CISM Final Review Questions Flashcards

1
Q

What are the security principles?

A

Need to know
Least Privilege
Separation of duties

2
Q

Risk proximity

A

Risk proximity is the time period before a risk might have an impact on one or more project objectives. It is an important factor to consider when prioritizing risks, as risks that are more likely to occur in the near future should be addressed first.

Risk proximity can be determined by a number of factors, including the following:

The nature of the risk. Some risks are more likely to occur sooner than others. For example, the risk of a supplier failing to deliver a critical component is more likely to occur in the near future if the delivery date is approaching.
The current state of the project. Some risks are more likely to occur if the project is in a certain phase or if certain milestones have not yet been met. For example, the risk of a project going over budget is more likely to occur if the project is already behind schedule.
External factors. Some risks are more likely to occur if certain external factors are present. For example, the risk of a project being delayed due to bad weather is more likely to occur if the project is being carried out during the winter months.
Project managers can use risk proximity to develop a risk management plan that focuses on mitigating the risks that are most likely to occur in the near future. This can help to reduce the overall risk to the project and improve its chances of success.

Here are some examples of risk proximity:

A supplier failing to deliver a critical component within the next week.
A new regulation being introduced that could impact the project’s scope or budget.
A key employee leaving the company in the next month.
A bad weather forecast for the week of a major project milestone.
Project managers should regularly review their risk management plan and update it as needed to reflect changes in risk proximity.

3
Q

Which one of the following individuals would be the most effective organizational owner for an information security program?

A. CISM-certified analyst
B. Chief information officer (CIO)
C. Director of networking and infrastructure
D. President and CEO

A

B
The owner of an information security program may be different from the individuals responsible for implementing its controls. The owner should be as senior an individual as possible who is still able to focus on managing the security program. The president and CEO would not be an appropriate choice because an executive at that level is unlikely to have the time to focus on security. Of the remaining choices, the CIO is the most senior position and would be the strongest advocate at the executive level.

4
Q

Paul is designing a compensating control for an issue that is preventing his organization from achieving PCI DSS compliance. Which one of the following statements about compensating controls is incorrect?
A. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
B. The control must meet the intent and rigor of the original requirement.
C. The organization's CISO (or other senior-most security executive) must personally approve the control.
D. The control must be "above and beyond" other PCI DSS requirements.

A

C
There are three requirements for PCI DSS compensating controls. First, the control must meet the intent and rigor of the original requirement. Second, the control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. Third, the control must be "above and beyond" other PCI DSS requirements. There is no requirement that the CISO personally approve the use of any compensating control.

5
Q

Evan is reviewing the reporting structure for cybersecurity leaders within a client organization. He notes that the CISO reports to the director of infrastructure and technology, who reports to the CIO. What statement is most accurate about this reporting relationship?
A. This is an appropriate reporting relationship because the CIO must keep a narrow span of control.
B. This is an appropriate reporting relationship because most cybersecurity issues involve networking and infrastructure.
C. This is not an appropriate reporting relationship because most cybersecurity issues do not involve networking and infrastructure.
D. This is not an appropriate reporting relationship because it creates a potential conflict of interest.

A

D
This approach creates a potential conflict of interest whenever the information security team disagrees with an approach endorsed by the director to whom they report, since that director owns the infrastructure being criticized. It would be far more appropriate for the CISO to report directly to the CIO, regardless of span-of-control concerns. Whether most cybersecurity issues in the organization involve networking and infrastructure is irrelevant.

6
Q

Which one of the following statements is true about social media in the wake of a cybersecurity incident?
A. Social media use should be prohibited for incident response team members.
B. Management should always issue regular updates on social media.
C. Social media provides a good means of communication for team members during an incident.
D. Customers and other stakeholders are likely to discuss incidents on social media.

A

D
Incident responders must be aware of the impact of social media, regardless of whether they use it directly. Even if your organization does not directly discuss cybersecurity issues on social media, rest assured that your customers and other stakeholders will. Management may, but does not have to, provide updates on social media. Social media is not an effective communications mechanism for internal conversations, as it is not secure, but it is not reasonable for the organization to issue a complete ban on social media use.

7
Q

What is a hierarchical management system?

A

A hierarchical management system is an organizational structure with distinct levels of authority, in which instructions and decisions flow from senior management down to lower-ranking employees. This structure is common in larger businesses and organizations.

8
Q

What are the standards of evidence for civil litigation and criminal litigation?

A

Criminal cases use the beyond-a-reasonable-doubt standard: the prosecution must present facts from which no other logical conclusion can be drawn. Most civil cases use the weaker preponderance of the evidence standard: the plaintiff need only show that their claim is more likely than not to be true (a greater than 50 percent chance of being correct). Because the consequences of a civil judgment are usually less severe than those of a criminal conviction, the standard is lower, and evidence collection standards for civil investigations are correspondingly less rigorous than those used in criminal investigations.

Some civil matters, such as fraud or child custody cases, use an intermediate clear and convincing evidence standard, which sits between preponderance of the evidence and beyond a reasonable doubt.

To meet the preponderance standard, the plaintiff must present credible, reliable, and persuasive evidence, and must show that it outweighs the defendant's evidence. The judge or jury weighs all of the evidence presented, along with the credibility of the witnesses, before ruling. Evidence considered in a civil trial may include:

Witness testimony
Expert testimony
Documents
Photographs
Video recordings
Physical evidence

If you are involved in a civil lawsuit, understand which standard of proof applies to your case, since it determines what you must show in order to prevail.

9
Q

Jackie is concerned that her organization’s vulnerability scanning program might interfere with the operation of production systems. She would like to conduct the scans without installing any software on the systems that will be scanned. What type of scan should she avoid?
A. Server-based scans
B. Agent-based scans
C. Credentialed scans
D. Noncredentialed scans

A

B

Agent-based scans require installing scanning agents on the systems to be scanned, whereas server-based scans run using software on the scanning server and probe targets over the network. Jackie wants to avoid installing any software, so she should stick with server-based scans. These may be run in either credentialed or noncredentialed mode; a credentialed scan logs in to the target with supplied credentials but still installs nothing on it.

10
Q

Describe the pros and cons of the three approaches to containment of a compromised host on a network.

A

The three approaches to containing a compromised host are segmentation, isolation, and removal. Each trades containment strength against availability of the host's services and access for investigation:

Segmentation

Segmentation divides the network into zones and restricts traffic between them using firewalls, VLANs, and similar controls, so that a compromised host can only reach a limited set of peers.

Pros:

Limits the spread of malware and lateral movement to hosts in other segments.
Can be designed in advance as part of the network architecture, and tends to reduce cross-segment traffic.
Cons:

Complex and expensive to implement, especially after the fact during an incident.
Adds management and troubleshooting overhead, and a host left in its segment can still attack its neighbors within that segment.
Isolation

Isolation cuts the compromised host off from the rest of the network while leaving it running, for example by moving it to a quarantine VLAN or pushing host firewall rules that allow traffic only to and from the forensics workstation.

Pros:

Simple, quick, and inexpensive to apply.
The host stays powered on, so volatile evidence (memory contents, running processes, active network connections) can still be collected.
Cons:

The services the host provides become unavailable to users.
Remediation access is limited to whatever path the isolation rules leave open, and the attacker may notice the change in connectivity.
Removal

Removal takes the compromised host off the network entirely, by unplugging it or powering it down.

Pros:

The strongest form of containment: the host can no longer communicate with anything.
Simple to carry out.
Cons:

Disrupts every service the host provides, which is costly if it is a critical server.
Powering the host off destroys volatile evidence, so capture memory and connection state first if they will be needed for the investigation.
Which approach is right for you?

The best approach depends on the specific circumstances. If the compromised host provides no critical services, removal may be the best option. If it does, segmentation or isolation keeps the host running while limiting what it can reach. Every option affects availability to some degree, so weigh the risk of continued attacker access against the cost of the outage before deciding.

In every case, have a plan for remediating the compromised host. Once it has been contained, you will still need to eradicate the compromise, clean the host or rebuild it, and restore it to service.

11
Q

What is the difference between a security awareness tool and security education?

A

A security awareness tool is a software product that delivers awareness content to employees: short interactive training modules, quizzes, games, and simulated phishing campaigns, with reporting on who completed what and who clicked.

Security education is the broader set of activities an organization uses to help its people learn about security. It can include formal training programs, informal workshops, certification study, and on-the-job mentoring.

The main difference is depth and audience. Awareness tools push information about threats and expected behaviors to the whole workforce (recognize phishing, lock your screen, report incidents). Security education builds the skills and judgment needed to design, implement, and operate security controls, and is aimed at the people who have to do that work.

Security awareness tools can be a valuable part of an organization's security education program: they make the workforce aware of threats and basic precautions. They are not a replacement for security education, which is what produces the practitioners who can implement security best practices effectively.

Examples of security awareness tools:

KnowBe4
Cofense PhishMe
Proofpoint Security Awareness Training
SANS Security Awareness

Examples of security education programs:

Certified Information Systems Security Professional (CISSP) certification
Offensive Security Certified Professional (OSCP) certification
GIAC Security Essentials Certification (GSEC)
SANS Institute security courses
CompTIA Security+ certification

Organizations should choose the awareness tools and education programs that fit their needs. The right mix depends on the size of the organization, the industry in which it operates, and the specific security risks it faces.

12
Q

Which one of the following technologies would be most helpful in managing the configuration of devices brought into an organization under a BYOD computing approach?
A. MDM
B. Firewall
C. IPS
D. DLP

A

A
Mobile device management (MDM) solutions manage the secure configuration of mobile devices, including those brought into the organization under a Bring Your Own Device (BYOD) policy. Data loss prevention (DLP) systems protect the organization against the accidental or intentional exfiltration of data, but they do not manage system configurations.

Intrusion prevention systems (IPSs) do protect the organization against potentially malicious network traffic, but they do not manage system configurations. Firewalls do protect the organization against potentially malicious network traffic, but they do not manage system configurations.

13
Q

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running?
A. Checklist review
B. Full interruption test
C. Parallel test
D. Tabletop exercise

A

C
During a parallel test, the team actually activates the disaster recovery site for testing but the primary site remains operational. During a full interruption test, the team takes down the primary site and confirms that the disaster recovery site is capable of handling regular operations. The full interruption test is the most thorough test but also the most disruptive. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.

14
Q

Describe each type of disaster recovery test, with its pros and cons.

A

Read-through test

Description: A read-through test (also called a checklist review) is a walkthrough of the disaster recovery plan on paper to identify gaps or potential problems. Each participant reads the plan carefully and thinks through how it would be carried out in a real disaster.

Pros:

Least expensive and disruptive type of disaster recovery test
Can help to identify gaps and potential problems in the plan
Cons:

Does not test the disaster recovery plan in a real-world environment
May not be able to identify all of the potential problems that could occur during a real disaster
Structured walk-through

Description: A structured walk-through (also called a tabletop exercise) is a more in-depth review of the disaster recovery plan. The people who would respond to a disaster gather together and walk through the plan step by step against a scenario, without making any changes to information systems.

Pros:

More realistic test of the disaster recovery plan than a read-through test
Can help to identify problems in the plan that may not be identified in a read-through test
Can help to train employees on how to implement the disaster recovery plan
Cons:

More expensive and disruptive than a read-through test
May not be as realistic as other types of disaster recovery tests
Simulation test

Description: A simulation test is a more realistic test of the disaster recovery plan than a read-through test or structured walk-through. It involves creating a simulated disaster environment and then testing the disaster recovery plan to see how it performs.

Pros:

More realistic test of the disaster recovery plan than a read-through test or structured walk-through
Can help to identify problems in the plan that may not be identified in other types of tests
Can help to train employees on how to implement the disaster recovery plan in a real-world environment
Cons:

More expensive and disruptive than a read-through test or structured walk-through
Still a rehearsal: the alternate site is not actually activated, so it cannot prove that failover works
Parallel test

Description: A parallel test activates the alternate processing facility and runs real or replayed transactions through it while the primary site continues to operate. It proves that the alternate site can actually carry the workload without disrupting production.

Pros:

More realistic test of the disaster recovery plan than a read-through test, structured walk-through, or simulation test
Can help to identify problems in the plan that may not be identified in other types of tests
Can help to train employees on how to implement the disaster recovery plan in a real-world environment
Cons:

More expensive than the rehearsal-style tests, since the alternate site is actually brought up and staffed
Does not prove that the primary site can be cleanly shut down and its load cut over, which only a full interruption test shows
Full interruption test

Description: A full interruption test is the most realistic test of the disaster recovery plan. It involves failing over to the disaster recovery site and testing the disaster recovery plan in a real-world environment.

Pros:

Most realistic test of the disaster recovery plan
Can help to identify any problems in the plan that were not identified in other types of tests
Cons:

Most expensive and disruptive type of disaster recovery test
Can have a significant impact on operations
Which type of test is right for you?

The right test depends on your organization's budget, risk tolerance, and the maturity of the disaster recovery plan. Read-through tests and structured walk-throughs are the starting point and catch gaps in the written plan cheaply. Simulation tests add realism without touching production. Parallel and full interruption tests are the only ones that prove the alternate site actually works, and they should come only after the cheaper tests pass.

Disaster recovery testing should be repeated on a regular schedule, and after any significant change to systems, staff, or the plan itself, to ensure the plan is still effective. The frequency depends on the organization's industry, regulatory obligations, and the specific risks it faces.

Here are some additional considerations:

Read-through tests and structured walk-throughs: use these first to find gaps in the plan and to familiarize staff with their roles.
Simulation tests and parallel tests: use these to exercise the plan in a more realistic setting and to surface problems that the paper reviews miss.
Full interruption tests: the most realistic tests of the plan, and also the most expensive and disruptive. Schedule them in a maintenance window, get management sign-off, and have a rollback plan, because a failure during the test is a real outage. Conduct them only once you are confident the plan is ready for production.

15
Q

Alexis is working to develop standard language for use with vendors that will ensure that her organization retains ownership of data handled by the vendor. Where would be the best location to include this language?
A. Contract
B. NDA
C. MOU
D. SOW

A

A
Data ownership language should be legally binding and part of the master agreement with the vendor. As it is such an important topic, it should be included in the formal contract with the vendor. It is not appropriate subject matter for a nondisclosure agreement (NDA) that focuses on confidentiality or a less formal vehicle, such as a memorandum of understanding (MOU) or statement of work (SOW).

16
Q

What are KRIs?

A

Key risk indicators (KRIs) are measures that are intended to quantify the security risk facing an organization. KRIs, unlike KPIs and KGIs, are a look forward. They attempt to show how much risk exists that may jeopardize the future security of the organization. Key performance indicators (KPIs) are metrics that demonstrate the success of the security program in achieving its objectives. KPIs are mutually agreed-upon measures that evaluate whether a security program is meeting its defined goals. Generally speaking, KPIs are a look backwards at historical performance, providing a measuring stick to evaluate the past success of the program. Key goal indicators (KGIs) are similar to KPIs but measure progress toward defined goals. For example, if an organization has a goal to eliminate all stored social security numbers, a KGI might track the percentage of SSNs removed. KMIs are not a standard metric for cybersecurity programs.

17
Q

Kyle is conducting a penetration test. After gaining access to an organization’s database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action?
A. Privilege escalation
B. Lateral movement
C. Maneuver
D. Persistence

A

D
Backdoors are a persistence tool, designed to make sure that the attacker’s access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.

18
Q

Renee is a cybersecurity hobbyist. She receives an email about a new web-based grading system being used by her son’s school and she visits the site. She notices that the URL for the site looks like this:

https://www.myschool.edu/grades.php?studentID=1023425

She realizes that 1023425 is her son's student ID number and then attempts to access the following similar URLs:

https://www.myschool.edu/grades.php?studentID=1023423

https://www.myschool.edu/grades.php?studentID=1023424

https://www.myschool.edu/grades.php?studentID=1023426

https://www.myschool.edu/grades.php?studentID=1023427

When she does so, she accesses the records of other students. She closes the records and immediately informs the school principal of the vulnerability. What term best describes Renee’s work?

A. White-hat hacking
B. Green-hat hacking
C. Gray-hat hacking
D. Black-hat hacking

A

C
Renee was not authorized to perform this security testing, so her work does not fit into the category of white-hat hacking. However, she also had no malicious intent, so her work cannot be categorized as a black-hat attack. It falls between the two extremes and is best described as gray-hat hacking. Note that even well-intentioned unauthorized access can violate computer misuse laws, which is exactly why gray-hat work carries legal risk; written authorization or a published disclosure program is what turns the same activity into white-hat testing. The flaw itself, trusting a user-supplied identifier without checking that the requester is entitled to that record, is an insecure direct object reference.
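The flaw in Renee's card, shown as code. This is an added example, not code from the flashcard source or from any real school system: the student IDs, names, grades and the parent-to-student links are constructed sample data, and the function names are hypothetical. The vulnerable lookup trusts the ID from the request, exactly as grades.php did; the hardened one authorizes the object against the authenticated user's entitlements.

```python
# Added example (not from the original page): insecure direct object
# reference (IDOR) on a student-grades lookup, vulnerable form beside the
# hardened form. All data below is constructed; names are hypothetical.

# Constructed records keyed by student ID (the value Renee saw in the URL).
GRADES = {
    1023423: {"name": "Student A", "grade": "B+"},
    1023424: {"name": "Student B", "grade": "A-"},
    1023425: {"name": "Renee's son", "grade": "A"},
    1023426: {"name": "Student C", "grade": "C"},
    1023427: {"name": "Student D", "grade": "B"},
}

# Which student records each authenticated parent account may view.
PARENT_OF = {
    "renee": {1023425},
    "other_parent": {1023423, 1023424},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def grades_vulnerable(student_id: int) -> dict:
    """Mirrors grades.php?studentID=...: the ID in the request is trusted
    as-is, so any caller can read any record just by changing the number."""
    return GRADES[student_id]


def grades_hardened(session_user: str, student_id: int) -> dict:
    """Authorize the object, not just the user: return the record only if
    the authenticated parent is linked to that student ID."""
    allowed = PARENT_OF.get(session_user, set())
    if student_id not in allowed:
        # Same error for "no such student" and "not your student", so the
        # ID space cannot be enumerated through differing responses.
        raise Forbidden("not authorized for this record")
    return GRADES[student_id]


def enumerate_neighbors(center: int, lookup, span: int = 2) -> list:
    """What Renee did: try the IDs around her son's and collect what leaks.
    `lookup` is a callable taking a student ID and returning a record."""
    leaked = []
    for sid in range(center - span, center + span + 1):
        if sid == center:
            continue
        try:
            record = lookup(sid)
        except (Forbidden, KeyError):
            continue
        leaked.append((sid, record["name"]))
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_neighbors(1023425, grades_vulnerable))
    as_renee = lambda sid: grades_hardened("renee", sid)
    print("hardened:  ", enumerate_neighbors(1023425, as_renee))
```

The hardened version keys the check on a server-side link between the session and the record; renaming or obfuscating the ID parameter would not have helped, since the problem is missing authorization, not a guessable value.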

19
Q

Different types of hackers?

A

Hackers, in this usage, are people who use their computer skills to probe computer systems and networks for weaknesses. The three main categories, white hat, black hat, and gray hat, are distinguished by authorization and intent.

White hat hackers are also known as ethical hackers. They test systems with the owner's permission, find security vulnerabilities, and report them so the organization can fix them. White hat hackers help organizations improve their security posture and protect themselves from attack.

Black hat hackers are malicious hackers who gain unauthorized access to computer systems and networks for personal gain. They may steal data, install malware, or disrupt operations. Black hat hacking is illegal and can have serious consequences for both individuals and organizations.

Gray hat hackers fall between the two. They typically probe systems without permission but without malicious intent, and may report the vulnerabilities they find, sometimes in the hope of payment or recognition. Because the access is unauthorized, gray hat activity can still be illegal even when the intent is good.

The key differences:

White hat. Motivation: ethical, with authorization. Actions: finds and reports security vulnerabilities so the organization can improve its security posture.
Black hat. Motivation: malicious or for personal gain. Actions: gains unauthorized access to steal data, install malware, or disrupt operations.
Gray hat. Motivation: mixed; usually not malicious but without authorization. Actions: may probe systems without permission and report what they find, sometimes seeking personal gain.

The distinction is not always clear-cut. The same person may do authorized testing in one context and unauthorized probing in another, and individuals move between categories over the course of a career.

20
Q

Provide details about the Electronic Discovery Reference Model (EDRM).

A

The Electronic Discovery Reference Model (EDRM) describes the stages of the e-discovery process, from everyday information management through presentation in court. Each stage, with an example:

Information governance: This stage involves developing and implementing policies and procedures for managing electronic information. For example, an organization may have a policy that requires all employees to retain all work-related emails for a period of five years.

Identification: This stage involves identifying the electronically stored information (ESI) that is relevant to a legal proceeding. For example, if an organization is sued for wrongful termination, the ESI that may be relevant to the case may include email messages, text messages, and social media posts.

Preservation: This stage involves taking steps to preserve the ESI that has been identified. For example, an organization may need to implement a litigation hold to prevent employees from deleting or modifying relevant ESI.

Collection: This stage involves collecting the ESI that has been identified and preserved. For example, an organization may need to collect email messages, text messages, and social media posts from relevant employees.

Processing: This stage involves processing the ESI to make it searchable and reviewable. For example, an organization may need to convert email messages to a searchable format and index them.

Review: This stage involves reviewing the ESI to identify the relevant and responsive documents. For example, an organization may need to hire attorneys to review the ESI and identify the documents that are relevant to the case.

Analysis: This stage involves analyzing the ESI to identify trends and patterns. For example, attorneys may use data analysis software to identify trends in the ESI, such as who was communicating with whom and what topics they were discussing.

Production: This stage involves producing the ESI to the opposing party or the court. For example, an organization may need to produce email messages, text messages, and social media posts to the opposing party.

Presentation: This stage involves presenting the ESI at trial or during other legal proceedings. For example, attorneys may use email messages, text messages, and social media posts to support their case at trial.

The EDRM is a valuable tool that can help organizations to manage the e-discovery process more effectively and efficiently.

21
Q

What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege?
A. Collection
B. Processing
C. Review
D. Identification

A

C
Review examines the information resulting from the Processing phase to determine what is responsive to the request and to remove any information protected by attorney-client privilege, which is withheld and listed on a privilege log. Identification locates the information that may be responsive to a discovery request when the organization believes litigation is likely. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a "rough cut" of irrelevant and duplicate material, reducing the amount requiring detailed review.
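The Processing, Review and Production stages from the two EDRM cards above, run over a handful of constructed messages. This is an added example, not code from the flashcard source or from EDRM itself: the mailbox contents, the counsel domain and the search terms are invented, and in a real matter the privilege call is made by attorneys on a review platform, with rules like these only surfacing candidates for them.

```python
# Added example (not from the original page): a minimal pass through the
# EDRM Processing -> Review -> Production stages. All sample ESI, addresses
# and terms below are constructed for the example.
import hashlib

# Constructed sample messages, as collected under a litigation hold.
ESI = [
    {"id": "m1", "from": "alice@acme.example", "to": ["bob@acme.example"],
     "subject": "Q3 termination decision",
     "body": "We should let Dana go before the review cycle."},
    {"id": "m2", "from": "alice@acme.example", "to": ["counsel@acme-legal.example"],
     "subject": "Legal advice re: Dana",
     "body": "Privileged & Confidential: is the termination defensible?"},
    {"id": "m3", "from": "bob@acme.example", "to": ["alice@acme.example"],
     "subject": "Lunch", "body": "Tacos at noon?"},
    {"id": "m4", "from": "alice@acme.example", "to": ["bob@acme.example"],
     "subject": "Q3 termination decision",
     "body": "We should let Dana go before the review cycle."},  # duplicate of m1
]

COUNSEL_DOMAINS = {"acme-legal.example"}          # hypothetical outside counsel
PRIVILEGE_MARKERS = ("privileged", "attorney-client")
SEARCH_TERMS = ("termination", "dana")            # agreed search terms


def fingerprint(msg: dict) -> str:
    """Content hash used to drop exact duplicates during Processing."""
    h = hashlib.sha256()
    for field in ("from", "subject", "body"):
        h.update(msg[field].encode())
    for addr in sorted(msg["to"]):
        h.update(addr.encode())
    return h.hexdigest()


def processing(messages: list) -> list:
    """Processing: de-duplicate, then make a rough cut by search terms so
    Review only sees potentially responsive items."""
    seen, kept = set(), []
    for m in messages:
        fp = fingerprint(m)
        if fp in seen:
            continue
        seen.add(fp)
        text = (m["subject"] + " " + m["body"]).lower()
        if any(term in text for term in SEARCH_TERMS):
            kept.append(m)
    return kept


def is_privileged(msg: dict) -> bool:
    """Review rule: a communication with counsel, or one marked as such, is
    flagged as attorney-client privileged (subject to attorney confirmation)."""
    parties = [msg["from"], *msg["to"]]
    with_counsel = any(p.split("@")[1] in COUNSEL_DOMAINS for p in parties)
    text = (msg["subject"] + " " + msg["body"]).lower()
    marked = any(marker in text for marker in PRIVILEGE_MARKERS)
    return with_counsel or marked


def review(messages: list) -> tuple:
    """Review: split responsive items into those to produce and those
    withheld on a privilege log."""
    produce, privilege_log = [], []
    for m in messages:
        if is_privileged(m):
            privilege_log.append({"id": m["id"], "subject": m["subject"],
                                  "basis": "attorney-client privilege"})
        else:
            produce.append(m)
    return produce, privilege_log


def production(produce: list) -> list:
    """Production: the document IDs handed over to the opposing party."""
    return [m["id"] for m in produce]


if __name__ == "__main__":
    responsive = processing(ESI)
    to_produce, log = review(responsive)
    print("produced:", production(to_produce))
    print("privilege log:", log)
```

The privilege log entry carries enough to identify the withheld item without revealing its contents; the opposing party can challenge the basis, which is why the screening rule and the attorney's decision are both recorded.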

22
Q

Admissible Evidence

A

Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.

23
Q

Asset Criticality

A

Estimate of the priority/value of the asset to the organization. Helps guide decisions about the types of scans that are performed, the frequency of those scans, and the priority administrators should place on remediating vulnerabilities detected by the scan.

24
Q

Best Evidence Rule

A

States that when a document is used as evidence in a court proceeding, the original document must be introduced.

25
Q

Beyond a Reasonable Doubt

A

Standard of evidence where the prosecution must demonstrate that the defendant committed the crime by presenting facts from which there are no other logical conclusions.

26
Q

Business Partnership Agreement (BPA)

A

A contract between two entities dictating their business relationship. It clearly defines the expectations and obligations of each partner in the endeavor.

27
Q

Certificate Signing Request (CSR)

A

A message sent from an applicant to a certificate authority (CA), or to the registration authority (RA) that handles intake on the CA's behalf, to apply for a digital certificate. The CSR contains the applicant's public key and identifying information (the subject name and, for web server certificates, the DNS names to be covered) and is signed with the applicant's private key. That signature proves possession of the private key without the key ever leaving the applicant; the CA still has to validate the identity claims separately before issuing the certificate.
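
An added example (not from the original page) showing both halves of the exchange with Go's standard library: the applicant builds and signs a CSR, and the CA-side check parses it and verifies the proof-of-possession signature before any validation of the names. The subject, organization and DNS names are constructed values, and TamperCSR is only there to show that a request modified after signing is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// BuildCSR is the applicant's side: generate a P-256 key pair, build a request
// carrying the subject, the DNS names wanted on the certificate and the public
// key, and sign it with the private key. The private key never leaves here.
func BuildCSR(commonName string, dnsNames []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Example Corp"}}, // constructed
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// CheckCSR is the CA (or RA) intake side: decode the PEM, parse the ASN.1,
// verify the proof-of-possession signature, and hand back the identity the CA
// still has to validate (for a DV certificate, by proving control of each name).
// The subject fields are never trusted on their own.
func CheckCSR(csrPEM []byte) (commonName string, dnsNames []string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.Subject.CommonName, csr.DNSNames, nil
}

// TamperCSR flips the last byte of the DER encoding, which lies inside the
// signature value, so the request no longer matches what the applicant signed.
func TamperCSR(csrPEM []byte) []byte {
	block, _ := pem.Decode(csrPEM)
	der := append([]byte(nil), block.Bytes...)
	der[len(der)-1] ^= 0xFF
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	csrPEM, _, err := BuildCSR("www.example.com", []string{"www.example.com", "example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	cn, names, err := CheckCSR(csrPEM)
	fmt.Println("subject:", cn, "names to validate:", names, "err:", err)
	_, _, err = CheckCSR(TamperCSR(csrPEM))
	fmt.Println("tampered request:", err)
}
```

The CA-side function deliberately returns the names rather than issuing anything: CheckSignature only proves the requester holds the key, and the domain-control check that turns a CSR into a DV certificate happens afterwards.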

28
Q

Certificate Stapling

A

A means of checking the revocation status of X.509 digital certificates without a separate client query, usually called OCSP stapling. The presenter of the certificate (typically a TLS server) periodically fetches a time-stamped OCSP response signed by the issuing certificate authority (CA) or its designated OCSP responder and appends, or staples, it to the certificate during the TLS handshake. The client verifies the stapled response instead of contacting the OCSP responder itself, which removes the latency and privacy cost of a live lookup. Stapling alone does not force a revocation check: unless the certificate carries the OCSP Must-Staple extension, a client that receives no staple typically soft-fails and proceeds.

29
Q

CMMI (Capability Maturity Model Integration)

A

A formal software development management concept that describes the process that organizations undertake as they move toward incorporating solid engineering principles into their software development processes.

30
Q

Data Loss Prevention (DLP)

A

Any systems that identify, monitor, and protect data to prevent it from unauthorized use, modification, destruction, egress, or exfiltration from a location.

31
Q

Data Masking

A

Partially redacts sensitive information by replacing some or all of the characters in a sensitive field with placeholder characters, for example showing a payment card number as ************1111 so that only the last four digits remain visible. The masked value stays recognizable to a support agent but is no longer usable on its own.

32
Q

Data Minimization

A

Techniques used to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis.

33
Q

Data Obfuscation

A

The process that transforms data into a format where the original information can’t be retrieved.

34
Q

Digital Signatures

A

A method for assuring a recipient that a message truly came from the claimed sender (authentication and non-repudiation) and that the message was not altered while in transit between the sender and recipient (integrity). A digital signature is created by hashing the message and signing that hash with the sender's private key; the recipient recomputes the hash over the message as received and verifies the signature with the sender's public key. A signature provides no confidentiality: the message itself is not encrypted.
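
An added example (not from the original page) of the sign-and-verify exchange described above, using RSA with SHA-256 from Go's standard library. The keys are generated in the program and the message and the altered copy are constructed values. It shows that verification fails both when the message changes and when the signature is checked against the wrong public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message with SHA-256 and signs the digest with the sender's
// private key (RSA PKCS#1 v1.5). Only the holder of the private key can produce
// this value. Signing is often described as "encrypting the hash with the
// private key"; the real operation also adds fixed padding and an algorithm
// identifier, so it is not interchangeable with RSA encryption.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest over the message as received and checks the
// signature against the sender's public key. false means the message was
// altered after signing or was signed by some other key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records the three checks a recipient cares about.
type Outcome struct {
	Genuine, Altered, WrongSigner bool
}

// Demo runs the exchange with constructed keys and a constructed message:
// Alice signs; Bob verifies the original, a copy altered in transit, and the
// original against Mallory's key.
func Demo() (Outcome, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Pay 100 to account 42") // constructed sample message
	sig, err := Sign(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	tampered := []byte("Pay 900 to account 42") // one digit changed in transit
	return Outcome{
		Genuine:     Verify(&alice.PublicKey, msg, sig),
		Altered:     Verify(&alice.PublicKey, tampered, sig),
		WrongSigner: Verify(&mallory.PublicKey, msg, sig),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v wrong_signer=%v\n", o.Genuine, o.Altered, o.WrongSigner)
}
```

Note that the recipient must obtain Alice's public key through a trusted channel (a certificate, for example); a signature that verifies against an attacker-supplied key proves nothing.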

35
Q

Direct Evidence

A

Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses.

36
Q

Domain Validation (DV) Certificates

A

Certificate issued based upon the CA’s verification that the certificate subject has control over a domain name.

37
Q

Electronic Discovery Reference Model (EDRM)

A

A framework that outlines standards for the recovery and discovery of digital data related to legal proceedings.

38
Q

Enterprise Risk Management (ERM)

A

A formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.

39
Q

Exposure Factor (EF)

A

Determines the amount of damage that will occur to the asset if the risk materializes; generally expressed as a percentage of the value of the asset.

40
Q

Extended Validation (EV) Certificates

A

Provide a high level of assurance because the CA takes steps to verify that the certificate owner is a legitimate business before issuing the certificate.

41
Q

Full Interruption Tests

A

Shutting down operations at the primary site and shifting them to the recovery site.

42
Q

Governance

A

Sets of procedures and controls put in place to allow an organization to effectively direct its work.

43
Q

Hardware Security Module (HSM)

A

A cryptoprocessor used to manage/store digital encryption keys, accelerate cryptographic operations, support faster digital signatures, and improve authentication.

44
Q

Impact

A

A measurement of the amount of damage or loss that could or would be caused if a potential threat is ever realized.

45
Q

Incremental Backups

A

A backup that stores only those files that have been modified since the time of the most recent full or incremental backup. This term is also used to mean the process of creating such a backup.

46
Q

Incremental Budgeting

A

Approaches that start with the prior year's budget and then make adjustments by either raising or lowering that budget.

47
Q

Indicators of Compromise (IOCs)

A

The telltale signs that an attack has taken place. IOCs may include file hashes and other file signatures, IP addresses and domain names, log patterns, and other artifacts left behind by attackers.

48
Q

Managed Service Providers (MSPs)

A

Service organizations that provide information technology as a service to their customers. MSPs may handle an organization’s IT needs completely, or they may offer focused services such as network design and implementation, application monitoring, or cloud cost management.

49
Q

Master Service Agreements (MSAs)

A

Agreements that provide an umbrella contract for the work that a vendor does with an organization over an extended period of time.

50
Q

Multiparty Risks

A

Those risks that impact more than one organization.

51
Q

OAuth

A

Open standard for authorization (OAuth 2.0 is the current version), a common method for authorizing websites or applications to access a user's information held by another service.
OAuth is an open-standard authorization protocol that allows an application (the client) to obtain limited, scoped access to a user's resources held by another service, without the user ever giving the client their password.

OAuth is often used to let users sign in to websites and applications with an existing account at a provider such as Facebook, Google, or Twitter. Strictly speaking, OAuth itself only handles authorization (what the client may access); the login use case is provided by OpenID Connect, an identity layer built on top of OAuth 2.0. Either way, it saves users from creating and managing yet another set of credentials.

The protocol involves four roles: the resource owner (the user), the client (the website or application requesting access), the authorization server (which authenticates the user and issues tokens), and the resource server (the API that holds the user's data). In the most common flow, the authorization code grant, the user authenticates with the authorization server, which redirects the user back to the client with a short-lived authorization code. The client then exchanges that code, together with its own client credentials, for an access token and uses the token to call the resource server.

OAuth protects the user's password, because only the authorization server ever sees it, and it limits what the client can do to the scopes the user approved. It is secure only when implemented carefully: the client must bind each login attempt to an unguessable state value and check it on the callback (to prevent cross-site request forgery), the authorization server must redirect only to registered redirect URIs, and authorization codes must be single-use.

Here is an example of how the authorization code flow works:

The user wants to log in to a website using their Facebook account.
The website generates a random state value, stores it in the user's session, and redirects the user to Facebook's authorization endpoint with its client ID, redirect URI, requested scopes, and that state.
The user enters their Facebook credentials, authenticates with Facebook, and approves the requested scopes.
Facebook redirects the user's browser back to the website's registered redirect URI with a one-time authorization code and the same state value.
The website checks that the returned state matches the one it stored, then sends the code and its client secret directly to Facebook's token endpoint.
Facebook validates the code and the client credentials and returns an access token (and, with OpenID Connect, an ID token identifying the user).
The website uses the access token to request the user's account information from Facebook's API.
The website can then use that information to log the user in and provide access to its features.
OAuth is a powerful tool that can be used to simplify the login process and improve the security of websites and applications. It is used by millions of websites and applications around the world.
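
The authorization code flow above, simulated end to end as an added example (not code from the original page or from any OAuth provider). Both sides live in one program: AuthServer stands in for the provider and Client for the website, direct calls replace the HTTP transport, and the client ID, secret, redirect URI and hostnames are constructed values. It shows the three checks the prose calls for: the state value is bound to the login attempt and verified on callback, redirects go only to the registered URI, and each authorization code is spent once.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

func randomToken() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; unguessable codes, tokens and state values
	return hex.EncodeToString(b)
}

type registeredClient struct{ secret, redirectURI string }
type issuedCode struct{ clientID, scope string }

// AuthServer plays the provider side (the "Facebook" of the walkthrough above).
type AuthServer struct {
	clients map[string]registeredClient // client_id -> secret and redirect URI fixed at registration
	codes   map[string]issuedCode       // outstanding one-time authorization codes
	Tokens  map[string]string           // issued access token -> granted scope
}

// NewAuthServer registers the single (constructed) client used in the example.
func NewAuthServer(clientID, secret, redirectURI string) *AuthServer {
	return &AuthServer{clients: map[string]registeredClient{clientID: {secret, redirectURI}},
		codes: map[string]issuedCode{}, Tokens: map[string]string{}}
}

// Authorize is the /authorize endpoint, reached after the user has logged in here and
// approved the scope. It redirects only to the registered URI and echoes the state unchanged.
func (s *AuthServer) Authorize(q url.Values) (string, error) {
	c, ok := s.clients[q.Get("client_id")]
	if !ok || q.Get("response_type") != "code" || q.Get("redirect_uri") != c.redirectURI {
		return "", errors.New("invalid authorization request")
	}
	code := randomToken()
	s.codes[code] = issuedCode{q.Get("client_id"), q.Get("scope")}
	return fmt.Sprintf("%s?code=%s&state=%s", c.redirectURI, code, url.QueryEscape(q.Get("state"))), nil
}

// Token is the /token endpoint: the client authenticates with its secret and trades
// the code for an access token. A code can be redeemed exactly once.
func (s *AuthServer) Token(clientID, secret, code string) (string, error) {
	c, ok := s.clients[clientID]
	if !ok || c.secret != secret {
		return "", errors.New("client authentication failed")
	}
	ic, ok := s.codes[code]
	if !ok || ic.clientID != clientID {
		return "", errors.New("invalid, expired or already used code")
	}
	delete(s.codes, code)
	tok := randomToken()
	s.Tokens[tok] = ic.scope
	return tok, nil
}

// Client is the website wanting access. It never sees the user's password.
type Client struct {
	srv                     *AuthServer
	id, secret, redirectURI string
	pending                 map[string]bool // state values issued to browser sessions
}

func NewClient(srv *AuthServer, id, secret, redirectURI string) *Client {
	return &Client{srv, id, secret, redirectURI, map[string]bool{}}
}

// BeginLogin builds the redirect to the authorization server with a fresh state.
func (c *Client) BeginLogin() string {
	state := randomToken()
	c.pending[state] = true
	v := url.Values{"response_type": {"code"}, "client_id": {c.id}, "redirect_uri": {c.redirectURI},
		"scope": {"profile"}, "state": {state}}
	return "https://auth.example/authorize?" + v.Encode()
}

// HandleCallback is the redirect_uri handler. A callback whose state this client did
// not issue is rejected before any code is exchanged (the CSRF defence).
func (c *Client) HandleCallback(redirect string) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	state := u.Query().Get("state")
	if !c.pending[state] {
		return "", errors.New("unknown state: this client did not start that login")
	}
	delete(c.pending, state)
	return c.srv.Token(c.id, c.secret, u.Query().Get("code"))
}

func main() {
	srv := NewAuthServer("website", "s3cret", "https://website.example/cb")
	c := NewClient(srv, "website", "s3cret", "https://website.example/cb")
	u, _ := url.Parse(c.BeginLogin())
	redirect, _ := srv.Authorize(u.Query()) // the user authenticates and consents here
	tok, _ := c.HandleCallback(redirect)
	fmt.Println("scope granted to token:", srv.Tokens[tok])
	_, err := c.HandleCallback(redirect) // replayed callback: state and code are both spent
	fmt.Println("replay:", err)
}
```

A real deployment adds expiry to codes and tokens and, for public clients that cannot keep a secret, PKCE; those are omitted here to keep the exchange itself visible.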

52
Q

Online Certificate Status Protocol (OCSP)

A

A real-time facility for verifying the validity of a digital certificate and confirming that it has not been revoked by the issuing certificate authority. The client sends the certificate's serial number to the CA's OCSP responder, which returns a signed response of good, revoked, or unknown; this replaces downloading and searching a full certificate revocation list (CRL).

53
Q

Parol Evidence Rule

A

States that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement.

54
Q

Privileged Access Management (PAM)

A

A class of tools used to control administrative and privileged accounts: vaulting and rotating their credentials, granting elevated rights only when needed and for a limited time (just-in-time access), brokering and recording privileged sessions, and producing an audit trail of who used which privilege and when.

55
Q

Real Evidence

A

Consists of things that may actually be brought into a court of law; also known as object evidence.

56
Q

Segmentation

A

The act of subdividing a network into numerous smaller units. These smaller units, groupings, segments, or subnetworks (subnets) can be used to improve various aspects of the network. Segmentation can boost performance, reduce congestion, compartmentalize communication problems (such as broadcast storms), and provide security improvements through traffic isolation. Segments can be created by using switch-based VLANs, routers, or firewalls (as well as combinations of all of these).

57
Q

SWOT Analysis

A

A technique commonly used by organizations to assess their current state and develop their forward-looking strategy based on identification and analysis of strengths, weaknesses, opportunities, and threats.

58
Q

Trusted Platform Module (TPM)

A

A specification for a cryptoprocessor as well as the chip on a mainboard that implements it. A TPM chip stores and processes cryptographic keys for hardware-supported or hardware-implemented disk encryption, and it can seal those keys so they are released only when the measured boot state matches the expected values; the same boot measurements can be reported to a remote verifier for attestation.

59
Q

Unified Threat Management (UTM)

A

A security device that combines the traditional functions of a firewall, such as packet filtering and stateful inspection, with deep packet inspection to identify and block malicious traffic, malware filtering using definition files and/or allow lists and block lists, and intrusion detection and/or intrusion prevention capabilities. The term is often used interchangeably with next-generation firewall, although NGFW is usually applied to enterprise-class devices with application-layer awareness and UTM to all-in-one appliances aimed at smaller organizations.

60
Q

Virtual Machine Escape

A

The process of breaking out of the constraints of a virtual machine environment to attack or compromise the host system or software.

61
Q

Zero-Trust

A

A network where users and systems are not trusted regardless of whether they are an internal or an external person or system, and where each action must be authenticated, authorized, and observed.

62
Q

business purpose of the IT Security Program Charter

A

The business purpose of the IT Security Program Charter is to define the goals, objectives, and scope of the organization’s IT security program. It is also a document that can be used to communicate the importance of IT security to the organization’s employees and stakeholders.

63
Q

What are the implementation tiers of the NIST Cybersecurity Framework?

A

The NIST Cybersecurity Framework (CSF) implementation tiers describe how rigorously an organization manages cybersecurity risk and how well that process is integrated with the rest of the business. The tiers range from Partial (Tier 1) to Adaptive (Tier 4). NIST is explicit that the tiers are not maturity levels in the CMMI sense: an organization selects a target tier based on its risk appetite, requirements, and resources, and a higher tier is not automatically the right goal.

Tier 1: Partial
Risk management practices are not formalized; risk is managed in an ad hoc and often reactive way. Awareness of cyber risk is limited at the organizational level, and the organization has little involvement with its supply chain or the wider community.

Tier 2: Risk Informed
Risk management practices are approved by management but may not be established as organization-wide policy. The organization is aware of its cyber risk and has prioritized some activities, but the approach is not yet consistent across the enterprise.

Tier 3: Repeatable
Risk management practices are formally approved and expressed as policy, applied organization-wide, and updated regularly as business requirements and the threat landscape change.

Tier 4: Adaptive
The organization adapts its practices based on lessons learned and predictive indicators, continuously improves, and actively shares information with partners; cybersecurity risk is part of enterprise risk management and budgeting decisions.

Organizations can use the implementation tiers to describe their current profile, select a target profile, and plan the steps between them. The tiers are also a convenient way to communicate the organization's posture to stakeholders.

Here are some examples of activities that move an organization from one tier to the next:

Tier 1:
Develop and implement a cybersecurity policy and supporting procedures.
Implement basic cybersecurity practices, such as password management and multi-factor authentication.
Conduct security awareness training for employees.

Tier 2:
Conduct a risk assessment to identify the organization's cybersecurity risks.
Implement risk mitigation measures to address the organization's cybersecurity risks.
Develop a business continuity plan and disaster recovery plan.

Tier 3:
Document the organization's cybersecurity processes and procedures as approved, organization-wide policy.
Implement a process for continuous monitoring and regular review of the cybersecurity program.

Tier 4:
Integrate cybersecurity into the organization's overall enterprise risk management framework.
Use lessons learned and threat intelligence to adjust controls in response to changing threats and risks.

64
Q

What considerations are used to determine an appropriate vulnerability scanning frequency?

A

Risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations

The following considerations should be used to determine an appropriate vulnerability scanning frequency:

Organizational risk tolerance: Organizations with a higher risk tolerance may be able to scan less frequently, while organizations with a lower risk tolerance may need to scan more frequently.
Industry: Some industries are more heavily regulated than others, and may require more frequent vulnerability scanning.
Asset sensitivity: Organizations with more sensitive assets, such as customer data or intellectual property, may need to scan more frequently.
Threat landscape: Organizations that operate in industries that are more heavily targeted by cyberattacks may need to scan more frequently.
Budget: Vulnerability scanning can be expensive, so organizations need to consider their budget when determining how often to scan.
In addition to these considerations, organizations should also consider the following factors when determining vulnerability scanning frequency:

The types of systems and applications being scanned: Internet-facing systems and those handling regulated data generally need to be scanned more frequently than isolated internal systems.
The frequency of changes to systems and applications: Systems and applications that are frequently changed should be rescanned after each significant change, since a change can introduce new vulnerabilities or silently undo a fix.
The availability of systems and applications: Systems that are critical to the organization's business operations should be scanned during maintenance windows or with non-disruptive scan settings rather than scanned less often; intrusive checks that can crash a fragile service should be validated in a test environment first.
Organizations should also consider using a risk-based approach to vulnerability scanning. This means that the organization should prioritize scanning based on the risk of each system or application. For example, systems and applications that contain sensitive data or that are critical to the organization’s business operations should be scanned more frequently.

Overall, the best way to determine an appropriate vulnerability scanning frequency is to consider the organization’s specific needs and risks.

Here are some additional tips for determining an appropriate vulnerability scanning frequency:

Start by scanning all systems and applications at least once a quarter.
Increase the frequency of scans for systems and applications that are more sensitive or more likely to be targeted by cyberattacks.
Scan systems and applications more frequently after any changes are made.
Use a risk-based approach to prioritize scans.
By following these tips, organizations can determine an appropriate vulnerability scanning frequency that helps them to protect their systems and applications from cyberattacks.

65
Q

What are the levels of the CMMI model?

A

The Capability Maturity Model Integration (CMMI) model is a framework for assessing and improving the maturity of an organization’s processes. The CMMI model can be used to assess and improve the maturity of processes in any industry, but it is most commonly used in the software development industry.

The CMMI model has five maturity levels:
Level 1: Initial: At this level, processes are ad hoc, chaotic, and reactive; success depends on individual effort and is hard to repeat.
Level 2: Managed: At this level, processes are planned, performed, measured, and controlled at the project level, but practices may still differ from one project to the next.
Level 3: Defined: At this level, standard processes are well-characterized and documented at the organizational level and tailored for each project.
Level 4: Quantitatively Managed: At this level, processes are measured and controlled using quantitative methods, with performance predicted statistically.
Level 5: Optimizing: At this level, processes are continuously improved based on quantitative understanding and organizational objectives.

Organizations can use the CMMI model to assess their current maturity level and to develop a plan for improving their processes. The CMMI model can also be used to communicate the organization’s process maturity to stakeholders.

Here are some of the benefits of using the CMMI model:

It can help organizations to improve the quality and efficiency of their processes.
It can help organizations to reduce the cost of developing and maintaining their products and services.
It can help organizations to improve their customer satisfaction.
It can help organizations to attract and retain top talent.
It can help organizations to comply with industry regulations.
Overall, the CMMI model is a valuable tool for organizations that are committed to improving their processes and their performance.

66
Q

If an organization is unable to meet a regulatory requirement, what type of control may it implement in place of that requirement?

A

If an organization is unable to meet a regulatory requirement as written, it may implement a compensating control in its place. A compensating control is an alternative control that reduces the risk the original requirement was meant to address to an acceptable level. To be accepted by an auditor or regulator it generally must meet the intent and rigor of the original requirement, provide a similar level of defense, and go beyond controls the organization is already required to have; it should be documented together with the reason the original control cannot be met, and reviewed periodically.

For example, if a regulation requires that all employees complete cybersecurity awareness training but the organization cannot deliver the training to every employee on time, it could implement a compensating control such as requiring those employees to read and sign an acknowledgment of the organization's cybersecurity policy, with the formal training scheduled and tracked to completion. An acknowledgment alone is weaker than training, so the gap and the remediation date should be recorded.

Another example is a requirement that all sensitive data be encrypted. If a legacy system cannot encrypt the data it stores, the organization could implement compensating controls such as restricting access to that system to a small set of authorized personnel, isolating it on a separate network segment, and logging and reviewing every access to the data.

When implementing a compensating control, it is important to ensure that the control is actually effective in reducing the risk to an acceptable level. The organization should also document the compensating control and its rationale for implementing it.

Here are some tips for implementing compensating controls:

Identify the regulatory requirement that the organization is unable to meet.
Assess the risk associated with not meeting the regulatory requirement.
Identify a compensating control that will reduce the risk to an acceptable level.
Implement the compensating control.
Document the compensating control and its rationale for implementing it.
Monitor the effectiveness of the compensating control.
It is important to note that compensating controls should not be used as a substitute for good security practices. Organizations should always strive to meet all regulatory requirements. However, in some cases, compensating controls may be necessary to reduce the risk to an acceptable level.

67
Q

An exit interview ??

A

An exit interview is a meeting between an employee who is leaving a company and a representative of the company, such as the employee's manager or a human resources (HR) representative. Its purpose is to gather feedback from the employee about their experience working at the company and to identify areas where the company can improve. For the information security program it is also a control point in offboarding: the departing employee is reminded of continuing obligations such as non-disclosure agreements, company assets (laptops, badges, tokens, keys) are collected, and the interview is tied to the prompt disabling of the employee's accounts and access.

Exit interviews can be conducted in a variety of ways, including face-to-face, over the phone, or via email. The interviewer will typically ask the employee a series of questions about their experience working at the company, such as:

What did you like and dislike about your job?
What did you learn while working at the company?
What are your reasons for leaving?
What suggestions do you have for improving the company?
The employee’s feedback from the exit interview can be used to improve the company’s culture, hiring practices, employee training and development programs, and overall workplace experience.

Here are some of the benefits of conducting exit interviews:
Gather feedback from employees about their experience working at the company.
Identify areas where the company can improve.
Improve the company’s culture, hiring practices, employee training and development programs, and overall workplace experience.
Reduce employee turnover.
Maintain a positive relationship with departing employees.
Exit interviews are an important part of any company’s offboarding process. By conducting exit interviews, companies can gain valuable feedback from departing employees and use that feedback to improve the workplace for all employees.

68
Q

SMART goal?

A

A SMART goal is a specific, measurable, achievable, relevant, and time-bound goal. SMART goals are designed to be helpful and effective in achieving your goals.

Specific: Your goal should be specific and well-defined. What exactly do you want to achieve?
Measurable: Your goal should be measurable so that you can track your progress and see how close you are to achieving it.
Achievable: Your goal should be achievable, but still challenging. You should be able to realistically achieve your goal with the resources and time that you have available.
Relevant: Your goal should be relevant to your overall goals and objectives.
Time-bound: Your goal should have a specific deadline or timeframe. When do you want to achieve your goal by?
Here are some examples of SMART goals:

Lose 10 pounds in 3 months.
Increase website traffic by 20% in 6 months.
Launch a new product within a year.
Get promoted to manager within 2 years.
Save $10,000 in 5 years.

69
Q

What are the two major detection mechanisms used by data loss prevention systems?

A

Pattern matching and watermarking
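
An added example (not from the original page) of the pattern-matching mechanism, combined with the data masking described in the Data Masking card earlier on this page. The regular expression, the Luhn check, and the sample message are constructed for this example; the two card numbers in the message are widely published test numbers, and the 16-digit ticket number is deliberately Luhn-invalid to show how the check removes a false positive that the pattern alone would flag.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cardPattern is a deliberately loose first filter: 13 to 19 digits with optional
// single spaces or hyphens between them. Pattern matching alone produces false
// positives (order numbers, ticket IDs), so each candidate is confirmed with the
// Luhn check digit before it counts as a finding.
var cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid implements the Luhn checksum used by payment card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

func onlyDigits(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// Mask is the data-masking step: keep the last four digits and replace the rest
// with a placeholder character, so the value is recognisable but not usable.
func Mask(digits string) string {
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Finding is one confirmed DLP hit.
type Finding struct{ Raw, Masked string }

// Scan returns the confirmed card numbers in text and a copy of the text with each
// one masked, which is what a DLP system does before letting a message leave.
func Scan(text string) ([]Finding, string) {
	var findings []Finding
	redacted := cardPattern.ReplaceAllStringFunc(text, func(m string) string {
		digits := onlyDigits(m)
		if !luhnValid(digits) {
			return m // pattern hit but not a card number: leave it alone
		}
		masked := Mask(digits)
		findings = append(findings, Finding{Raw: digits, Masked: masked})
		return masked
	})
	return findings, redacted
}

// SampleMessage is a constructed outbound e-mail body: two test card numbers and
// one 16-digit ticket number that is not a card.
const SampleMessage = "Card 4111 1111 1111 1111 exp 12/26; ticket 1234567890123456; refund to 4012-8888-8888-1881"

func main() {
	findings, redacted := Scan(SampleMessage)
	for _, f := range findings {
		fmt.Printf("blocked: %s -> %s\n", f.Raw, f.Masked)
	}
	fmt.Println(redacted)
}
```

Watermarking, the other mechanism, is not shown: it relies on a hidden marker embedded in the document rather than on the document's content, so it catches copies of tagged files even after the sensitive text has been reworded.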

70
Q

What are the major elements of an information security business case?

A

Scope statement
Strategic context
Cost analysis
Evaluation of alternatives
Project plan
Management plan

71
Q

What is extended recoverability?

A

Extended recoverability effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed.

Extended recoverability efforts are those that go beyond the normal range of recovery activities to restore systems and data to a usable state. They may be required after a major disaster, a destructive cyberattack, or another significant disruption, and they are typically complex and time-consuming, involving specialized personnel and resources. The specific steps vary with the event, but commonly include:

Assessing the damage: Determine what the event affected and identify the systems and data that need to be recovered.
Developing a recovery plan: Outline the steps required to recover the systems and data, and the resources (people, hardware, vendors) that will be needed.
Recovering the systems and data: Execute the plan, which may involve rebuilding systems from scratch, restoring data from backups, or other methods.
Testing the recovered systems and data: Verify that recovered systems work correctly and that restored data is complete before relying on it.
Returning the systems and data to production: Once tested and verified, return them to service.

Here are some examples of extended recoverability efforts:

Rebuilding a data center that has been destroyed by a natural disaster.
Restoring data that has been encrypted by ransomware.
Recovering from a cyberattack that has compromised critical systems.
Dealing with the aftermath of a major supply chain disruption.
Extended recoverability efforts are often expensive and time-consuming, but having a plan in place for them lets an organization minimize the impact of such events and return to normal operations as quickly as possible.

72
Q

how do we perform a BIA with quantitative or qualitative assessments?

A

To perform a business impact analysis (BIA) with quantitative or qualitative assessments, you can follow these steps:

Identify the business processes that are critical to your organization.
Assess the impact of a disruption to each of these processes. This can be done using quantitative or qualitative methods.
Prioritize the business processes based on their criticality and impact.
Develop a plan to mitigate the risks to the most critical business processes.
Quantitative assessments involve using data to measure the impact of a disruption. For example, you could estimate the cost of lost revenue, productivity, or customer satisfaction.

Qualitative assessments involve using expert judgment to assess the impact of a disruption. For example, you could identify the intangible impacts of a disruption, such as damage to reputation or loss of competitive advantage.

Here are some examples of quantitative and qualitative assessments that you can use in a BIA:

Quantitative assessments:

Cost of lost revenue
Cost of lost productivity
Cost of customer churn
Cost of fines and penalties
Cost of downtime
Qualitative assessments:

Damage to reputation
Loss of competitive advantage
Impact on customer satisfaction
Impact on employee morale
Impact on regulatory compliance
You can use a combination of quantitative and qualitative assessments to get a more complete picture of the impact of a disruption to your business.

Once you have completed the BIA, you can use the results to develop a business continuity plan (BCP). The BCP should outline the steps that you will take to mitigate the risks to your most critical business processes and to recover from a disruption in the event that it does occur.

Here are some tips for performing a BIA with quantitative or qualitative assessments:

Involve key stakeholders from across the organization in the process.
Use a variety of data sources to inform your assessment.
Be realistic about the impact of disruptions.
Update your BIA regularly to reflect changes in your business and environment.
By following these tips, you can conduct a BIA that will help you to protect your business from disruptions.

73
Q

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation

A

When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.
The separation of duties principle is a security principle that states that no one person should have too much control over any one process or system. This principle is designed to reduce the risk of fraud, error, and abuse.

Here are some examples of the separation of duties principle:

In an accounting department:
The person who approves invoices should not be the same person who cuts checks.
The person who reconciles bank statements should not be the same person who deposits cash.
The person who maintains inventory records should not be the same person who has physical custody of the inventory.
In an IT department:
The person who develops and tests software should not be the same person who deploys it to production.
The person who has administrative access to systems should not be the same person who uses them for daily operations.
The person who manages user accounts should not be the same person who has access to sensitive data.
The separation of duties principle can be implemented in a variety of ways, depending on the size and complexity of the organization. In smaller organizations, it may be necessary for one person to perform multiple roles. However, it is important to minimize the overlap of duties whenever possible.

In larger organizations, the separation of duties principle can be implemented by creating a matrix of roles and responsibilities. This matrix should define the specific tasks that each role is authorized to perform.

Here are some tips for implementing the separation of duties principle:

Identify the key processes and systems in your organization.
Determine the roles and responsibilities that are required to support these processes and systems.
Assign roles and responsibilities to different people in a way that minimizes the overlap of duties.
Implement controls to prevent unauthorized access to systems and data.
Monitor the system regularly to ensure that the separation of duties principle is being followed.
By implementing the separation of duties principle, organizations can reduce the risk of fraud, error, and abuse.
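
An added example (not from the original page) of enforcing separation of duties in code for the accounts-payable scenario in the question. The role names, users and vendor are hypothetical. It applies the principle at two levels: a role matrix that refuses to give one person both vendor administration and payment approval, and a per-transaction check that the approver is neither the requester nor the person who created the payee vendor.

```go
package main

import (
	"errors"
	"fmt"
)

// Roles in the hypothetical accounts-payable workflow.
const (
	VendorAdmin     = "vendor_admin"     // may create payee vendors
	PaymentClerk    = "payment_clerk"    // may request a payment
	PaymentApprover = "payment_approver" // may approve and release a payment
)

// conflicts lists role pairs no single person may hold (toxic combinations in the role matrix).
var conflicts = [][2]string{{VendorAdmin, PaymentApprover}}

type payment struct {
	vendor                  string
	amount                  int
	requestedBy, approvedBy string
}

// Ledger enforces separation of duties statically (when roles are granted) and
// dynamically (when an individual payment is approved).
type Ledger struct {
	roles    map[string]map[string]bool
	vendors  map[string]string // vendor name -> user who created it
	payments []payment
}

func NewLedger() *Ledger {
	return &Ledger{roles: map[string]map[string]bool{}, vendors: map[string]string{}}
}

func (l *Ledger) has(user, role string) bool { return l.roles[user][role] }

// Grant refuses a role that, combined with the user's existing roles, would let
// them run the create-vendor-then-pay cycle alone.
func (l *Ledger) Grant(user, role string) error {
	for _, pair := range conflicts {
		for i := range pair {
			if pair[i] == role && l.has(user, pair[1-i]) {
				return fmt.Errorf("%s holds %s; adding %s violates separation of duties", user, pair[1-i], role)
			}
		}
	}
	if l.roles[user] == nil {
		l.roles[user] = map[string]bool{}
	}
	l.roles[user][role] = true
	return nil
}

func (l *Ledger) CreateVendor(user, name string) error {
	if !l.has(user, VendorAdmin) {
		return errors.New("not authorised to create vendors")
	}
	l.vendors[name] = user
	return nil
}

// RequestPayment records who asked and returns the payment id.
func (l *Ledger) RequestPayment(user, vendorName string, amount int) (int, error) {
	if !l.has(user, PaymentClerk) {
		return 0, errors.New("not authorised to request payments")
	}
	if _, ok := l.vendors[vendorName]; !ok {
		return 0, errors.New("unknown vendor")
	}
	l.payments = append(l.payments, payment{vendor: vendorName, amount: amount, requestedBy: user})
	return len(l.payments) - 1, nil
}

// ApprovePayment is the control the question asks for: a second person must approve,
// and that person may be neither the requester nor whoever created the payee vendor.
func (l *Ledger) ApprovePayment(user string, id int) error {
	if id < 0 || id >= len(l.payments) {
		return errors.New("no such payment")
	}
	p := &l.payments[id]
	switch {
	case !l.has(user, PaymentApprover):
		return errors.New("not authorised to approve payments")
	case user == p.requestedBy:
		return errors.New("requester cannot approve their own payment")
	case user == l.vendors[p.vendor]:
		return errors.New("approver created the payee vendor")
	case p.approvedBy != "":
		return errors.New("already approved")
	}
	p.approvedBy = user
	return nil
}

func main() {
	l := NewLedger() // eve is the rogue accountant, bob an independent approver (constructed)
	fmt.Println(l.Grant("eve", VendorAdmin), l.Grant("eve", PaymentClerk), l.Grant("bob", PaymentApprover))
	fmt.Println("toxic grant:", l.Grant("eve", PaymentApprover))
	fmt.Println("vendor:", l.CreateVendor("eve", "Shell Co"))
	id, _ := l.RequestPayment("eve", "Shell Co", 5000)
	fmt.Println("self-approval:", l.ApprovePayment("eve", id), "| second person:", l.ApprovePayment("bob", id))
}
```

The static check is what the role matrix in the text expresses; the dynamic check matters because two people who legitimately hold compatible roles can still collude or make a mistake on one transaction, so the ledger records who did what and refuses a self-approval even when the roles alone would allow it.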

74
Q

Harry is conducting a disaster recovery test. He moved a group of personnel to the alternate recovery site where they are mimicking the operations of the primary site but do not have operational responsibility. What type of disaster recovery test is he performing?
A. Checklist test
B. Structured walkthrough
C. Simulation test
D. Parallel test

A

D
The parallel test involves relocating personnel to the alternate recovery site and implementing site activation procedures while the primary site keeps operational responsibility. Checklist tests, structured walkthroughs, and simulations are all test types that do not involve actually activating the alternate site.
A disaster recovery test exercises the disaster recovery plan to confirm that it can be executed effectively when a disaster occurs. A parallel test is the most realistic test that can be run without disrupting production: the recovery site is brought up and processes a copy of production data alongside the primary site, which never hands over live operations. A test that does shift live operations to the recovery site is a full interruption test.

Here are some examples of parallel tests for disaster recovery:

Testing a failover site: the failover site is activated and its systems and applications are verified against a copy of production data, without redirecting live customer traffic; the results are compared with production to confirm the site could take over.
Testing a data backup and restore process: production backups are restored to the recovery environment to confirm that the data can be restored completely and within the recovery time objective.
Testing the recovery procedures: the recovery teams follow the documented runbooks step by step at the recovery site, exposing missing dependencies, stale contact lists, and undocumented configuration before a real event does.
Parallel tests are an important part of disaster recovery planning. By conducting them, organizations can identify and address gaps in their disaster recovery plans before a real disaster occurs.

Here are some of the benefits of conducting parallel tests for disaster recovery:

Parallel tests allow organizations to test their disaster recovery plans without disrupting production systems.
Parallel tests can help organizations to identify and address any gaps in their disaster recovery plans.
Parallel tests can help organizations to improve the effectiveness of their disaster recovery plans.
Parallel tests are a valuable tool for organizations of all sizes. By conducting parallel tests, organizations can increase their confidence in their ability to recover from a disaster.

75
Q

Cindy wants to send threat information via a standardized protocol specifically designed to exchange cyberthreat information. What should she choose?
A. STIX 1.0
B. OpenIOC
C. STIX 2.0
D. TAXII

A

D
TAXII, the Trusted Automated Exchange of Intelligence Information protocol, is specifically designed to communicate cyberthreat information at the application layer. OpenIOC is a compromise indicator framework, and STIX is a threat description language.

TAXII (Trusted Automated eXchange of Indicator Information) is a standard protocol for the secure and automated exchange of cyber threat intelligence (CTI) information. It is developed and maintained by the OASIS Open Standards Consortium.

TAXII is used by cybersecurity organizations to share CTI information with each other and with other stakeholders, such as government agencies and industry associations. TAXII can be used to share a wide variety of CTI information, including:

Indicators of compromise (IoCs)
Tactics, techniques, and procedures (TTPs)
Malware samples
Threat actor profiles
TAXII provides a number of benefits to cybersecurity organizations, including:

Improved visibility: TAXII allows organizations to share CTI information with each other, which can help them to improve their visibility into the threat landscape.
Increased collaboration: TAXII can help organizations to collaborate more effectively in the fight against cybercrime.
Reduced risk: TAXII can help organizations to reduce their risk of being attacked by cybercriminals by providing them with access to the latest CTI information.
TAXII is a valuable tool for cybersecurity organizations of all sizes. By using TAXII, organizations can improve their visibility into the threat landscape, increase collaboration, and reduce their risk of being attacked.

Here are some specific examples of how TAXII can be used by cybersecurity organizations:

An organization can use TAXII to share IoCs with other organizations. This can help to prevent other organizations from being attacked by the same malware or threat actors.
An organization can use TAXII to subscribe to CTI feeds from other organizations or from commercial vendors. This can help the organization to stay up-to-date on the latest threats.
An organization can use TAXII to share TTPs with other organizations. This can help organizations to develop more effective defenses against cyberattacks.
An organization can use TAXII to share malware samples with other organizations. This can help organizations to better understand how malware works and to develop more effective detection and remediation solutions.
TAXII is a powerful tool that can help cybersecurity organizations to improve their security posture. By using TAXII, organizations can share CTI information with each other and with other stakeholders, which can help them to improve their visibility into the threat landscape, increase collaboration, and reduce their risk of being attacked.

76
Q

What is the difference between OpenIOC and STIX?

A

Open IOC (Open Indicators of Compromise) and STIX (Structured Threat Information Expression) are both standards for representing cyber threat intelligence (CTI) information. However, there are some key differences between the two standards.

Open IOC is a simpler standard that is easier to use and implement. It is primarily used to represent indicators of compromise (IoCs), such as IP addresses, file hashes, and URLs.

STIX is a more complex standard that can be used to represent a wider variety of CTI information, including IoCs, tactics, techniques, and procedures (TTPs), malware samples, and threat actor profiles. STIX is also more flexible than Open IOC and can be used to represent more complex relationships between different CTI objects.

Here is a table that summarizes the key differences between Open IOC and STIX:

Feature                                     Open IOC                     STIX
Complexity                                  Simple                       Complex
Ease of use                                 Easy to use and implement    More difficult to use and implement
Primary use case                            Representing IoCs            Representing a wider variety of CTI information
Flexibility                                 Less flexible                More flexible
Ability to represent complex relationships  Limited                      Good
Which standard is better for you depends on your specific needs. If you need a simple and easy-to-use standard for representing IoCs, then Open IOC is a good choice. If you need a more flexible standard that can be used to represent a wider variety of CTI information, then STIX is a better choice.

Here are some examples of when you might use Open IOC or STIX:

You might use Open IOC to share IoCs with other organizations or to subscribe to CTI feeds from other organizations.
You might use STIX to represent the results of a threat intelligence investigation or to share CTI information with other organizations in a more structured way.
You might use STIX to integrate CTI information with your security tools and platforms.
Both Open IOC and STIX are valuable tools for cybersecurity organizations. By using these standards, organizations can improve their visibility into the threat landscape, increase collaboration, and reduce their risk of being attacked.

77
Q

Brian is conducting a maturity assessment of his organization’s cybersecurity team using Capability Maturity Model Integration (CMMI). He notes that the team does use defined processes but that they develop them in a reactive manner for each project they undertake. What level of maturity would best describe this team?
A. Defined
B. Repeatable
C. Initial
D. Quantitatively managed
E. Managed

A

This is an example of a Managed organization: one that begins to implement organized processes on a per-project basis but is still operating in reactive mode. At the Initial level, the organization has unpredictable processes that are poorly controlled. When an organization achieves Level 3: Defined, it has standard processes that are used organization-wide and are adapted for use within each project. Level 4: Quantitatively Managed organizations build measurement and controls on top of their processes to allow them to quickly identify and remediate deficiencies and address control gaps before issues arise. At the top tier of the CMMI, Level 5: Optimizing organizations use a continuous process improvement approach to adjust and fine-tune the way that they work to achieve peak efficiency and effectiveness.

Based on the information given, Brian’s cybersecurity team would most likely be classified as CMMI Maturity Level 2: Managed.

At CMMI Maturity Level 2, organizations have defined processes in place for managing their projects and products. However, these processes may not be fully optimized or integrated across the organization. Additionally, organizations at this level may still be reactive in their approach to process improvement, waiting until problems arise before making changes.

The fact that Brian’s team uses defined processes, even if they are developed reactively, suggests that they have made some progress towards improving their maturity. However, there is still room for growth. For example, the team could benefit from developing a more proactive approach to process improvement, where they regularly identify and address areas where their processes can be improved.

Here are some specific recommendations that Brian could make to his team to help them improve their maturity:

Develop a process for identifying and prioritizing process improvement opportunities.
Implement a regular process for reviewing and updating processes.
Establish a culture of continuous improvement, where everyone is encouraged to identify and suggest ways to improve the team’s processes.
Integrate process improvement into the team’s project management and development processes.
By following these recommendations, Brian’s team can move towards CMMI Maturity Level 3: Defined, where they will have well-defined and integrated processes that are regularly reviewed and updated.

78
Q

Which one of the following parties is not commonly the target of periodic external communications during an incident involving the theft of sensitive product development plans?
A. The perpetrator
B. Law enforcement
C. Vendors
D. Information sharing partners

A

A
This Answer is Correct
CSIRT members do not normally communicate directly with the perpetrator of a cybersecurity incident. Although team members may have contact with the perpetrator in the case of ransomware attacks, this would not normally be the case during an incident involving the theft of information. It is far more likely that the CSIRT would be in routine contact with vendors, law enforcement, and information sharing partners as the incident unfolds.

79
Q
A

A formal change management program is a structured approach to managing change within an organization. It provides a framework for identifying, assessing, planning, implementing, and monitoring changes. The goal of a formal change management program is to help organizations implement change successfully and minimize disruption to business operations.

A formal change management program typically includes the following steps:

Identify and assess the change: The first step is to identify the change that needs to be made and assess its impact on the organization. This includes identifying the potential benefits and risks of the change, as well as the resources that will be required to implement it.
Develop a change plan: Once the change has been identified and assessed, a change plan should be developed. The change plan should outline the steps that will be taken to implement the change, as well as the resources that will be required.
Communicate the change: The next step is to communicate the change to all stakeholders. This includes communicating the purpose of the change, the benefits of the change, and the timeline for the change.
Implement the change: Once the change has been communicated, it can be implemented. This may involve making changes to processes, systems, or infrastructure.
Monitor and sustain the change: Once the change has been implemented, it is important to monitor and sustain the change. This includes monitoring the performance of the change and making adjustments as needed.
Formal change management programs can be used to manage all types of changes, from small changes to large and complex changes. They can also be used to manage changes at all levels of an organization, from individual changes to organizational changes.

80
Q

Explain the different types of backups?

A

There are three main types of backups:

Full backup: A full backup is a copy of all of your data. Full backups are the most comprehensive type of backup, but they can also be the most time-consuming to perform and to store.
Differential backup: A differential backup is a copy of all of the data that has changed since the last full backup. Differential backups are less time-consuming to perform and to store than full backups, but they require that you maintain a full backup in order to restore your data.
Incremental backup: An incremental backup is a copy of all of the data that has changed since the last backup, regardless of whether it is a full or differential backup. Incremental backups are the fastest type of backup to perform and to store, but they require that you maintain all of the previous backups in order to restore your data.
Here is an example of each type of backup:

Full backup:

You have a server that contains 100 GB of data. You decide to perform a full backup of the server. The backup takes 1 hour to complete and creates a 100 GB backup file.

Differential backup:

One day later, you perform a differential backup of the server. The backup takes 10 minutes to complete and creates a 10 GB backup file. This is because only 10 GB of data has changed since the last full backup.

Incremental backup:

Two days later, you perform an incremental backup of the server. The backup takes 5 minutes to complete and creates a 5 GB backup file. This is because only 5 GB of data has changed since the last backup.

You can use any of these backup types, or a combination of them, to protect your data. The best backup strategy for you will depend on your specific needs and requirements.

For example, if you have a large amount of data and you can afford to take the time to perform full backups, then you may want to use a full backup strategy. However, if you have a limited amount of time and resources, then you may want to use a differential or incremental backup strategy.

You should also consider how often you need to back up your data. If you have data that changes frequently, then you may need to back up your data more often. However, if you have data that does not change frequently, then you may not need to back up your data as often.

It is important to have a backup strategy in place to protect your data from loss or corruption. By choosing the right backup strategy for you and by backing up your data regularly, you can minimize the risk of data loss.

81
Q

segmentation, isolation, and removal

A

In the context of a network malware attack, segmentation, isolation, and removal refer to the process of identifying and isolating infected systems and networks to prevent the spread of the malware, and then removing the malware from the infected systems.

Segmentation is the process of dividing a network into smaller segments, each of which is isolated from the others. This can be done using firewalls, VLANs, or other isolation techniques. Segmentation helps to prevent the spread of malware by limiting its ability to move from one segment to another.

Isolation is the process of identifying and isolating infected systems from the rest of the network. This can be done using a variety of methods, such as network monitoring, endpoint security tools, and manual investigation. Once an infected system has been identified, it should be isolated from the network to prevent the malware from spreading.

Removal is the process of removing the malware from infected systems. This can be done using a variety of methods, such as antivirus software, malware removal tools, and manual removal. Once the malware has been removed, the system should be tested to ensure that it is clean and that the malware has not returned.

Here is an example of how segmentation, isolation, and removal can be used to respond to a network malware attack:

A company is attacked by ransomware. The ransomware encrypts files on a number of servers on the company’s network.
The company’s incident response team uses network monitoring tools to identify the infected servers.
The incident response team isolates the infected servers from the rest of the network by changing firewall rules.
The incident response team uses antivirus software to remove the ransomware from the infected servers.
The incident response team tests the infected servers to ensure that they are clean and that the ransomware has not returned.
Segmentation, isolation, and removal are essential components of any incident response plan. By following these steps, organizations can minimize the damage caused by malware attacks and protect their data and networks.

Additional tips for segmentation, isolation, and removal:

Segment your network: Segment your network into smaller segments, each of which is isolated from the others. This will help to prevent the spread of malware if one segment is infected.
Use network monitoring tools: Use network monitoring tools to identify infected systems and networks. This will help you to isolate infected systems and prevent the malware from spreading.
Have a malware removal plan in place: Have a plan in place for removing malware from infected systems. This plan should include a variety of methods, such as antivirus software, malware removal tools, and manual removal.
Test your systems regularly: Test your systems regularly to ensure that they are clean and that the malware has not returned.

82
Q

Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra’s goal?
A. Isolation
B. None of these
C. Segmentation
D. Removal

A

This Answer is Correct
Even removing a system from the network doesn’t guarantee that the attack will not continue. In the example given in Chapter 8, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.

83
Q

What type of application testing analyzes code while a tester manipulates inputs to the application?
A. Static testing
B. Dynamic testing
C. Interactive testing
D. Footprinting

A

C
Interactive testing combines static and dynamic analysis, performing static code analysis while the tester interacts with application inputs. Static analysis analyzes code but does not manipulate inputs. Dynamic analysis manipulates inputs without performing code analysis. Footprinting is a network reconnaissance technique and not an application testing technique.

84
Q

Carrie received a message from Tina that was digitally signed. What key should she use to verify the digital signature?
A. Carrie’s public key
B. Tina’s private key
C. Tina’s public key
D. Carrie’s private key

A

When an individual digitally signs a message, they do so using their own private key. When the recipient verifies the digital signature, they do so using the signer’s public key. Therefore, Carrie should use Tina’s public key to verify the signature.

85
Q

Harold conducts a review of his organization’s disaster recovery plan and realizes that the maximum tolerable outage for a service may be shorter than the time the organization needs to recover the service. What should he do next?
A. Notify the organization’s board of directors.
B. Conduct a business impact assessment.
C. Develop a plan to meet the MTO.
D. Change the MTO.

A

B
Harold should first conduct a business impact assessment to determine whether the MTO and recovery time values are accurate and what the impact on the business would be. Harold should not change the MTO without input from stakeholders and a business impact assessment. He may wind up developing a plan to meet the MTO, but he should only do so after conducting a business impact assessment. Harold should not immediately jump to notifying executives but rather develop a plan to determine whether the MTO is appropriate and/or whether modifications to the disaster recovery plan can bring the plan into acceptable parameters.

86
Q

Kim is designing a security awareness training program for her organization. What should be the primary goal of her efforts?
A. To improve communications between the security team and other users
B. To encourage the adoption of security technologies
C. To reduce the likelihood of a security incident
D. To increase awareness of security policy

A

The primary goal of the awareness program should be to reduce the likelihood and/or impact of a security incident. The awareness program may include efforts to increase awareness of security policy, improve communications, and increase adoption of security technologies, but the primary goal of the program should be to reduce the likelihood and impact of a security incident.

87
Q

Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
A. Attacks on other organizations
B. Time of the attack
C. Identity of the attacker
D. Root cause of the attack

A

D
Understanding the root cause of an attack is critical to the incident recovery effort. Analysts should examine all available information to help reconstruct the attacker’s actions. This information is crucial to remediating security controls and preventing future similar attacks.

Understanding the root cause of an attack is critical to the incident recovery effort because it allows organizations to:

Identify the vulnerabilities that were exploited. This information can be used to remediate the vulnerabilities and prevent future attacks.
Determine the scope of the attack. This information can be used to assess the damage and to develop a plan for recovery.
Implement effective containment and eradication measures. Understanding the root cause of the attack can help organizations to identify the best way to stop the attack and remove the malware from their systems.
Prevent future attacks. By understanding the root cause of the attack, organizations can develop strategies to mitigate the risk of similar attacks in the future.
In addition, understanding the root cause of an attack can help organizations to:

Improve their security posture. By identifying and remediating the vulnerabilities that were exploited, organizations can make it more difficult for attackers to succeed in the future.
Learn from their mistakes. By understanding what went wrong, organizations can make changes to their security practices to prevent similar attacks from happening in the future.
Communicate with stakeholders. By understanding the root cause of the attack, organizations can provide accurate information to their stakeholders about what happened and what steps are being taken to prevent similar attacks from happening in the future.
Overall, understanding the root cause of an attack is essential for organizations to recover from an incident and to prevent future attacks.

Here are some examples of how understanding the root cause of an attack can help organizations to improve their security posture and prevent future attacks:

If an organization is attacked by ransomware and the attackers are able to encrypt the organization’s data, the organization can use the information about the root cause of the attack to identify the vulnerabilities that were exploited and to remediate those vulnerabilities. This will make it more difficult for attackers to successfully encrypt the organization’s data in the future.
If an organization is attacked by a phishing attack and the attackers are able to steal the organization’s employees’ login credentials, the organization can use the information about the root cause of the attack to educate its employees about phishing attacks and to implement security measures, such as multi-factor authentication, to make it more difficult for attackers to steal employees’ login credentials in the future.
By understanding the root cause of attacks, organizations can make their systems more secure and reduce the risk of future attacks.

88
Q

Renee recently imaged a drive for use during a criminal investigation. She is working with law enforcement officers to conduct an analysis of the drive. If Renee is called to testify in court, what will be one of the primary things she must prove?

A

The chain of custody requires that Renee be able to clearly document every change in control of the evidence from the time it is collected until it is presented at trial. Evidence may be thrown out if there is any question about the chain of custody. There is no requirement to use identical hardware for drive images, and in many cases, the image is simply a large file stored on a forensic server. There are no formal educational requirements for performing forensic operations, although the opposing attorney may question Renee’s experience. While many forensic investigators do use write-blockers as a safety mechanism while collecting evidence, their use is not a requirement and is not as important as preserving the chain of custody.

If Renee is called to testify in court, one of the primary things she must prove is that the drive image she created is an accurate and authentic copy of the original drive. This is important because the drive image will be used as evidence in the criminal investigation, and the defense may challenge the authenticity of the image if they believe it has been tampered with.

To prove the authenticity of the drive image, Renee can:

Document the entire drive imaging process, including the date and time the image was created, the tools and methods used, and the steps taken to ensure the integrity of the image.
Use a write-blocker to prevent the drive from being modified during the imaging process.
Generate a hash of the drive image and compare it to the hash of the original drive to verify that the image is accurate.
Create a chain of custody for the drive image to document its handling and storage.
In addition to proving the authenticity of the drive image, Renee may also be asked to testify about the contents of the drive image and the analysis she performed. She should be prepared to answer questions about the specific tools and methods she used, as well as the conclusions she reached.

Here are some additional tips for Renee:

Be prepared to explain the drive imaging process in detail, including the tools and methods used, and the steps taken to ensure the integrity of the image.
Be prepared to answer questions about the specific evidence found on the drive image, and the analysis performed.
Be prepared to be cross-examined by the defense.
By being prepared and professional, Renee can help to ensure that the drive image she created is admitted as evidence in court and that her testimony is credible.

89
Q

Ryan is selecting a new security control to meet his organization’s objectives. He would like to use it in their multicloud environment and would like to minimize the administrative work required from his fellow technologists. What approach would best meet his needs?
A. Internally developed control
B. Cloud-native control
C. Third-party control
D. Any of the above

A

B. Cloud-native control
Controls offered by cloud service providers have the advantage of direct integration with the provider’s offerings, often making them cost-effective and user-friendly. Third-party solutions are often more costly, but they bring the advantage of integrating with a variety of cloud providers, facilitating the management of multicloud environments.

To select a new security control to meet his organization’s objectives in a multicloud environment and minimize the administrative work required from his fellow technologists, Ryan should consider the following approaches:

Cloud-native security solutions: Cloud-native security solutions are designed to work specifically with cloud platforms, which can make them easier to deploy and manage. They can also provide a more integrated security approach, as they can be used to protect both the cloud platform itself and the applications and data running on it.
Managed security services: Managed security services (MSS) providers offer a range of security services, including security monitoring, threat detection, and incident response. This can help to reduce the administrative burden on Ryan’s team, as they will not need to manage these tasks themselves.
Security automation: Security automation tools can be used to automate a variety of security tasks, such as patching systems, configuring security settings, and responding to security incidents. This can help to free up Ryan’s team to focus on other tasks.
In addition to these approaches, Ryan should also consider the following factors when selecting a new security control:

Cost: Security controls can vary in cost, so Ryan should choose a solution that fits within his organization’s budget.
Ease of use: Ryan should choose a solution that is easy to deploy and manage, especially if he has a limited team.
Scalability: Ryan should choose a solution that can scale with his organization’s needs.
Integration: Ryan should choose a solution that can integrate with his existing security infrastructure.
Once Ryan has considered all of these factors, he can start to evaluate specific security controls. There are a number of cloud-native security solutions, MSS providers, and security automation tools available on the market. Ryan should compare the features and benefits of different solutions to find the one that best meets his needs.

Here are some specific examples of security controls that Ryan may want to consider:

Cloud security posture management (CSPM) tools: CSPM tools can be used to assess and monitor the security posture of cloud environments. They can help to identify security risks and misconfigurations, and they can also provide recommendations for remediation.
Cloud workload protection platforms (CWPPs): CWPPs provide a range of security features for cloud workloads, including vulnerability scanning, malware detection, and intrusion prevention.
Managed security information and event management (SIEM) services: Managed SIEM services provide real-time monitoring and analysis of security logs and events. They can help to identify and respond to security threats quickly and effectively.
By taking the time to carefully select the right security control, Ryan can help to protect his organization’s multicloud environment while minimizing the administrative burden on his team.

90
Q

Which of the following is not an external factor that would normally prompt a review of the organization’s risk assessment?
A. Geopolitical changes
B. System configuration changes
C. Threat landscape changes
D. Regulatory changes

A

This Answer is Correct
All of these factors may prompt a risk reassessment to ensure that changes to existing, or new, risk scenarios are identified and managed appropriately. However, a system configuration change is an internal factor, not an external factor. Changes in the geopolitical climate, threat landscape, or the regulatory regime are external factors.
Here are some internal factors that could spark a change that would require a new risk assessment:

Changes to the organization’s infrastructure: This could include changes to the organization’s network, hardware, software, or data. For example, if the organization migrates to a new cloud platform, it would need to conduct a new risk assessment to identify and mitigate any new risks that may be introduced.
Changes to the organization’s business processes: This could include changes to the organization’s supply chain, customer base, or regulatory environment. For example, if the organization starts offering new products or services, it would need to conduct a new risk assessment to identify and mitigate any new risks that may be introduced.
Changes to the organization’s risk appetite: The organization’s risk appetite is its tolerance for risk. If the organization’s risk appetite changes, it would need to conduct a new risk assessment to ensure that its risk management strategy is aligned with its new risk appetite.
The occurrence of a security incident: A security incident is an event that has the potential to compromise the organization’s security. If a security incident occurs, the organization should conduct a new risk assessment to identify and mitigate any new risks that may have been introduced.
It is important to note that risk assessments should be conducted on a regular basis, even if there are no changes to the organization’s infrastructure, business processes, risk appetite, or security posture. This is because the threat landscape is constantly evolving, and new risks emerge all the time.

Here are some additional tips for conducting risk assessments:

Identify the organization’s assets. This could include the organization’s people, data, systems, and infrastructure.
Identify the threats to the organization’s assets. This could include internal threats, such as employee error or malicious intent, and external threats, such as cyberattacks or natural disasters.
Assess the likelihood and impact of each threat. This will help the organization to prioritize its risk management efforts.
Identify and implement risk mitigation measures. This could include technical controls, such as firewalls and intrusion detection systems, and administrative controls, such as security policies and procedures.
Monitor and review the risk assessment on a regular basis. This will help the organization to ensure that its risk management strategy is still effective.
By taking the time to conduct regular risk assessments, the organization can identify and mitigate risks, and protect its assets.

91
Q

Gwen is conducting a risk assessment of her organization’s privacy practices and would like to use an industry standard set of privacy controls. What standard would best assist her in this assessment?
A. NIST RMF
B. ISO 31000
C. NIST CSF
D. ISO 27701

A

ISO 27701 contains standard guidance for managing privacy controls and would, therefore, be a helpful resource for Gwen. ISO 31000 provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk. NIST publishes both a Cybersecurity Framework (CSF) and a Risk Management Framework (RMF). The RMF is a formal process for implementing security controls and authorizing system use, whereas the CSF provides a broad structure for cybersecurity controls. Neither addresses privacy specifically.

The ISO standard that is a privacy standard is ISO/IEC 27701:2019 Privacy Information Management System (PIMS). It is an extension of ISO/IEC 27001:2013 Information Security Management System (ISMS), and provides guidance on how to establish, implement, maintain and continually improve a PIMS.

ISO/IEC 27701 is designed to help organizations protect the privacy of personal information, and to comply with privacy regulations such as the General Data Protection Regulation (GDPR). It provides a framework for managing privacy risks, and for implementing privacy controls throughout the organization.

The standard includes a number of requirements for organizations, such as:

Establishing a privacy policy and privacy objectives.
Identifying and assessing privacy risks.
Implementing privacy controls to mitigate risks.
Monitoring and reviewing the PIMS on a regular basis.
ISO/IEC 27701 is a voluntary standard, but it is becoming increasingly popular among organizations that are committed to protecting the privacy of personal information. It is a valuable tool for organizations of all sizes, and in all industries.

Here are some of the benefits of implementing ISO/IEC 27701:

Improved protection of personal information
Reduced risk of privacy breaches
Increased compliance with privacy regulations
Boosted customer and stakeholder confidence
Competitive advantage
If you are interested in learning more about ISO/IEC 27701, you can visit the website of the International Organization for Standardization (ISO).

92
Q

Gary is designing a security program and wants to reduce the risk that employees will share sensitive information accidentally via social media. What would be the most effective control against this risk?
A. Content filtering
B. Data loss prevention
C. Education
D. Blocking social media at the firewall

A

Employee use of social media requires tact and discretion. Employees are likely to access social media despite any technical controls put in place, so the most effective way to protect against the loss of sensitive information is education and awareness. Firewalls may block access to social media in some cases, but employees will likely continue to access social media on their personal devices. Data loss prevention technology may identify some unintended exposure of sensitive information, but employees are likely to access social media from their personal mobile devices or from home, where this control would not apply.

Content filtering may block access to social media in some cases, but employees will likely continue to access social media on their personal devices.

The most effective control against the risk of employees accidentally sharing sensitive information on social media is employee education and awareness. By providing comprehensive training on social media best practices and the potential risks associated with sharing sensitive information, employees will be better equipped to recognize and prevent such incidents. This should include guidelines on what information is considered sensitive and should not be shared on public platforms.

Additionally, implementing strong access controls and monitoring within the organization’s internal systems can help prevent unauthorized sharing of sensitive information. This includes restricting access to sensitive data to only those who need it for their job roles.

Furthermore, Gary should consider implementing data loss prevention (DLP) tools that can monitor and block the sharing of sensitive information on social media platforms. These tools can help enforce policies and prevent accidental data exposure.

93
Q

Dave is preparing a document for users that helps them encrypt their hard drives to protect sensitive information and comply with corporate policy. It includes step-by-step instructions. What type of document is he creating?

A

Procedures contain step-by-step instructions for completing a security-related activity. Policies contain high-level statements of security objectives. They do not contain step-by-step guidance. Standards provide the detailed configuration parameters necessary to implement security policy. They do not normally contain implementation instructions.

Guidelines provide best practices for users to follow but they are not mandatory and do not normally include step-by-step instructions.

94
Q

Tim is using the NIST Cybersecurity Framework to perform a risk assessment of his organization’s current cybersecurity posture. As he reviews the state of affairs, he discovers that his organization has a risk management policy and formally approved practices but does not conduct lessons learned sessions. What tier best describes the organization’s status?
A. Tier 3: Repeatable
B. Tier 4: Adaptive
C. Tier 2: Risk Informed
D. Tier 1: Partial

A

The adoption of formal risk management policies is a hallmark of Tier 3: Repeatable under the NIST Cybersecurity Framework. Moving to the top tier, Tier 4: Adaptive, would require that the organization adapt its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Because the organization does not yet conduct lessons-learned sessions, it has not reached this tier.

95
Q

Ruth is reviewing her organization’s business continuity and disaster recovery plans. In it, she comes across the following statement: “In the event that the payroll system fails, the IT team must restore access within 48 hours to avoid unacceptable levels of damage to the business.” What type of statement is this?

A

The recovery time objective (RTO) is the amount of time that may elapse between when a system fails and when it is recovered before causing substantial harm to the business. The recovery point objective (RPO) is the amount of acceptable data loss in the event of a disaster, expressed as the period of time from which data may be lost. The service level agreement (SLA) is an agreement between a vendor and a customer regarding technology services. Mail transfer agents (MTAs) are a component of email infrastructure and are not related to disaster recovery.

The statement “In the event that the payroll system fails, the IT team must restore access within 48 hours to avoid unacceptable levels of damage to the business” is a recovery time objective (RTO).

An RTO is the maximum amount of time that a system can be unavailable before it causes unacceptable damage to the business. RTOs are typically measured in hours or minutes.

In this example, the RTO for the payroll system is 48 hours. This means that the IT team must restore access to the payroll system within 48 hours of a failure to avoid unacceptable damage to the business.

RTOs are important because they help organizations to prioritize their disaster recovery efforts. By understanding the RTO for each system, organizations can focus their resources on restoring the most critical systems first.

Here are some of the factors that organizations consider when setting RTOs:

The importance of the system to the business
The impact of a system outage on the business
The cost of downtime
The feasibility of restoring the system within a specific timeframe
It is important to note that RTOs are not always achievable. In some cases, it may not be possible to restore a system within a specific timeframe due to factors such as the severity of the failure or the availability of resources. However, by having RTOs in place, organizations can make informed decisions about how to prioritize their disaster recovery efforts.

97
Q

Darcy’s Doodles is a publicly traded corporation that is overseen by a board of directors consisting of 12 members. The CEO holds one of the seats on the board. Under industry best practices, what is the minimum acceptable number of independent directors?

A

Under industry best practices, the minimum acceptable number of independent directors on a board of directors for a publicly traded corporation is a majority. This means that at least six of the 12 directors on Darcy’s Doodles’ board of directors should be independent.

Independent directors are those who do not have any material relationships with the company, such as being an officer, employee, or major shareholder. This independence is important to ensure that the directors can make objective decisions in the best interests of the company and its shareholders.

While there is no legal requirement for a majority of independent directors, it is considered to be a best practice by many industry organizations and regulatory bodies. For example, the Nasdaq Stock Market requires that all listed companies have at least one independent director, and the New York Stock Exchange recommends that listed companies have a majority of independent directors.

There are a number of benefits to having a majority of independent directors on a board of directors. Independent directors can provide a more objective perspective on the company’s performance and strategy. They can also help to hold the management team accountable and to ensure that the company is being run in the best interests of shareholders.

Overall, having a majority of independent directors on a board of directors is a good way to promote good corporate governance and to protect the interests of shareholders.

98
Q

Brian is developing the training program for his organization’s disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process?

A

The end goal of the disaster recovery process is restoring normal business operations in the primary facility. All the other actions listed may take place during the disaster recovery process, but the process is not complete until the organization is once again functioning normally in its primary facilities.

The event that marks the completion of a disaster recovery process is when all essential systems and processes have been restored to a working state and the organization is able to operate at or near normal capacity.

This can be a complex and time-consuming process, depending on the severity of the disaster and the complexity of the organization’s systems and processes. However, it is important to note that disaster recovery is not complete until all essential systems and processes have been restored and the organization is able to operate normally.

Here are some of the key steps involved in the disaster recovery process:

Assessment: The first step is to assess the damage caused by the disaster and to identify the essential systems and processes that need to be restored.
Prioritization: Once the essential systems and processes have been identified, they need to be prioritized based on their importance to the organization.
Recovery: The next step is to recover the essential systems and processes. This may involve restoring data from backups, repairing damaged equipment, or rebuilding infrastructure.
Testing: Once the essential systems and processes have been recovered, they need to be tested to ensure that they are working properly.
Return to normal operations: Once the essential systems and processes have been tested and verified, the organization can begin to return to normal operations.
It is important to note that the disaster recovery process is not always linear. There may be times when the organization needs to revisit previous steps in the process. For example, if the organization discovers new damage or if a restored system fails, it may need to go back and assess the damage or recover the system again.

The disaster recovery process is also not complete until the organization has learned from the disaster and has made changes to its disaster recovery plan to prevent similar problems from happening in the future.

By understanding the disaster recovery process, Brian can develop a training program that will help participants to understand when disaster activity concludes and to ensure that the organization is able to recover from a disaster quickly and efficiently.

99
Q

Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara’s first priority?

A

Tamara’s first priority should be containing the attack. This will prevent it from spreading to other systems and also potentially stop the exfiltration of sensitive information. Only after containing the attack should Tamara move on to eradication and recovery activities. Identifying the source of the attack should be a low priority.

Tamara’s first priority should be to contain the breach. This means preventing the attackers from further compromising the organization’s systems and data, and from exfiltrating any data that has already been compromised.

There are a number of ways to contain a breach, including:

Isolating the affected systems and data. This may involve disconnecting the systems from the network or moving data to a secure location.
Changing passwords and credentials. This will help to prevent the attackers from using the compromised credentials to access other systems.
Implementing additional security controls. This may include enabling firewalls, intrusion detection systems, and other security measures.
Once the breach has been contained, Tamara can then begin to investigate the breach and to recover from the damage.

Here are some additional tips for Tamara:

Document everything. Document all actions taken during the incident response process, including the date and time of each action and the reason for the action. This documentation will be helpful in investigating the breach and in recovering from the damage.
Communicate with stakeholders. Keep stakeholders, such as management and customers, informed of the situation. This will help to build trust and confidence.
Learn from the breach. Once the breach has been resolved, take steps to improve the organization’s security posture and to prevent similar breaches from happening in the future.

100
Q

Morgan is configuring a new alarm system to protect her organization’s data center from physical intrusions. What type of control is she configuring?

A

This is an example of a detective control—one that identifies attacks that are in progress, such as a physical intrusion. Preventive controls seek to stop an attack from occurring in the first place. Corrective controls attempt to restore normal operations after an incident takes place. Deterrent controls seek to prevent attackers from attempting an attack.

101
Q

Which one of the following documents is the most critical output of a corporate governance process?

A

Corporate governance programs ensure that the organization sets an appropriate strategic direction, develops a plan to implement that strategy, and then executes on its strategic plan. Therefore, the strategic plan is the most important deliverable of a corporate governance process.

The corporate governance process and the information security organization are closely related. The corporate governance process provides the framework for the information security organization to operate and to protect the company’s information assets.

The corporate governance process typically includes the following steps:

Establish a board of directors. The board of directors is responsible for overseeing the company’s management team and for ensuring that the company is run in the best interests of its shareholders.
Develop a code of conduct. The code of conduct sets out the ethical standards that directors and employees are expected to uphold.
Implement a risk management framework. The risk management framework identifies and assesses the risks facing the company and sets out plans for mitigating those risks.
Develop an internal controls policy. The internal controls policy sets out the procedures that the company uses to protect its assets and to ensure the accuracy and reliability of its financial reporting.
Monitor and review the corporate governance process. The corporate governance process should be monitored and reviewed on a regular basis to ensure that it is effective and that it reflects the best practices of corporate governance.
The information security organization plays a critical role in the corporate governance process by helping to identify and mitigate the risks to the company’s information assets. The information security organization also helps to develop and implement the company’s information security policy and procedures.

The information security organization should be involved in all aspects of the corporate governance process. For example, the information security organization should be involved in developing the risk management framework and the internal controls policy. The information security organization should also be involved in monitoring and reviewing the corporate governance process to ensure that it is effective.

Here are some specific ways that the information security organization can support the corporate governance process:

Identify and assess information security risks. The information security organization can help to identify and assess the risks to the company’s information assets. This information can then be used to develop the risk management framework and to implement appropriate security controls.
Develop and implement information security policies and procedures. The information security organization can help to develop and implement the company’s information security policy and procedures. This policy should set out the company’s requirements for information security and should provide guidance to employees on how to protect the company’s information assets.
Monitor and review the information security program. The information security organization should monitor and review the company’s information security program on a regular basis to ensure that it is effective and that it is aligned with the company’s overall business goals.
Train and educate employees on information security best practices. The information security organization can train and educate employees on information security best practices. This will help to reduce the risk of human error and will help employees to better protect the company’s information assets.
By working together, the corporate governance process and the information security organization can help to protect the company’s information assets and to reduce the risk of cyberattacks.

102
Q

Doug recently became aware of a flaw in one of the applications used by his organization, and he consequently adjusted firewall rules to limit access from external networks. What effect would this have on the risk?

A

A. Reduce the likelihood of an exploit

Reducing the exposure of an asset by limiting access through a firewall decreases the likelihood that an external actor will be able to exploit the vulnerability. Threats are external in nature and cannot be eliminated or reduced through the use of controls. Risk appetite is a measure of the organization’s willingness to accept risk and does not change based on the controls Doug implements. Changing firewall exposure reduces the likelihood that an incident will occur but does not reduce the impact of a successful incident.

103
Q
A