CISSP Exam Free Practice Questions

In contrast, storing baseline images on a shared network drive with restricted access may limit unauthorized access but does not provide a mechanism for tracking changes or reverting to previous versions. This could lead to potential integrity issues if an authorized user inadvertently modifies the image. Regularly backing up images to an external storage device without change tracking does not protect against unauthorized modifications, as it lacks the ability to identify and revert changes. Lastly, using a single, static baseline image without any update or patch management process poses significant risks, as it leaves systems vulnerable to known exploits and does not adapt to evolving security threats. In summary, a version control system provides a robust framework for managing baseline images, ensuring that they remain secure and up-to-date while allowing for necessary modifications in a controlled manner. This approach aligns with best practices in information security management, as outlined in frameworks such as ISO/IEC 27001, which emphasizes the importance of maintaining the integrity and availability of information assets.

When a software update is deployed, there is always a risk that it may not function as intended due to various factors such as compatibility issues, bugs, or user errors. A rollback plan provides a structured approach to revert to the previous version of the software, thereby minimizing disruption to business operations. This is particularly important in environments where system availability is crucial, as it helps maintain service continuity. While documenting changes for compliance (option b) is important, it does not directly address the immediate need to restore functionality. Minimizing downtime during deployment (option c) is a goal of effective change management but does not encompass the purpose of a rollback plan. Lastly, providing a detailed analysis of the software update’s performance (option d) is more related to post-implementation review rather than the immediate need to revert changes. In summary, a rollback plan is essential for ensuring that organizations can quickly and effectively respond to issues that arise from changes, thereby safeguarding system integrity and operational continuity. This aligns with best practices outlined in frameworks such as ITIL (Information Technology Infrastructure Library), which emphasizes the importance of change management processes in maintaining service quality and reliability.

A risk assessment should include an analysis of the current encryption methods, the proposed asymmetric encryption algorithm, and how the change will affect data integrity, confidentiality, and availability. It should also consider the potential for operational disruptions, compliance with regulatory requirements (such as GDPR or PCI DSS), and the implications for customer trust and data protection. Implementing the new encryption algorithm without prior assessment could lead to unforeseen vulnerabilities, such as compatibility issues with existing systems or inadequate training for staff, which could compromise security. While informing employees and developing a communication plan are important steps in the change management process, they should follow the risk assessment to ensure that all stakeholders are adequately prepared for the transition based on a clear understanding of the risks involved. In summary, a thorough risk assessment lays the groundwork for a successful change management strategy, enabling the organization to proactively address potential challenges and ensure that the new encryption protocols enhance security without introducing new risks.

In contrast, the second option allows for weak passwords as long as they are changed regularly, which does not effectively mitigate the risk of password guessing or brute-force attacks. The third option is reactive rather than proactive; waiting for a user to suspect a compromise before changing their password can lead to significant security breaches. Lastly, the fourth option only partially addresses password complexity by requiring a special character, but it does not enforce other critical aspects such as length or the inclusion of numbers and uppercase letters, which are essential for creating strong passwords. Overall, a comprehensive approach that combines the use of technology (password managers) with user education is the most effective strategy for enhancing account security in this context. This aligns with best practices outlined in various security frameworks, such as NIST SP 800-63, which emphasizes the importance of strong authentication mechanisms and user awareness in safeguarding sensitive information.

The relationship between CIs and the CMDB is foundational; CIs are the individual elements that are tracked within the CMDB. Each CI is documented with relevant attributes, such as its status, relationships with other CIs, and historical changes. This documentation is essential for understanding the impact of changes, facilitating audits, and ensuring that all components are accounted for during the change management process. The incorrect options highlight common misconceptions. For instance, the idea that the CMDB only stores hardware information is misleading, as it encompasses all types of CIs. Similarly, the notion that CIs are temporary records contradicts the purpose of the CMDB, which is to maintain a persistent record of all configuration items over time. Lastly, the claim that the CMDB serves merely as a backup is inaccurate; it is an active tool used in change management to assess the implications of changes and maintain operational integrity. Understanding the role of CIs within the CMDB is crucial for effective configuration management, as it allows organizations to maintain control over their IT assets and ensure that changes are made in a structured and documented manner. This structured approach is vital for minimizing risks associated with changes and ensuring that the IT environment remains stable and secure.

Understanding the context of the open port is essential for risk assessment. For instance, if the port is associated with a service that is necessary for business operations, the administrator may need to implement additional security measures, such as access controls or monitoring, rather than simply closing it. Conversely, if the port is found to be unnecessary or potentially harmful, it should be closed to mitigate the risk of unauthorized access or exploitation. Immediate closure of the port without investigation could lead to disruption of legitimate services, which may impact business operations. Ignoring the open port is also a poor choice, as it leaves the organization vulnerable to potential attacks. Lastly, documenting the open port and postponing action until the next audit cycle is insufficient, as it does not address the immediate risk posed by the open port. In summary, the most prudent approach is to prioritize a thorough investigation of the open port to assess its purpose and associated risks, ensuring that any necessary actions are taken to protect the organization’s network security. This aligns with best practices in risk management and incident response, emphasizing the importance of understanding the security posture before making decisions that could impact the organization.

By evaluating the likelihood and impact of various security threats, the team can better understand the necessity of implementing robust security measures like MFA. Additionally, they should consider the potential costs associated with decreased productivity, such as increased helpdesk calls, user errors, and time lost during the login process. Furthermore, the team should engage with users to gather feedback on their experiences with the authentication process. This feedback can provide valuable insights into how the MFA system affects daily operations and user satisfaction. However, it is crucial to ensure that user feedback does not overshadow the importance of security; thus, a balanced approach is necessary. Ultimately, the decision should be informed by both quantitative data from the risk assessment and qualitative insights from user feedback. This dual approach allows the team to make a well-rounded decision that prioritizes security while also considering the usability implications, leading to a more effective and user-friendly security posture.

In contrast, ensuring that the imaging tool is compatible with all hardware configurations is important but does not directly address the security of the image itself. While compatibility issues can lead to deployment failures, they do not inherently protect against vulnerabilities within the image. Similarly, using a standard operating system installation without additional security measures is a risky approach, as it may leave the system exposed to threats that could have been mitigated through proper configuration and patching. Finally, deploying the image directly to all workstations without testing is a dangerous practice that can lead to widespread vulnerabilities being propagated across the network. In summary, the critical step of conducting a vulnerability assessment ensures that the captured image is secure and compliant with organizational security standards, thereby protecting the integrity of the entire network. This aligns with best practices in information security, which emphasize the importance of proactive risk management and continuous monitoring of system vulnerabilities.

In this scenario, the analyst has assigned the following values: – Threat level = 4 – Vulnerability = 3 – Impact = 5 Substituting these values into the formula gives: $$ \text{Risk} = 4 \times 3 \times 5 $$ Calculating this step-by-step: 1. First, multiply the threat level by the vulnerability: $$ 4 \times 3 = 12 $$ 2. Next, multiply the result by the impact: $$ 12 \times 5 = 60 $$ Thus, the calculated risk score for the cloud service is 60. Understanding this calculation is crucial for security analysts as it helps them prioritize risks and allocate resources effectively. A higher risk score indicates a greater need for mitigation strategies, such as implementing stronger access controls, encryption, or regular audits. This approach aligns with the principles outlined in the CISSP domains, particularly in risk management and security assessment. By quantifying risks, organizations can make informed decisions about their security posture and compliance with regulations such as GDPR or HIPAA, which mandate the protection of sensitive data.

Testing and validation are essential because they help identify any defects or issues that could impact the service’s performance or user experience. By thoroughly validating the service against its requirements, the organization can ensure that it aligns with the agreed-upon service levels, which are critical for maintaining customer satisfaction and trust. While developing a marketing strategy, establishing a financial plan, and creating user manuals are important activities, they do not directly address the readiness of the service for deployment. Marketing strategies focus on promoting the service, financial plans manage costs, and user manuals assist users in understanding the service. However, without a robust testing and validation process, the service may not function as intended, leading to potential failures and dissatisfaction among users. In summary, the most critical activity during the service transition phase is to conduct a thorough testing and validation process, as it ensures that the service is ready for deployment and meets the necessary performance and quality standards. This aligns with ITIL’s best practices, which emphasize the importance of quality assurance in service management.

An impact analysis helps in assessing both the positive and negative implications of the change. It allows the change management team to evaluate how the upgrade will interact with current systems, what resources will be required, and how it aligns with the organization’s strategic objectives. This step is vital in risk management as it provides a framework for identifying potential vulnerabilities that could arise from the change, ensuring that the organization can mitigate risks effectively. In contrast, immediately implementing the change without assessment can lead to unforeseen disruptions and security vulnerabilities. Gathering feedback from employees, while valuable, should come after a thorough analysis to ensure that their concerns are based on a well-understood context. Lastly, creating a budget without assessing risks is imprudent, as it may lead to financial overruns if the change introduces unexpected complications. Therefore, conducting a comprehensive impact analysis is the foundational step that aligns with best practices in change management and risk assessment.

In the context of the financial institution, the CAB’s role is crucial as it provides a forum for stakeholders to discuss and evaluate proposed changes. By thoroughly reviewing the implications of the database management system upgrade, the CAB can identify potential risks and develop mitigation strategies. This aligns with best practices outlined in frameworks such as ITIL (Information Technology Infrastructure Library), which emphasizes the importance of risk assessment and stakeholder involvement in the change management process. The other options present misconceptions about the change management process. For instance, implementing changes as quickly as possible without proper assessment can lead to significant disruptions, especially in a sensitive environment like finance, where data integrity and compliance are paramount. Similarly, merely documenting changes without evaluating their impact undermines the purpose of change management, which is to ensure that changes do not adversely affect the organization. Lastly, allowing any team member to implement changes without formal approval can lead to chaos and unmanageable risks, highlighting the necessity of a structured change management process. In summary, effective change management is about balancing the need for change with the need to minimize risk, ensuring that all changes are carefully considered and approved by relevant stakeholders before implementation. This structured approach helps organizations maintain operational stability and compliance with industry regulations.

In contrast, regularly backing up images to a secure cloud storage solution without encryption poses a significant risk, as it leaves sensitive data vulnerable during transmission and storage. While restricting access to physical storage devices may reduce the risk of unauthorized access, it does not address the fundamental issue of data encryption. Password protection on files is also insufficient, as it can be easily bypassed by attackers, especially if the password is weak or compromised. Therefore, the most effective strategy involves a comprehensive approach that includes full-disk encryption, which not only protects the data at rest but also ensures compliance with relevant regulations. This strategy minimizes the risk of data breaches and enhances the overall security posture of the organization.

TLS supports a range of encryption algorithms and can be configured to work with older systems that may not support the latest protocols, making it a versatile choice for environments with mixed technology. Additionally, TLS is actively maintained and updated to address emerging security threats, ensuring that the organization remains protected against vulnerabilities. On the other hand, IPsec is primarily used for securing Internet Protocol communications by authenticating and encrypting each IP packet in a communication session. While it provides strong security, its implementation can be complex, especially in environments with legacy systems that may not support it natively. SSH is a protocol used primarily for secure remote access to servers and does not provide the same level of interoperability for general internal communications as TLS. WEP, while historically used for wireless security, is now considered obsolete and insecure due to its vulnerabilities, making it an unsuitable choice for any modern security policy. In summary, TLS stands out as the most suitable encryption protocol for this scenario due to its balance of strong security features and compatibility with both modern and legacy systems, ensuring that the organization can effectively secure its internal communications without sacrificing functionality.

Implementing changes immediately without adequate communication can lead to confusion, resistance, and potential failures in the transition. Focusing solely on training IT staff neglects the importance of other stakeholders, such as compliance officers and customer service representatives, who play critical roles in the successful adoption of the new system. Limiting communication to compliance officers disregards the need for a holistic approach that considers the perspectives and needs of all stakeholders involved. Effective change management is guided by principles such as the ADKAR model (Awareness, Desire, Knowledge, Ability, and Reinforcement), which emphasizes the importance of awareness and communication in facilitating successful transitions. By prioritizing stakeholder engagement and communication, the change management team can mitigate risks, enhance collaboration, and ultimately achieve a smoother transition to the new core banking system.

To effectively quantify these impacts, organizations often use metrics such as the expected monetary value (EMV), which combines the probability of an event occurring with its potential impact. For example, if the likelihood of a data breach is estimated at 10% and the potential financial impact is $1,000,000, the EMV would be calculated as: $$ EMV = Probability \times Impact = 0.10 \times 1,000,000 = 100,000 $$ This calculation helps the organization understand the financial implications of the risk and prioritize resources accordingly. While qualitative assessments, communication plans, and training programs are important components of a comprehensive risk management strategy, they do not directly contribute to the quantification of risk. Qualitative assessments provide valuable insights but lack the numerical precision needed for quantitative analysis. Communication and training are essential for fostering a security-aware culture but do not address the immediate need to quantify risks in financial terms. Therefore, prioritizing the identification and quantification of potential impacts is crucial for effective risk management in this scenario.

On the other hand, an active-passive configuration, while simpler, does not provide the same level of availability since the passive site is only activated when the primary site fails. This can lead to longer recovery times and potential data loss if not managed properly. A hot site, while beneficial, may still require manual intervention to switch operations, which can introduce delays. Lastly, relying solely on cloud-based services without any on-premises infrastructure can create vulnerabilities, especially if there are connectivity issues or if the cloud provider experiences outages. In summary, the active-active configuration not only ensures high availability during disasters but also maximizes resource efficiency, making it the most suitable choice for organizations that prioritize continuous service delivery and resilience against disruptions. This aligns with best practices in disaster recovery planning, emphasizing the importance of redundancy, geographic diversity, and proactive resource management.

While increasing the frequency of employee training sessions (option b) is important for raising awareness and ensuring that employees understand data handling procedures, it does not directly address the technical vulnerabilities that could lead to a data breach. Similarly, conducting regular audits of the IT infrastructure (option c) is a valuable practice for identifying and mitigating risks, but it is more of a reactive measure rather than a proactive one that directly protects the data itself. Establishing a third-party vendor management program (option d) is also crucial, especially in environments where external partners handle sensitive data, but it does not provide immediate protection for the data itself. In summary, while all options contribute to a robust security posture, the implementation of a comprehensive data encryption strategy is the most effective means of mitigating the risks associated with the handling of PII. This approach not only protects the data but also complies with various regulations and standards, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), which mandate stringent measures for the protection of sensitive information.

Additionally, the implementation of a robust incident response plan is essential for minimizing the impact of any security incidents that may occur despite preventive measures. This plan ensures that the organization can quickly and effectively respond to breaches, thereby reducing potential damage and recovery time. In contrast, the other options present less effective strategies. Accepting risks due to budget constraints implies a passive approach that could leave the organization exposed to significant threats. Transferring risks to third-party vendors may not be feasible or effective if those vendors do not have adequate security measures in place. Lastly, avoiding risks by discontinuing outdated software could be impractical, especially if the software is critical to business operations and no suitable alternatives are available. Thus, the primary focus of the risk management strategy in this scenario is on the proactive mitigation of identified risks, which is essential for maintaining the security and integrity of sensitive customer data. This approach aligns with best practices in risk management as outlined in frameworks such as NIST SP 800-30 and ISO 31000, which advocate for a proactive stance in identifying and addressing risks.

The correct strategy involves assigning access levels that align with the principle of least privilege, which states that users should only have the minimum level of access necessary to perform their job functions. By granting the Accountant role read-only access, the organization ensures that these users can view financial reports without the ability to alter them, thereby protecting the integrity of sensitive data. The Senior Accountant, who likely has more responsibilities, is granted read-write access, allowing them to modify reports as needed while still maintaining oversight. The Accounting Manager, who oversees the entire department, is given full control, enabling them to manage all aspects of financial data, including creating, modifying, and deleting records. The other options present significant security risks. Providing all roles full control (option b) could lead to unauthorized changes or data breaches, as it does not enforce any restrictions based on role responsibilities. Granting the Accountant full control while limiting the Senior Accountant (option c) contradicts the expected hierarchy of access and could hinder the Senior Accountant’s ability to perform their duties effectively. Lastly, implementing a flat access control model (option d) disregards the need for differentiated access based on roles, which can lead to severe security vulnerabilities and potential data loss. In summary, the chosen access control strategy not only aligns with the principles of RBAC and least privilege but also ensures that sensitive financial data is adequately protected while allowing necessary access for each role within the accounting department.

By evaluating changes based on their risk and potential impact, the organization can ensure that critical changes receive the necessary attention and resources, thereby minimizing disruptions. This approach also fosters a culture of accountability and thoroughness, as it requires teams to consider the broader implications of their changes rather than simply processing requests in a linear fashion. In contrast, adopting a first-come, first-served approach (option b) can lead to significant risks, as it does not take into account the urgency or potential impact of changes. Focusing solely on documentation without assessing impact (option c) undermines the purpose of change management, which is to ensure that changes are beneficial and do not introduce new risks. Allowing immediate implementation of low-risk changes (option d) can lead to a lack of oversight and potential issues if the definition of “low-risk” is not consistently applied or understood. In summary, a structured risk assessment framework is essential for effective change management, ensuring that changes are not only documented but also evaluated for their potential impact on the organization’s operations. This approach enhances decision-making and aligns with industry best practices, ultimately supporting the organization’s goals for stability and reliability in its IT services.

The most prudent course of action is to conduct a thorough review of the hardening measures. This involves analyzing which specific configurations or services may be causing conflicts with the applications. By identifying and adjusting these settings, the IT security team can ensure that security is maintained without compromising the performance of essential business functions. This approach aligns with best practices in security management, which advocate for a risk-based approach to security configurations that considers both security and operational impacts. Reverting all hardening measures would expose the organization to increased security risks, as it would negate the benefits gained from the initial hardening efforts. Increasing the frequency of security scans without addressing the underlying performance issues would not resolve the conflicts and could lead to a false sense of security. Lastly, implementing additional hardening measures without assessing their impact could exacerbate the existing performance issues, leading to further operational disruptions. In summary, the key to effective security management lies in the ability to adapt and refine security measures based on real-world impacts, ensuring that both security and business operations can coexist effectively. This nuanced understanding is critical for CISSP candidates, as it reflects the complexities of managing security in dynamic environments.

When services are left running without a legitimate purpose, they can be exploited by attackers to gain unauthorized access or launch attacks. By closing these ports, the administrator effectively reduces the risk of exploitation. This action aligns with the principle of least privilege, which advocates for limiting access rights for accounts and services to the bare minimum necessary for functionality. While implementing firewall rules (as suggested in option b) can provide an additional layer of security, it does not eliminate the underlying risk associated with running unnecessary services. Monitoring open ports (option c) without taking proactive measures does not address the root cause of the vulnerability. Conducting a vulnerability assessment (option d) is a valuable step in identifying risks, but it should not replace the immediate action of disabling unused services. In summary, the most effective approach to securing the servers involves a proactive strategy of disabling unused services and closing the corresponding logical ports, thereby minimizing potential vulnerabilities and enhancing the overall security posture of the organization. This practice is supported by various security frameworks and guidelines, including the CISSP Common Body of Knowledge (CBK), which emphasizes the importance of reducing unnecessary exposure in network security management.

By systematically analyzing user roles and their associated permissions, the organization can pinpoint discrepancies and make informed decisions about which permissions to revoke. This step is foundational because it establishes a baseline from which further actions can be taken, such as redefining roles or implementing stricter access controls. While implementing a new access control system (option b) may seem beneficial, it is premature without first understanding the existing permissions landscape. Training employees (option c) is important for fostering a security-aware culture, but it does not directly address the immediate issue of excessive permissions. Increasing the frequency of access reviews (option d) may help in the long run, but without first rectifying the current permissions, it could lead to a cycle of ongoing issues rather than a resolution. In summary, the initial focus should be on reviewing and rectifying existing permissions to ensure that the principle of least privilege is effectively implemented, thereby enhancing the overall security posture of the organization.

Additionally, the inclusion of rollback procedures is essential. These procedures outline the steps to revert to the previous state in case the new changes lead to unforeseen issues or failures. This aspect of change management is crucial for maintaining system integrity and availability, particularly in a financial institution where downtime can lead to significant financial losses and reputational damage. While the other options may seem relevant, they do not provide the same level of assurance regarding risk management and compliance with organizational policies. A list of hardware components, for instance, is useful but does not address the broader implications of the change. Similarly, a project timeline is important for project management but does not inherently mitigate risks associated with the change. Lastly, user feedback, while valuable for future improvements, does not directly contribute to the risk assessment and management process during the rebuild. In summary, a comprehensive change request that includes impact analysis and rollback procedures is the most critical element in ensuring that the system rebuild aligns with organizational policies and minimizes risks during the change implementation. This approach adheres to best practices in change management and aligns with the principles outlined in frameworks such as ITIL and COBIT, which emphasize the importance of structured change processes in maintaining operational stability and security.

By addressing the vulnerability promptly, the organization mitigates the risk of data exposure, which is critical given the potential impact on sensitive information. This action also demonstrates compliance with regulatory requirements, such as those outlined in frameworks like ISO/IEC 27001, which mandate that organizations must manage risks associated with information security effectively. Delaying the implementation for a full risk assessment (option b) could lead to increased exposure to risks, as the vulnerability remains unaddressed. Continuing with the implementation as planned (option c) disregards the immediate threat posed by the vulnerability and could result in severe consequences, including data breaches and loss of stakeholder trust. Lastly, informing stakeholders without taking action (option d) does not resolve the issue and could lead to reputational damage if the vulnerability is exploited. In summary, the change management team must prioritize addressing vulnerabilities through emergency change requests, ensuring that all changes are documented, tracked, and audited to uphold the integrity of the change management process and protect the organization from potential threats.

Moreover, the potential impact on the organization must be assessed, considering factors such as regulatory compliance, reputational damage, and financial implications in the event of a breach. This holistic approach aligns with the principles outlined in the CISSP Common Body of Knowledge (CBK), particularly in the domains of Security Risk Management and Security Architecture and Engineering. By prioritizing a thorough risk assessment, the analyst can make an informed decision that balances the benefits of adopting the cloud service against the potential risks, ensuring that the organization maintains a strong security posture while leveraging new technologies. In contrast, relying solely on the provider’s claims, focusing only on cost savings, or implementing the service without proper evaluation would expose the organization to significant risks and potential liabilities.

Change management can be approached through various frameworks such as Agile, Lean, or even custom methodologies that align with an organization’s unique culture and operational requirements. Each of these frameworks provides different tools and techniques that can be tailored to fit the specific context of the organization. For instance, Agile emphasizes iterative progress and flexibility, which can be beneficial in fast-paced environments, while Lean focuses on efficiency and waste reduction. Moreover, the success of change management is often more dependent on the organization’s culture, leadership support, and stakeholder engagement than on the specific framework used. Organizations should assess their needs, existing processes, and the specific challenges they face during transformation to choose the most suitable approach. Therefore, while ITIL can provide valuable guidance, it is not a prerequisite for effective change management, allowing organizations the freedom to explore and implement alternative methodologies that may better suit their objectives and operational realities. This understanding is critical for CISSP candidates as it emphasizes the importance of adaptability and critical thinking in the realm of information security and organizational management.

An effective impact analysis allows stakeholders to assess the implications of the changes, ensuring that all potential issues are identified and addressed before implementation. It also facilitates informed decision-making by providing a clear picture of how the new system will interact with existing infrastructure, which is vital for minimizing disruptions during the transition. While the other options—such as listing personnel involved, creating a timeline, and summarizing previous performance metrics—are important, they do not carry the same weight in terms of immediate operational impact. A list of personnel may help in accountability but does not directly address the risks associated with the changes. A timeline is useful for scheduling but does not provide insight into the effects of the changes. Similarly, performance metrics from the previous system can offer context but do not inform the necessary adjustments required for the new system. In summary, the inclusion of a detailed impact analysis in change management documentation is essential for ensuring that all stakeholders understand the implications of the changes, thereby facilitating a smoother transition and reducing the likelihood of unforeseen complications during the system rebuild. This aligns with best practices in change management as outlined in frameworks such as ITIL and COBIT, which emphasize the importance of thorough analysis and stakeholder engagement in managing change effectively.

In contrast, prioritizing the design of service specifications without understanding the business context (as suggested in option b) can lead to misaligned services that do not meet user needs. Similarly, jumping straight into operational processes (option c) without a strategic foundation can result in reactive rather than proactive service management, potentially exacerbating existing issues rather than resolving them. Lastly, focusing solely on continual improvement (option d) without a structured framework can lead to improvements that are not aligned with business priorities, resulting in wasted resources and efforts. Therefore, the correct approach is to begin with Service Strategy, ensuring that all subsequent phases—Service Design, Service Transition, Service Operation, and Continual Service Improvement—are informed by a solid understanding of the business context. This strategic alignment is fundamental to achieving effective service management and delivering value to the organization.