional who reviews a long distance telephone billing sheet in an operations center can uncover potential fraud by operations employees.',
			moreInfo : ''
		},
		{
			text : 'Which of the following controls are used to amend a situation after an attack has occurred or a vulnerability has been identified?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Deterrent',
				'B.	Corrective',
				'C.	Preventive',
				'D.	Recovery'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nCorrective controls are used to fix a problem. For example, when it is determined that an unauthorized user gained access to a network segment, a corrective control would address the access control vulnerability that allowed the user access.',
			moreInfo : ''
		},
		{
			text : 'A reservationist at a travel agency is allowed to commit two mistakes per month without consequence. An automated system tracks these errors and alerts appropriate personnel when this limit is exceeded. What is the limit referred to as?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Clipping level',
				'B.	Maximum tolerable downtime',
				'C.	Proximate causation',
				'D.	Due care'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nClipping levels are thresholds that indicate the number of acceptable user errors or anomalies. The reason a clipping level is set is to notify security or management when innocent mistakes become routine enough to suspect fraudulent behavior.',
			moreInfo : ''
		},
		{
			text : 'Operations departments should back up data in all of the following situations except which?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Once per year',
				'B.	Immediately following a reorganization',
				'C.	After a system upgrade',
				'D.	For authorized on-demand requests'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nBacking up data is critical within operations organizations. The most important step to take is to create a backup plan. This will detail when and what to back up, as well as where to store the files. Even though each entity will require different phases of backups, it is not realistic to provide proper data security when only backing up data once per year.',
			moreInfo : ''
		},
		{
			text : 'An operations control that identifies potential fraudulent activity by requiring different personnel to switch job functions on a regular basis is called _______________.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Mandatory vacation',
				'B.	Need-to-know',
				'C.	Separation of duties',
				'D.	Job rotation'
			],
			answer : 3,
			score : 1,
			expandedAnswer : '<br>\nJob rotation is the correct answer. It involves training more than one person for a specific job. This is a control used to identify potential fraud. Separation of duties ensures that one person is not solely responsible for a critical task.',
			moreInfo : ''
		},
		{
			text : 'Generating magnetic fields to erase the content on a type of media is called what?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Sniffing',
				'B.	Degaussing',
				'C.	Wiretapping',
				'D.	Magnetizing'
			],
			answer : 1,
			score : 1,
			expandedAnswer : '<br>\nDegaussing is an effective way of erasing data on media. The process creates strong magnetic fields that return the flux of the electrons back to their original state.',
			moreInfo : ''
		},
		{
			text : 'If a company has been contacted because its mail server has been used to spread spam, what is most likely the problem?',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	The internal mail server has been compromised by an internal hacker.',
				'B.	The mail server in the DMZ has private and public resource records.',
				'C.	The mail server has e-mail relaying enabled.',
				'D.	The mail server has SMTP enabled.'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nSpammers will identify the mail servers on the Internet that have relaying enabled and are "wide open," meaning the server will forward any e-mail messages it receives. These servers are put on a blacklist, and the servers are used by many different spammers to hide the true origin of the spam messages.',
			moreInfo : ''
		},
		{
			text : 'Granting Tier I network technicians read-only access to border routers is an example of ____________.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Biba model concept',
				'B.	Separation of duties',
				'C.	Least privilege',
				'D.	Due care'
			],
			answer : 2,
			score : 1,
			expandedAnswer : '<br>\nLeast privilege ensures that individuals have permissions to only what is required to do their job and no more. In this question, Tier I technicians would only need read access to network devices. Having the ability to make changes to a border router would violate the least privilege policy.',
			moreInfo : ''
		},
		{
			text : 'A tool used to detect penetration of a computer system and to identify misuse is called ____________.',
			img : 'http://media.techtarget.com/WhatIs/images/spacer.gif',
			responses : [
				'A.	Audit trail',
				'B.	Documentation',
				'C.	Security policy',
				'D.	Security model'
			],
			answer : 0,
			score : 1,
			expandedAnswer : '<br>\nAudit trails are effective tools and are considered detective-technical controls. They can be used to display commands that have been entered into a system, authentication attempts into a network, or systems and files that have been accessed or modified.',
			moreInfo : ''
		}
	]
};