Domain 1: Review Questions Flashcards

Question

Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities? A. Application-centric B. Asset-centric C. Attacker-centric D. Hostile-centric

Answer 1

C. Attacker-centric threat modeling profiles an attacker’s characteristics, skills, and motivation to exploit vulnerabilities. Application-centric threat modeling uses application architecture diagrams to analyze threats. Asset-centric threat modeling uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked. Hostile describes one of two threat actor categories: nonhostile and hostile.

Answer 2

C. A security professional should not be concerned with the cost of a merger or an acquisition. A security professional should be concerned only with issues that affect security and leave financial issues to financial officers.

Answer 3

B. Identify and value assets. CRAMM review includes three steps: 1. Identify and value assets. 2. Identify threats and vulnerabilities and calculate risks. 3. Identify and prioritize countermeasures.

Answer 4

D. Abstraction is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics. Auditing is the process of providing a manual or systematic measurable technical assessment of a system or application. Accounting is the process whereby auditing results are used to hold users and organizations accountable for their actions or inaction. Non-repudiation is the assurance that a user cannot deny an action.

Answer 5

A. A continuity of operations plan (COOP) is a plan that focuses on restoring an organization’s mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations. A business continuity plan (BCP) is a plan that focuses on sustaining an organization’s mission/business processes during and after a disruption. A crisis communications plan is a plan that documents standard procedures for internal and external communications in the event of a disruption using a crisis communications plan. It also provides various formats for communications appropriate to the incident. A cyber incident response plan is a plan that establishes procedures to address cyberattacks against an organization’s information system(s).

Answer 6

B. A disaster recovery plan (DRP) is an information system–focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency. An occupant emergency plan (OEP) is a plan that outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. An information system contingency plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. A critical infrastructure protection (CIP) plan is a set of policies and procedures that serve to protect and recover assets and mitigate risks and vulnerabilities.

Answer 7

C. An attack vector is a segment of the communication path that an attack uses to access a vulnerability. A breach is an attack that has been successful in reaching its goal. A threat is carried out by a threat agent. Not all threat agents will actually exploit an identified vulnerability. A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls.

Answer 8

D. Developed by Microsoft, STRIDE is a threat classification model that is used to assess the threats in an application. It covers the following six categories: 1. Spoofing of user identity 2. Tampering 3. Repudiation 4. Information disclosure (privacy breach or data leak) 5. Denial of service (DoS) 6. Elevation of privilege The Visual, Agile, and Simple Threat (VAST) model was created as a result of the shortcomings in the other models and methodologies. VAST threat modeling scales across the infrastructure and entire development portfolio. Trike is both a methodology and a tool with its basis in a requirements model designed to ensure the level of risk assigned to each asset is classified as acceptable by stakeholders. The Process for Attack Simulation and Threat Analysis (PASTA) methodology provides a seven-step process for analyzing applications to align business objectives and technical requirements. It is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Answer 9

B. NIST SP 800-154 is a draft publication for data-centric system threat modeling. It includes the following steps: 1. Identify and characterize the system and data of interest. 2. Identify and select the attack vectors to be included in the model. 3. Characterize the security controls for mitigating the attack vectors. 4. Analyze the threat model. Most of the actions within the methodology can be addressed in a wide variety of ways in terms of both content (what information is captured) and format/structure (how that information is captured).

Answer 10

C. Electronic discovery (eDiscovery) refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) and includes emails, documents, presentations, databases, voicemail, audio and video files, social media, and websites. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. A regulatory investigation occurs when a regulatory body investigates an organization for a regulatory infraction. Operations investigations involve any investigations that do not result in any criminal, civil, or regulatory issue. In most cases, this type of investigation is completed to determine the root cause so that steps can be taken to prevent this incident in the future.

Answer 11

C. The steps of the forensic investigation process are as follows: 1. Identification 2. Preservation 3. Collection 4. Examination 5. Analysis 6. Presentation 7. Decision

Answer 12

C Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization's needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

Answer 13

B. The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.

Answer 14

C. The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.

Answer 15

C. The right to erasure, also known as the right to be forgotten, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.

Answer 16

B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

Answer 17

A. Most state data breach notification laws are modeled after California's data breach notification law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.

Answer 18

C. Renee's situation calls for an enterprise license agreement as it typically allows customization of terms and pricing, reflecting the negotiated details between the vendor and a corporate client. The license agreement may be written as a perpetual or subscription license, but there is no information provided in the scenario about which one is being used. An end-user license agreement usually accompanies software to dictate the terms of use but is not designed for custom negotiations and pricing agreements.

Answer 19

B. This is a question about who has the standing to bring an ethics complaint. The group of individuals that has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may be brought only by a principal with an employer/contractor relationship with the accused.

Answer 20

C. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data was being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.

Answer 21

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Answer 22

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Answer 23

D. The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are less likely to be covered by these regulations, unless they contain hardware dedicated to encryption.

Answer 24

D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

Answer 25

D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

Answer 26

A, C, D. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. A fence is an example of a physical control.

Answer 27

D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

Answer 28

D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.

Answer 29

C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Answer 30

C. The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.

Answer 31

D. Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.

Answer 32

A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.

Answer 33

B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Answer 34

C. After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.

Answer 35

C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as is with no further action. Risk avoidance alters business activities to make a risk irrelevant. Risk transference shifts the costs of a risk to another organization, such as an insurance company.

Answer 36

C. A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls. This means that Laura is probably part of a government organization or contractor.

Answer 37

C. There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.

Answer 38

D. Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works. Patents and trade secrets are used to protect inventions and similar intellectual property.

Answer 39

B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Answer 40

A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk. There is also no indication that other systems were involved in a distributed attack.

Answer 41

A. A SYN flood attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. SYN flood attacks do not target integrity or confidentiality. While this is a denial-of-service attack, denial is not the correct answer because you are asked which principle is being violated, not what type of attack took place. Denial-of-service attacks target resource availability.

Answer 42

D. Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business' objectives. Operational and tactical plans have shorter horizons of a year or less.

Answer 43

A. First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the U.S. Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress Copyright Office administers the copyright program. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) play no role in intellectual property protection.

Answer 44

B. When following the segregation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it. Defense in depth is not a relevant principle here because the answer is seeking an initial control. Management may choose to add additional controls at a later date, but the primary objective here would be to implement segregation of duties.

Answer 45

B. The U.S. Federal Information Security Modernization Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

Answer 46

B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of payment card information. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm-Leach-Bliley Act (GLBA) regulates the handling of personal financial information.

Answer 47

A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

Answer 48

B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions, and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

Answer 49

C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The U.S. Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

Answer 50

D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO), or the maximum tolerable outage (MTO).

Answer 51

B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.

Answer 52

A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

Answer 53

D. The System and Organization Controls audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Answer 54

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently. There is no evidence that the attacker engaged in information disclosure, tampering, or elevation of privilege.

Answer 55

A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information. There is no evidence of an attack against availability or confidentiality. Denial is an objective of attackers, rather than of security professionals, and is not relevant in this scenario that targets integrity.

Answer 56

A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

Answer 57

A. Trademarks protect words and images that represent a product or service and would not protect computer software.

Answer 58

B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office's server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Answer 59

C. RAID uses additional hard drives to protect the server against the failure of a single drive or two, based on the RAID level selected. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Answer 60

A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Answer 61

D. Signing a noncompete (NCA) or NDA agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process. During the exit interview, the team may choose to review employment agreements and policies that remain in force, such as a noncompete or nondisclosure agreement.

Answer 62

A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, a statement of priorities, a statement of organizational responsibility, a statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

Answer 63

D. Mandatory vacation programs require that employees take continuous periods of time off each year and have their system privileges revoked during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Answer 64

C. The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Jeff could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.

Answer 65

C. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Answer 66

B. Baselines provide the minimum level of security that every system throughout the organization must meet. This type of information would not appear in a policy, guideline, or procedure.

Answer 67

C. Everyone in the organization should receive basic training on the nature and scope of the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

Answer 68

C. If the organization's primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

Answer 69

C. PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC) but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant it, but they do not have the authority to enforce PCI DSS requirements.

Answer 70

A. This is an example of a security champion program that uses individuals employed in other roles in a business unit to share security messaging. The individuals in these roles are not necessarily security experts and do not have a peer review role.

Answer 71

A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Answer 72

B. The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor's policy may be weaker than the organization's own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

Answer 73

A. The missing step of the NIST risk management framework is assessing security controls. This is an important component of the process. The organization has already prepared, categorized the system, selected appropriate controls, and implemented those controls. Before authorizing the use of the system, they must assess the effectiveness of those controls to ensure that they meet security requirements.

Answer 74

D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. Risk acceptance involves making a conscious decision to accept a risk as is with no further action. Risk mitigation takes measures to reduce the likelihood and/or impact of a risk. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Answer 75

C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

Answer 76

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Answer 77

B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

Answer 78

D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Answer 79

D. Keeping a service up and running is an example of an availability control because it increases the likelihood that a service will remain available to answer user requests.

Answer 80

A. A cold site includes the basic capabilities required for data center operations such as space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations. Warm sites, hot sites, and mobile sites would all include hardware.

Answer 81

B. In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg's company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state's residents.

Answer 82

B. ISO 27002 is an international standard focused on information security and titled “Information security, cybersecurity and privacy protection: Information security controls.” ITIL does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

Answer 83

B. The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Answer 84

B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

Answer 85

C. Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

Answer 86

B. The ISC2 Code of Ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

Answer 87

C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Answer 88

D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Answer 89

C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure. Least privilege ensures that an individual has only the minimum set of permissions necessary to carry out their assigned job functions and does not require overlapping controls. Separation of duties requires that one person not have permission to perform two separate actions that, when combined, carry out a sensitive function. Security through obscurity attempts to hide the details of security controls to add security to them. Neither separation of duties nor security through obscurity involves overlapping controls.

Answer 90

A, B. All ISC2 certified professionals are required to comply with the ISC2 Code of Ethics. All employees of an organization are required to comply with the organization's code of ethics. The federal code of ethics (or, more formally, the Code of Ethics for Government Service) would not apply to a nonprofit organization, as it applies only to federal employees. RFC 1087 does provide a code of ethics for the Internet, but it is not binding on any individual.

Answer 91

B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Answer 92

A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

Answer 93

D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that they are about to be terminated.

Answer 94

D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

Answer 95

A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

Answer 96

D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

Answer 97

D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

Answer 98

C. In reduction analysis, the security professional breaks the system down into five core elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

Answer 99

D. South Africa's Protection of Personal Information Act (POPIA) governs the processing of personal data and would affect any new enterprise operating within its jurisdiction that handles personal information. PIPL refers to China's Personal Information Protection Law, which would not apply in South Africa. PCI DSS is a set of security standards for entities that handle credit cards and does not relate to privacy law but rather to the security of cardholder data. PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's data privacy law and would not be applicable to operations in South Africa.

Answer 100

B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

Answer 101

C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this scenario the missing patch is the vulnerability, and the malicious hacker is the threat. If the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

Answer 102

1. C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%. 2. B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year. 3. A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

Answer 103

C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. When the attacker examined the HTML code and discovered sensitive information, this was an example of an information disclosure attack, as the attacker gained information they should not have been privy to.

Answer 104

A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

Answer 105

C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn't bring back old flaws, while fuzz testing feeds unexpected input to code. In a code review the source code itself is reviewed, and this may be done as part of the change management process but isn't what is described here.

Answer 106

A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is not a return investment calculation in this problem, and the measure is not a control.

Answer 107

D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.

Answer 108

A, C. Supply chain risks occur when the adversary is interfering with the delivery of goods or services from a supplier to the customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an infrastructure-as-a-service (IaaS) environment is not a supply chain risk because the web server is already under the control of the customer. Using a botnet to conduct a denial-of-service attack does not involve any supply chain elements.

Answer 109

The laws or industry standards match to the descriptions as follows: GLBA: A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis PCI DSS: C. An industry standard that covers organizations that handle payment cards HIPAA: D. A U.S. law that provides data privacy and security requirements for medical information SOX: B. A U.S. law that requires internal controls’ assessments including IT transaction flows for publicly traded companies

Domain 1: Review Questions Flashcards

The Security and Risk Management domain encompasses many of the foundational elements of security solutions.