Chapter 1: Security and Risk Management Domain 1 Questions Flashcards

1
Q

Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?

A. Confidentiality
B. Integrity
C. Availability
D. Safety

A

C. Availability

Answer: C Dorian’s nightly backups provide availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.

2
Q

Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:

A. Shareholders
B. Management
C. Users
D. Humanity

A

D. Humanity

Answer: D Aisha’s primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble further states that strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of the other options, answer D is correct.

3
Q

Ian’s private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?

A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address

A

A. Password

Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but a password cannot.

4
Q

Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?

A. Data owner
B. Data subject
C. Data custodian
D. Data processor

A

C. Data custodian

Answer: C Gwendolyn’s role, in this case, is data custodian because she manages data on behalf of the data owners, who are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.

5
Q

Usain has lost his login and password for the Verbal Co. software-as-a-service (SaaS) system set up in 1999. The system is so old that he no longer has the email account needed to recover the password. Verbal Co.’s policy is to not provide credentials via technical support. What is his next BEST step?

A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.

A

A. Scour the dark web for the credentials.

Answer: A Usain’s next best step is to recover credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains clear passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed. Also, if the tapes are recovered, it is likely there are no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.

6
Q

Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?

A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements

A

C. Due care

Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu’s firm is required to follow specific regulations.

7
Q

Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?

A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter

A

D. In a typed or handwritten letter

Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.

8
Q

Which of the following is it only recommended to follow?

A. Policies
B. Procedures
C. Standards
D. Guidelines

A
9
Q

Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?

A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)

A

A. The IT Infrastructure Library (ITIL)

Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.

10
Q

Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?

A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)

A

D. The Payment Card Industry Data Security Standard (PCI-DSS)

Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.

11
Q

Teecee is running the computer sales department and sees that her team has sold $600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?

A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.

A

A. The KPI is 60%, and the KGI is $600,000.

Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.

12
Q

Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?

A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004

A

B. ISO 27002

Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.

13
Q

Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?

A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)

A

C. Implement job rotation

Answer: C Nina’s next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.

14
Q

Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?

A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income

A

A. Collusion

Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility.

15
Q

What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?

A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)

A

A. Total cost of ownership (TCO)

Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage.

16
Q

Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:

A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule

A
17
Q

Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi’s BEST next step?

A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.

A
18
Q

Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed records of the loan agreement?

A. Common access card (CAC)
B. Password
C. Mother’s maiden name
D. His birthday

A
19
Q

Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?

A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)

A
19
Q

Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):

A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)

A
20
Q

Trevor is considering transferring much of his organization’s data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?

A. Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification

A
21
Q

Shewan’s credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?

A. The PCI-DSS is a contractual agreement between the store owner and the credit card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5 years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5 years in state prison.

A
22
Q

Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?

A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)

A
23
Q

Tara’s computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?

A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)

A
24
Q

Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:

A. Social engineering
B. Sextortion
C. Ransomware
D. Spam

A
25
Q

Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?

A. Disable File Transfer Protocol (FTP) and Telnet services.
B. Install the latest security update patches.
C. Remove default logins and passwords.
D. Implement security-hardening standards.

A
26
Q

Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?

A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers’ briefcases when they leave for the day

A
27
Q

Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?

A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras

A
28
Q

Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?

A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext

A
29
Q

Which of the following is NOT a directive control type?

A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign

A
30
Q

Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?

A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance

A
31
Q

Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. On an average year, five laptops are lost, stolen, or damaged. What would be the annualized loss expectancy (ALE) calculation?

A. $10,000
B. $5,000
C. $2,000
D. $1,000

A
32
Q

Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?

A. Quantitative
B. Qualitative
C. Likelihood
D. Impact

A
33
Q

Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?

A. Senior management
B. Security director
C. Security personnel
D. Systems administrator

A
34
Q

Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?

A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.

A
35
Q

Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his boss did not make this request. This represents which type of attack?

A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling

A
36
Q

Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?

A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling

A
37
Q

Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?

A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server

A
38
Q

Which of the following represents an acceptable amount of data loss measured in time?

A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)

A
39
Q

Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?

A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA

A
40
Q

Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:

A. MitM
B. DoS
C. Social engineering
D. Doxxing

A
41
Q

Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?

A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation

A
42
Q

Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?

A. Mirrored site
B. Hot site
C. Warm site
D. Cold site

A
42
Q

Simon needs to calculate risk. Which formula will he use?

A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact

A
43
Q

Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?

A. Defense-in-depth (DiD)
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls.

A
44
Q

Arthur, chief executive officer (CEO) of Funutek, wishes to implement online purchasing via their website. The chief marketing officer (CMO) likes the idea because the new system can double sales. The CSO fears internet attacks and suggests NOT moving forward. How should Arthur proceed?

A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.

A
44
Q

NIST outlines security controls to put in place for federal agencies in which Special Publication (SP)?

A. 800-50
B. 800-51
C. 800-52
D. 800-53

A
45
Q

As part of a disaster strategy, Caty asks management for approval of deploying a warm site. Warm sites are which type of control functionality?

A. Recovery
B. Deterrent
C. Detective
D. Preventative

A
46
Q

Bud has just learned about hacking, knows a little about programming, and likes to bring misery to others. He decides to attempt hacking into his school website to change his grades. This puts him in which class of hackers?

A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat

A
47
Q

When it comes to dual-use goods (items that can be used by the military and ordinary citizens), there are special requirements and agreements for import and export. One that seeks to limit military buildup that could threaten international security is called Conventional Arms and Dual-Use Goods and Technologies, or the:

A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law

A
48
Q

Taylor just won her court case through the benefit of the doubt. Her case falls under which legal system?

A. Contract
B. Administrative
C. Civil
D. Criminal

A
48
Q

Gael and his team have developed the perfect advertising algorithm so that when users search on his website, it leads them exactly to the information they need to reach. What is his BEST approach to assuring the secrecy of this algorithm?

A. Trade secret
B. Patent
C. Copyright
D. Trademark

A
49
Q

Su-wei uses the Linux operating system, and freely copies it and gives it to friends. She is allowed to do this because of which of the following licenses?

A. Shareware
B. Commercial
C. End-user license agreement (EULA)
D. Academic

A
50
Q

The area of United States (US) copyright law that makes it a crime to copy and distribute stolen software is called:

A. DMCA
B. EULA
C. Privacy Act
D. Business Software Alliance (BSA)

A
51
Q

Fritz works with a document providing him step-by-step instructions. Which of the following is he working with?

A. Policies
B. Procedures
C. Standards
D. Guideline

A
52
Q

Naomi needs to calculate the TCO. Which of the following will she NOT use to complete the calculation?

A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost

A
53
Q

Viktor is conducting a risk assessment and needs to determine the percentage of risk his organization would suffer if an asset is compromised. Which of the following signifies this aspect of risk?

A. Safeguards
B. Vulnerabilities
C. Exposure factor
D. Risk

A
54
Q

Ons, a security manager, is working with her team to develop and update policies for staff and vendors. Controls in this area are considered which of the following?

A. Management
B. Operational
C. Technical
D. Logical

A
55
Q

Which of these is NOT true?

A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.

A
56
Q

Kei, a security manager, just completed a risk assessment with his team, and they determined that the new planned plant location was too dangerous, so they decided not to expand there. Which risk response did his team use?

A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance

A
57
Q

Molla, a project engineer, puts together a project, and she adds security according to which of the following life cycles?

A. Requirements, planning, design, test, develop, production, disposal
B. Planning, requirements, design, develop, test, production, disposal
C. Design, develop, requirements, planning, test, production, disposal
D. Planning, design, requirements, test, develop, production, disposal

A
58
Q

Wilfried is the security administrator of a store and is preparing for the PCI-DSS audit. Which is NOT one of the PCI-DSS requirements?

A. Configure switch settings
B. Maintain the firewall
C. Encrypt transmission of credit card transactions
D. Use antivirus software

A
59
Q

Vania, an administrative assistant, has discovered that her employer has been listening to her telephone conversations and reading her emails. She approaches her boss, who shows her that she signed the reasonable expectation of privacy (REP) agreement. Which steps can Vania take next?

A. Report the supervisor to human resources (HR).
B. File a civil lawsuit.
C. Nothing—she waived her rights to phone privacy while at work.
D. Contact the police or federal authorities and open a criminal case.

A
60
Q

Grigor fears he will lose his job if his employer learns of his cancer diagnosis. He does not want which of the following to leak?

A. Health and Human Services (HHS)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
C. HIPAA
D. Personal health information (PHI)

A
61
Q

Martina seeks to press criminal charges against the CEO of RMS Foods Inc. because their employee stole her credit card. What happens next?

A. The government will press charges against the CEO.
B. Conflicts are managed under PCI-DSS agreements, not the government.
C. Conflicts are managed under ISO or NIST certification, not the government.
D. Conflicts are managed under GDPR laws, so there will only be fines.

A
62
Q

Boris is working to complete a design project. He decides to hire a contractor to help complete the project on time. Which type of risk response is he using?

A. Transfer
B. Acceptance
C. Division
D. Avoidance

A
63
Q

Petra uses her own secret formula to manufacture her synthetic gut tennis string. This formula is then stolen by the SGI Strings Company. Which law or agreement has been broken?

A. Patent
B. Trade secret
C. Copyright
D. Trademark

A
64
Q

As Bjorn leaves the office this day, Steffi tells him she overheard men starting to break in earlier that evening to steal documents. The men are later caught, and Bjorn is brought onto the witness stand in court to mention what he heard. This type of evidence is termed which of the following?

A. Conclusive
B. Admissible
C. Hearsay
D. Best evidence

A
65
Q

Garbine performs inspections of whether security policies, procedures, standards, and guidelines are followed according to the organization’s security objectives. What is her role for the firm?

A. Auditor
B. Chief information security officer (CISO)
C. Information security manager (ISM)
D. Data owner

A
66
Q

Which is critical for proper incident response?

A. Evidence handling
B. Security information and event management (SIEM)
C. Intrusion detection system (IDS)
D. Incident response policy

A
67
Q

Novak is preparing a DR exercise and emails the emergency task lists to the DR teams for review. Which type of exercise is he running?

A. Full interruption test
B. Parallel test
C. Tabletop test
D. Checklist test

A
68
Q

Simona is a space fleet lieutenant putting together classifications for her computer system. Which of the following sensitivity systems will she follow?

A. Confidential, private, sensitive, public
B. Top-secret, secret, confidential, unclassified
C. Highly sensitive, sensitive, classified, unclassified
D. Top-secret, secret, classified, unclassified

A
69
Q

Andre has provided his phone number, email address, and home address to Pyramid Grocer so that they can deliver groceries to his home. He is considered to be which of the following?

A. Data owner
B. Data custodian
C. Data subject
D. Data auditor

A
70
Q

Venus needs an administrative control to enhance the confidentiality of data. Which should she choose?

A. DLP system
B. Fencing
C. Security guards
D. NDA

A
71
Q

Juan plans to perform testing on his website and generate random input to see if it is vulnerable to which type of attack?

A. Fuzzing
B. DoS
C. Malware
D. Input validation

A
72
Q

Victoria has worked in several departments of the company, including marketing, quality, and production. An audit found she still has privileges in all of her past departments even though she works in finance. This is called:

A. SoD
B. Collusion
C. Privilege creep
D. Least privilege

A
73
Q

Stan wishes to set up secure authentication for his users. Which of the following is NOT BEST for authentication?

A. Retinal scan
B. Username
C. Palm vein scan
D. CAC

A
74
Q

Billie needs to determine how much risk her organization can handle and still operate efficiently. She will first conduct a:

A. Risk assessment
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance

A
75
Q

Which of the following does NOT require an AUP?

A. Consultant
B. Contractor
C. Employee
D. Computer

A
76
Q

Stefanos has just signed an SLA with NUS Systems. Which of the following is NOT part of the agreement?

A. Financial credit for downtime
B. Alpha services
C. Covered service
D. Service-level objectives (SLOs)

A
77
Q

Madison received an email from Justine stating that $1,000 in funds had been transferred to her. Justine states she never sent the email. Which process would prove Justine sent the email?

A. Fingerprinting
B. Encryption
C. Non-repudiation
D. Hashing

A
78
Q

Security education should be required for whom in an organization?

A. Computer users
B. Everyone
C. Senior executives
D. Security teams

A
79
Q

Lleyton is planning on hiring 50 new engineers. What should be his FIRST step when reviewing new candidates?

A. Make sure prospects pass lie-detector screening.
B. Conduct thorough background checks.
C. Follow the employment candidate-screening process.
D. Perform drug screenings.

A
80
Q

Non-compete agreements (NCAs) are generally unenforceable because:

A. NCAs are illegal.
B. Courts value a citizen’s right to earn a reasonable income.
C. Competition is covered in the NDA.
D. NCAs are always enforceable.

A
81
Q

Ana, a systems engineer, caught Bud stealing corporate financial documents and informed her manager. Which department handles Bud’s termination?

A. HR
B. Security
C. Engineering
D. Finance

A
82
Q

Daniil has finished a successful career with DDA Motors. As part of the exit interview, he’s required to return everything EXCEPT:

A. Last week’s paycheck
B. Smart card
C. Corporate smartphone
D. Employee identifier (ID) card

A
83
Q

Which of the following does NOT represent an asset for an organization?

A. Sunk costs
B. Computer
C. Trademark
D. Staff

A
84
Q

Which is BEST represented as the product of a threat and vulnerability?

A. Safeguard
B. Exposure
C. Risk
D. Breach

A
85
Q

What is the biggest threat to any organization?

A. Pandemics
B. Malware
C. Clear text
D. Disgruntled employees

A
86
Q

Elina is interviewing risk consulting firms. What is the main item she should NOT look for in a qualified firm?

A. Can assist in defining the scope and purpose of risk assessments
B. Categorizes and prioritizes assets
C. Helps in defining acceptable levels of risk.
D. Years of experience in bringing organizations’ risk to zero

A
87
Q

What represents the product of the asset value (AV) and exposure factor (EF)?

A. Annual rate of occurrence (ARO)
B. Single loss expectancy (SLE)
C. ALE
D. Annual cost of a safeguard (ACS)

A
88
Q

An organization is initiating the qualitative risk analysis process. Which of the following is NOT part of the process?

A. Cost versus benefit analysis
B. Educated guesses
C. Opinions considered
D. Multiple experts

A
89
Q

The Risk Management Framework (RMF) is also known as which NIST SP?

A. 800-35
B. 800-36
C. 800-37
D. 800-38

A
90
Q

Feliciano has applied multiple risk mitigations to protect an asset. When should he stop?

A. When risk reaches an acceptable level
B. When the asset becomes unusable
C. After purchasing insurance for the asset.
D. When the risk is reduced to zero.

A
91
Q

According to the Cisco 2020 CISO Benchmark Report, cyber (security) fatigue is defined as virtually giving up on proactively defending against malicious actors. What is the number 1 source of cyber fatigue?

A. Malware
B. Phishing attacks
C. Shadow IT
D. Password management

A
92
Q

Sofia, a senior manager, needs to get a Linux update installed on her team’s server. Central IT has not performed the update even after being asked three times. Sofia selects a team member to install it and work around the IT department. This is BEST referred to as:

A. Self-help
B. Delegation of IT
C. Policy violation
D. Shadow IT

A
93
Q

Benoit, the company CISO, is researching high-security systems that authenticate everything attempting connections to the corporate network. Such an architecture is called:

A. Zed trust
B. No trust
C. Zero trust
D. Null trust

A
94
Q

The following type of security learning yields a credential such as a certificate or a degree:

A. Awareness
B. Education
C. Training
D. Birds of a feather (BOAF) sessions

A
95
Q

For most organizations, which is the most important asset when a firm enters into BCP or DRP mode?

A. People
B. Network
C. Server room
D. Cash

A
96
Q

Eugenie is the production manager at FAUX Widgets, and the lights went out for the entire building. Which action does she execute FIRST?

A. Contact the electric company.
B. Check the fuse box.
C. Follow the DRP plan.
D. Follow the BCP plan.

A