Domain 1 Security and Risk Management Flashcards
Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
A. Shareholders
B. Management
C. Users
D. Humanity
Answer: D Aisha’s primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble finally states: strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of
the other options, answer D is correct.
Ian’s private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password.
Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
Answer: C Gwendolyn’s job, in this case, is the data custodian because her role is to manage data for the data owners, which are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.
Usain has lost his login and password for the Verbal Co. software-as-a-service (SAAS) system set up in 1999. The system is so old, he no longer has the email account to recover the password. Verbal Co.’s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
Answer: A Usain’s next best step is to recover credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains clear passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed. Also, if
the tapes are recovered, it is likely there are no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.
Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu’s firm is required to follow specific regulations.
Which of the following is it only recommended to follow?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Answer: D Guidelines are non-mandatory, advisory recommendations. Policies are put together by management and are required to be followed across the organization. Procedures are detailed step-by-step instructions to achieve a given goal or mandate.
Standards form metrics to help measure the success of procedures and policies.
Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.
Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.
Teecee is running the computer sales department and sees that her team has sold$600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.
Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.
Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility
Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)
Answer: C Nina’s next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.
What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage—for example, the business has to shut down.
Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
Answer: C The prudent person principle is a standard of care that a reasonably prudent person would follow in certain situations. This principle, borrowed from the law and insurance industries, is also followed in cybersecurity if it is outside a NIST, PCI-DSS, Center for Internet Security (CIS), or another standard. Due care is the effort made to avoid harm to others, such as putting mitigating controls in place. Due diligence is the practice of due care—for example, making
sure the mitigating controls work. Measuring negligence helps to determine if an organization acted prudently.
Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed
records of the loan agreement?
A. Common access card (CAC)
B. Password
C. Mother’s maiden name
D. His birthday
Answer: A Scoop will use the CAC. This is the best authentication type to combine something-that-you-know authentication with. Since your password, mother’s maiden name, and birthday are all something you know, these combined with a PIN would simply be single-factor authentication (SFA).
Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi’s BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
Answer: D Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
Answer: B If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states Dito will use the product in an acceptable manner. Intellectual property (IP) is works or inventions that have value to an organization.
Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)
Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients, and in order to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject’s right to be forgotten, which is not a part of most other privacy acts). The FTC focuses on US trade and consumer protections. HIPAA affects hospitals and other medical providers. SOX makes corporate fraud a criminal act.
Trevor is considering transferring much of his organization’s data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification
Answer: A Trevor would consider CSA STAR certification, which demonstrates the cloud service provider’s (CSP’s) adherence to privacy and security best practices, and the only option that is vendor-neutral. Azure certification is a Microsoftonly standard. AWS is an Amazon-only standard. RH cloud certification is a Red Hat-only standard.
Shewan’s credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit
card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5
years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit
card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5
years in state prison.
Answer: A PCI-DSS is a contractual standard between stores and credit card providers. Vendors agree to provide minimal security measures to protect customer PII. Results from poor audits risk the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is a contractual standard. PCI-DSS is not an industry standard, and there
is no credit card license. Industry standards are non-contractual agreements—for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
Answer: D Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
Tara’s computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
Answer: B This is an excellent example of ransomware. Once Tara pays the attacker, there is a good chance she will have access to her data. Ransomware is a type of malware that asks for a ransom payment. This is a type of DoS attack, but DoS attacks are, in general, considered availability attacks over a network. MitM attacks in general are network attacks design to sniff packets
Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:
A. Social engineering
B. Sextortion
C. Ransomware
D. Spam
Answer: B Karthik was attacked with a sextortion scam. Most of these are fake, and the victim should not send money. Ransomware is distinguished by locking the victim’s data. Although this is unwanted email like spam, sextortion demands a monetary threat. Most social engineering attacks come with a degree of spoofing, where the sender pretends to be someone they are not.
Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?
A. Disable File Transfer Protocol (FTP) and Telnet services
B. Install the latest security update patches
C. Remove default logins and passwords
D. Implement security-hardening standards
Answer: D Alexis’ next best step would be to implement security hardening standards, which includes disabling Telnet and FTP services, installing the latest security updates and patches, and removing default logins and passwords.
Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers’ briefcases when they leave for the day
Answer: A Of the four options, the only administrative option is having staff sign the NDA. Zosimo can further layer security with technical controls (for example, DLP and proxy servers) as well as physical controls (for example, security guards).
Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?
A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras
Answer: C The key point to this question is on a budget. Dummy cameras are deterrent-type controls that reduce the likelihood of an attack and are very inexpensive. RFID is a detective-type control that is not that expensive but requires a lot of labor expense to add the RFID tags to the books. Security cameras are detective and deterrent control types and are expensive to purchase, install, and monitor. Security guards are an expensive detective type of control as well.
Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
Answer: D Coop has some of the plain text that goes with the encrypted message, so this is a known plaintext attack.
Which of the following is NOT a directive control type?
A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
Answer: C Guard dogs are detective control types that recognize attacks and other negative activities. PPs, ToS, and signage are all directive control types.
Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
Answer: B Ysaline is performing risk transference since AXQO Corp will now manage the day-to-day IT functions. Risk mitigation is what happens if she continues to operate as is. Risk avoidance would not work for her because it would mean not having any IT equipment at all to manage. Risk acceptance is the amount of acceptable risk after mitigations are put in place.
Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. On an average year, five laptops are lost, stolen, or damaged. What would be the annualized loss expectancy (ALE) calculation?
A. $10,000
B. $5,000
C. $2,000
D. $1,000
Answer: B AV = $2,000; EF = 50%
SLE = AV * EF = $2,000 * 50% = $1,000
ARO = 5
ALE = SLE * ARO = $1,000 * 5 = $5,000
Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?
A. Quantitative
B. Qualitative
C. Likelihood
D. Impact
Answer: A Quantitative risk analysis takes more time than qualitative risk analysis because participants need all of the data to proceed. This can be time-consuming. Qualitative risk analysis is much quicker because it relies on educated guesses. It is important that the people who understand the areas of risk to their departments are in the room. Likelihood and impact are used in risk analysis to prioritize asset protection.
Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
Answer: B Security directors advise on security matters, draft security policy, and contribute to the Configuration Management Board. Senior management includes positions such as CEO, CFO, CIO, and so on, and mandates policies, determines strategic goals, and determines which security frameworks to use. Security personnel follow the security processes of the organization. System administrators manage day-to-day IT operations, including helpdesks.
Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.
Answer: D Bianca’s next best step is to submit a DCMA takedown request to the DMCA designated agent of the hosting company, with a list of the copyrights and location on the website. Legal action generally follows this step if the copyrighted material is not removed. Legal action is a much longer process, and it will take much longer to have her material removed. Free publicity and watermarking do not
help her get her images removed.
Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his
boss did not make this request. This represents which type of attack?
A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling
Answer: C A BEC contains characteristics of spear phishing, but the domain name is very similar, and the email appears to be from internal management. Finally, large sums of money are directed outside of the company. Sometimes, funds can be recovered by working with the federal police.
Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?
A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling
Answer: A An EAC is when a hacker uses phishing, spear phishing, whaling, password attacks, malware, and so on to compromise a C-level executive’s email account for the purpose of tricking targets to send funds.
Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
Answer: B Updates of firewalls, SpamAssassin, and proxies can help reduce the volume of attacks, but none of these systems is perfect. Continuous training programs via live training, videos, podcasts, and so on are the best way to safeguard the organization.
Which of the following represents an acceptable amount of data loss measured in time?
A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
Answer: A The RPO represents the acceptable amount of data loss in time— for example, snapshots might be taken every 15 minutes, so 15 minutes is the RPO. The RTO is the period to bring all systems back online after a disaster. WRT is the time needed to verify systems and data integrity. MTD is the maximum amount of downtime before going out of business and is generally the sum of WRT and RTO.
Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA
Answer: D BIA includes prioritization of risks based on impact, likelihood, and exposure. Risk analysis can be qualitative or quantitative. BIA is part of BCP,which defines how to continue business operations after a disaster. DRP details how to recover business operations after a disaster. IRPs are executed when legal
authorities must be involved—for example, when PII or financial records are stolen over the internet.
Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:
A. MitM
B. DoS
C. Social engineering
D. Doxxing
Answer: C Dumpster diving, phishing, baiting, and piggybacking are all non-high-technical methods to engage the victim. MitM attacks use high-tech tools to download conversations of the victim. DoS is a network attack where data floods the device. Doxxing is searching and publishing private information about individuals.
Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation
Answer: B Mandatory vacations are designed to expose any fraud that might be occurring. If Coco is involved in fraud, she needs to be at work to be monitored for fraudulent activity. Healthy worker vacations are planned and expected. Phishing email issues are better resolved with training than with vacation. Staff need to be on-site for DR simulations so that they know their part in a disaster
Simon needs to calculate risk. Which formula will he use?
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
Answer: C Risk is the product of vulnerability and a possible threat.
Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
Answer: D Cold sites are empty rooms and designed for low-priority data that can take several weeks or months for recovery. Warm sites have some computer equipment but no current backup tapes. Hot sites have recent backups for fast recovery within minutes to hours. Mirrored sites have the most current information in case of failure.
Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?
A. Defense-in-depth (DiD)
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls
Answer: A Although D might be true, the strategy is called DiD, or a layered approach.
