Domain 1

Question 1

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a _____ control.

Answer 1

Management/Administrative control

Question 2

Which region enacted comprehensive legislation addressing personal privacy in 2016?

Answer 2

European Union

(In 2016, the European Union passed comprehensive legislation addressing personal privacy, deeming it an individual human right)

Question 3

What is the purpose of implementing security controls in the risk management process?

Answer 3

To mitigate the risk to an acceptable level

Question 4

If a pickpocket is a threat, what would be their attack vector?

Answer 4

Their technique and approach

Question 5

What term is used to refer to information that, when combined with other pieces of data, significantly narrows the possibility of association with more individuals?

Answer 5

Personally Identifiable Information (PII)

Question 5

How do companies that offer identity theft insurance manage their own financial risk?

Answer 5

By calculating premium payments against potential payouts

Question 6

What potential risk can occur when a remote worker’s laptop is left unattended or unlocked?

Answer 6

Accidental introduction of unauthorized software with malware

Question 7

Multifactor authentication involves using two or more instances of different authentication factors.

Which of the following are considered a widely accepted factor for authentication?

Answer 7

Something you are, something you know

Question 8

While taking the certification exam for this certification, you notice another candidate for the certification cheating.

What should you do?

Answer 8

Report the candidate to ISC2

Question 9

In the United States, which act governs the privacy of medical information?

Answer 9

HIPAA

Question 10

What is an “asset” in the context of risk management terminology?

Answer 10

Something in need of protection

Question 11

Who is responsible for determining risk tolerance in an organization?

Answer 11

Executive management and board of directors

Question 12

What action is suggested to mitigate the risk associated with a threat?

Answer 12

Evaluate the likelihood of the event and take appropriate actions to mitigate the risk

Question 13

Which regulation grants data protection and control to individuals within the EU, regardless of citizenship?

Answer 13

General Data Protection Regulation (GDPR)

Question 14

What role might security professionals play in risk assessment at a system level?

Answer 14

Assisting in risk assessment at a system level

Question 15

Who is responsible for identifying risks within an organization?

Answer 15

Employees at all levels of the organization

Question 16

Procedures are

Answer 16

the detailed steps to complete a task that support
departmental or organizational policies

Question 17

They are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations

Answer 17

Policies are

Question 18

often used by governance teams to provide a framework to introduce policies and proceduresin support of regulations

Answer 18

Standards

Question 19

commonly issued in the form of laws, usually from
government (not to be confused with governance) and typically carry financial penalties for non-compliance

Answer 19

Regulations are

Question 20

Bot

Answer 20

Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities

Question 21

Criticality

Answer 21

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function

Question 22

Data Integrity

Answer 22

The property that data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing and while in transit

Question 23

General Data Protection Regulation (GDPR)

Answer 23

In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right

Question 24

Integrity

Answer 24

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose

Question 25

International Organization of Standards (ISO)

Answer 25

The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies

Question 26

Internet Engineering Task Force (IETF)

Answer 26

The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus

Question 27

Multi-Factor Authentication

Answer 27

Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification

Question 28

National Institutes of Standards and Technology (NIST)

Answer 28

The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions

Question 29

Non-repudiation

Answer 29

The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

Question 30

Personally Identifiable Information (PII)

Answer 30

The National Institute of Standards and Technology (NIST) defines Personally Identifiable Information (PII) as any data that can distinguish or trace an individual’s identity, including common identifiers like name and Social Security number, as well as other information linked to an individual such as biometric records, medical, educational, financial, and employment information.

Question 31

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many ____ control systems are linked to technical/logical systems, such as badge readers connected to door locks

Answer 31

Physical controls

Question 32

Protected Health Information (PHI)

Answer 32

Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act)

Question 33

Qualitative Risk Analysis

Answer 33

A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high

Question 34

Quantitative Risk Analysis

Answer 34

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain

Question 35

Risk Acceptance

Answer 35

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action

Question 36

Risk Assessment

Answer 36

The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

Question 37

Risk Avoidance

Answer 37

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

Question 38

Risk Management

Answer 38

The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.

Question 39

Risk Management Framework

Answer 39

A structured approach used to oversee and manage risk for an enterprise

Question 40

Risk Mitigation

Answer 40

Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk

Question 41

Risk Tolerance

Answer 41

The level of risk an entity is willing to assume in order to achieve a potential desired result. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance

Question 42

Risk Transference

Answer 42

Paying an external party to accept the financial impact of a given risk

Question 43

Risk Treatment

Answer 43

The determination of the best way to address an identified risk

Question 44

Sensitivity

Answer 44

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection

Question 45

Single-Factor Authentication

Answer 45

Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested

Question 46

System Integrity

Answer 46

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental

Question 47

Technical Controls

Answer 47

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system

Question 48

Threat Vector

Answer 48

The means by which a threat actor carries out their objectives

Question 49

Token

Answer 49

A physical object a user possesses and controls that is used to authenticate the user’s identity

Question 50

Institute of Electrical and Electronics Engineers

Answer 50

IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.

Question 51

What is the primary purpose of the ISC2 Code of Ethics?

Answer 51

Ensuring the safety and welfare of society and the common good

Question 52

What type of authentication process is used at the bank with an ATM card?

Answer 52

Two-factor authentication

Question 53

Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting the personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs.

The published user agreement states that the company will not share personal user data with any entities without the users’ explicit permission.

According to the ISC2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?

Answer 53

The users

Question 54

In e-commerce and electronic transactions, what does non-repudiation protect against?

Answer 54

Falsely denying transactions

Question 55

What type of cyber attack often targets the availability of data?

Answer 55

Ransomware attacks

Question 56

What is meant by non-repudiation?

Answer 56

If a user does something, they can’t later claim that they didn’t do it

Question 57

What does knowledge-based authentication involve?

Answer 57

Differentiating between authorized and unauthorized users using a passphrase or secret code

Question 58

What is the purpose of using a risk matrix?

Answer 58

To prioritize risks based on likelihood and impact

Question 59

What measures would a trauma center be most likely to take to ensure zero tolerance for power failure?

Answer 59

Redundancy in emergency power supplies, battery backup, and generators

Question 60

Which of the following is NOT one of the four typical ways of managing risk?

Answer 60

Conflate

Question 61

When a company chooses to ignore a risk and proceed with a risky activity, which treatment is being applied by default?

Answer 61

Acceptance

Question 62

What is risk tolerance often likened to?

Answer 62

Risk appetite

Question 63

Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user account and is requesting Siobhan’s full name, home address, credit card number, phone number, email address, the ability to send marketing messages to Siobhan, and permission to share this data with other vendors.

Siobhan decides that the item for sale is not worth the value of Siobhan’s personal information, and decides to not make the purchase.

What kind of risk management approach did Siobhan make?

Answer 63

Avoidance

Question 64

What is done with the result of the risk assessment process?

Answer 64

It is presented as a report or presentation to the management

Question 65

What is an example of a physical control?

Answer 65

Walls, fences, guards, locks

Question 66

Software security practitioners seek to maintain the CIA of systems and software based on business needs.

Which aspect of the CIA is focused on guaranteeing that authorized subjects are granted uninterrupted access to objects in a timely fashion?

Answer 66

Availability

Question 67

A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff.

This is an example of a: __________.

Answer 67

Management/Administrative control

Question 68

What is the correct sequence of the elements in governance, starting from the highest level?

Answer 68

Regulations, standards, policies, procedures

Question 69

Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop.

This document is an example of a ________.

Answer 69

Procedure