Chapter 4 (Sybex) Flashcards

1
Q

Your senior management wants to measure how risky an activity will be. This metric is used to provide a signal of increasing risk exposure. You need to identify which of the following?

A. Key Risk Indicators (KRIs)
B. Key Performance Indicators
C. Total Cost of Ownership
D. Risk Assessment

A

A. Key Risk Indicators (KRIs)

Explanation:
KRI identification measures how risky an activity can be. To identify a KRI, you need to identify existing metrics, assess gaps, establish a control environment, and track changes in the risk profile.

2
Q

With traditional network architecture, one best practice is to limit network access points. This limitation allowed for a concentration of network security resources and a protected attack surface. With the introduction of 802.11x into enterprise network architecture, what was introduced into the network?

A. Increased capability and increased risk and higher TCO
B. Decreased capability and increased risk and higher TCO
C. Increased capability and decreased risk and lower TCO
D. Decreased capability and decreased risk and lower TCO

A

A. Increased capability and increased risk and higher TCO

Explanation:
With the evolution of adding wireless access (802.11x) to any network, you have increased capability due to its ease of use and mobility. You also have increased risk because your data travels over the airwaves, and a higher total cost of ownership due to more security, increased head count, and more assets being purchased and maintained on the network.

3
Q

One of the requirements for a new device you’re adding to the network is an availability of 99.8 percent. According to the vendor, the newly acquired device has been rated with an MTBF of 20,000 hours and an MTTR of 3 hours. What is the most accurate statement?

A. The device will meet availability because it will be at 99.985 percent
B. The device will not meet availability because it will be at 99.85 percent
D. The device will meet availability because it will be at 99.958 percent

A

A. The device will meet availability because it will be at 99.985 percent

Explanation:
Mean time between failures (MTBF) = Total uptime / Number of breakdowns
Mean time to repair (MTTR) = Total downtime / Number of breakdowns
Availability of device = MTBF / (MTBF + MTTR) = 20,000 / (20,000 + 3) = 20,000 / 20,003 ≈ 99.985 percent

4
Q

You need to calculate the annual loss expectancy (ALE) for an important server on your network. Which of these is the proper formula?

A. ARO X EF X AV
B. ARO X AV
C. EF X SLE
D. EF X SLE X AV

A

A. ARO X EF X AV

Explanation: The asset can be hardware, software, or people. The value of the asset (AV) is assessed first. The single loss expectancy (SLE) contains information about the potential loss when a threat occurs. It is calculated as SLE = AV x EF, where EF is the exposure factor, the loss that the threat will cause to the asset, expressed as a percentage. The annual loss expectancy is then ALE = SLE x ARO, where ARO is the annualized rate of occurrence, which gives ALE = ARO x EF x AV.

5
Q

Your company began the process of evaluating different technologies for a technical security-focused project. You narrowed down the selection to three organizations from which you received formal requests for information (RFIs).
What is the next request that you will make of those three vendors if you want to discover the total value required for purchase with items and deliverables?

A. RFQ
B. RFP
C. RFC
D. RFI

A

A. RFQ

Explanation:
After you receive the RFI, you can then request a quote (RFQ) so that you know approximately how much the service/asset will cost. After you have decided on a vendor, you can formally send them a request for proposal (RFP), which should supply a firm cost, an SLA, and other requirements.

6
Q

Edgar has been tasked with reviewing existing technology security policies. Which of these should not be covered in his security policy?

A. Details and procedures
B. Exceptions to the policy
C. Password policy
D. Scope

A

B. Exceptions to the policy

Explanation:
A procedure consists of step-by-step instructions. It defines the technical aspects of your program, in addition to any hardware or software that is required. A baseline is a fixed point of reference so that you can make comparisons. Scope is the requirements and objectives of a project.

7
Q

If you wanted to require that employees follow certain steps to avoid malware, you would create a procedure. If you wanted to require employees to use specific software to avoid malware, which of the following would you create?

A. Policy
B. Standard
C. Baseline
D. Scope

A

B. Standard

Explanation:
A procedure consists of step-by-step instructions. It defines the technical aspects of your program, in addition to any hardware or software that is required. A baseline is a fixed point of reference so that you can make comparisons. Scope is the requirements and objectives of a project.

8
Q

What is the customary practice of responsibly protecting an asset that affects an organization or community?

A. Due diligence
B. Risk mitigation
C. Insurance
D. Due care

A

D. Due care

Explanation:
Due diligence is verifying that those responsible are doing the right thing. Due care is acting responsibly. It is creating policies, procedures, and guidelines to protect information or assets in a way that is reasonable.

9
Q

Your department started to plan for next year. You need to clarify what your key performance indicators are for the current year. Which of the following is not found in a KPI?

A. Measurement
B. Target
C. Risk register
D. Data source

A

C. Risk register

Explanation:
Every KPI has a measure, a target that matches your measure, and a time period, as well as a clearly defined data source so that you know how each is being measured and tracked. Examples of KPIs are growth in revenue, percentage of market share, and time to market. A risk register is a document used as a risk management tool to fulfill regulatory compliance. It can act as a repository for all identified risks and includes additional information such as the nature of each risk and its mitigation measures.

10
Q

Your company purchased new computers and wants consistent reliability and performance out of them. You recommend that an operating system and software application configuration be installed on these systems prior to the addition of other programs. What is this process called?

A. Base configuration
B. Production operating environment
C. Standard operating environment
D. Standard configuration

A

D. Standard configuration

Explanation:
A standard operating environment (SOE) is a standardized base configuration of systems that normally consists of a basic operating system and software application installation. The SOE is installed on the computers, and additional features are added afterward.

11
Q

You live and work in an area with many hurricanes. What best describes the consequence of a disruption due to this natural disaster?

A. Business impact analysis
B. Risk assessment
C. Tabletop exercise
D. Mitigating control analysis

A

A. Business impact analysis

Explanation:
A hurricane is a natural disaster that should be accounted for in a business impact analysis (BIA) document. The risk appetite or risk tolerance of an organization should be considered in a BIA. A BIA should provide a plan for resuming operations after a disaster and identify which events could impact the organization's operations.

12
Q

Your organization has a new policy to implement security based on least privilege and separation of duties. A key component is deciding on data access. They decided it is best made by which of the following roles?

A. Data steward
B. Data owner
C. User/manager
D. Senior management

A

B. Data owner

Explanation:
The data owner has administrative control over the data and is accountable for who has access. A data custodian has technical control of that data.

13
Q

You are leading a project for your organization moving to thin clients with the server architecture hosted in the cloud. You are meeting with upper management, and they have asked for your advice on using thin clients. Which of the following is a security advantage?

A. Thin clients are economical and require less security. There is no storage, and the server is protected in the cloud.
B. Thin clients are encrypted with AES, both at rest and in transit.
C. Attackers will have less opportunity to extract data from thin clients
D. Thin clients do not require external security auditing.

A

A. Thin clients are economical and require less security. There is no storage, and the server is protected in the cloud.

Explanation:
A thin client is economical because you do not have to purchase a lot of processing power; in addition, IT support costs are negligible because there is no PC to support. There is no storage, and the server is protected through cloud management features and settings.

14
Q

You need an agreement that lets your business implement a comprehensive risk allocation strategy and provides indemnification, the method that holds one party harmless against existing or future losses. What contract should you negotiate?

A. Master service agreement
B. Business impact agreement
C. Interconnection security agreement
D. Memorandum of understanding

A

A. Master service agreement

Explanation:
A master service agreement (MSA) provides a strong foundation for future business. It typically specifies payment terms, warranties, geographic location, and intellectual property ownership.

15
Q

As a security engineer, you were asked to recommend a disk encryption technology that your end users can use to secure an entire disk or partition. All the end users have Microsoft Windows 10 systems. Which of the following is the best option available?

A. EFS
B. FAT32
C. NTFS
D. BitLocker

A

D. BitLocker

Explanation:
BitLocker is a Microsoft disk encryption technology that enables a user to encrypt an entire disk and/or partitions.

16
Q

You completed a vulnerability scan on your network without using any type of SMB or SSH service credentials. It gives you an idea of what your network looks like to the outside world. The next step is to use shared IT service account credentials. What type of vulnerability scan is this called?

A. Authenticated
B. Unauthenticated
C. Secured
D. Accessible

A

A. Authenticated

Explanation:
In an authenticated scan, the vulnerability manager logs in as a network user, and the scan shows vulnerabilities that are accessible to trusted insiders or to an attacker who has gained access to the network and taken over a trusted user's account.

17
Q

One of your salespeople has been asked to travel overseas on business and wants to make sure the corporate Windows laptop will be secure if it is stolen or lost. What do you tell the salesperson?

A. Make sure they change their password before they leave
B. The laptop has a TPM chip and BitLocker enabled
C. Always use VPN
D. Install WS Security and enable RDP

A

B. The laptop has a TPM chip and BitLocker enabled

Explanation:
Windows systems that use BitLocker for full disk encryption depend on having a Trusted Platform Module (TPM) chip on the motherboard. This chip generates and stores the actual encryption keys.

18
Q

Your CISO tasks you with conducting a white box test. The advantages include optimization and thoroughness, given that the developer has full knowledge of the code and libraries used. Which of the following should be considered a disadvantage of a white box test?

A. Complexity and duration
B. Simplicity and impartiality
C. Redundancy and simplicity
D. Accuracy and superficiality

A

A. Complexity and duration

Explanation:
A white box test requires the expertise of testers. These tests demand competence in programming and full knowledge of the code being tested. Because of the knowledge required and the length of the code, these tests can take a long time.

19
Q

Your organization finds it difficult to distinguish what data can be shared with a customer and what should remain internal. They assigned you the task of data classification. What is the primary purpose of this task?

A. Justifying the expenses
B. Assigning value to data
C. Defining necessary security protection
D. Controlling user access

A

C. Defining necessary security protection

Explanation:
The primary purpose of data classification is to define the necessary security protection. Data classification is based on the object's value rather than the reverse (being used to assign value). Data classification does not control user access; user classification into clearance levels controls user access.

20
Q

Your company holds large amounts of company data in electronic databases as well as personally identifiable information (PII) of customers and employees. What do you do to ensure that implemented controls provide the right amount of protection?

A. Best practices
B. Forensics
C. Due Diligence
D. Auditing

A

C. Due Diligence

Explanation:
Due diligence means required carefulness. Due diligence is exercising the informed care that is expected of reasonable people. Performing this kind of process ensures that the proper information is systematically and deliberately protected.

21
Q

As a marketing analyst for a large retail enterprise organization, you want to deploy a technology that will responsibly personalize the in-person shopping experience. What technology do you explore using with your retail app?

A. Home delivery
B. Personal Shoppers
C. Geotagging
D. Customer feedback

A

C. Geotagging

Explanation:
Large retailers are experimenting with location-sensing technology by tracking a customer's location through their phone's GPS capability.

22
Q

You would like to periodically update records in multiple remote locations to ensure the appropriate levels of fault tolerance and redundancy. What is this known as?

A. Shadowing
B. Mirroring
C. Archiving
D. Fail Safe

A

A. Shadowing

Explanation:
A shadow copy allows for manual or automatic copies of computer files to a local or remote location.

23
Q

Your objective and key results (OKR) being measured for this quarter include realizing the benefits of a multitenancy cloud architecture. Which one of these results is not applicable to a multitenancy cloud service?

A. Financial
B. Usage
C. Location
D. On boarding

A

C. Location

Explanation:
Multitenancy cloud services are less expensive because usage and resources are shared; they operate at maximum usage, making for the best efficiency. They are easier to set up because of the high volume of customers with a good on-boarding experience. The limitations of multitenancy are multiple access points, less control, and the fact that if one tenant is affected, all tenants are affected, which leaves some risk of vulnerabilities being exposed.

24
Q

Your company hired a third-party company to fulfill compliance requirements by testing for weaknesses in your company's security before an audit. The contractor attempted to hack wireless networks, enter secure areas without authorization, and use phishing to gain access to credentials. What describes this process?

A. Vulnerability Scans
B. Active Reconnaissance
C. Penetration test
D. Passive reconnaissance

A

C. Penetration test

Explanation:
A pentest is one of the most intrusive types of vulnerability testing; it actively finds and exploits weaknesses. A pentest attempts to gain access physically and digitally without proper authorization.

25
Q

Your healthcare organization decided to begin outsourcing some IT systems. Which of the following statements is true?

A. All outsourcing frees your organization from any rules or requirements
B. All compliance and regulatory requirements are passed on to the provider
C. The IT systems are no longer configured, maintained or evaluated by your organization
D. The outsourcing is free from any rules or regulations

A

Explanation:
When the decision is made to outsource any IT function, process, or system, there is a risk to operations and process flows, confidentiality, continuity, and compliance. You cannot use the excuse that it is not you. Regulators and compliance auditors will still hold your organization accountable for performing the correct level of due diligence to confirm that a third-party service has the right people, processes, and technology in place to support your business needs.

26
Q

Your organization must comply with PCI DSS and regulations that mandate annual and ongoing penetration testing after any system changes, at both the network and application level. What is the primary purpose of penetration testing?

A. Creates security awareness
B. Evaluates IDS
C. Tests the security perimeter
D. Accesses the internal guidelines

A

C. Tests the security perimeter

Explanation:
The primary purpose of a pentest is to test the effectiveness of your security policies, procedures, and guidelines. It is important to obtain the proper approval before beginning a penetration test.

27
Q

You are hired by a burgeoning retail startup that needs to evolve their IT operations into a more mature model. Which of the following frameworks is best to use while doing the first internal audit of the organization?

A. ITIL
B. CISA
C. COBIT
D. ISO 23007

A

C. COBIT

Explanation:
COBIT defines requirements for governance, management, and control of IT processes. Components of COBIT include process descriptions and objectives.

28
Q

You are using a process where the product or system being evaluated is called the target of evaluation and is rated on evaluation levels E0 through E6. What is this process called?

A. COPPA
B. CSA STAR
C. ITSEC
D. Common Criteria

A

C. ITSEC

Explanation:
Organizations still use the Information Technology Security Evaluation Criteria. ITSEC uses the terminology "target of evaluation" and has seven evaluation levels.

29
Q

Your organization was breached but you have been able to prove that sufficient due care was taken. What burden is eliminated?

A. Liability
B. Investigation
C. Financial loss
D. Negligence

A

B. Investigation

Explanation:
Due care is acting responsibly. Due diligence is verifying that those actions are sufficient. An organization that shows due care took every reasonable precaution to protect its assets and environment. If a breach occurs, the organization is not held negligent for losses but can still be held liable.

30
Q

Your company has a new CIO, who has a favorite vulnerability management tool and a relationship with that software company. You are migrating to the new software. What document would require the most changes?

A. Policies
B. Guidelines
C. Baselines
D. Procedures

A

D. Procedures

Explanation:
The software is likely very different from a usage standpoint. Policy documentation would state that vulnerability management will be done. Procedures would be a checklist of the step-by-step steps and processes that you will follow to run the new software.

31
Q

You want to gather your team together to evaluate potential corrective and recovery controls for your company. You want to encourage them to contribute and evaluate, taking an active role in the discussion. The three-tiered approach consists of brainstorming ideas for solutions, evaluating the best possible solutions and which of the following?

A. Deciding
B. Committing
C. Administering
D. Recovering

A

A. Deciding

Explanation:
The three-tiered approach consists of a brainstorming session, evaluating the ideas that come out of the brainstorming session, and then deciding which solution is best. More than one solution can work in a situation, but you will want to take into account factors such as cost and complexity. Doing so will help you work these security controls into the budget and timeline.
