26 Flashcards

1
Q

Statement on Standards for Attestation Engagements 18 (SSAE 18) is a standard from the American Institute of Certified Public Accountants (AICPA). The standard defines three types of System and Organization Controls (SOC) audit reports that review different aspects of a company’s operations. A SOC 2 audit report provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and/or privacy controls, based on their compliance with the AICPA’s Trust Services Criteria (TSC). Furthermore, a SOC 2 Type I audit provides a snapshot of the organization’s control landscape at a specific point in time, while a SOC 2 Type II audit evaluates the effectiveness of controls over a period of at least six consecutive calendar months (in simple terms, “SOC” defines the scope of the audit and “Type” defines the time covered by the audit).

A

True

2
Q

Which of the following answers refers to a nonprofit organization promoting best security practices related to cloud computing environments?

A

**CSA**

Cloud Security Alliance

3
Q

Which of the following answers refers to a cybersecurity control framework for cloud computing?

A

**CCM**

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing.

4
Q

A type of document stipulating rules of behavior to be followed by users of computers, networks, and associated resources is referred to as:

A

**AUP**

An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network, the internet or other resources.

5
Q

From the security standpoint, the job rotation policy enables detection of fraudulent activity within the company/organization.

A

True

6
Q

One of the goals behind the mandatory vacations policy is to mitigate the occurrence of fraudulent activity within the company/organization.

A

True

7
Q

Which of the answers listed below refers to a concept of having more than one person required to complete a given task?

A

Separation of duties

8
Q

A sticky note with a password kept in plain sight in a user’s cubicle would be a violation of which of the following policies?

A

Clean desk policy

9
Q

A legal contract between the holder of confidential information and another person to whom that information is disclosed, prohibiting that other person from disclosing the confidential information to any other party, is known as:

A

**NDA**

A non-disclosure agreement is a legal document which sets rules and principles for the confidentiality of the information to be exchanged.

10
Q

An agreement between a service provider and users defining the nature, availability, quality, and scope of the service to be provided is known as:

A

**SLA**

A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.

11
Q

Which of the following terms refers to an agreement that specifies performance requirements for a vendor?

A

**SLA**

A service-level agreement (SLA) is a contract between a service provider and its customers that documents what services the provider will furnish and defines the service standards the provider is obligated to meet.

12
Q

Which of the following answers refer to a general document established between two or more parties to define their respective responsibilities and expectations in accomplishing a particular goal or mission? (Select 2 answers)

A

  • MOU (Memorandum of Understanding)
  • MOA (Memorandum of Agreement)

13
Q

A type of agreement that specifies generic terms to simplify the negotiation of future contracts between the signing parties is called:

A

**MSA**

In business and legal contexts, MSA often stands for Master Services Agreement. It is a contract that establishes the overarching terms and conditions between a service provider and a client.

14
Q

Which of the following answers refers to a key document governing the relationship between two business organizations?

A

**BPA**

A business partnership agreement (BPA) is a legal agreement between partners.

15
Q

Which of the terms listed below refer to a product/service that no longer receives continuing support? (Select 2 answers)

A

EOL (End of Life)

EOSL (End of Service Life)

16
Q

The “Run as administrator” option in MS Windows allows users with lower-level permissions to perform tasks reserved for system administrators. This feature requires providing Administrator account credentials and temporarily elevates the current user’s privileges to perform a given task. The Linux command that temporarily modifies security privileges to allow the execution of a single command requiring root access permissions is called sudo.

A

True

17
Q

Which of the following terms relates closely to the concept of residual risk?

A

**Risk acceptance**

Risk acceptance is a risk management strategy in which an organization acknowledges the existence of a risk but chooses not to take any specific action to mitigate or transfer it. Instead, the organization is willing to accept the consequences if the risk materializes. This approach is typically chosen when the cost or effort of risk mitigation outweighs the potential impact of the risk, or when the organization has a high tolerance for the risk. Risk acceptance should be a conscious and well-documented decision in a risk management plan.

18
Q

Disabling certain system functions or shutting down the system when risks are identified is an example of:

A

**Risk avoidance**

Risk avoidance is a risk management strategy in which an organization takes actions to eliminate or entirely avoid certain risks. This approach involves making decisions and implementing measures to prevent specific activities or situations that could lead to adverse consequences or harm.

19
Q

Contracting out a specialized technical component when the company’s employees lack the necessary skills is an example of:

A

**Risk transference**

Risk transference is a risk management strategy in which an organization shifts the responsibility for managing a specific risk to another party. This is typically done through contractual agreements, insurance policies, or other arrangements. When an organization transfers risk, it essentially transfers some or all of the financial or operational consequences of a risk to another entity, for example an insurer.

20
Q

Cybersecurity insurance is an example of which risk management strategy?

A

**Risk transference**

Risk transference is a risk management strategy in which an organization shifts the responsibility for managing a specific risk to another party. This is typically done through contractual agreements, insurance policies, or other arrangements. When an organization transfers risk, it essentially transfers some or all of the financial or operational consequences of a risk to another entity, for example an insurer.

21
Q

Which of the following is an example of a risk mitigation strategy?

A

Implementation of security controls

22
Q

Which of the following answers refers to a document containing detailed information on potential cybersecurity risks?

A

**Risk register**

A risk register is a document or tool used in risk management to systematically identify, assess, track, and manage risks within an organization or a specific project. It serves as a central repository for all relevant information about risks and their potential impact on an organization’s objectives.

23
Q

Which of the following answers refer to an assessment tool used for prioritizing the severity of different risks? (Select 2 answers)

A
  • Risk heat map
  • Risk matrix

A risk heat map and a risk matrix are commonly used tools in risk management to visually represent and prioritize risks based on their severity or impact and likelihood or probability. These tools help organizations make informed decisions about which risks to address first and how to allocate resources for risk mitigation.

24
Q

Which of the following statements are not true with regard to risk? (Select 2 answers)

A

  • Inherent risk is the remaining risk after implementing controls
  • Residual risk is the original level of risk that exists before implementing any controls

25
Q

Assessment of risk probability and its impact based on subjective judgment falls into the category of:

A

**Qualitative risk assessment**

Assessment of risk probability and its impact based on subjective judgment falls into the category of “Qualitative risk assessment.”

Qualitative risk assessment relies on expert judgment and qualitative data to evaluate risks. It typically uses scales or categories (e.g., low, medium, high) to assess the likelihood and impact of risks subjectively.

26
Q

A calculation of the Single Loss Expectancy (SLE) is an example of:

A

**Qualitative risk assessment**

Assessment of risk probability and its impact based on subjective judgment falls into the category of “Qualitative risk assessment.”

Qualitative risk assessment relies on expert judgment and qualitative data to evaluate risks. It typically uses scales or categories (e.g., low, medium, high) to assess the likelihood and impact of risks subjectively.

27
Q

In quantitative risk assessment, this term is used for estimating the likelihood of occurrence of a future threat.

A

**ARO**

In quantitative risk assessment, the term used for estimating the likelihood of occurrence of a future threat is “ARO,” which stands for “Annualized Rate of Occurrence.” The ARO represents the probability or frequency of a specific risk event happening within a given year. It is a key component in calculating the Annualized Loss Expectancy (ALE) and is used to quantify the risk associated with that event.

28
Q

Which term describes the predicted loss of value to an asset based on a single security incident?

A

**SLE**

Single Loss Expectancy (SLE) tells us what monetary loss we can expect if an asset is compromised because of a risk.

29
Q

Which of the acronyms listed below refers to a risk assessment formula defining probable financial loss due to a risk over a one-year period?

A

**ALE**

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as: ALE = SLE * ARO.

30
Q

Which of the following answers refers to the correct formula for calculating probable financial loss due to a risk over a one-year period?

A

ALE = ARO * SLE

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as: ALE = SLE * ARO.

31
Q

An estimate based on the historical data of how often a threat would be successful in exploiting a vulnerability is known as:

A

**ARO**

Annualized Rate of Occurrence (ARO) refers to the frequency with which a risk or a threat is expected to occur within a year.

32
Q

Which of the acronyms listed below refers to a maximum tolerable period of time required for restoring business functions after a failure or disaster?

A

**RTO**

The recovery time objective (RTO) is the maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs.

33
Q

In Business Continuity Planning (BCP), the maximum tolerable point in time to which systems and data must be recovered after an outage is called:

A

**RPO**

Recovery point objective (RPO) generally refers to how much data loss a company can tolerate, measured from the point of a disruptive event back to the last data backup, before significant harm to the business occurs.

34
Q

Which of the following terms is used to describe an average time required to repair a failed component or device?

A

**MTTR**

MTTR (mean time to respond) is the average time it takes to recover from a product or system failure from the time when you are first alerted to that failure.

35
Q

A high MTBF value indicates that a component or system provides low reliability and is more likely to fail.

A

False

36
Q

Which of the solutions listed below add(s) redundancy in areas identified as single points of failure? (Select all that apply)

A

  • RAID
  • Dual-power supply
  • Failover clustering
  • Load balancing

37
Q

Which of the following acronyms refers to any type of information pertaining to an individual that can be used to uniquely identify that person?

A

**PII**

Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.

38
Q

The US Health Insurance Portability and Accountability Act (HIPAA) provides privacy protection for: (Select best answer)

A

**PHI**

Protected health information (PHI) is any data about the past, present or future physical or mental health or condition of an individual that is created, received, stored or transmitted by HIPAA-covered entities and their business associates.

39
Q

In the context of IT security, the term “Data minimization” refers to the process of removing all unnecessary characters from the source code to make it less intelligible for humans and faster to process by machines.

A

**False**

In the context of IT security, “Data minimization” does not refer to removing unnecessary characters from source code.

40
Q

Replacing password characters in a password field with a series of asterisks is an example of:

A

**Data masking**

Replacing password characters in a password field with a series of asterisks is an example of “Data masking.” Data masking is a security technique used to hide or obfuscate sensitive data, such as passwords or credit card numbers, by replacing it with fictional or masked characters. This helps protect the confidentiality of the data and prevents unauthorized access to sensitive information.

41
Q

Which of the following privacy-enhancing technologies replaces actual data with a substitute that holds a reference to it but by itself does not represent any valuable information that could be used by an attacker?

A

**Tokenization**

The privacy-enhancing technology that replaces actual data with a substitute that holds a reference to it but by itself does not represent any valuable information that could be used by an attacker is “Tokenization.”

42
Q

The term “Anonymized data” refers to data that is made anonymous in such a way that the original subject or person described by the data can no longer be identified. This type of privacy-enhancing technology is used, for example, during mass population surveys to protect the identity of participants. Pseudo-anonymization (a.k.a. pseudonymization) replaces personal data with artificial identifiers (a.k.a. pseudonyms). The main difference between anonymization and pseudo-anonymization is that in the case of the latter the original data can be restored to its original state with the use of additional reference information enabling the identification of the original subject or person the data pertains to.

A

True