Domain 1: Review Questions Flashcards

Question 1

Q

Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality?

A. Stealing passwords using a keystroke logging tool
B. Eavesdropping on wireless network communications
C. Hardware destruction caused by arson
D. Social engineering that tricks a user into providing personal information to a false website

Answer

A

C. Hardware destruction is a violation of availability and possibly integrity. Violations of confidentiality include stealing passwords, eavesdropping, and social engineering.

Question 2

Q

Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security?

A. A network’s border perimeter
B. The CIA Triad
C. AAA services
D. Ensuring that subject activities are recorded

Answer

A

B. The primary goals and objectives of security are confidentiality, integrity, and availability, commonly referred to as the CIA Triad.

The other options are incorrect. A security infrastructure needs to establish a network’s border perimeter security, but that is not a primary goal or objective of security. AAA services are a common component of secured systems, which can provide support for accounting, but the primary goals of security remain the elements of the CIA Triad. Ensuring that subject activities are recorded is the purpose of auditing, but that is not a primary goal or objective of security.

Question 3

Q

Jamie recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?

A. Identification
B. Availability
C. Encryption
D. Layering

Answer

A

B. Availability means that authorized subjects are granted timely and uninterrupted access to objects.

Identification is claiming an identity, the first step of AAA services. Encryption is protecting the confidentiality of data by converting plaintext into ciphertext. Layering is the use of multiple security mechanisms in series.

Question 4

Q

Emma is concerned that the recent breach of personal health information in a large healthcare corporation may affect her, but she has not yet been notified by the company that was breached. Emma, a resident of the state of Alabama, is researching the various laws under which she should be legally notified of the breach. Which of the following relevant laws or regulations dictates the timeframe under which she should be notified of the data breach of her PHI?

A. California Consumer Privacy Act (CCPA)
B. Health Information Technology for Economic and Clinical Health (HI-TECH) Act
C. General Data Protection Regulation (GDPR)
D. Federal Information Security Management Act (FISMA)

Answer

A

B Emma should be notified of the breach under the Health Information Technology for Economic and Clinical Health (HI-TECH) Act, which expands HIPAA regulations to include breach notification. As a resident of the state of Alabama, neither the California Consumer Privacy Act (CCPA), which protects state of California residents, nor the General Data Protection Regulation (GDPR), which protects citizens of the European Union, applies. FISMA is a federal regulation requiring government agencies to manage risk and implement security controls.

Question 5

Q

You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization’s security purpose. It also needs to define the security function and align it with the goals, mission, and objectives of the organization. What are you being asked to create?

A. Tactical plan
B. Operational plan
C. Strategic plan
D. Rollback plan

Answer

A

C. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s security purpose. It defines the security function and aligns it with the goals, mission, and objectives of the organization.

The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based on unpredicted events. An operational plan is a short-term, highly detailed plan based on strategic and tactical plans. It is valid or useful only for a short time. A rollback plan is a means to return to a prior state after a change does not meet expectations.

Question 6

Q

Annaliese’s organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.)

A. Inappropriate information disclosure
B. Increased worker compliance
C. Data loss
D. Downtime
E. Additional insight into the motivations of inside attackers
F. Failure to achieve a sufficient return on investment (ROI)

Answer

A

A, C, D, F. Acquisitions and mergers place an organization at an increased level of risk. Such risks include inappropriate information disclosure, data loss, downtime, and failure to achieve a sufficient return on investment (ROI). Increased worker compliance is not a risk, but a desired security precaution against the risks of acquisitions. Additional insight into the motivations of inside attackers is not a risk, but a potential result of investigating breaches or incidents related to acquisitions.

Question 7

Q

Which security control framework is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information?

A. ITIL
B. ISO 27000
C. PCI DSS
D. CSF

Answer

A

C. Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and requirements designed to ensure the protection of sensitive credit card and debit card information.

The other options are incorrect. Information Technology Infrastructure Library (ITIL) was initially crafted by the British government for domestic use but is now an international standard, which is a set of recommended best practices for core IT security and operational processes, and is often used as a starting point for the crafting of a customized IT security solution. ISO 27000 is a family group of international security standards that can be the basis for implementing organizational security and related management practices. NIST Cybersecurity Framework (CSF) is designed for critical infrastructure and commercial organizations and consists of five functions: Identify, Protect, Detect, Respond, and Recover. It is a prescription of operational activities that are to be performed on an ongoing basis for the support and improvement of security over time.

Question 8

Q

Which is the opposite of disclosure?

A. Integrity
B. Availability
C. Confidentiality
D. Authorization

Answer

A

C. The opposite of disclosure is confidentiality. The opposite of corruption is integrity. The opposite of destruction is availability. The opposite of disapproval is authorization.

Question 9

Q

Which of the following controls is an administrative control?

A. Security policy
B. CCTV
C. Data backups
D. Locks

Answer

A

A. A security policy is an administrative control. CCTV and locks are physical controls. Data backups are a technical control.

Question 10

Q

What is a vulnerability?

A. The entity that carries out a threat
B. The exposure of an organizational asset to losses
C. An absence or a system weakness that can be exploited
D. A control that reduces risk

Answer

A

C. A vulnerability is an absence or a weakness of a countermeasure that is in place. A threat occurs when a vulnerability is identified or exploited. A threat agent is the entity that carries out a threat. Exposure occurs when an organizational asset is exposed to losses. A countermeasure or safeguard is a control that reduces risk.

Question 11

Q

Which framework uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual)?

A. Six Sigma
B. SABSA
C. ITIL
D. ISO/IEC 27000 series

Answer

A

B. SABSA uses the six communication questions (what, where, when, why, who, and how) that intersect with six layers (operational, component, physical, logical, conceptual, and contextual). Six Sigma is a process improvement standard that includes two project methodologies that were inspired by Deming’s Plan–Do–Check–Act cycle. ITIL is a process management development standard that has five core publications: ITIL Service Strategy, ITIL Service Design, ITIL Service Transition, ITIL Service Operation, and ITIL Continual Service Improvement. The ISO/IEC 27000 Series includes a list of standards, each of which addresses a particular aspect of information security management.

Question 12

Q

Which group of threat agents includes hardware and software failure, malicious code, and new technologies?

A. Human
B. Natural
C. Environmental
D. Technical

Answer

A

D. Technical threat agents include hardware and software failure, malicious code, and new technologies.

Human threat agents include both malicious and non-malicious insiders and outsiders, terrorists, spies, and terminated personnel. Natural threat agents include floods, fires, tornadoes, hurricanes, earthquakes, or other natural disasters or weather events. Environmental threat agents include power and other utility failure, traffic issues, biological warfare, and hazardous material issues (such as spillage).

Question 13

Q

Which term indicates the monetary impact of each threat occurrence?

A. Annual Rate of Occurrence (ARO)
B. Annual Loss Expectancy (ALE)
C. Exposure Factor (EF)
D. Single Loss Expectancy (SLE)

Answer

A

D. Single loss expectancy (SLE) indicates the monetary impact of each threat occurrence.

Annualized rate of occurrence (ARO) is the estimate of how often a given threat might occur annually. Annual loss expectancy (ALE) is the expected risk factor of an annual threat event. Exposure factor (EF) is the percent value or functionality of an asset that will be lost when a threat event occurs.

Question 14

Q

What is risk avoidance?

A. Risk that is left over after safeguards have been implemented
B. Terminating the activity that causes a risk or choosing an alternative that is not as risky
C. Passing the risk on to a third party
D. Defining the acceptable risk level the organization can tolerate and reducing the risk to that level

Answer

A

B. Risk avoidance is terminating the activity that causes a risk or choosing an alternative that is not as risky.

Residual risk is risk that is left over after safeguards have been implemented. Risk transfer is passing the risk on to a third party. Risk mitigation is defining the acceptable risk level the organization can tolerate and reducing the risk to that level.

Question 15

Q

Which of the following security policies provides instruction on acceptable and unacceptable activities?

A. Informative security policies
B. Regulatory security policies
C. System-specific security policies
D. Advisory security policies

Answer

A

D. Advisory security policies provide instruction on acceptable and unacceptable activities. Informative security policies provide information on certain topics and act as an educational tool. Regulatory security policies address specific industry regulations, including mandatory standards. System-specific security policies address security for a specific computer, network, technology, or application.

Question 16

Q

Which organization role determines the classification level of the information to protect the data for which that role is responsible?

A. Data owner
B. Data custodian
C. Security administrator
D. Security analyst

Answer

A

A. The data owner determines the classification level of the information to protect the data for which that role is responsible.

The data custodian implements the information classification and controls after they are determined. The security administrator maintains security devices and software. The security analyst analyzes the security needs of the organizations and develops the internal information security governance documents.

Question 17

Q

Which type of crime occurs when a computer is used as a tool to help commit a crime?

A. Computer-assisted crime
B. Incidental computer crime
C. Computer-targeted crime
D. Computer prevalence crime

Answer

A

A. A computer-assisted crime occurs when a computer is used as a tool to help commit a crime.

An incidental computer crime occurs when a computer is involved in a computer crime without being the victim of the attack or the attacker. A computer-targeted crime occurs when a computer is the victim of an attack in which the sole purpose is to harm the computer and its owner. A computer prevalence crime occurs due to the fact that computers are so widely used in today’s world.

Question 18

Q

Which access control type reduces the effect of an attack or another undesirable event?

A. Compensative control
B. Preventive control
C. Detective control
D. Corrective control

Answer

A

D. A corrective control reduces the effect of an attack or other undesirable event.

A compensative control substitutes for a primary access control and mainly acts as mitigation to risks. A preventive control prevents an attack from occurring. A detective control detects an attack while it is occurring to alert appropriate personnel.

Question 19

Q

What is the first stage of the security program life cycle?

A. Plan and Organize
B. Implement
C. Operate and Maintain
D. Monitor and Evaluate

Answer

A

A. Plan and Organize

The four stages of the security program life cycle, in order, are as follows:

Plan and Organize
Implement
Operate and Maintain
Monitor and Evaluate

Question 20

Q

Which of the following frameworks is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on)?

A. SABSA
B. Zachman Framework
C. TOGAF
D. ITIL

Answer

A

B. The Zachman Framework is a two-dimensional model that intersects communication interrogatives (what, why, where, and so on) with various viewpoints (planner, owner, designer, and so on). It is designed to help optimize communication between the various viewpoints during the creation of the security architecture.

Question 21

Q

Which management officer implements and manages all aspects of security, including risk analysis, security policies and procedures, training, and emerging technologies?

A. Data protection officer (DPO)
B. Chief financial officer (CFO)
C. Chief security officer (CSO)
D. Chief information officer (CIO)

Answer

A

C. The chief security officer (CSO) is the officer that leads any security effort and reports directly to the chief executive officer (CEO).

The chief privacy officer (CPO) is the officer responsible for private information and usually reports directly to the chief information officer (CIO). The chief financial officer (CFO) is the officer responsible for all financial aspects of an organization. The CFO reports directly to the CEO and must also provide financial data for the shareholders and government entities. The CIO is the officer responsible for all information systems and technology used in the organization and reports directly to the CEO or CFO.

Question 22

Q

Which of the following do organizations have employees sign to protect trade secrets?

A. Trademark
B. Patent
C. Digital Rights Management (DRM)
D. Nondisclosure agreement (NDA)

Answer

A

D. Most organizations that have trade secrets attempt to protect these secrets using nondisclosure agreements (NDAs). These NDAs must be signed by any entity that has access to information that is part of the trade secret.

A trademark is an intellectual property type that ensures that the symbol, sound, or expression that identifies a product or an organization is protected from being used by another. A patent is an intellectual property type that covers an invention described in a patent application and is granted to an individual or company. Digital rights management (DRM) is used by hardware manufacturers, publishers, copyright holders, and individuals to control the use of digital content. This often also involves device controls.

Question 23

Q

Which type of access control type is an acceptable use policy (AUP) most likely considered?

A. Corrective
B. Detective
C. Compensative
D. Directive

Answer

A

D. The most popular directive control is an acceptable use policy (AUP) that lists proper (and often examples of improper) procedures and behaviors that personnel must follow.

Corrective controls are in place to reduce the effect of an attack or other undesirable event. Examples of corrective controls include installing fire extinguishers and implementing new firewall rules.

Detective controls are in place to detect an attack while it is occurring to alert appropriate personnel. Examples of detective controls include motion detectors, IDSs, or guards.

Compensative controls are in place to substitute for a primary access control and mainly act as a mitigation to risks. Examples of compensative controls include requiring two authorized signatures to release sensitive or confidential information and requiring two keys owned by different personnel to open a safety deposit box.

Question 24

Q

What is the legal term used to describe an organization taking all reasonable measures to prevent security breaches and also taking steps to mitigate damages caused by successful breaches?

A. Due care
B. Due diligence
C. Default security posture
D. Qualitative risk analysis

Answer

A

A. Due care is a legal term that is used when an organization took all reasonable measures to prevent security breaches and also took steps to mitigate damages caused by successful breaches.

Due diligence is a legal term that is used when an organization investigated all vulnerabilities. The default security posture is the default security posture used by the organization. An allow-by-default security posture permits access to any data unless a need exists to restrict access. A deny-by-default security posture is much stricter because it denies any access that is not explicitly permitted. Qualitative risk analysis is a method of analyzing risk whereby intuition, experience, and best practice techniques are used to determine risk.

Question 25

Q

Which threat modeling perspective profiles malicious characteristics, skills, and motivation to exploit vulnerabilities?

A. Application-centric
B. Asset-centric
C. Attacker-centric
D. Hostile-centric

Answer

A

C. Attacker-centric threat modeling profiles an attacker’s characteristics, skills, and motivation to exploit vulnerabilities.

Application-centric threat modeling uses application architecture diagrams to analyze threats. Asset-centric threat modeling uses attack trees, attack graphs, or displaying patterns to determine how an asset can be attacked. Hostile describes one of two threat actor categories: nonhostile and hostile.

Question 26

Q

Which of the following is not a consideration for security professionals during mergers and acquisitions?

A. New data types
B. New technology types
C. Cost of the merger or acquisition
D. The other organization’s security awareness training program

Answer

A

C. A security professional should not be concerned with the cost of a merger or an acquisition. A security professional should be concerned only with issues that affect security and leave financial issues to financial officers.

Question 27

Q

What is the first step of CRAMM (CCTA Risk Analysis and Management Method)?

A. Identify threats and vulnerabilities.
B. Identify and value assets.
C. Identify countermeasures.
D. Prioritize countermeasures.

Answer

A

B. Identify and value assets.

CRAMM review includes three steps:

Identify and value assets.
Identify threats and vulnerabilities and calculate risks.
Identify and prioritize countermeasures.

Question 28

Q

Which of the following is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics?

A. Auditing
B. Accounting
C. Non-repudiation
D. Abstraction

Answer

A

D. Abstraction is the process of taking away or removing characteristics from something to reduce it to a set of essential characteristics.

Auditing is the process of providing a manual or systematic measurable technical assessment of a system or application. Accounting is the process whereby auditing results are used to hold users and organizations accountable for their actions or inaction. Non-repudiation is the assurance that a user cannot deny an action.

Question 29

Q

Which specific plan focuses on restoring an organization’s mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations?

A. Continuity of operations plan
B. Business continuity plan
C. Crisis communications plan
D. Cyber incident response plan

Answer

A

A. A continuity of operations plan (COOP) is a plan that focuses on restoring an organization’s mission-essential functions (MEFs) at an alternate site and performing those functions for up to 30 days before returning to normal operations.

A business continuity plan (BCP) is a plan that focuses on sustaining an organization’s mission/business processes during and after a disruption. A crisis communications plan is a plan that documents standard procedures for internal and external communications in the event of a disruption using a crisis communications plan. It also provides various formats for communications appropriate to the incident. A cyber incident response plan is a plan that establishes procedures to address cyberattacks against an organization’s information system(s).

Question 30

Q

Which of the following is an information system–focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency?

A. Occupant emergency plan
B. Disaster recovery plan
C. Information system contingency plan
D. Critical infrastructure protection plan

Answer

A

B. A disaster recovery plan (DRP) is an information system–focused plan designed to restore operability of the target system, application, or computer facility infrastructure at an alternate site after an emergency.

An occupant emergency plan (OEP) is a plan that outlines first-response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property. An information system contingency plan (ISCP) provides established procedures for the assessment and recovery of a system following a system disruption. A critical infrastructure protection (CIP) plan is a set of policies and procedures that serve to protect and recover assets and mitigate risks and vulnerabilities.

Question 31

Q

Which of the following is a segment of the communication path that an attack uses to access a vulnerability?

A. Breach
B. Threat agent
C. Attack vector
D. Countermeasure

Answer

A

C. An attack vector is a segment of the communication path that an attack uses to access a vulnerability.

A breach is an attack that has been successful in reaching its goal. A threat is carried out by a threat agent. Not all threat agents will actually exploit an identified vulnerability. A countermeasure reduces the potential risk. Countermeasures are also referred to as safeguards or controls.

Question 32

Q

Which of the following is a six-category threat classification model developed by Microsoft to assess the threats in an application?

A. Visual, Agile, and Simple Threat (VAST)
B. Trike
C. Process for Attack Simulation and Threat Analysis (PASTA)
D. STRIDE (Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)

Answer

A

D. Developed by Microsoft, STRIDE is a threat classification model that is used to assess the threats in an application. It covers the following six categories:

Spoofing of user identity
Tampering
Repudiation
Information disclosure (privacy breach or data leak)
Denial of service (DoS)
Elevation of privilege

The Visual, Agile, and Simple Threat (VAST) model was created as a result of the shortcomings in the other models and methodologies. VAST threat modeling scales across the infrastructure and entire development portfolio. Trike is both a methodology and a tool with its basis in a requirements model designed to ensure the level of risk assigned to each asset is classified as acceptable by stakeholders. The Process for Attack Simulation and Threat Analysis (PASTA) methodology provides a seven-step process for analyzing applications to align business objectives and technical requirements. It is intended to provide an attacker-centric view of the application and infrastructure from which defenders can develop an asset-centric mitigation strategy.

Question 33

Q

What is the first step of the NIST SP 800-154 draft publication for data-centric system threat modeling?

A. Identify and select the attack vectors to be included in the model.
B. Identify and characterize the system and data of interest.
C. Analyze the threat model.
D. Characterize the security controls for mitigating the attack vectors.

Answer

A

B. NIST SP 800-154 is a draft publication for data-centric system threat modeling. It includes the following steps:

Identify and characterize the system and data of interest.
Identify and select the attack vectors to be included in the model.
Characterize the security controls for mitigating the attack vectors.
Analyze the threat model.

Most of the actions within the methodology can be addressed in a wide variety of ways in terms of both content (what information is captured) and format/structure (how that information is captured).

Question 34

Q

What investigation type specifically refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process?

A. Data loss prevention (DLP)
B. Regulatory
C. eDiscovery
D. Operations

Answer

A

C. Electronic discovery (eDiscovery) refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) and includes emails, documents, presentations, databases, voicemail, audio and video files, social media, and websites. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. A regulatory investigation occurs when a regulatory body investigates an organization for a regulatory infraction. Operations investigations involve any investigations that do not result in any criminal, civil, or regulatory issue. In most cases, this type of investigation is completed to determine the root cause so that steps can be taken to prevent this incident in the future.

Question 35

Q

What is the second step of the forensic investigations process?

A. Identification
B. Collection
C. Preservation
D. Examination

Answer

A

C. The steps of the forensic investigation process are as follows:

Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision

Question 36

Q

Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?

A. Gamification
B. Computer-based training
C. Content reviews
D. Live training

Answer

A

C

Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization’s needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

Question 37

Q

Gavin is creating a report for management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?

A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk

Answer

A

B.

The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.

Question 38

Q

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?

A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm-Leach-Bliley Act

Answer

A

C.

The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.

Question 39

Q

FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

A. The right to access
B. Privacy by Design
C. The right to erasure
D. The right of data portability

Answer

A

C.

The right to erasure, also known as the right to be forgotten, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.

Question 40

Q

After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?

A. Accept
B. Transfer
C. Reduce
D. Reject

Answer

A

B.

Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

Question 41

Q

Which one of the following elements of information is not considered personally identifiable information that would trigger most United States state data breach laws?

A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

Answer

A

A.

Most state data breach notification laws are modeled after California’s data breach notification law, which covers Social Security number, driver’s license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.

Question 42

Q

Renee is purchasing a new software product and is working with the vendor on the negotiation of a license agreement that will specify customized terms of use and a discounted price. What type of agreement would normally be used to document the results of this negotiation?

A. Perpetual license
B. Subscription license
C. Enterprise license agreement
D. End-user license agreement

Answer

A

C.

Renee’s situation calls for an enterprise license agreement as it typically allows customization of terms and pricing, reflecting the negotiated details between the vendor and a corporate client. The license agreement may be written as a perpetual or subscription license, but there is no information provided in the scenario about which one is being used. An end-user license agreement usually accompanies software to dictate the terms of use but is not designed for custom negotiations and pricing agreements.

Question 43

Q

Henry recently assisted one of his co-workers in preparing for the CISSP® exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?

A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.

Answer

A

B.

This is a question about who has the standing to bring an ethics complaint. The group of individuals that has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may be brought only by a principal with an employer/contractor relationship with the accused.

Question 44

Q

Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?

A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor

Answer

A

C.

The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data was being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.

Question 45

Q

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

A. GLBA
B. SOX
C. HIPAA
D. FERPA

Answer

A

A.

The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies.
The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI).

The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Question 46

Q

Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA

Answer

A

A.

The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies.
The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI).

The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Question 47

Q

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software

Answer

A

D.

The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are less likely to be covered by these regulations, unless they contain hardware dedicated to encryption.

Question 48

Q

Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?

A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege

Answer

A

D.

In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

Question 49

Q

You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?

A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.

Answer

A

D.

Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

Question 50

Q

You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)

A. Physical
B. Detection
C. Deterrent
D. Preventive

Answer

A

A, C, D.

A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. A fence is an example of a physical control.

Question 51

Q

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

Answer

A

D.

Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

Question 52

Q

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?

A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act

Answer

A

D.

The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.

Question 53

Q

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege

Answer

A

C.

The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Question 54

Q

Brenda’s organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies

Answer

A

C.

The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.

Question 55

Q

Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?

A. Preponderance of the evidence.
B. Beyond a reasonable doubt.
C. Beyond the shadow of a doubt.
D. There is no standard.

Answer

A

D.

Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.

Question 56

Q

Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

A. Patent
B. Trade secret
C. Copyright
D. Trademark

Answer

A

A.

Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.

Question 57

Q

Which one of the following actions might be taken as part of a business continuity plan?

A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations

Answer

A

B.

RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Question 58

Q

When developing a business impact analysis, the team should first create a list of assets. What should happen next?

A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.

Answer

A

C.

After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.

Question 59

Q

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

Answer

A

C.

Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as is with no further action.
Risk avoidance alters business activities to make a risk irrelevant.

Risk transference shifts the costs of a risk to another organization, such as an insurance company.

Question 60

Q

Laura has been asked to perform a security controls assessment (SCA). What type of organization is she most likely in?

A. Higher education
B. Banking
C. Government
D. Healthcare

Answer

A

C.

A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls. This means that Laura is probably part of a government organization or contractor.

Question 61

Q

Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?

A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence

Answer

A

C.

There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.

Question 62

Q

ISC2 uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection can it use to protect its rights in this logo?
Source: ISC2, Inc.

A. Copyright
B. Patent
C. Trade secret
D. Trademark

Answer

A

D.

Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works.
Patents and trade secrets are used to protect inventions and similar intellectual property.

Question 63

Q

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?

A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan

Answer

A

B.

A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Question 64

Q

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?
Source: CryptoLocker

A. Availability
B. Confidentiality
C. Disclosure
D. Distributed

Answer

A

A.

The message displayed is an example of ransomware, which encrypts the contents of a user’s computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk.
There is also no indication that other systems were involved in a distributed attack.

Answer 65

A

A.

A SYN flood attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. SYN flood attacks do not target integrity or confidentiality.
While this is a denial-of-service attack, denial is not the correct answer because you are asked which principle is being violated, not what type of attack took place.

Denial-of-service attacks target resource availability.

Answer 66

A

D.

Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business’ objectives. Operational and tactical plans have shorter horizons of a year or less.

Answer 67

A

A.

First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the U.S. Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress Copyright Office administers the copyright program. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) play no role in intellectual property protection.

Answer 68

A

B.

When following the segregation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it.
Defense in depth is not a relevant principle here because the answer is seeking an initial control.

Management may choose to add additional controls at a later date, but the primary objective here would be to implement segregation of duties.

Answer 69

A

B.

The U.S. Federal Information Security Modernization Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

Answer 70

A

B.

The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of payment card information. Among other things, the Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies.
The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm-Leach-Bliley Act (GLBA) regulates the handling of personal financial information.

Answer 71

A

A.

The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

Answer 72

A

B.

Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions, and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

Answer 73

A

C.

The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The U.S. Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

Answer 74

A

D.

Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO), or the maximum tolerable outage (MTO).

Answer 75

A

B.

The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.

Answer 76

A

A.

Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

Answer 77

A

D.

The System and Organization Controls audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Answer 78

A

A.

Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently. There is no evidence that the attacker engaged in information disclosure, tampering, or elevation of privilege.

Answer 79

A

A.

Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information. There is no evidence of an attack against availability or confidentiality.
Denial is an objective of attackers, rather than of security professionals, and is not relevant in this scenario that targets integrity.

Answer 80

A

A.

SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

Answer 81

A

A.

Trademarks protect words and images that represent a product or service and would not protect computer software.

Answer 82

A

B.

Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the Internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office’s server over the Internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the Internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

Answer 83

A

C.

RAID uses additional hard drives to protect the server against the failure of a single drive or two, based on the RAID level selected. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Answer 84

A

A.

Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Answer 85

A

D.

Signing a noncompete (NCA) or NDA agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process. During the exit interview, the team may choose to review employment agreements and policies that remain in force, such as a noncompete or nondisclosure agreement.

Answer 86

A

A.

Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, a statement of priorities, a statement of organizational responsibility, a statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

Answer 87

A

D.

Mandatory vacation programs require that employees take continuous periods of time off each year and have their system privileges revoked during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Answer 88

A

C.

The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Jeff could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.

Answer 89

A

C.

Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Answer 90

A

B.

Baselines provide the minimum level of security that every system throughout the organization must meet. This type of information would not appear in a policy, guideline, or procedure.

Answer 91

A

C.

Everyone in the organization should receive basic training on the nature and scope of the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

Answer 92

A

C.

If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

Answer 93

A

C.

PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC) but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant it, but they do not have the authority to enforce PCI DSS requirements.

Answer 94

A

A.

This is an example of a security champion program that uses individuals employed in other roles in a business unit to share security messaging. The individuals in these roles are not necessarily security experts and do not have a peer review role.

Answer 95

A

A.

Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Answer 96

A

B.

The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor’s security controls meet the organization’s own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor’s policy may be weaker than the organization’s own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

Answer 97

A

A.

The missing step of the NIST risk management framework is assessing security controls. This is an important component of the process. The organization has already prepared, categorized the system, selected appropriate controls, and implemented those controls. Before authorizing the use of the system, they must assess the effectiveness of those controls to ensure that they meet security requirements.

Answer 98

A

D.

HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. Risk acceptance involves making a conscious decision to accept a risk as is with no further action.
Risk mitigation takes measures to reduce the likelihood and/or impact of a risk.

Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Answer 99

A

C.

Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

Answer 100

A

A.

The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

Answer 101

A

B.

Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

Answer 102

A

D.

The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Answer 103

A

D.

Keeping a service up and running is an example of an availability control because it increases the likelihood that a service will remain available to answer user requests.

Answer 104

A

A.

A cold site includes the basic capabilities required for data center operations such as space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations. Warm sites, hot sites, and mobile sites would all include hardware.

Answer 105

A

B.

In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state’s residents.

Answer 106

A

B.

ISO 27002 is an international standard focused on information security and titled “Information security, cybersecurity and privacy protection: Information security controls.” ITIL does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

Answer 107

A

B.

The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Answer 108

A

B.

The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

Answer 109

A

C.

Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

Answer 110

A

B.

The ISC2 Code of Ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

Answer 111

A

C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Answer 112

A

D.

Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Answer 113

A

C.

Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure. Least privilege ensures that an individual has only the minimum set of permissions necessary to carry out their assigned job functions and does not require overlapping controls.
Separation of duties requires that one person not have permission to perform two separate actions that, when combined, carry out a sensitive function.

Security through obscurity attempts to hide the details of security controls to add security to them.

Neither separation of duties nor security through obscurity involves overlapping controls.

Answer 114

A

A, B.

All ISC2 certified professionals are required to comply with the ISC2 Code of Ethics. All employees of an organization are required to comply with the organization’s code of ethics. The federal code of ethics (or, more formally, the Code of Ethics for Government Service) would not apply to a nonprofit organization, as it applies only to federal employees. RFC 1087 does provide a code of ethics for the Internet, but it is not binding on any individual.

Answer 115

A

B.

Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Answer 116

A

A.

The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

Answer 117

A

D.

Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that they are about to be terminated.

Answer 118

A

D.

In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

Answer 119

A

A.

COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

Answer 120

A

D.

The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

Answer 121

A

D.

Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

Answer 122

A

C.

In reduction analysis, the security professional breaks the system down into five core elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

Answer 123

A

D.

South Africa’s Protection of Personal Information Act (POPIA) governs the processing of personal data and would affect any new enterprise operating within its jurisdiction that handles personal information. PIPL refers to China’s Personal Information Protection Law, which would not apply in South Africa. PCI DSS is a set of security standards for entities that handle credit cards and does not relate to privacy law but rather to the security of cardholder data. PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada’s data privacy law and would not be applicable to operations in South Africa.

Answer 124

A

B.

Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

Answer 125

A

C.

Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this scenario the missing patch is the vulnerability, and the malicious hacker is the threat. If the hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

Answer 126

A

C.

The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.

B.

The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

A.

The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

Answer 127

A

C.

Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. When the attacker examined the HTML code and discovered sensitive information, this was an example of an information disclosure attack, as the attacker gained information they should not have been privy to.

Answer 128

A

A.

Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

Answer 129

A

C.

Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn’t bring back old flaws, while fuzz testing feeds unexpected input to code. In a code review the source code itself is reviewed, and this may be done as part of the change management process but isn’t what is described here.

Answer 130

A

A.

Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is not a return investment calculation in this problem, and the measure is not a control.

Answer 131

A

D.

A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.

Answer 132

A

A, C.

Supply chain risks occur when the adversary is interfering with the delivery of goods or services from a supplier to the customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an infrastructure-as-a-service (IaaS) environment is not a supply chain risk because the web server is already under the control of the customer. Using a botnet to conduct a denial-of-service attack does not involve any supply chain elements.

Answer 133

A

The laws or industry standards match to the descriptions as follows:

GLBA: A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis

PCI DSS: C. An industry standard that covers organizations that handle payment cards

HIPAA: D. A U.S. law that provides data privacy and security requirements for medical information

SOX: B. A U.S. law that requires internal controls’ assessments including IT transaction flows for publicly traded companies

Domain 1: Review Questions Flashcards

The Security and Risk Management domain encompasses many of the foundational elements of security solutions.