Dion udemy video course Flashcards
Fail to Pass Systems has recently moved its corporate offices from France to Westeros, a country with no meaningful privacy regulations. The marketing department believes that this move will allow the company to resell all of its customers’ data to third-party companies and shield the company from any legal responsibility. Which policy is violated by this scenario?
A. Data Limitation
B. Data Minimization
C. Data Sovereignty
D. Data enrichment
C. Data Sovereignty
Explanation:
While the fictitious Westeros may have no privacy laws or regulations, the laws of the countries where the company’s customers reside may still retain sovereignty over the data obtained from those regions during the course of the company’s business there. This is called Data Sovereignty. Data sovereignty refers to a jurisdiction (such as France or the European Union) preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction.
You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide?
A. PHI
B. IP
C. PII
D. CUI
C. PII
Explanation:
Personally identifiable information (PII) is data used to identify, contact, or locate an individual. Information such as social security number (SSN), name, date of birth, email address, telephone number, street address, and biometric data is considered PII.
Which of the following elements is LEAST likely to be included in an organization’s data retention policy?
A. Minimum retention period
B. Maximum retention period
C. Description of information that needs to be retained
D. Classification of information
D. Classification of information
Explanation:
Data retention policies highlight what types of information an organization will maintain and the length of time they will maintain it. Data classification would not be covered in the retention policy but would be a key part of your organization’s data classification policy.
Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in an incident. Which of the following best describes the company’s risk response?
A. Avoidance
B. Transference
C. Acceptance
D. Mitigation
B. Transference
Explanation:
Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Acceptance means that no countermeasures are put in place either because the risk level does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.
Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach of this server will occur once every four years and that the exposure factor is 30%. What is the ALE for a data breach within Jamie’s organization?
A. $9,000
B. $36,000
C. $90,000
D. $360,000
A. $9,000
Explanation:
The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the exposure factor (EF), the fraction of the asset’s value lost in one incident. The annual loss expectancy (ALE) is the total cost of a risk to an organization per year, determined by multiplying the SLE by the annualized rate of occurrence (ARO). One breach every four years is an ARO of 1/4 = 0.25. SLE = AV x EF = $120,000 x 30% = $36,000, and ALE = SLE x ARO = $36,000 x 0.25 = $9,000.
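The calculation above as a small runnable risk model, extended with the cost-benefit check an analyst performs when deciding whether a countermeasure is worth buying. This is an added example, not material from the Dion course; the asset value, exposure factor and breach interval are the question’s figures, while the $5,000/year control and its assumed effect on the exposure factor are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One entry in a quantitative risk register."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


def aro_from_interval(years_between_incidents: float) -> float:
    """'Once every four years' is an ARO of 1/4 = 0.25 incidents per year."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost-benefit of a safeguard: ALE(before) - ALE(after) - annual cost.
    Positive: the control pays for itself. Negative: mitigation costs more
    than it saves, so accept or transfer the risk instead."""
    return before.ale - after.ale - annual_control_cost


# The flashcard's figures: AV $120,000, EF 30%, one breach every four years.
breach = Risk("database breach", 120_000, 0.30, aro_from_interval(4))

# Hypothetical control (assumption, not from the question): database encryption
# and monitoring at $5,000/year, assumed to reduce EF from 30% to 10%.
CONTROL_COST = 5_000
breach_mitigated = Risk("database breach (encrypted)", 120_000, 0.10, breach.aro)

if __name__ == "__main__":
    print(f"SLE = ${breach.sle:,.0f}, ALE = ${breach.ale:,.0f}")
    net = control_value(breach, breach_mitigated, CONTROL_COST)
    print(f"Net annual value of the control = ${net:,.0f}")
```

With the assumed control the residual ALE drops to $3,000, so the control nets $1,000 a year; a control costing more than the ALE it removes would return a negative value and point toward acceptance or transference instead.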
Which of the following terms is used to describe the period of the time taken to correct a fault so that the system is restored to full operations after a failure or incident?
A. RPO
B. MTTR
C. RTO
D. MTBF
B. MTTR
Explanation:
Mean time to repair (MTTR) is a measure of the time taken to correct a fault and restore the system to full operation; it is usually reported as the average time to repair, replace, or recover a system or product. By contrast, the recovery time objective (RTO) is the target time within which a system must be restored, the recovery point objective (RPO) is the maximum tolerable data loss measured in time, and mean time between failures (MTBF) is the average interval between failures.
Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?
A. ISA
B. NDA
C. SLA
D. DSUA
B. NDA
Explanation:
A non-disclosure agreement (NDA) is the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and shares such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?
A. HIPAA
B. GLBA
C. FERPA
D. SOX
B. GLBA
Explanation:
The Gramm-Leach-Bliley Act (GLBA) is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company’s German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?
A. There was no privacy violation because only corporate employees had access to their email addresses
B. There was a privacy violation since the customers explicitly gave permission to use the address as an identifier and did not consent to receiving marketing emails
C. There was no privacy violation since the customers were emailed securely through the customer relationship management tool
D. There was a privacy violation since data minimization policies were not followed properly
B. There was a privacy violation since the customers explicitly gave permission to use the address as an identifier and did not consent to receiving marketing emails
Explanation:
According to the European Union’s General Data Protection Regulation (GDPR), personal data collected can only be used for the specific purpose for which explicit consent was obtained. To use the email addresses for marketing, separate explicit consent should have been obtained. Since the company operates in Germany, it must follow the GDPR. Even a company that does not operate within the European Union may have customers who are in the European Union, in which case it should still follow the GDPR requirements when handling their data.
Dion Training is considering moving its headquarters and data center to Florida, but they are worried about hurricanes disrupting their business operations. To mitigate this risk, Dion Training has signed a contract with a vendor located in a different state to provide hardware, software, and the procedures necessary for the company to recover quickly in the case of a catastrophic event, like a hurricane causing a power loss for up to 10 days. As the owner, Jason is a little concerned that this contract isn’t sufficient to mitigate enough of the risk since it only provides a solution for the first 10 days. Jason wonders, “what will we do if a major outage occurs, and our offices are not able to be used for 6-12 months?” Jason has hired you to help develop Dion Training’s long-term strategy for recovering from such an event. What type of plan should you create?
A. incident Response Plan
B. Disaster Recovery Plan
C. Business Continuity Plan
D. Risk Management Plan
C. Business Continuity Plan
Explanation:
A business continuity plan (BCP) is a plan to help ensure that business processes can continue during a time of emergency or disaster. Such emergencies or disasters might include a fire or any other case where business cannot occur under normal conditions. A disaster recovery plan is useful (and usually a piece of the larger business continuity plan), but it is insufficient for the long-term strategy needed to support business operations during an extended outage.
Dion Training has just acquired Small Time Tutors and ordered an analysis to determine the sensitivity level of the data contained in their databases. In addition to determining the sensitivity of the data, the company also wants to determine exactly how they have collected, used, and maintained the data throughout its data lifecycle. Once this is fully identified, Dion Training intends to update the terms and conditions on their website to inform their customers and prevent any possible legal issues from any possible mishandling of the data. Based on the information provided, which of the following types of analysis is the team at Dion Training going to perform?
A. Gap Analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis
D. Privacy impact analysis
Explanation:
A privacy impact assessment is conducted by an organization in order for it to determine where privacy data is stored and how that privacy data moves throughout an information system. It evaluates the impacts that may be realized by a compromise to the confidentiality, integrity, and/or availability of the data.
Dion Training wants to update their business continuity and disaster recovery plans since they recently moved their headquarters to a hurricane prone area. To begin the process, Jason has asked all of the department heads to create a collaborative list of all of the company’s essential functions and tasks. These will then be used to determine which systems, dependencies, and interactions must be prioritized in the business continuity and disaster recovery plans. Based on the information provided, which of the following types of analysis is the team at Dion Training going to perform?
A. Gap analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis
C. Business impact analysis
Explanation:
A business impact analysis describes the collaborative effort to identify the systems and software that perform essential functions, meaning the organization cannot run without them. A tradeoff analysis compares potential benefits to potential risks and determines a course of action based on adjusting the factors that contribute to each area.
Dion Training’s new COO is reviewing the organization’s current information security policy. She notices that it was first created three years ago. Since that time, the organization has undergone multiple audits and assessments that required revisions to the policy. Which of the following is the most reasonable frequency to conduct a formal review of the organization’s policies to ensure they remain up to date?
A. Monthly
B. Quarterly
C. Annually
D. Every five years
C. Annually
Explanation:
Annual reviews are an industry standard and are typically sufficient unless circumstances arise that require an update or revision sooner. Waiting five years between policy reviews is too long and would leave the organization with constantly outdated policies. Similarly, conducting quarterly or monthly reviews is too frequent, and there would not be enough time for substantial changes to have occurred. Additionally, most formal audits and assessments are undertaken annually. Therefore, this is a reasonable frequency to use without overburdening your staff.
Dion Training is conducting an analysis of their student practice exam experience. During the analysis, the staff measured the current resiliency of the system by calculating the MTTR and MTBF for the system. The MTTR was measured at 9.1 hours and the MTBF was measured at 3.2 years. Susan, the Chief Operations Officer, stated that the MTTR should be at most 4 hours and the MTBF should be at least 4 years. The team at Dion Training will use all of these measurements and goals to create a technical implementation plan to reach Susan’s requirements. Based on the measurements and goals provided, which of the following types of analysis has the team at Dion Training just performed?
A. Gap Analysis
B. Tradeoff analysis
C. Business impact analysis
D. Privacy impact analysis
A. Gap Analysis
Explanation:
A gap analysis measures the difference between the current state and desired state in order to assess the scope of work included in a project. By measuring ALE, MTTR, MTBF, TCO, and other factors, the organization can identify how closely it is performing in relation to the desired outcomes or requirements.
Dion Training is trying to define key performance indicators for their recently released voucher management system. The CIO has stated that the voucher management system must be able to provide at least a 99.999% uptime as one of the KPIs. To monitor this requirement, the analysts have created a metric to measure the uptime for the system and will generate a report weekly with the average uptime maintained. Which of the following types of key performance indicators would this metric be classified as?
A. Scalability
B. Reliability
C. Availability
D. Usability
C. Availability
Explanation:
Availability metrics measure the probability that a system will be operating as expected at any given point in time. The most common availability metric is uptime. Scalability metrics measure the ability of a system to handle an increase in workload while maintaining a consistent level of performance. Reliability metrics measure the ability of a system to perform without error or to avoid, detect, and/or repair component or integrity failures. Usability metrics measure the effectiveness, efficiency, and satisfaction of users working with a given system.
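The gap analysis on the MTTR/MTBF card (current versus target state) and the uptime KPI on this card reduce to the same availability arithmetic, so one added example covers both. It is not from the course; the MTBF and MTTR figures are the ones in the gap-analysis question, the 99.999% target is the one in the KPI question, and the outage log is constructed.

```python
from datetime import datetime, timedelta

HOURS_PER_YEAR = 365.25 * 24   # 8766


def availability_from_mtbf_mttr(mtbf_hours, mttr_hours):
    """Steady-state availability A = MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_budget_minutes_per_year(target):
    """Downtime allowed per year by an availability target (99.999% -> about 5.26 min)."""
    return (1.0 - target) * HOURS_PER_YEAR * 60


def gap_report(current_mttr_h, current_mtbf_years, target_mttr_h, target_mtbf_years):
    """Gap analysis: current versus desired state, with both expressed as
    availability so they can be compared against an uptime KPI directly."""
    current = availability_from_mtbf_mttr(current_mtbf_years * HOURS_PER_YEAR, current_mttr_h)
    target = availability_from_mtbf_mttr(target_mtbf_years * HOURS_PER_YEAR, target_mttr_h)
    return {
        "current_availability": current,
        "target_availability": target,
        "mttr_gap_hours": current_mttr_h - target_mttr_h,       # hours to shave off repairs
        "mtbf_gap_years": target_mtbf_years - current_mtbf_years,
    }


def weekly_uptime(window_start, outages):
    """Measured availability KPI over one 7-day window.
    outages is a list of (start, end) datetimes; portions outside the window are
    clipped so an outage straddling the boundary is counted only once."""
    window_end = window_start + timedelta(days=7)
    window_seconds = (window_end - window_start).total_seconds()
    down = 0.0
    for start, end in outages:
        clipped_start = max(start, window_start)
        clipped_end = min(end, window_end)
        if clipped_end > clipped_start:
            down += (clipped_end - clipped_start).total_seconds()
    return 1.0 - down / window_seconds


def meets_target(measured, target=0.99999):
    return measured >= target


# Constructed outage log for the week starting Monday 2024-03-04 (not real data).
WEEK_START = datetime(2024, 3, 4)
OUTAGES = [
    (datetime(2024, 3, 5, 2, 0), datetime(2024, 3, 5, 2, 3)),        # 3 min
    (datetime(2024, 3, 10, 23, 58), datetime(2024, 3, 11, 0, 30)),   # 2 min inside the window
]

if __name__ == "__main__":
    report = gap_report(9.1, 3.2, 4.0, 4.0)   # the flashcard's current and target values
    print(report)
    print("five nines allows", round(downtime_budget_minutes_per_year(0.99999), 2), "min/year")
    up = weekly_uptime(WEEK_START, OUTAGES)
    print(f"weekly uptime {up:.6%}, meets 99.999%: {meets_target(up)}")
```

Running it shows the point a gap analysis is meant to surface: even the target state (MTTR 4 h, MTBF 4 years) only reaches about 99.989% availability, short of five nines, and a single 5-minute outage in a week already breaks a 99.999% weekly KPI, whose budget is about six seconds.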
Dion Training is accepting requests for proposals from three cloud hosting providers to outsource the hosting of their learning management systems. In reviewing the proposals, Jason identified that one of the cloud providers offers free data transfer into the cloud but charges high rates for data transfer out of their cloud. Which of the following vendor risks does this data transfer pricing policy represent?
A. Vendor Lock In
B. Vendor Visibility
C. Vendor Lockout
D. Vendor visibility
A. Vendor Lock In
Explanation:
This pricing policy represents a vendor lock-in risk since it could become cost-prohibitive to migrate to another cloud provider in the future due to the large outbound data transfer costs. Vendor Lock-in occurs when a customer is dependent on a vendor for products or services because switching is either impossible or would result in substantial complexity and costs.
Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?
A. Increase network vulnerability scan frequency
B. Ensure all anti virus signatures are up to date
C. Conduct secure supply chain management training
D. Verify that all routers are patched to the latest release
C. Conduct secure supply chain management training
Explanation:
Anti-counterfeit training is part of the NIST SP 800-53r4 control set (SA-19(1)) and should be a mandatory part of supply chain management training within your organization. All of the other options may produce security gains in the network, but they are unlikely to reliably detect a counterfeit item or prevent its introduction into the organization’s supply chain. Training on detection methods (e.g., simple visual inspections) and training for acquisition personnel will better prevent recurrences.
Dion Training is using a cloud service provider under an Infrastructure as a Service (IaaS) model. Assuming there is a shared responsibility model between the two organizations, which of the following is MOST likely the security responsibility of Dion Training under this IaaS model?
A. Physical security of the infrastructure
B. Data and application security configuration
C. Managing the data centers across regions
D. Tenant resource identity and access control
B. Data and application security configuration
Explanation:
The shared responsibility model identifies how responsibility for implementing security is divided between the customer and the cloud service provider (CSP) as applications, data, and workloads are moved to a cloud platform. Under an IaaS model the provider hosts the hardware in its own facilities, using its physical security controls and utilities. The cloud customer is responsible for the operating systems, applications, and data it deploys, including their security configuration, while the CSP is responsible for the physical data centers, the underlying equipment, and the virtualization layer that keeps tenants isolated from one another.
What is a reverse proxy commonly used for?
A. Allowing access to a virtual private cloud
B. To prevent the unauthorized use of cloud services from local network
C. Directing traffic to internal services if the contents of the traffic comply with the policy
D. To obfuscate the origin of a user within a network
C. Directing traffic to internal services if the contents of the traffic comply with the policy
Explanation:
A reverse proxy is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with the policy. This does not require the configuration of the users’ devices. This approach is only possible if the cloud application has proxy support. You can deploy a reverse proxy and configure it to listen for client requests from a public network, like the internet. The proxy then creates the appropriate request to the internal server on the corporate network and passes the server’s response back to the external client.
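A minimal policy-enforcing reverse proxy of the kind the card describes, added here as an illustration and not taken from the course. It listens on a public-facing port, checks each request against an allow-list policy (virtual host, method, path prefix) and only then builds the corresponding request to the internal service and relays the response. The hostname `app.example.com`, the internal address `10.0.1.20:8080`, the allowed prefixes and the listening port are all assumptions.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from posixpath import normpath
from urllib.parse import quote, unquote, urlsplit

# Assumed edge policy (not from the course): which public hostnames map to which
# internal service, and which path prefixes and methods are exposed at all.
POLICY = {
    "app.example.com": {
        "upstream": "http://10.0.1.20:8080",      # internal, never reachable directly
        "allowed_prefixes": ("/api", "/static"),
        "allowed_methods": ("GET", "POST"),
    },
}
# Hop-by-hop headers must not be relayed between client and upstream.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def route(host, method, path):
    """Policy decision for one request.
    Returns (upstream_url, None) if the request complies, else (None, status)."""
    rule = POLICY.get(host.split(":")[0].lower())
    if rule is None:
        return None, 421                        # unknown virtual host
    if method.upper() not in rule["allowed_methods"]:
        return None, 405
    parts = urlsplit(path)
    # Decode and normalize before matching so "/api/../admin" or "%2e%2e" cannot
    # slip past the prefix check; the normalized path is what gets forwarded.
    clean = normpath(unquote(parts.path))
    if not any(clean == p or clean.startswith(p + "/") for p in rule["allowed_prefixes"]):
        return None, 403
    query = "?" + parts.query if parts.query else ""
    return rule["upstream"] + quote(clean) + query, None


class EdgeProxy(BaseHTTPRequestHandler):
    """Public-facing listener: enforce POLICY, then relay to the internal service."""

    def _relay(self):
        upstream, status = route(self.headers.get("Host", ""), self.command, self.path)
        if upstream is None:
            self.send_error(status)
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in HOP_BY_HOP | {"host", "content-length"}}
        headers["X-Forwarded-For"] = self.client_address[0]
        req = urllib.request.Request(upstream, data=body, headers=headers, method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                code, resp_headers, payload = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as err:   # upstream 4xx/5xx: relay as-is
            code, resp_headers, payload = err.code, err.headers.items(), err.read()
        except urllib.error.URLError:
            self.send_error(502)
            return
        self.send_response(code)
        for k, v in resp_headers:
            if k.lower() not in HOP_BY_HOP | {"content-length"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _relay


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), EdgeProxy).serve_forever()
```

The proxy forwards the normalized path rather than the raw one so that the policy decision and the upstream’s own URL parsing cannot disagree. It does not rewrite the response, so an upstream `Location` header pointing at 10.0.1.20 would leak the internal address to the client; a production deployment would rewrite it and would terminate TLS at the edge.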
You received an incident response report indicating a piece of malware was introduced into the company’s network through a remote workstation connected to the company’s servers over a VPN connection. Which of the following controls should be applied to prevent this type of incident from occurring again?
A. ACL
B. NAC
C. SPF
D. MAC Filtering
B. NAC
Explanation:
Network Access Control (NAC) is an approach to computer security that attempts to unify endpoint security technology (such as anti-virus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement. When a remote workstation connects to the network, NAC will place it into a segmented portion of the network (sandbox), scan it for malware and validate its security controls, and then based on the results of those scans, either connect it to the company’s networks or place the workstation into a separate quarantined network portion.
A new piece of malware attempts to exfiltrate user data by hiding the traffic inside TLS-encrypted outbound connections over random ports. What technology would be able to detect and block this type of traffic?
A. Intrusion Detection System
B. Application Aware Firewall
C. Stateful Packet Inspection
D. Stateless Packet Inspection
B. Application Aware Firewall
Explanation:
An application-aware (next-generation) firewall inspects traffic beyond the port number and protocol headers, so it can recognize a TLS handshake on a port where no TLS service is expected and treat the connection as suspicious. An application-aware firewall can make decisions about which applications are allowed or blocked, and TLS connections are created and maintained by applications. Stateful and stateless packet filters only look at addresses, ports, and flags, and an intrusion detection system can alert on the traffic but does not block it.
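The detection logic behind that explanation, as an added example rather than course material: an application-aware filter identifies the application from the payload (here, the first record of a flow) instead of trusting the port. The parser recognizes a TLS ClientHello and pulls out the SNI host name; a handshake sent to a port where TLS is not expected is blocked. The set of expected TLS ports, the port 51820 used in the demo and the SNI name are assumptions, and the ClientHello builder exists only to construct sample input.

```python
import struct

# Ports where an outbound TLS handshake is expected (assumed policy, not from the course).
EXPECTED_TLS_PORTS = {443, 465, 587, 636, 853, 993, 995, 8443}


def parse_client_hello(payload):
    """Return the SNI host name ("" if none) when the first bytes of a flow are a
    TLS ClientHello record, or None when they are not. Every length is bounds
    checked so a truncated or hostile payload cannot raise."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03 or payload[5] != 0x01:
        return None                                 # not record type 22 / handshake type 1
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                 # truncated handshake
    pos = 2 + 32                                    # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:
        return ""                                   # ClientHello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(edata) >= 5:          # server_name extension
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return ""


def classify_flow(dst_port, first_bytes):
    """Application-aware verdict for one outbound flow, independent of port."""
    sni = parse_client_hello(first_bytes)
    if sni is None:
        return {"app": "unknown", "action": "inspect"}
    if dst_port not in EXPECTED_TLS_PORTS:
        return {"app": "tls", "sni": sni, "action": "block",
                "reason": f"TLS handshake to port {dst_port} where no TLS service is expected"}
    return {"app": "tls", "sni": sni, "action": "allow"}


def build_client_hello(sni):
    """Constructed TLS 1.2 ClientHello carrying an SNI extension (sample input only)."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type 0
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, no session id
            + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"             # two cipher suites
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("exfil.example.net")
    print(classify_flow(51820, hello))   # blocked: TLS on a random high port
    print(classify_flow(443, hello))     # allowed
```

A stateful packet filter would pass the same flow as long as the port were permitted; the difference here is that the verdict is derived from the payload. A real product keys on more than the first record (TLS 1.3 encrypted SNI, QUIC, fingerprinting of the handshake itself), but the port-independent identification is the part that matters for this card.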
Your network has been the victim of a data breach. Your company has hired an incident response team to help control the breach’s damage and restore the network to its full functionality. The incident response team wants to connect a packet capture device to the switch that connects your servers to the DMZ. Which of the following should be configured to ensure the packet capture device can receive all the network traffic going to and from the servers?
A. 802.1q
B. 802.1x
C. Port mirroring
D. Port security
C. Port mirroring
Explanation:
Port mirroring, also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed. In this case, you can connect the packet capture device to the SPAN port (mirrored port) to collect all the network traffic for later analysis.
Dion Training wants to implement a software-defined network when installing a new enterprise network. The company prefers to use open-source software to reduce the risk of vendor lock-in. Which of the following approaches to implementing a software-defined network should Dion Training utilize?
A. SDN Overlay
B. Hybrid SDN
C. Open SDN
D. Peering SDN
C. Open SDN
Explanation:
Open SDN uses open standards and open-source software as a strategy to reduce the risks of vendor lock-in.
During a security audit, you discovered that customer service employees have been sending unencrypted confidential information to their personal email accounts via email. What technology could you employ to detect these occurrences in the future and send an automated alert to the security team?
A. SSL
B. UTM
C. DLP
D. MDM
C. DLP
Explanation:
Data loss prevention (DLP) software detects potential data breaches and data exfiltration attempts by monitoring, detecting, and blocking sensitive data while it is in use, in motion, and at rest. A DLP policy that inspects outbound email for confidential content addressed to external or personal mailboxes can block the message and alert the security team.
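The detection part of such a DLP policy, added as an illustration that is not from the course: outbound messages are scanned for SSNs, payment card numbers (pattern plus Luhn check, to keep phone numbers and order IDs from triggering alerts) and classification labels, and a message carrying any of those to an external recipient is blocked and raised as an alert. The corporate domain, the message records and every identifier in them are constructed.

```python
import re

# Assumed corporate mail domain; anything else counts as an external (personal) mailbox.
CORPORATE_DOMAINS = {"diontraining.com"}

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
LABEL_RE = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: filters out the digit runs CARD_RE matches that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) pairs for every sensitive item found in text.
    Card numbers are masked in the finding so the alert itself does not leak them."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in LABEL_RE.finditer(text):
        hits.append(("label", m.group().upper()))
    return hits


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS


def inspect_message(msg):
    """DLP verdict for one outbound message: sensitive content to an external
    recipient is blocked and alerted; sensitive content staying internal is
    logged; everything else passes."""
    findings = find_sensitive(msg["subject"] + "\n" + msg["body"])
    external = [r for r in msg["to"] if is_external(r)]
    if findings and external:
        return {"action": "block", "alert": True, "findings": findings,
                "external_recipients": external, "sender": msg["from"]}
    if findings:
        return {"action": "allow", "alert": False, "findings": findings,
                "log": "sensitive data sent internally"}
    return {"action": "allow", "alert": False, "findings": []}


# Constructed sample traffic (not real messages or real identifiers).
SAMPLE_MESSAGES = [
    {"from": "csr1@diontraining.com", "to": ["csr1.home@gmail.com"],
     "subject": "customer notes - CONFIDENTIAL",
     "body": "Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111, exp 09/27."},
    {"from": "csr1@diontraining.com", "to": ["billing@diontraining.com"],
     "subject": "refund", "body": "Refund card 4111 1111 1111 1111 for order 20240311."},
    {"from": "csr1@diontraining.com", "to": ["friend@example.org"],
     "subject": "lunch?", "body": "Call me at 555-0100 around 12:30."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", inspect_message(msg))
```

The decision combines content (what is in the message) with context (where it is going), which is what separates the scenario in the card from legitimate internal use of the same data. Pattern matching alone produces false positives, so the Luhn check and the masking of findings are the two details worth keeping in any home-grown rule.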