B.3.5 Security+ SY0-601 Domain 5: Governance, Risk, and Compliance

Question 1

Which type of control makes use of policies, disaster recovery plans (DPRs), and business continuity plans (BCPs)?

Answer 1

Managerial

Question 2

Encryption is which type of access control?

Answer 2

Technical

Question 3

Which of the following are control categories? (Select three.)

Answer 3

Technical
Operational
Managerial

Question 4

Which of the following is an example of a preventative control type?

Answer 4

An advanced network appliance

Question 5

Audit trails produced by auditing activities are which type of security control?

Answer 5

Detective

Question 6

Which access control type is used to implement short-term repairs to restore basic functionality following an attack?

Answer 6

Corrective

Question 7

Which type of control is used to discourage malicious actors from attempting to breach a network?

Answer 7

Deterrent

Question 8

Which of the following BEST describes compensating controls?

Answer 8

Partial control solution that is implemented when a control cannot fully meet a requirement

Question 9

Which security control, if not applied, can allow an attacker to bypass other security controls?

Answer 9

Physical access control

Question 10

Which of the following standards relates to the use of credit cards?

Answer 10

Personal Card Industry Data Security Standard
(PCI DSS)

Question 11

Which of the following government acts protects medical records and personal health information?

Answer 11

HIPAA

Question 12

HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?

Answer 12

Privacy

Question 13

Which of the following is a government audit by the SEC that relates to internal controls and focuses on IT security, access controls, data backup, change management, and physical security?

Answer 13

Sarbanes-Oxley (SOX)

Question 14

Which of the following laws was designed to protect a child’s information on the internet?

Answer 14

Children’s Online Privacy Protection Act (COPPA)

Question 15

Which of the following security frameworks is used by the federal government and all its departments, including the Department of Defense?

Answer 15

National Institute of Standards and Technology (NIST)

Question 16

Which ISO publication lays out guidelines for selecting and implementing security controls?

Answer 16

27002

Question 17

What is the ISO 27001?

Answer 17

It is the publication that covers implementing and improving a security management system as well as an assessment guideline

Question 18

What does the ISO 31000 do?

Answer 18

Covers risk management as it pertains to business continuity, safety, environmental results, and the professional reputation of a company

Question 19

What does the ISO 27701 do?

Answer 19

Covers establishing, implementing, and improving a privacy information management system

Question 20

Which SOC type reports focus on predetermined controls that are audited and a detailed report that attests to a company’s compliance?

Answer 20

II

Question 21

What is a SOC Type I report?

Answer 21

An attestation of controls at an organization for a specific point in time

Question 22

What is a SOC Type III report?

Answer 22

A non-detailed report attesting to a company’s compliance. This type of report is used for marketing and letting future partners know that compliance has been met

Question 23

Which type of report is used for marketing and letting future partners know that compliance has been met?

Answer 23

SOC Type III

Question 24

Which of the following frameworks introduced the first cloud-centric individual certification?

Answer 24

Cloud Security Alliance (CSA)

Question 25

The Policies, Procedures, and Awareness layer of the security model includes which of the following? (Select two.)

Answer 25

Employee onboarding
User education

Question 26

Which of the following is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications?

Answer 26

Acceptable use policy (AUP)

Question 27

Which of the following defines an acceptable use agreement?

Answer 27

An agreement that identifies employees’ rights to use company property, such as internet access and computer equipment, for personal use

Question 28

Your organization allows employees to bring their own devices into work, but management is concerned that a malicious internal user could use a mobile device to conduct an insider attack.

Which of the following should be implemented to help mitigate this threat?

Answer 28

Implement an AUP that specifies where and when mobile devices can be possessed within the organization

Question 29

You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities.

Which security principle are you implementing by periodically shifting accounting responsibilities?

Answer 29

Job rotation

Question 30

Separation of duties is an example of which type of access control?

Answer 30

Preventive

Question 31

Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?

Answer 31

Separation of duties

Question 32

You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal?

Answer 32

Separation of duties

Question 33

What is the primary purpose of separation of duties?

Answer 33

Prevent conflicts of interest

Question 34

Which of the following is the BEST example of the principle of least privilege?

Answer 34

Wanda has been given access to the files that she needs for her job

Question 35

You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?

Answer 35

Principle of least privilege

Question 36

An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list?

Answer 36

Implicit deny

Question 37

You want to implement an access control list in which only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access.

Which of the following methods of access control should the access list use?

Answer 37

Explicit allow, implicit deny

Question 38

When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)

Answer 38

Clean desk policies
Password policies

Question 39

When you inform an employee that he or she is being terminated, which of the following is the most important activity?

Answer 39

Disable his or her network access

Question 40

Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems.

Which of the following is the MOST important aspect of maintaining network security against this type of attack?

Answer 40

User education and training

Question 41

Which of the following would you do to help protect against phishing?

Answer 41

Only open emails if you recognize the sender

Question 42

Your company is preparing to enter into a partner relationship with another organization. It will be necessary for the information systems used by each organization to connect and integrate with each other.

Which of the following is of primary importance as you take steps to enter into this partner relationship?

Answer 42

Ensure that the integration process maintains the security of each organization’s network

Question 43

Which of the following is defined as a contract that prescribes the technical support or business parameters a provider bestows to its client?

Answer 43

Service level agreement

Question 44

What is a service level agreement (SLA)?

Answer 44

A guarantee of a specific level of service

Question 45

Your organization entered into an interoperability agreement (IA) with another organization a year ago. As a part of this agreement, a federated trust was established between your domain and the partner domain.

The partnership has been in the ongoing operations phase for almost nine months now. As a security administrator, which tasks should you complete during this phase? (Select two.)

Answer 45

Verify compliance with the IA documents
Conduct periodic vulnerability assessments

Question 46

What specifies exactly which services are to be performed by the third party?

Answer 46

Service Level Agreement (SLA)

Question 47

What creates an agreement with a vendor to provide services on an ongoing basis?

Answer 47

Blanket Purchase Order (BPO)

Question 48

What summarizes which party is responsible for performing specific tasks?

Answer 48

Memorandum of Understanding (MOU)

Question 49

What documents how data is to be shared?

Answer 49

Interconnection Security Agreement (ISA)

Question 50

What defines how disputes are managed?

Answer 50

SLA

Question 51

What specifies a preset discounted pricing structure?

Answer 51

BPO

Question 52

If you lose your wallet or purse and it ends up in the wrong hands, several pieces of information could be used to do personal harm to you. These pieces of information include the following:

• Name and address
• Driver license number
• Credit card numbers
• Date of birth

Which of the following classifications does this information fall into?

Answer 52

Personally identifiable information (PII)

Question 53

In a high-security environment, which of the following is the most important concern when removable media is no longer needed?

Answer 53

Destruction

Question 54

How often should change-control management be implemented?

Answer 54

Any time a production system is altered

Question 55

You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?

Answer 55

Change management

Question 56

Which of the following is the primary purpose of change control?

Answer 56

Prevent unmanaged change

Question 57

Change control should be used to oversee and manage changes over which aspect of an organization?

Answer 57

Every aspect

Question 58

A file server with data is consider which of the following asset types?

Answer 58

Both tangible and intangible

Question 59

Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?

Answer 59

Usage audit

Question 60

Which of the following is an example of an internal threat?

Answer 60

An employee accidentally deletes the new product designs

Question 61

Perpetrators attempt to compromise or affect the operations of a system.
Is this an Active, Passive, External, or Inside attack?

Answer 61

Active Attack

Question 62

Unauthorized individuals try to breach a network from off-site.
Is this an Active, Passive, External, or Inside attack?

Answer 62

External Attack

Question 63

Attempting to find the root password on a web server by brute force.
Is this an Active, Passive, External, or Inside attack?

Answer 63

Active Attack

Question 64

Attempting to gather information without affecting the flow of information on the network.
Is this an Active, Passive, External, or Inside attack?

Answer 64

Passive Attack

Question 65

Sniffing network packets or performing a port scan.
Is this an Active, Passive, External, or Inside attack?

Answer 65

Passive Attack

Question 66

In healthcare, regulations often dictate that important systems remain unpatched to maintain compliance. Which kind of vulnerability does this introduce?

Answer 66

Inherent vulnerabilities

Question 67

Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?

Answer 67

Residual risk

Question 68

When analyzing assets, which analysis method assigns financial values to assets?

Answer 68

Quantitative

Question 69

Which of the following best defines single loss expectancy (SLE)?

Answer 69

The total monetary loss associated with a single occurrence of a threat

Question 70

You have conducted a risk analysis to protect a key company asset. You identify the following values:

• Asset value = 400
• Exposure factor = 75
• Annualized rate of occurrence = .25

What is the single loss expectancy (SLE)?

Answer 70

300
SLE = 400 * 75% = 300

Question 71

You have conducted a risk analysis to protect a key company asset. You identify the following values:

• Asset value = 400
• Exposure factor = 75
• Annualized rate of occurrence = .25

What is the annualized loss expectancy (ALE)?

Answer 71

75
ALE = 400 * 75% * .25 = 75

Question 72

You have conducted a risk analysis to protect a key company asset. You identify the following values:

• Asset value = 400
• Exposure factor = 75
• Annualized rate of occurrence (ARO) = .25

Countermeasure A has a cost of 320 and protects the asset for four years. Countermeasure B has an annual cost of 85. An insurance policy to protect the asset has an annual premium of 90.

What should you do?

Answer 72

Accept the risk or find another countermeasure

Question 73

What is the average number of times that a specific risk is likely to be realized in a single year?

Answer 73

Annualized rate of occurrence

Question 74

When conducting a risk assessment, how is the annualized rate of occurrence (ARO) calculated?

Answer 74

Through historical data provided by insurance companies and crime statistics

Question 75

A broken water pipe that floods the reception area would be considered which type of threat?

Answer 75

Natural

Question 76

Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?

Answer 76

Recovery time objective (RTO)

Question 77

When should a hardware device be replaced in order to minimize downtime?

Answer 77

Just before its mean time between failures (MTBF) is reached

Question 78

When recovering from a disaster, which services should you stabilize first?

Answer 78

Mission-critical services

Question 79

Your organization has suffered a data breach, and it was made public. As a result, stock prices have fallen, as consumers no longer trust the organization.

Which of the following BEST describes the type of consequence your organization has suffered due to the breach?

Answer 79

Reputation damage

Question 80

Your organization has discovered that an overseas company has reverse-engineered and copied your main product and is now selling a counterfeit version.

Which of the following BEST describes the type of consequence your organization has suffered?

Answer 80

IP theft

Question 81

A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing?

Answer 81

Confidentiality

Question 82

The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

Answer 82

Confidential

Question 83

If this information is released, it poses high risks to national security.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

Answer 83

Top Secret

Question 84

This information can be access by the public and poses no security threat.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

Answer 84

Unclassified

Question 85

If this information is disclosed, it could cause some harm, but not a national disaster.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

Answer 85

Sensitive But Unclassified

Question 86

If this information is disclosed, it could cause high risk and permanent damage to military actions.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

Answer 86

Secret

Question 87

Which DLP method works by replacing sensitive data with realistic fictional data?

Answer 87

Masking

Question 88

Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers’ data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data.

Which masking method are you implementing?

Answer 88

Dynamic

Question 89

Which of the following BEST describes dynamic data masking? (Select two.)

Answer 89

It replaces original information with a mask that mimics the original in form and function

It can be used to control which users can see the actual data

Question 90

Tokenization is another effective tool in data loss prevention. Tokenization does which of the following? (Select two.)

Answer 90

Protects data on its server with authentication and authorization protocols

Replaces actual data with a randomly generated alphanumeric character set