B.3.5 Security+ SY0-601 Domain 5: Governance, Risk, and Compliance Flashcards
72 questions (plus some of my own)
Which type of control makes use of policies, disaster recovery plans (DRPs), and business continuity plans (BCPs)?
Managerial
Encryption is which type of access control?
Technical
Which of the following are control categories? (Select three.)
Technical
Operational
Managerial
Which of the following is an example of a preventative control type?
An advanced network appliance
Audit trails produced by auditing activities are which type of security control?
Detective
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?
Corrective
Which type of control is used to discourage malicious actors from attempting to breach a network?
Deterrent
Which of the following BEST describes compensating controls?
Partial control solution that is implemented when a control cannot fully meet a requirement
Which security control, if not applied, can allow an attacker to bypass other security controls?
Physical access control
Which of the following standards relates to the use of credit cards?
Personal Card Industry Data Security Standard (PCI DSS)
Which of the following government acts protects medical records and personal health information?
HIPAA
HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?
Privacy
Which of the following is a government audit by the SEC that relates to internal controls and focuses on IT security, access controls, data backup, change management, and physical security?
Sarbanes-Oxley (SOX)
Which of the following laws was designed to protect a child’s information on the internet?
Children’s Online Privacy Protection Act (COPPA)
Which of the following security frameworks is used by the federal government and all its departments, including the Department of Defense?
National Institute of Standards and Technology (NIST)
Which ISO publication lays out guidelines for selecting and implementing security controls?
27002
What is the ISO 27001?
It is the publication that covers implementing and improving a security management system as well as an assessment guideline
What does the ISO 31000 do?
Covers risk management as it pertains to business continuity, safety, environmental results, and the professional reputation of a company
What does the ISO 27701 do?
Covers establishing, implementing, and improving a privacy information management system
Which SOC type reports focus on predetermined controls that are audited and a detailed report that attests to a company’s compliance?
II
What is a SOC Type I report?
An attestation of controls at an organization for a specific point in time
What is a SOC Type III report?
A non-detailed report attesting to a company’s compliance. This type of report is used for marketing and letting future partners know that compliance has been met
Which type of report is used for marketing and letting future partners know that compliance has been met?
SOC Type III
Which of the following frameworks introduced the first cloud-centric individual certification?
Cloud Security Alliance (CSA)
The Policies, Procedures, and Awareness layer of the security model includes which of the following? (Select two.)
Employee onboarding
User education
Which of the following is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications?
Acceptable use policy (AUP)
Which of the following defines an acceptable use agreement?
An agreement that identifies employees’ rights to use company property, such as internet access and computer equipment, for personal use
Your organization allows employees to bring their own devices into work, but management is concerned that a malicious internal user could use a mobile device to conduct an insider attack.
Which of the following should be implemented to help mitigate this threat?
Implement an AUP that specifies where and when mobile devices can be possessed within the organization
You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities.
Which security principle are you implementing by periodically shifting accounting responsibilities?
Job rotation
Separation of duties is an example of which type of access control?
Preventive
Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
Separation of duties
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal?
Separation of duties
What is the primary purpose of separation of duties?
Prevent conflicts of interest
Which of the following is the BEST example of the principle of least privilege?
Wanda has been given access to the files that she needs for her job
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?
Principle of least privilege
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list?
Implicit deny
You want to implement an access control list in which only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access.
Which of the following methods of access control should the access list use?
Explicit allow, implicit deny
When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)
Clean desk policies
Password policies
When you inform an employee that he or she is being terminated, which of the following is the most important activity?
Disable his or her network access
Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems.
Which of the following is the MOST important aspect of maintaining network security against this type of attack?
User education and training
Which of the following would you do to help protect against phishing?
Only open emails if you recognize the sender
Your company is preparing to enter into a partner relationship with another organization. It will be necessary for the information systems used by each organization to connect and integrate with each other.
Which of the following is of primary importance as you take steps to enter into this partner relationship?
Ensure that the integration process maintains the security of each organization’s network
Which of the following is defined as a contract that prescribes the technical support or business parameters a provider bestows to its client?
Service level agreement
What is a service level agreement (SLA)?
A guarantee of a specific level of service
Your organization entered into an interoperability agreement (IA) with another organization a year ago. As a part of this agreement, a federated trust was established between your domain and the partner domain.
The partnership has been in the ongoing operations phase for almost nine months now. As a security administrator, which tasks should you complete during this phase? (Select two.)
Verify compliance with the IA documents
Conduct periodic vulnerability assessments
What specifies exactly which services are to be performed by the third party?
Service Level Agreement (SLA)
What creates an agreement with a vendor to provide services on an ongoing basis?
Blanket Purchase Order (BPO)
What summarizes which party is responsible for performing specific tasks?
Memorandum of Understanding (MOU)
What documents how data is to be shared?
Interconnection Security Agreement (ISA)
What defines how disputes are managed?
SLA
What specifies a preset discounted pricing structure?
BPO
If you lose your wallet or purse and it ends up in the wrong hands, several pieces of information could be used to do personal harm to you. These pieces of information include the following:
- Name and address
- Driver license number
- Credit card numbers
- Date of birth
Which of the following classifications does this information fall into?
Personally identifiable information (PII)
In a high-security environment, which of the following is the most important concern when removable media is no longer needed?
Destruction
How often should change-control management be implemented?
Any time a production system is altered
You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?
Change management
Which of the following is the primary purpose of change control?
Prevent unmanaged change
Change control should be used to oversee and manage changes over which aspect of an organization?
Every aspect
A file server with data is considered which of the following asset types?
Both tangible and intangible
Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?
Usage audit
Which of the following is an example of an internal threat?
An employee accidentally deletes the new product designs
Perpetrators attempt to compromise or affect the operations of a system.
Is this an Active, Passive, External, or Inside attack?
Active Attack
Unauthorized individuals try to breach a network from off-site.
Is this an Active, Passive, External, or Inside attack?
External Attack
Attempting to find the root password on a web server by brute force.
Is this an Active, Passive, External, or Inside attack?
Active Attack
Attempting to gather information without affecting the flow of information on the network.
Is this an Active, Passive, External, or Inside attack?
Passive Attack
Sniffing network packets or performing a port scan.
Is this an Active, Passive, External, or Inside attack?
Passive Attack
In healthcare, regulations often dictate that important systems remain unpatched to maintain compliance. Which kind of vulnerability does this introduce?
Inherent vulnerabilities
Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?
Residual risk
When analyzing assets, which analysis method assigns financial values to assets?
Quantitative
Which of the following best defines single loss expectancy (SLE)?
The total monetary loss associated with a single occurrence of a threat
You have conducted a risk analysis to protect a key company asset. You identify the following values:
- Asset value = 400
- Exposure factor = 75
- Annualized rate of occurrence = .25
What is the single loss expectancy (SLE)?
300
SLE = 400 * 75% = 300
You have conducted a risk analysis to protect a key company asset. You identify the following values:
- Asset value = 400
- Exposure factor = 75
- Annualized rate of occurrence = .25
What is the annualized loss expectancy (ALE)?
75
ALE = 400 * 75% * .25 = 75
You have conducted a risk analysis to protect a key company asset. You identify the following values:
- Asset value = 400
- Exposure factor = 75
- Annualized rate of occurrence (ARO) = .25
Countermeasure A has a cost of 320 and protects the asset for four years. Countermeasure B has an annual cost of 85. An insurance policy to protect the asset has an annual premium of 90.
What should you do?
Accept the risk or find another countermeasure
What is the average number of times that a specific risk is likely to be realized in a single year?
Annualized rate of occurrence
When conducting a risk assessment, how is the annualized rate of occurrence (ARO) calculated?
Through historical data provided by insurance companies and crime statistics
A broken water pipe that floods the reception area would be considered which type of threat?
Natural
Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?
Recovery time objective (RTO)
When should a hardware device be replaced in order to minimize downtime?
Just before its mean time between failures (MTBF) is reached
When recovering from a disaster, which services should you stabilize first?
Mission-critical services
Your organization has suffered a data breach, and it was made public. As a result, stock prices have fallen, as consumers no longer trust the organization.
Which of the following BEST describes the type of consequence your organization has suffered due to the breach?
Reputation damage
Your organization has discovered that an overseas company has reverse-engineered and copied your main product and is now selling a counterfeit version.
Which of the following BEST describes the type of consequence your organization has suffered?
IP theft
A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing?
Confidentiality
The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.
Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?
Confidential
If this information is released, it poses high risks to national security.
Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?
Top Secret
This information can be accessed by the public and poses no security threat.
Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?
Unclassified
If this information is disclosed, it could cause some harm, but not a national disaster.
Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?
Sensitive But Unclassified
If this information is disclosed, it could cause high risk and permanent damage to military actions.
Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?
Secret
Which DLP method works by replacing sensitive data with realistic fictional data?
Masking
Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers’ data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data.
Which masking method are you implementing?
Dynamic
Which of the following BEST describes dynamic data masking? (Select two.)
It replaces original information with a mask that mimics the original in form and function
It can be used to control which users can see the actual data
Tokenization is another effective tool in data loss prevention. Tokenization does which of the following? (Select two.)
Protects data on its server with authentication and authorization protocols
Replaces actual data with a randomly generated alphanumeric character set