B.3.5 Security+ SY0-601 Domain 5: Governance, Risk, and Compliance Flashcards

72 questions (plus some of my own)

1
Q

Which type of control makes use of policies, disaster recovery plans (DRPs), and business continuity plans (BCPs)?

A

Managerial

2
Q

Encryption is which type of access control?

A

Technical

3
Q

Which of the following are control categories? (Select three.)

A

Technical
Operational
Managerial

4
Q

Which of the following is an example of a preventative control type?

A

An advanced network appliance

5
Q

Audit trails produced by auditing activities are which type of security control?

A

Detective

6
Q

Which access control type is used to implement short-term repairs to restore basic functionality following an attack?

A

Corrective

7
Q

Which type of control is used to discourage malicious actors from attempting to breach a network?

A

Deterrent

8
Q

Which of the following BEST describes compensating controls?

A

Partial control solution that is implemented when a control cannot fully meet a requirement

9
Q

Which security control, if not applied, can allow an attacker to bypass other security controls?

A

Physical access control

10
Q

Which of the following standards relates to the use of credit cards?

A

Personal Card Industry Data Security Standard
(PCI DSS)

11
Q

Which of the following government acts protects medical records and personal health information?

A

HIPAA

12
Q

HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?

A

Privacy

13
Q

Which of the following is a government audit by the SEC that relates to internal controls and focuses on IT security, access controls, data backup, change management, and physical security?

A

Sarbanes-Oxley (SOX)

14
Q

Which of the following laws was designed to protect a child’s information on the internet?

A

Children’s Online Privacy Protection Act (COPPA)

15
Q

Which of the following security frameworks is used by the federal government and all its departments, including the Department of Defense?

A

National Institute of Standards and Technology (NIST)

16
Q

Which ISO publication lays out guidelines for selecting and implementing security controls?

A

27002

17
Q

What is the ISO 27001?

A

It is the publication that covers implementing and improving a security management system as well as an assessment guideline

18
Q

What does the ISO 31000 do?

A

Covers risk management as it pertains to business continuity, safety, environmental results, and the professional reputation of a company

19
Q

What does the ISO 27701 do?

A

Covers establishing, implementing, and improving a privacy information management system

20
Q

Which SOC type reports focus on predetermined controls that are audited and a detailed report that attests to a company’s compliance?

A

II

21
Q

What is a SOC Type I report?

A

An attestation of controls at an organization for a specific point in time

22
Q

What is a SOC Type III report?

A

A non-detailed report attesting to a company’s compliance. This type of report is used for marketing and letting future partners know that compliance has been met

23
Q

Which type of report is used for marketing and letting future partners know that compliance has been met?

A

SOC Type III

24
Q

Which of the following frameworks introduced the first cloud-centric individual certification?

A

Cloud Security Alliance (CSA)

25
Q

The Policies, Procedures, and Awareness layer of the security model includes which of the following? (Select two.)

A

Employee onboarding
User education

26
Q

Which of the following is a policy that defines appropriate and inappropriate usage of company resources, assets, and communications?

A

Acceptable use policy (AUP)

27
Q

Which of the following defines an acceptable use agreement?

A

An agreement that identifies employees’ rights to use company property, such as internet access and computer equipment, for personal use

28
Q

Your organization allows employees to bring their own devices into work, but management is concerned that a malicious internal user could use a mobile device to conduct an insider attack.

Which of the following should be implemented to help mitigate this threat?

A

Implement an AUP that specifies where and when mobile devices can be possessed within the organization

29
Q

You are concerned that the accountant in your organization might have the chance to modify financial information and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities.

Which security principle are you implementing by periodically shifting accounting responsibilities?

A

Job rotation

30
Q

Separation of duties is an example of which type of access control?

A

Preventive

31
Q

Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?

A

Separation of duties

32
Q

You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which security principle should you implement to accomplish this goal?

A

Separation of duties

33
Q

What is the primary purpose of separation of duties?

A

Prevent conflicts of interest

34
Q

Which of the following is the BEST example of the principle of least privilege?

A

Wanda has been given access to the files that she needs for her job

35
Q

You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?

A

Principle of least privilege

36
Q

An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone who is not on the list?

A

Implicit deny

37
Q

You want to implement an access control list in which only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access.

Which of the following methods of access control should the access list use?

A

Explicit allow, implicit deny

38
Q

When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)

A

Clean desk policies
Password policies

39
Q

When you inform an employee that he or she is being terminated, which of the following is the most important activity?

A

Disable his or her network access

40
Q

Your organization has started receiving phishing emails. You suspect that an attacker is attempting to find an employee workstation they can compromise. You know that a workstation can be used as a pivot point to gain access to more sensitive systems.

Which of the following is the MOST important aspect of maintaining network security against this type of attack?

A

User education and training

41
Q

Which of the following would you do to help protect against phishing?

A

Only open emails if you recognize the sender

42
Q

Your company is preparing to enter into a partner relationship with another organization. It will be necessary for the information systems used by each organization to connect and integrate with each other.

Which of the following is of primary importance as you take steps to enter into this partner relationship?

A

Ensure that the integration process maintains the security of each organization’s network

43
Q

Which of the following is defined as a contract that prescribes the technical support or business parameters a provider delivers to its client?

A

Service level agreement

44
Q

What is a service level agreement (SLA)?

A

A guarantee of a specific level of service

45
Q

Your organization entered into an interoperability agreement (IA) with another organization a year ago. As a part of this agreement, a federated trust was established between your domain and the partner domain.

The partnership has been in the ongoing operations phase for almost nine months now. As a security administrator, which tasks should you complete during this phase? (Select two.)

A

Verify compliance with the IA documents
Conduct periodic vulnerability assessments

46
Q

What specifies exactly which services are to be performed by the third party?

A

Service Level Agreement (SLA)

47
Q

What creates an agreement with a vendor to provide services on an ongoing basis?

A

Blanket Purchase Order (BPO)

48
Q

What summarizes which party is responsible for performing specific tasks?

A

Memorandum of Understanding (MOU)

49
Q

What documents how data is to be shared?

A

Interconnection Security Agreement (ISA)

50
Q

What defines how disputes are managed?

A

SLA

51
Q

What specifies a preset discounted pricing structure?

A

BPO

52
Q

If you lose your wallet or purse and it ends up in the wrong hands, several pieces of information could be used to do personal harm to you. These pieces of information include the following:

  • Name and address
  • Driver license number
  • Credit card numbers
  • Date of birth

Which of the following classifications does this information fall into?

A

Personally identifiable information (PII)

53
Q

In a high-security environment, which of the following is the most important concern when removable media is no longer needed?

A

Destruction

54
Q

How often should change-control management be implemented?

A

Any time a production system is altered

55
Q

You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?

A

Change management

56
Q

Which of the following is the primary purpose of change control?

A

Prevent unmanaged change

57
Q

Change control should be used to oversee and manage changes over which aspect of an organization?

A

Every aspect

58
Q

A file server with data is considered which of the following asset types?

A

Both tangible and intangible

59
Q

Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?

A

Usage audit

60
Q

Which of the following is an example of an internal threat?

A

An employee accidentally deletes the new product designs

61
Q

Perpetrators attempt to compromise or affect the operations of a system.
Is this an Active, Passive, External, or Inside attack?

A

Active Attack

62
Q

Unauthorized individuals try to breach a network from off-site.
Is this an Active, Passive, External, or Inside attack?

A

External Attack

63
Q

Attempting to find the root password on a web server by brute force.
Is this an Active, Passive, External, or Inside attack?

A

Active Attack

64
Q

Attempting to gather information without affecting the flow of information on the network.
Is this an Active, Passive, External, or Inside attack?

A

Passive Attack

65
Q

Sniffing network packets or performing a port scan.
Is this an Active, Passive, External, or Inside attack?

A

Passive Attack

66
Q

In healthcare, regulations often dictate that important systems remain unpatched to maintain compliance. Which kind of vulnerability does this introduce?

A

Inherent vulnerabilities

67
Q

Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?

A

Residual risk

68
Q

When analyzing assets, which analysis method assigns financial values to assets?

A

Quantitative

69
Q

Which of the following best defines single loss expectancy (SLE)?

A

The total monetary loss associated with a single occurrence of a threat

70
Q

You have conducted a risk analysis to protect a key company asset. You identify the following values:

  • Asset value = 400
  • Exposure factor = 75
  • Annualized rate of occurrence = .25

What is the single loss expectancy (SLE)?

A

300
SLE = 400 * 75% = 300

71
Q

You have conducted a risk analysis to protect a key company asset. You identify the following values:

  • Asset value = 400
  • Exposure factor = 75
  • Annualized rate of occurrence = .25

What is the annualized loss expectancy (ALE)?

A

75
ALE = 400 * 75% * .25 = 75

72
Q

You have conducted a risk analysis to protect a key company asset. You identify the following values:

  • Asset value = 400
  • Exposure factor = 75
  • Annualized rate of occurrence (ARO) = .25

Countermeasure A has a cost of 320 and protects the asset for four years. Countermeasure B has an annual cost of 85. An insurance policy to protect the asset has an annual premium of 90.

What should you do?

A

Accept the risk or find another countermeasure

73
Q

What is the average number of times that a specific risk is likely to be realized in a single year?

A

Annualized rate of occurrence

74
Q

When conducting a risk assessment, how is the annualized rate of occurrence (ARO) calculated?

A

Through historical data provided by insurance companies and crime statistics

75
Q

A broken water pipe that floods the reception area would be considered which type of threat?

A

Natural

76
Q

Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?

A

Recovery time objective (RTO)

77
Q

When should a hardware device be replaced in order to minimize downtime?

A

Just before its mean time between failures (MTBF) is reached

78
Q

When recovering from a disaster, which services should you stabilize first?

A

Mission-critical services

79
Q

Your organization has suffered a data breach, and it was made public. As a result, stock prices have fallen, as consumers no longer trust the organization.

Which of the following BEST describes the type of consequence your organization has suffered due to the breach?

A

Reputation damage

80
Q

Your organization has discovered that an overseas company has reverse-engineered and copied your main product and is now selling a counterfeit version.

Which of the following BEST describes the type of consequence your organization has suffered?

A

IP theft

81
Q

A user copies files from her desktop computer to a USB flash device and puts the device into her pocket. Which of the following security risks is most pressing?

A

Confidentiality

82
Q

The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

A

Confidential

83
Q

If this information is released, it poses high risks to national security.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

A

Top Secret

84
Q

This information can be accessed by the public and poses no security threat.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

A

Unclassified

85
Q

If this information is disclosed, it could cause some harm, but not a national disaster.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

A

Sensitive But Unclassified

86
Q

If this information is disclosed, it could cause high risk and permanent damage to military actions.

Is this Unclassified, Sensitive But Unclassified, Confidential, Secret, or Top Secret information?

A

Secret

87
Q

Which DLP method works by replacing sensitive data with realistic fictional data?

A

Masking

88
Q

Your organization is having a third party come in and perform an audit on the financial records. You want to ensure that the auditor has access to the data they need while keeping the customers’ data secure. To accomplish this goal, you plan to implement a mask that replaces the client names and account numbers with fictional data.

Which masking method are you implementing?

A

Dynamic

89
Q

Which of the following BEST describes dynamic data masking? (Select two.)

A

It replaces original information with a mask that mimics the original in form and function

It can be used to control which users can see the actual data

90
Q

Tokenization is another effective tool in data loss prevention. Tokenization does which of the following? (Select two.)

A

Protects data on its server with authentication and authorization protocols

Replaces actual data with a randomly generated alphanumeric character set