B.3.5 Security+ SY0-601 Domain 5: Governance, Risk, and Compliance Flashcards
72 questions (plus some of my own)
Which type of control makes use of policies, disaster recovery plans (DRPs), and business continuity plans (BCPs)?
Managerial
Encryption is which type of access control?
Technical
Which of the following are control categories? (Select three.)
Technical
Operational
Managerial
Which of the following is an example of a preventative control type?
An advanced network appliance
Audit trails produced by auditing activities are which type of security control?
Detective
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?
Corrective
Which type of control is used to discourage malicious actors from attempting to breach a network?
Deterrent
Which of the following BEST describes compensating controls?
Partial control solution that is implemented when a control cannot fully meet a requirement
Which security control, if not applied, can allow an attacker to bypass other security controls?
Physical access control
Which of the following standards relates to the use of credit cards?
Payment Card Industry Data Security Standard (PCI DSS)
Which of the following government acts protects medical records and personal health information?
HIPAA
HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?
Privacy
Which of the following is a U.S. federal law, enforced by the SEC, whose audits of internal controls focus on IT security, access controls, data backup, change management, and physical security?
Sarbanes-Oxley (SOX)
Which of the following laws was designed to protect a child’s information on the internet?
Children’s Online Privacy Protection Act (COPPA)
Which of the following security frameworks is used by the federal government and all its departments, including the Department of Defense?
National Institute of Standards and Technology (NIST) frameworks, such as the Risk Management Framework (RMF) and the SP 800-53 control catalog
Which ISO publication lays out guidelines for selecting and implementing security controls?
27002
What is the ISO 27001?
It is the publication that specifies how to establish, implement, maintain, and continually improve an information security management system (ISMS); it is also the standard against which an organization can be audited and certified
What does the ISO 31000 do?
Covers risk management as it pertains to business continuity, safety, environmental results, and the professional reputation of a company
What does the ISO 27701 do?
Covers establishing, implementing, and improving a privacy information management system
Which SOC report covers a set of predetermined controls that are audited over a period of time (typically 6 to 12 months) and produces a detailed report attesting to a company's compliance?
SOC 2 Type II
What is a SOC 2 Type I report?
An attestation that the controls at an organization were suitably designed and in place at a specific point in time (it does not test operating effectiveness over a period)
What is a SOC 3 report?
A non-detailed, general-use summary attesting to a company's compliance. This type of report is used for marketing and letting future partners know that compliance has been met without disclosing the detailed findings of the SOC 2
Which type of report is used for marketing and letting future partners know that compliance has been met?
SOC 3
Which of the following frameworks introduced the first cloud-centric individual certification?
Cloud Security Alliance (CSA), with the Certificate of Cloud Security Knowledge (CCSK)
The Policies, Procedures, and Awareness layer of the security model includes which of the following? (Select two.)
Employee onboarding
User education
Which of the following is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications?
Acceptable use policy (AUP)
Which of the following defines an acceptable use agreement?
An agreement that identifies employees’ rights to use company property, such as internet access and computer equipment, for personal use
Your organization allows employees to bring their own devices into work, but management is concerned that a malicious internal user could use a mobile device to conduct an insider attack.
Which of the following should be implemented to help mitigate this threat?
Implement an AUP that specifies where and when mobile devices can be possessed within the organization
You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities.
Which security principle are you implementing by periodically shifting accounting responsibilities?
Job rotation
Separation of duties is an example of which type of access control?
Preventive
Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
Separation of duties
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal?
Separation of duties
What is the primary purpose of separation of duties?
Prevent conflicts of interest
Which of the following is the BEST example of the principle of least privilege?
Wanda has been given access to the files that she needs for her job
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?
Principle of least privilege
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list?
Implicit deny
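The last few cards (least privilege, separation of duties as a preventive control, and implicit deny) describe how an ACL should behave, so here is a small worked evaluator, added as an example and not part of the original flashcards. It assumes an ordered, first-match ACL (the convention used by most firewalls and many file systems) with a constructed sample ACL and constructed requests; the names wanda, alice, bob, mallory and the group names are made up for the illustration. It shows three things the cards state in words: a request that matches no entry is refused (implicit deny), flipping the default to allow is what lets an unlisted user such as mallory in, and a wildcard allow placed early shadows every entry after it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str  # user or group name; "*" matches any subject
    action: str     # e.g. "read" or "write"; "*" matches any action
    effect: str     # "allow" or "deny"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(acl, principal, groups, action, default_deny=True):
    """First-match evaluation of an ordered ACL.

    The subject matches an entry if the entry names the user, one of the
    user's groups, or "*". If no entry matches, the default applies: with
    default_deny=True that is an implicit deny; default_deny=False is shown
    only to demonstrate why a default-allow ACL is unsafe.
    """
    subjects = {principal, *groups}
    for index, entry in enumerate(acl):
        if entry.principal != "*" and entry.principal not in subjects:
            continue
        if entry.action != "*" and entry.action != action:
            continue
        return Decision(
            entry.effect == "allow",
            f"rule {index}: {entry.principal}/{entry.action} -> {entry.effect}",
        )
    if default_deny:
        return Decision(False, "implicit deny: no matching entry")
    return Decision(True, "default allow: no matching entry (unsafe)")


def shadowed_entries(acl):
    """Return indices of entries that can never fire because an earlier
    entry matches every subject and every action (ordering mistake)."""
    shadowed = []
    for index, entry in enumerate(acl):
        if any(e.principal == "*" and e.action == "*" for e in acl[:index]):
            shadowed.append(index)
    return shadowed


# Constructed sample ACL for a payroll share. Wanda, per the least privilege
# card, gets only what her job needs: read, not write. Contractors are denied
# everything, and the deny is placed first so it wins over any later allow.
SAMPLE_ACL = [
    AclEntry("contractors", "*", "deny"),
    AclEntry("wanda", "read", "allow"),
    AclEntry("finance", "write", "allow"),
]

# Constructed requests: (principal, groups, action)
SAMPLE_REQUESTS = [
    ("wanda", {"staff"}, "read"),                 # explicit allow
    ("wanda", {"staff"}, "write"),                # no entry -> implicit deny
    ("alice", {"finance"}, "write"),              # explicit allow via group
    ("bob", {"finance", "contractors"}, "write"), # deny listed first wins
    ("mallory", set(), "read"),                   # not on the list -> implicit deny
]

# A badly ordered ACL: the broad allow comes first, so the deny is unreachable.
BAD_ACL = [
    AclEntry("*", "*", "allow"),
    AclEntry("contractors", "*", "deny"),
]

if __name__ == "__main__":
    for principal, groups, action in SAMPLE_REQUESTS:
        d = evaluate(SAMPLE_ACL, principal, groups, action)
        print(f"{principal:8} {action:6} -> {'ALLOW' if d.allowed else 'DENY ':5} ({d.reason})")
    d = evaluate(SAMPLE_ACL, "mallory", set(), "read", default_deny=False)
    print(f"mallory read with default allow -> {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print("shadowed entries in BAD_ACL:", shadowed_entries(BAD_ACL))
```

Running the block prints one line per request; the two requests that match no entry (wanda writing, mallory reading) are refused only because the default is deny, which is the point of the implicit deny card. The shadowed_entries check is the kind of lint worth running over a real firewall or share ACL, since a single early "allow any" silently turns every later deny into dead configuration.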