Chapter 1: Security and Risk Management Domain 1 Questions Flashcards
Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
C. Availability
Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
A. Shareholders
B. Management
C. Users
D. Humanity
D. Humanity
00Answer: D Aisha’s primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble finally states: strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of the other options, answer D is correct.
Ian’s private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
A. Password
Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password
Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
C. Data custodian
Answer: C Gwendolyn’s job, in this case, is the data custodian because her role is to manage data for the data owners, which are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.
Usain has lost his login and password for the Verbal Co. software-as-a-service (SAAS) system set up in 1999. The system is so old, he no longer has the email account to recover the password. Verbal Co.’s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
A. Scour the dark web for the credentials.
Answer: A Usain’s next best step is to recover credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains clear passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed. Also, if the tapes are recovered, it is likely there are no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.
Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
C. Due care
Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu’s firm is required to follow specific regulations.
Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
D. In a typed or handwritten letter
Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
Which of the following is it only recommended to follow?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Guidelines are only recommended to follow, meaning they are not mandatory but provide suggested best practices or actions to take in a specific situation.
Key points about guidelines in the CISSP context:
Based on policies and standards:
Guidelines are derived from and support established policies and standards. They offer further elaboration on how to implement those requirements.’
Flex1ible application:
Depending on the specific circumstances, guidelines can be adapted or adjusted to fit the needs of the organization.
Not enforceable:
Unlike policies and standards, there are no formal consequences for not adhering to guidelines. However, they still serve as valuable guidance for good security practices.
Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
A. The IT Infrastructure Library (ITIL)
Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.
Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
D. The Payment Card Industry Data Security Standard (PCI-DSS)
Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.
Teecee is running the computer sales department and sees that her team has sold $600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
A. The KPI is 60%, and the KGI is $600,000.
Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.
Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
B. ISO 27002
Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.
Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)
C. Implement job rotation
Answer: C Nina’s next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.
Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
A. Collusion
Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility.
What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
A. Total cost of ownership (TCO)
Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage
Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
C. Prudent Person Principle
This principle is a standard of care that a reasonably prudent person would follow in certain situations. Due care focuses more on preventing harm to people.
Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi’s BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
Answer: D Follow corporate policies on staff management.
Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed records of the loan agreement?
A. Common access card (CAC)
B. Password
C. Mother’s maiden name
D. His birthday
Answer: A. Common access card (CAC)
Scoop will use the CAC. This is the best authentication type to combine something-that-you-know authentication with. Since your password, mother’s maiden name, and birthday are all something you know, these combined with a PIN would simply be single-factor authentication (SFA)
Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)
C. General Data Protection Regulation (GDPR)
Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients and to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject’s right to be forgotten, which is not a part of most other privacy acts). The FTC focuses on US trade and consumer protections. HIPAA affects hospitals and other medical providers. SOX makes corporate fraud a criminal act.
Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
Answer: B Contract
If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states Dito will use the product in an acceptable manner. Intellectual property (IP) is works or inventions that have value to an organization.
Trevor is considering transferring much of his organization’s data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification
Answer: A Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
Trevor would consider CSA STAR certification, which demonstrates the cloud service provider’s (CSP) adherence to privacy and security best practices and is the only vendor-neutral option. Azure certification is a Microsoft-only standard. AWS is an Amazon-only standard. RH cloud certification is a Red Hat-only standard.
Shewan’s credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5 years in federal prison.
C. The PCI-DSS is an industry-standard. At worst, the owner will lose their credit card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5 years in state prison.
Answer: A PCI-DSS is a contractual standard between stores and credit card providers. Vendors agree to provide minimal security measures to protect customer PII. Results from poor audits risk the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is a contractual standard. PCI-DSS is not an industry standard, and there is no credit card license. Industry standards are non-contractual agreements - for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
Answer: D Service-level agreement (SLA)
Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
Tara’s computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:
A. Social engineering
B. Sextortion
C. Ransomware
D. Spam
Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?
A. Disable File Transfer Protocol (FTP) and Telnet services.
B. Install the latest security update patches.
C. Remove default logins and passwords.
D. Implement security-hardening standards.
Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers’ briefcases when they leave for the day
Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?
A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras
Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
Which of the following is NOT a directive control type?
A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. On an average year, five laptops are lost, stolen, or damaged. What would be the annualized loss expectancy (ALE) calculation?
A. $10,000
B. $5,000
C. $2,000
D. $1,000
Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?
A. Quantitative
B. Qualitative
C. Likelihood
D. Impact
Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.
Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his boss did not make this request. This represents which type of attack?
A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling
Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?
A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling
Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
Which of the following represents an acceptable amount of data loss measured in time?
A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA
Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:
A. MitM
B. DoS
C. Social engineering
D. Doxxing
Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation
Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
Simon needs to calculate risk. Which formula will he use?
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?
A. Defense-in-depth (DiD)
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls.
Arthur, chief executive officer (CEO) of Funutek, wishes to implement online purchasing via their website. The chief marketing officer (CMO) likes the idea because the new system can double sales. The CSO fears internet attacks and suggests NOT moving forward. How should Arthur proceed?
A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.
NIST outlines security controls to put in place of federal agencies in which Special Publication (SP)?
A. 800-50
B. 800-51
C. 800-52
D. 800-53
As part of a disaster strategy, Caty asks management for approval of deploying a warm site. Warm sites are which type of control functionality?
A. Recovery
B. Deterrent
C. Detective
D. Preventative
Bud has just learned about hacking, knows a little about programming, and likes to bring misery to others. He decides to attempt hacking into his school website to change his grades. This puts him in which class of hackers?
A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat
When it comes to dual-use goods (items that can be used by the military and ordinary citizens), there are special requirements and agreements for import and export. One that seeks to limit military buildup that could threaten international security is called Conventional Arms and Dual-Use Goods and Technologies, or the:
A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law
Taylor just won her court case through the benefit of the doubt. Her case falls under which legal system?
A. Contract
B. Administrative
C. Civil
D. Criminal
Gael and his team have developed the perfect advertising algorithm so that when users search on his website, it leads them exactly to the information they need to reach. What is his BEST approach to assuring the secrecy of this algorithm?
A. Trade secret
B. Patent
C. Copyright
D. Trademark
Su-wei uses the Linux operating system, and freely copies it and gives it to friends. She is allowed to do this because of which of the following licenses?
A. Shareware
B. Commercial
C. End-user license agreement (EULA)
D. Academic
The area of United States (US) copyright law that makes it a crime to copy and distribute stolen software is called:
A. DMCA
B. EULA
C. Privacy Act
D. Business Software Alliance (BSA)
Fritz works with a document providing him step-by-step instructions. Which of the following is he working with?
A. Policies
B. Procedures
C. Standards
D. Guideline
Naomi needs to calculate the TCO. Which of the following will she NOT use to complete the calculation?
A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost
Viktor is conducting a risk assessment and needs to determine the percentage of risk his organization would suffer if an asset is compromised. Which of the following signifies this aspect of risk?
A. Safeguards
B. Vulnerabilities
C. Exposure factor
D. Risk
Ons, a security manager, is working with her team to develop and update policies for staff and vendors. Controls in this area are considered which of the following?
A. Management
B. Operational
C. Technical
D. Logical
Which of these is NOT true?
A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.
Kei, a security manager, just completed a risk assessment with his team, and they determined that the new planned plant location was too dangerous, so they decided not to expand there. Which risk response did his team use?
A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance
Molla, a project engineer, puts together a project, and she adds security according to which of the following life cycles?
A. Requirements, planning, design, test, develop, production, disposal
B. Planning, requirements, design, develop, test, production, disposal
C. Design, develop, requirements, planning, test, production, disposal
D. Planning, design, requirements, test, develop, production, disposal
Wilfried is the security administrator of a store and is preparing for the PCI-DSS audit. Which is NOT one of the PCI-DSS requirements?
A. Configure switch settings
B. Maintain the firewall
C. Encrypt transmission of credit card transactions
D. Use antivirus software
Vania, an administrative assistant, has discovered that her employer has been listening to her telephone conversations and reading her emails. She approaches her boss, and she shows her that she signed the reasonable expectation of privacy (REP) agreement. Which steps can Vania take next?
A. Report the supervisor to human resources (HR).
B. File a civil lawsuit.
C. Nothing—she waived her rights to phone privacy while at work.
D. Contact the police or federal authorities and open a criminal case.
Grigor fears he will lose his job if his employer learns of his cancer diagnosis. He does not want which of the following to leak?
A. Health and Human Services (HHS)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
C. HIPAA
D. Personal health information (PHI)
Martina seeks to press criminal charges against the CEO of RMS Foods Inc. because their employee stole her credit card. What happens next?
A. The government will press charges against the CEO.
B. Conflicts are managed under PCI-DSS agreements, not the government.
C. Conflicts are managed under ISO or NIST certification, not the government.
D. Conflicts are managed under GDPR laws, so there will only be fines.
Boris is working to complete a design project. He decides to hire a contractor to help complete the project on time. Which type of risk response is he using?
A. Transfer
B. Acceptance
C. Division
D. Avoidance
Petra uses her own secret formula to manufacturer her synthetic gut tennis string. This is then stolen by the SGI Strings Company. Which law or agreement has been broken?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
As Bjorn leaves the office this day, Steffi tells him she overheard men starting to break in earlier that evening to steal documents. The men are later caught, and Bjorn is brought onto the witness stand in court to mention what he heard. This type of evidence is termed which of the following?
A. Conclusive
B. Admissible
C. Hearsay
D. Best evidence
Garbine performs inspections of whether security policies, procedures, standards, and guidelines are followed according to the organization’s security objectives. What is her role for the firm?
A. Auditor
B. Chief information security officer (CISO)
C. Information security manager (ISM)
D. Data owner
Which is critical for proper incident response?
A. Evidence handling
B. Security information and event management (SIEM)
C. Intrusion detection system (IDS)
D. Incident response policy
Novak is preparing a DR exercise and emails the emergency task lists to the DR teams for review. Which type of exercise is he running?
A. Full interruption test
B. Parallel test
C. Tabletop test
D. Checklist test
Simona is a space fleet lieutenant putting together classifications for her computer system. Which of the following sensitivity systems will she follow?
A. Confidential, private, sensitive, public
B. Top-secret, secret, confidential, unclassified
C. Highly sensitive, sensitive, classified, unclassified
D. Top-secret, secret, classified, unclassified
Andre has provided his phone number, email address, and home address to Pyramid Grocer so that they can deliver groceries to his home. He is considered to be which of the following?
A. Data owner
B. Data custodian
C. Data subject
D. Data auditor
Venus needs an administrative control to enhance the confidentiality of data. Which should she choose?
A. DLP system
B. Fencing
C. Security guards
D. NDA
Juan plans to perform testing on his website and generate random input to see if it is vulnerable to which type of attack?
A. Fuzzing
B. DoS
C. Malware
D. Input validation
Victoria has worked in several departments of the company, including marketing, quality, and production. An audit found she still has privileges in all of her past departments even though she works in finance. This is called:
A. SoD
B. Collusion
C. Privilege creep
D. Least privilege
Stan wishes to set up secure authentication for his users. Which of the following is NOT BEST for authentication?
A. Retinal scan
B. Username
C. Palm vein scan
D. CAC
Billie needs to determine how much risk her organization can handle and still operate efficiently. She will first conduct a?
A. Risk assessment
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
Which of the following does NOT require an AUP?
A. Consultant
B. Contractor
C. Employee
D. Computer
Stefanos has just signed an SLA with NUS Systems. Which of the following is NOT part of the agreement?
A. Financial credit for downtime
B. Alpha services
C. Covered service
D. Service-level objectives (SLOs)
Madison received an email from Justine stating that $1,000 in funds had been transferred to her. Justine states she never sent the email. Which process would prove Justine sent the email?
A. Fingerprinting
B. Encryption
C. Non-repudiation
D. Hashing
Security education should be required for whom in an organization?
A. Computer users
B. Everyone
C. Senior executives
D. Security teams
Lleyton is planning on hiring 50 new engineers. What should be his FIRST step when reviewing new candidates?
A. Make sure prospects pass lie-detector screening.
B. Conduct thorough background checks.
C. Follow the employment candidate-screening process.
D. Perform drug screenings.
Non-compete agreements (NCAs) are generally unenforceable because:
A. NCAs are illegal.
B. Courts value a citizen’s right to earn a reasonable income.
C. Competition is covered in the NDA.
D. NCAs are always enforceable.
Ana, a systems engineer, caught Bud stealing corporate financial documents and informed her manager. Which department handles Bud’s termination?
A. HR
B. Security
C. Engineering
D. Finance
Daniil has finished a successful career with DDA Motors. As part of the exit interview, he’s required to return everything Except for:
A. Last week’s paycheck
B. Smart card
C. Corporate smartphone
D. Employee identifier (ID) card
Which of the following does NOT represent an asset for an organization?
A. Sunk costs
B. Computer
C. Trademark
D. Staff
Which is BEST represented as the product of a threat and vulnerability?
A. Safeguard
B. Exposure
C. Risk
D. Breach
What is the biggest threat to any organization?
A. Pandemics
B. Malware
C. Clear text
D. Disgruntled employees
Elina is interviewing risk consulting firms. What is the main item she should NOT look for in a qualified firm?
A. Can assist in defining the scope and purpose of risk assessments
B. Categorizes and prioritizes assets
C. Helps in defining acceptable levels of risk.
D. Years of experience in bringing organizations’ risk to zero
What represents the product of the asset value (AV) and exposure factor (EF)?
A. Annual rate of occurrence (ARO)
B. Single loss expectancy (SLE)
C. ALE
D. Annual cost of a safeguard (ACS)
An organization is initiating the qualitative risk analysis process. Which of the following is NOT part of the process?
A. Cost versus benefit analysis
B. Educated guesses
C. Opinions considered
D. Multiple experts
The Risk Management Framework (RMF) is also known as which NIST SP?
A. 800-35
B. 800-36
C. 800-37
D. 800-38
Feliciano has applied multiple risk mitigations to protect an asset. When should he stop?
A. When risk reaches an acceptable level
B. When the asset becomes unusable
C. After purchasing insurance for the asset.
D. When the risk is reduced to zero.
According to the Cisco 2020 CISO Benchmark Report, cyber (security) fatigue is defined as virtually giving up on proactively defending against malicious actors. What is the number 1 source of cyber fatigue?
A. Malware
B. Phishing attacks
C. Shadow IT
D. Password management
Sofia, a senior manager, needs to get a Linux update installed on her team’s server. Central IT has not performed the update even after being asked three times. Sofia selects a team member to install it and work around the IT department. This is BEST referred to as:
A. Self-help
B. Delegation of IT
C. Policy violation
D. Shadow IT
Benoit, the company CISO, is researching high-security systems that authenticate everything attempting connections to the corporate network. Such an architecture is called:
A. Zed trust
B. No trust
C. Zero trust
D. Null trust
The following type of security learning yields a credential such as a certificate or a degree:
A. Awareness
B. Education
C. Training
D. Birds of a feather (BOAF) sessions
For most organizations, which is the most important asset when a firm enters into BCP or DRP mode?
A. People
B. Network
C. Server room
D. Cash
Eugenie is the production manager at FAUX Widgets, and the lights went out for the entire building. Which action does she execute FIRST?
A. Contact the electric company.
B. Check the fuse box.
C. Follow the DRP plan.
D. Follow the BCP plan.
