Domain 1 Security and Risk Management Flashcards
Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
A. Shareholders
B. Management
C. Users
D. Humanity
Answer: D Aisha’s primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble finally states: strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of
the other options, answer D is correct.
Ian’s private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password.
Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
Answer: C Gwendolyn’s job, in this case, is the data custodian because her role is to manage data for the data owners, which are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.
Usain has lost his login and password for the Verbal Co. software-as-a-service (SAAS) system set up in 1999. The system is so old, he no longer has the email account to recover the password. Verbal Co.’s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
Answer: A Usain’s next best step is to recover credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains clear passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed. Also, if
the tapes are recovered, it is likely there are no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.
Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu’s firm is required to follow specific regulations.
Which of the following is it only recommended to follow?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Answer: D Guidelines are non-mandatory, advisory recommendations. Policies are put together by management and are required to be followed across the organization. Procedures are detailed step-by-step instructions to achieve a given goal or mandate.
Standards form metrics to help measure the success of procedures and policies.
Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.
Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.
Teecee is running the computer sales department and sees that her team has sold$600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.
Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.
Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility
Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)
Answer: C Nina’s next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.
What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage—for example, the business has to shut down.
Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
Answer: C The prudent person principle is a standard of care that a reasonably prudent person would follow in certain situations. This principle, borrowed from the law and insurance industries, is also followed in cybersecurity if it is outside a NIST, PCI-DSS, Center for Internet Security (CIS), or another standard. Due care is the effort made to avoid harm to others, such as putting mitigating controls in place. Due diligence is the practice of due care—for example, making
sure the mitigating controls work. Measuring negligence helps to determine if an organization acted prudently.
Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed
records of the loan agreement?
A. Common access card (CAC)
B. Password
C. Mother’s maiden name
D. His birthday
Answer: A Scoop will use the CAC. This is the best authentication type to combine something-that-you-know authentication with. Since your password, mother’s maiden name, and birthday are all something you know, these combined with a PIN would simply be single-factor authentication (SFA).
Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi’s BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
Answer: D Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
Answer: B If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states Dito will use the product in an acceptable manner. Intellectual property (IP) is works or inventions that have value to an organization.
Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)
Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients, and in order to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject’s right to be forgotten, which is not a part of most other privacy acts). The FTC focuses on US trade and consumer protections. HIPAA affects hospitals and other medical providers. SOX makes corporate fraud a criminal act.
Trevor is considering transferring much of his organization’s data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification
Answer: A Trevor would consider CSA STAR certification, which demonstrates the cloud service provider’s (CSP’s) adherence to privacy and security best practices, and the only option that is vendor-neutral. Azure certification is a Microsoftonly standard. AWS is an Amazon-only standard. RH cloud certification is a Red Hat-only standard.
Shewan’s credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit
card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5
years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit
card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5
years in state prison.
Answer: A PCI-DSS is a contractual standard between stores and credit card providers. Vendors agree to provide minimal security measures to protect customer PII. Results from poor audits risk the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is a contractual standard. PCI-DSS is not an industry standard, and there
is no credit card license. Industry standards are non-contractual agreements—for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
Answer: D Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
Tara’s computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
Answer: B This is an excellent example of ransomware. Once Tara pays the attacker, there is a good chance she will have access to her data. Ransomware is a type of malware that asks for a ransom payment. This is a type of DoS attack, but DoS attacks are, in general, considered availability attacks over a network. MitM attacks in general are network attacks design to sniff packets