Domain 1 Security and Risk Management Flashcards
Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
A. Confidentiality
B. Integrity
C. Availability
D. Safety
Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
A. Shareholders
B. Management
C. Users
D. Humanity
Answer: D Aisha’s primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble finally states: strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of
the other options, answer D is correct.
Ian’s private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
A. Password
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password.
Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
Answer: C Gwendolyn’s job, in this case, is the data custodian because her role is to manage data for the data owners, which are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.
Usain has lost his login and password for the Verbal Co. software-as-a-service (SAAS) system set up in 1999. The system is so old, he no longer has the email account to recover the password. Verbal Co.’s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
Answer: A Usain’s next best step is to recover credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains clear passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed. Also, if
the tapes are recovered, it is likely there are no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.
Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing ethics@isc2.org
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu’s firm is required to follow specific regulations.
Which of the following is it only recommended to follow?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Answer: D Guidelines are non-mandatory, advisory recommendations. Policies are put together by management and are required to be followed across the organization. Procedures are detailed step-by-step instructions to achieve a given goal or mandate.
Standards form metrics to help measure the success of procedures and policies.
Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
A. The IT Infrastructure Library (ITIL)
B. The Committee of Sponsoring Organizations (COSO)
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.
Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
A. The National Institute of Standards and Technology (NIST)
B. ITIL
C. COSO
D. The Payment Card Industry Data Security Standard (PCI-DSS)
Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.
Teecee is running the computer sales department and sees that her team has sold$600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.
Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.
Nina, a forensic accountant, suspects fraud within the organization, and implemented separation of duties (SoD) to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is MOST LIKELY occurring?
A. Collusion
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility
Nina, a forensic accountant, suspects fraud within the organization and implemented SoD to mitigate the issues. Later investigation shows the fraud has appeared to continue. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
D. Implement data leak prevention (DLP)
Answer: C Nina’s next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.
What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage—for example, the business has to shut down.
Negligence uses a reasonable person standard in cybersecurity measures, showing necessary due care when working with PII. This is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
Answer: C The prudent person principle is a standard of care that a reasonably prudent person would follow in certain situations. This principle, borrowed from the law and insurance industries, is also followed in cybersecurity if it is outside a NIST, PCI-DSS, Center for Internet Security (CIS), or another standard. Due care is the effort made to avoid harm to others, such as putting mitigating controls in place. Due diligence is the practice of due care—for example, making
sure the mitigating controls work. Measuring negligence helps to determine if an organization acted prudently.
Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed
records of the loan agreement?
A. Common access card (CAC)
B. Password
C. Mother’s maiden name
D. His birthday
Answer: A Scoop will use the CAC. This is the best authentication type to combine something-that-you-know authentication with. Since your password, mother’s maiden name, and birthday are all something you know, these combined with a PIN would simply be single-factor authentication (SFA).
Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi’s BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
Answer: D Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
B. Contract
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
Answer: B If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states Dito will use the product in an acceptable manner. Intellectual property (IP) is works or inventions that have value to an organization.
Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
A. The Federal Trade Commission (FTC)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
D. The Sarbanes-Oxley Act (SOX)
Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients, and in order to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject’s right to be forgotten, which is not a part of most other privacy acts). The FTC focuses on US trade and consumer protections. HIPAA affects hospitals and other medical providers. SOX makes corporate fraud a criminal act.
Trevor is considering transferring much of his organization’s data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Allowance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
C. Amazon Web Services (AWS) certification
D. Red Hat (RH) cloud certification
Answer: A Trevor would consider CSA STAR certification, which demonstrates the cloud service provider’s (CSP’s) adherence to privacy and security best practices, and the only option that is vendor-neutral. Azure certification is a Microsoftonly standard. AWS is an Amazon-only standard. RH cloud certification is a Red Hat-only standard.
Shewan’s credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit
card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5
years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit
card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5
years in state prison.
Answer: A PCI-DSS is a contractual standard between stores and credit card providers. Vendors agree to provide minimal security measures to protect customer PII. Results from poor audits risk the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is a contractual standard. PCI-DSS is not an industry standard, and there
is no credit card license. Industry standards are non-contractual agreements—for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
B. KGI
C. KPI
D. Service-level agreement (SLA)
Answer: D Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
Tara’s computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
A. Malware
B. Ransomware
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
Answer: B This is an excellent example of ransomware. Once Tara pays the attacker, there is a good chance she will have access to her data. Ransomware is a type of malware that asks for a ransom payment. This is a type of DoS attack, but DoS attacks are, in general, considered availability attacks over a network. MitM attacks in general are network attacks design to sniff packets
Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:
A. Social engineering
B. Sextortion
C. Ransomware
D. Spam
Answer: B Karthik was attacked with a sextortion scam. Most of these are fake, and the victim should not send money. Ransomware is distinguished by locking the victim’s data. Although this is unwanted email like spam, sextortion demands a monetary threat. Most social engineering attacks come with a degree of spoofing, where the sender pretends to be someone they are not.
Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?
A. Disable File Transfer Protocol (FTP) and Telnet services
B. Install the latest security update patches
C. Remove default logins and passwords
D. Implement security-hardening standards
Answer: D Alexis’ next best step would be to implement security hardening standards, which includes disabling Telnet and FTP services, installing the latest security updates and patches, and removing default logins and passwords.
Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers’ briefcases when they leave for the day
Answer: A Of the four options, the only administrative option is having staff sign the NDA. Zosimo can further layer security with technical controls (for example, DLP and proxy servers) as well as physical controls (for example, security guards).
Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?
A. Add radio-frequency identification (RFID) to books.
B. Security guards
C. Dummy cameras
D. Security cameras
Answer: C The key point to this question is on a budget. Dummy cameras are deterrent-type controls that reduce the likelihood of an attack and are very inexpensive. RFID is a detective-type control that is not that expensive but requires a lot of labor expense to add the RFID tags to the books. Security cameras are detective and deterrent control types and are expensive to purchase, install, and monitor. Security guards are an expensive detective type of control as well.
Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
Answer: D Coop has some of the plain text that goes with the encrypted message, so this is a known plaintext attack.
Which of the following is NOT a directive control type?
A. Privacy policy (PP)
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
Answer: C Guard dogs are detective control types that recognize attacks and other negative activities. PPs, ToS, and signage are all directive control types.
Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
Answer: B Ysaline is performing risk transference since AXQO Corp will now manage the day-to-day IT functions. Risk mitigation is what happens if she continues to operate as is. Risk avoidance would not work for her because it would mean not having any IT equipment at all to manage. Risk acceptance is the amount of acceptable risk after mitigations are put in place.
Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. On an average year, five laptops are lost, stolen, or damaged. What would be the annualized loss expectancy (ALE) calculation?
A. $10,000
B. $5,000
C. $2,000
D. $1,000
Answer: B AV = $2,000; EF = 50%
SLE = AV * EF = $2,000 * 50% = $1,000
ARO = 5
ALE = SLE * ARO = $1,000 * 5 = $5,000
Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?
A. Quantitative
B. Qualitative
C. Likelihood
D. Impact
Answer: A Quantitative risk analysis takes more time than qualitative risk analysis because participants need all of the data to proceed. This can be time-consuming. Qualitative risk analysis is much quicker because it relies on educated guesses. It is important that the people who understand the areas of risk to their departments are in the room. Likelihood and impact are used in risk analysis to prioritize asset protection.
Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
Answer: B Security directors advise on security matters, draft security policy, and contribute to the Configuration Management Board. Senior management includes positions such as CEO, CFO, CIO, and so on, and mandates policies, determines strategic goals, and determines which security frameworks to use. Security personnel follow the security processes of the organization. System administrators manage day-to-day IT operations, including helpdesks.
Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
D. Submit a Digital Millennium Copyright Act (DMCA) takedown request to the hosting provider.
Answer: D Bianca’s next best step is to submit a DCMA takedown request to the DMCA designated agent of the hosting company, with a list of the copyrights and location on the website. Legal action generally follows this step if the copyrighted material is not removed. Legal action is a much longer process, and it will take much longer to have her material removed. Free publicity and watermarking do not
help her get her images removed.
Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his
boss did not make this request. This represents which type of attack?
A. Phishing
B. Spear phishing
C. Business email compromise (BEC)
D. Whaling
Answer: C A BEC contains characteristics of spear phishing, but the domain name is very similar, and the email appears to be from internal management. Finally, large sums of money are directed outside of the company. Sometimes, funds can be recovered by working with the federal police.
Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?
A. Email account compromise (EAC)
B. Spear phishing
C. Phishing
D. Whaling
Answer: A An EAC is when a hacker uses phishing, spear phishing, whaling, password attacks, malware, and so on to compromise a C-level executive’s email account for the purpose of tricking targets to send funds.
Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
Answer: B Updates of firewalls, SpamAssassin, and proxies can help reduce the volume of attacks, but none of these systems is perfect. Continuous training programs via live training, videos, podcasts, and so on are the best way to safeguard the organization.
Which of the following represents an acceptable amount of data loss measured in time?
A. RPO
B. RTO
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
Answer: A The RPO represents the acceptable amount of data loss in time— for example, snapshots might be taken every 15 minutes, so 15 minutes is the RPO. The RTO is the period to bring all systems back online after a disaster. WRT is the time needed to verify systems and data integrity. MTD is the maximum amount of downtime before going out of business and is generally the sum of WRT and RTO.
Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
D. BIA
Answer: D BIA includes prioritization of risks based on impact, likelihood, and exposure. Risk analysis can be qualitative or quantitative. BIA is part of BCP,which defines how to continue business operations after a disaster. DRP details how to recover business operations after a disaster. IRPs are executed when legal
authorities must be involved—for example, when PII or financial records are stolen over the internet.
Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:
A. MitM
B. DoS
C. Social engineering
D. Doxxing
Answer: C Dumpster diving, phishing, baiting, and piggybacking are all non-high-technical methods to engage the victim. MitM attacks use high-tech tools to download conversations of the victim. DoS is a network attack where data floods the device. Doxxing is searching and publishing private information about individuals.
Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
D. Mandatory vacation as part of a disaster recovery (DR) simulation
Answer: B Mandatory vacations are designed to expose any fraud that might be occurring. If Coco is involved in fraud, she needs to be at work to be monitored for fraudulent activity. Healthy worker vacations are planned and expected. Phishing email issues are better resolved with training than with vacation. Staff need to be on-site for DR simulations so that they know their part in a disaster
Simon needs to calculate risk. Which formula will he use?
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
Answer: C Risk is the product of vulnerability and a possible threat.
Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
Answer: D Cold sites are empty rooms and designed for low-priority data that can take several weeks or months for recovery. Warm sites have some computer equipment but no current backup tapes. Hot sites have recent backups for fast recovery within minutes to hours. Mirrored sites have the most current information in case of failure.
Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?
A. Defense-in-depth (DiD)
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls
Answer: A Although D might be true, the strategy is called DiD, or a layered approach.
As part of a disaster strategy, Caty asks management for approval of deploying a warm site. Warm sites are which type of control functionality?
A. Recovery
B. Deterrent
C. Detective
D. Preventative
Answer: A Preventative functionality implements incident avoidance—for example, locks or mantraps. Detective functionality detects or alerts an incident—for example, motion detectors and job rotations. Deterrents diminish threats by reducing the confidence of the intruder—for example, fences and fake cameras. Recovery brings
organizations back to normal operations.
Arthur, chief executive officer (CEO) of Funutek, wishes to implement online purchasing via their website. The chief marketing officer (CMO) likes the idea because the new system can double sales. The CSO fears internet attacks and suggests NOT moving forward. How should Arthur proceed?
A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.
Answer: C The CSO is an advisor to the organization, seeking ways to implement operations and enable business functions within an acceptable risk level. Option A is wrong because there is no such thing as zero risks, and B is wrong because CMOs are not in charge of security.
NIST outlines security controls to put in place of federal agencies in which Special Publication (SP)?
A. 800-50
B. 800-51
C. 800-52
D. 800-53
Answer: D SP 800-53 is the Security and Privacy Controls for Federal
Information Systems and Organizations document. The document outlines various administrative, technical, and physical security controls to protect organizations.
Bud has just learned about hacking, knows a little about programming, and likes to bring misery to others. He decides to attempt hacking into his school website to change his grades. This puts him in which class of hackers?
A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat
Answer: B Script kiddies are in general non-sophisticated and new to hacking. APTs generally work as a group, carefully study the target, and are patient enough to wait for the right time to exploit a vulnerability. Ethical hackers are generally paid to attack organizations to find vulnerabilities but do not harm. Bud could almost be an internal threat since he is a student at the school, but he does not work for the school.
When it comes to dual-use goods (items that can be used by the military and ordinary citizens), there are special requirements and agreements for import and export. One that seeks to limit military buildup that could threaten international security is called Conventional Arms and Dual-Use Goods and Technologies, or the:
A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law
Answer: B The Wassenaar Arrangement applies export controls and rules for computers, electronics, encryption, and more.
Taylor just won her court case through the benefit of the doubt. Her case falls under which legal system?
A. Contract
B. Administrative
C. Civil
D. Criminal
Answer: D Criminal law is invoked when a person violates governmental laws, whereas civil law depends on the preponderance of the evidence. Administrative law is handled internally within organizations, similarly to internal affairs for police. Contract law is handled between the parties of a working agreement and can be
disputed in court or through a mediator.
Gael and his team have developed the perfect advertising algorithm so that when users search on his website, it leads them exactly to the information they need to reach. What is his BEST approach to assuring the secrecy of this algorithm?
A. Trade secret
B. Patent
C. Copyright
D. Trademark
Answer: A Copyrights and software patents require the algorithm to be published, making it easy for a competitor to reverse-engineer. Trademarks are used to protect an organization’s logo or brand.
Su-wei uses the Linux operating system, and freely copies it and gives it to friends. She is allowed to do this because of which of the following licenses?
A. Shareware
B. Commercial
C. End-user license agreement (EULA)
D. Academic
Answer: C Shareware, commercial, and academic licenses come with a EULA, which states how software can be used. Linux’s EULA is a call to the GNU General Public License (GNU GPL), giving freedom to users to distribute software as long as they give credit to the authors.
The area of United States (US) copyright law that makes it a crime to copy and distribute stolen software is called:
A. DMCA
B. EULA
C. Privacy Act
D. Business Software Alliance (BSA)
Answer: A The Digital Millennium Copyright Act helps to reduce software piracy by criminalizing the dissemination of stolen software. The EULA limits what users can do with software they purchase—for example, only allow 10 users. The BSA promotes the enforcement of software copyrights. The Privacy Act helps to protect user PII.
Fritz works with a document providing him step-by-step instructions. Which of the following is he working with?
A. Policies
B. Procedures
C. Standards
D. Guidelines
Answer: B Fritz is working with procedures because they provide explicit directions on performing specific operations. Policies are documents with concepts developed by management and must be followed. Guidelines are strong recommendations from management but do not have to be followed. Standards are metrics and are meant for use as a type of scoring system.
Naomi needs to calculate the TCO. Which of the following will she NOT use to complete the calculation?
A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost
Answer: B Naomi will need support costs, maintenance costs, and asset costs to calculate the TCO, but not replacement costs.
Viktor is conducting a risk assessment and needs to determine the percentage of risk his organization would suffer if an asset is compromised. Which of the following signifies this aspect of risk?
A. Safeguards
B. Vulnerabilities
C. Exposure factor
D. Risk
Answer: C Viktor needs the exposure factor, which defines the percentage of loss of an asset if a threat is realized. Safeguards add controls to mitigate risks, such as locks or firewalls. Vulnerabilities are weaknesses or flaws in a system, and risk is the probability of an attack or negative event.
Ons, a security manager, is working with her team to develop and update policies for staff and vendors. Controls in this area are considered which of the following?
A. Management
B. Operational
C. Technical
D. Logical
Answer: A Management controls develop policies. Logical and technical controls support technology such as firewalls, switches, and so on. Operational and physical controls support day-to-day activities such as security guards, grounds security, and so on.
Which of these is NOT true?
A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.
Answer: C Guidelines are informal recommendations that do not have to be followed. Policies are generated by management and are mandatory. Procedures are step-by-step instructions, and standards detail metrics that should be met.
Kei, a security manager, just completed a risk assessment with his team, and they determined that the new planned plant location was too dangerous, so they decided not to expand there. Which risk response did his team use?
A. Mitigation
B. Avoidance
C. Transfer
D. Acceptance
Answer: B Since Kei’s team has decided not to locate their business in a dangerous area, they are avoiding the risk. Mitigation would be building the business and then adding 8-foot (ft)-tall barbed wire fences around the building. When they purchase insurance on the building, they will be transferring that risk to the insurance company. Any leftover risk, they will accept.
What are the three primary components of risk?
A. Threat, consequence, vulnerability
B. Impact, threat, vulnerability
C. Asset, threat, impact
D. Asset, impact, consequence
Answer: B. Impact, threat, vulnerability
Explanation: Risk is typically composed of three components: threat (a potential cause of an incident that may result in harm), vulnerability (a weakness that can be exploited by a threat), and impact (the potential harm caused by a threat exploiting a vulnerability).
Which of the following is NOT a component of the ISC2 Code of Ethics?
A. Protect society and the infrastructure
B. Act honorably, honestly, and legally
C. Provide diligent and competent service
D. Prioritize personal gain over professional duties
Answer: D. Prioritize personal gain over professional duties
Explanation: The ISC2 Code of Ethics includes the principles of protecting society and the infrastructure; acting honorably, honestly, and legally; and providing diligent and competent service. Prioritizing personal gain over professional duties is contrary to the ethical principles outlined by ISC2.
Which of the following best describes a qualitative risk assessment?
A. It uses numerical values to estimate risk.
B. It relies on subjective judgments to rank risk.
C. It calculates the financial value of a risk.
D. It identifies the vulnerabilities that might be exploited by threats.
Answer: B. It relies on subjective judgments to rank risk.
Explanation: A qualitative risk assessment uses subjective judgments and expert opinions to rank risks, often categorizing them as low, medium, or high. In contrast, a quantitative risk assessment uses numerical values and calculations to estimate risks.
Which of the following is NOT a key element of effective risk communication and reporting?
A. Clarity
B. Timeliness
C. Consistency
D. Complexity
Answer: D. Complexity
Explanation: Effective risk communication and reporting should be clear, timely, and consistent. Complexity, particularly in the form of jargon and technical terms, can actually hinder effective communication and should be avoided when possible.
Which of the following activities is NOT involved in regular risk monitoring and review?
A. Tracking risk treatment progress
B. Reviewing risk assessments
C. Analyzing incident reports
D. Implementing risk treatment plans
Answer: D. Implementing risk treatment plans
Explanation: Regular risk monitoring and review involves tracking risk treatment progress, reviewing risk assessments, and analyzing incident reports. Implementing risk treatment plans is part of risk treatment, not monitoring and review.
In the context of compliance and regulatory considerations, what does it mean to “conduct compliance audits”?
A. Determine which laws and regulations apply to the organization
B. Establish policies and procedures that address legal and regulatory requirements
C. Perform regular assessments of the organization’s adherence to relevant laws and regulations
D. Develop and maintain incident response plans
Answer: C. Perform regular assessments of the organization’s adherence to relevant laws and regulations
Explanation: Conducting compliance audits involves performing regular assessments to check if the organization is adhering to relevant laws and regulations. This process helps to identify any deviations or noncompliance issues, which can then be addressed to avoid legal penalties, reputational damage, and other negative consequences. Options A, B, and D are all important components of a compliance program but do not accurately define the term “conduct compliance audits.”
What does FAIR in the risk management framework stand for?
A. Factual Analysis of Intrinsic Risk
B. Factor Analysis of Information Risk
C. Formal Assessment of Incident Response
D. Functional Analysis of Infrastructure Resilience
Answer: B. Factor Analysis of Information Risk
Explanation: FAIR stands for Factor Analysis of Information Risk. It offers a quantitative approach to risk management, enabling organizations to measure and prioritize risks using financial terms
Which of the following is not a type of control used in risk mitigation strategies?
A. Technical controls
B. Administrative controls
C. Physical controls
D. Emotional controls
Answer: D. Emotional controls
Explanation: Risk mitigation strategies involve technical, administrative, and physical controls. Emotional controls are not a recognized type of control in risk mitigation
Which asset valuation methodology considers the asset’s contribution to the organization’s intellectual property, customer trust, or competitive advantage?
A. Financial value
B. Business impact
C. Market value
D. Intangible value
Answer: D. Intangible value
Explanation: Intangible value considers the asset’s contribution to the organization’s intellectual property, customer trust, or competitive advantage. These aspects may not have a direct monetary value but are critical to the organization’s success.
What does the “canons” in the ISC2 Code of Ethics refer to?
A. A list of security technologies
B. A set of fundamental principles
C. A set of regulatory laws
D. A list of cybersecurity certifications
Answer: B. A set of fundamental principles
Explanation: The “canons” in the ISC2 Code of Ethics refer to a set of fundamental principles that guide the ethical and professional behavior of information security professionals.
In the context of risk management, what is the primary role of a quantitative risk assessment?
A. To make subjective judgments about risks
B. To rank risks based on expert opinion
C. To use numerical values to estimate risks
D. To categorize risks as low, medium, or high
Answer: C. To use numerical values to estimate risks
Explanation: Quantitative risk assessment uses numerical values and calculations to estimate potential risks, often in terms of potential financial impact.
Which of the following is not typically included in a comprehensive enterprise risk management program according to the COSO ERM framework?
A. Risk governance and culture
B. Risk strategy and objective setting
C. Risk in execution and performance
D. Risk in product design and marketing
Answer: B. Risk in product design and marketing
Explanation: The COSO ERM framework includes principles and guidance focusing on risk governance and culture, strategy and objective setting, and risk in execution and performance. Risk in product design and marketing, while important, is not specifically mentioned in the framework.
What does the NIST SP 800-37 framework primarily provide guidelines for?
A. Implementing an information security risk management process
B. Implementing a risk management process for federal information systems
C. Providing a quantitative approach to risk management
D. Developing a comprehensive enterprise risk management program
Answer: B. Implementing a risk management process for federal information systems
Explanation: The NIST SP 800-37 framework primarily provides guidelines for implementing a risk management process for federal information systems.
What is the primary purpose of asset valuation in the context of risk management?
A. To estimate the direct monetary value of an asset
B. To identify potential threats to the asset
C. To assess the potential impact and likelihood of threats to the asset
D. To prioritize the asset for risk treatment
Answer: A. To estimate the direct monetary value of an asset
Explanation: Asset valuation involves assigning a value to an organization’s assets, such as hardware, software, data, or personnel. This value can be based on various factors, including the cost of purchasing, maintaining, or replacing the asset; its potential impact on the organization’s operations or reputation; its market value; or its intangible value.
Which of the following is a key component of the risk monitoring and review process?
A. Ignoring risk treatment progress
B. Avoiding reviewing risk assessments
C. Tracking risk treatment progress
D. Omitting incident report analysis
Answer: C. Tracking risk treatment progress
Explanation: Tracking risk treatment progress is a key component of the risk monitoring and review process. Other elements include reviewing risk assessments, analyzing incident reports, and evaluating the overall effectiveness of the risk management program.
Which of the following activities is not a part of compliance and regulatory considerations?
A. Identifying applicable laws and regulations
B. Developing policies and procedures
C. Ignoring compliance audits
D. Implementing incident response plans
Answer: C. Ignoring compliance audits
Explanation: Ignoring compliance audits is not a part of compliance and regulatory considerations. Regular audits are important for assessing the organization’s compliance with relevant laws and regulations and identifying potential gaps or areas for improvement.
What does the intangible value of an asset refer to in the context of asset valuation methodologies?
A. The asset’s direct monetary value
B. The asset’s market demand
C. The asset’s contribution to the organization’s intellectual property or customer trust
D. The asset’s impact on the organization’s operations
Answer: C. The asset’s contribution to the organization’s intellectual property or customer trust
Explanation: The intangible value of an asset refers to nonmonetary aspects such as its contribution to the organization’s intellectual property, customer trust, or competitive advantage.
What is the most effective method to ascertain the value of an intangible asset?
A. Calculate the physical storage costs and multiply by the company’s projected lifespan
B. Engage a financial or accounting expert to determine the asset’s profit returns
C. Examine the intangible asset’s depreciation over the previous three years
D. Refer to the historical cost of acquiring or developing the intangible asset
Answer: B. Engage a financial or accounting expert to determine the asset’s profit returns
Explanation: The value of an intangible asset is best determined by assessing its economic benefits, such as the profits it generates. A financial or accounting professional would be most equipped to calculate this.
What is the key characteristic of qualitative risk assessment?
A. It can be executed easily and by individuals with basic knowledge of the risk assessment process.
B. It can be executed by individuals with basic knowledge of risk assessment and utilizes specific metrics for risk calculation.
C. It uses specific metrics for risk calculation and can be easily implemented.
D. It can be done by individuals with limited risk assessment knowledge and utilizes specific metrics for risk calculation.
Answer: A. It can be executed easily and by individuals with basic knowledge of the risk assessment process.
Explanation: Qualitative risk assessment is characterized by its simplicity and the ability to be performed by individuals with a basic understanding of the process. It does not rely heavily on specific metrics or calculations; rather, it uses descriptions or categories to assess and prioritize risks
What are the factors to consider when deciding on the type of risk assessment to perform?
A. Organizational culture, probability of exposure, and budget
B. Budget, resource capabilities, and probability of exposure
C. Resource capabilities, probability of exposure, and budget
D. Organizational culture, budget, and resource capabilities
Answer: D. Organizational culture, budget, and resource capabilities
Explanation: The type of risk assessment to be performed in an organization is influenced by various factors. These include the organizational culture (which can determine the acceptance and understanding of the assessment process), the available budget (which can limit or extend the scope and depth of the assessment), and resource capabilities (which can impact the ability to perform certain types of assessments). While the probability of exposure is a factor in risk assessment, it is part of the assessment process itself rather than a determining factor in the type of risk assessment to be conducted.
What does security awareness training encompass?
A. Legal security compliance objectives
B. Security roles and responsibilities of staff
C. High-level results of vulnerability assessments
D. Specialized curriculum tasks, coursework, and an accredited institution
Answer: B. Security roles and responsibilities of staff
Explanation: Security awareness training typically covers the roles and responsibilities of staff regarding security. It aims to equip them with the knowledge they need to recognize and respond appropriately to security threats.
What is the purpose of a signed user acknowledgment of the corporate security policy?
A. To ensure that users have read the policy
B. To ensure that users understand the policy, as well as the consequences of not adhering to the policy
C. Can be waived if the organization is satisfied that users have a good understanding of the policy
D. To protect the organization if a user’s behavior violates the policy
Answer: D. To protect the organization if a user’s behavior violates the policy
Explanation: While all options may have some relevance, a signed user acknowledgment of the corporate security policy primarily helps protect the organization if a user’s behavior violates the policy. It serves as documented evidence that the user was aware of the policy and the associated consequences of noncompliance.
To maintain impartiality, the security officer could report to which of the following?
A. CEO, application development, or CFO
B. Chief Information Officer, CFO, or application development
C. CFO, CEO, or Chief Information Officer
D. Application development, CFO, or CEO
Answer: C. CFO, CEO, or Chief Information Officer
Explanation: To avoid bias and ensure independence, a security officer could report directly to top-level management such as the Chief Financial Officer (CFO), Chief Executive Officer (CEO), or the Chief Information Officer (CIO). This arrangement helps to ensure that security concerns are addressed at the highest level of decision-making.
What is the best use of tactical security plans?
A. To establish high-level security policies
B. To enable enterprise-wide security management
C. To minimize downtime
D. To deploy new security technology
Answer: D. To deploy new security technology
Explanation: Tactical security plans are typically used to guide the implementation of specific security measures, such as the deployment of new security technologies. These plans have a shorter time horizon than strategic security plans and are more detailed, focusing on the practical aspects of implementing security measures.
Who is responsible for the implementation of information security?
A. Everyone
B. Senior management
C. Security officer
D. Data owners
Answer: A. Everyone
Explanation: While specific roles like the security officer, senior management, and data owners have key responsibilities, implementing information security is a shared responsibility. Everyone in an organization has a part to play in maintaining security, from following established policies to reporting potential security incidents.
What attributes should a security policy have to remain relevant and meaningful over time?
A. Directive words such as shall, must, or will, technical specifications, and should be short in length
B. A defined policy development process, should be short in length, and contain directive words such as shall, must, or will
C. Short in length, contain technical specifications, and directive words such as shall, must, or will
D. Directive words such as shall, must, or will, a defined policy development process, and is short in length
Answer: D. Directive words such as shall, must, or will, a defined policy development process, and is short in length
Explanation: A security policy that remains meaningful over time is one that is clear and concise, has a defined policy development and review process, and uses directive words to clearly communicate the requirements. It doesn’t necessarily need to contain detailed technical specifications, as these may change over time and could make the policy less adaptable and more difficult to maintain.
Which among the following best describes an intangible asset’s valuation process?
A. Multiplying the physical storage costs by the company’s expected lifespan
B. Collaborating with finance or accounting professionals to ascertain the profit returned by the asset
C. Reviewing the intangible asset’s depreciation over the past three years
D. Using the historical acquisition or development cost of the intangible asset
Answer: B. Collaborating with finance or accounting professionals to ascertain the profit returned by the asset
Explanation: The value of an intangible asset is often best determined by its ability to generate profit. Therefore, working with finance or accounting professionals to ascertain the profit returned by the asset is typically the most effective approach.
Which principle is violated if one individual in the finance department has the ability to add vendors to the vendor database and subsequently make payments to the vendor?
A. A well-formed transaction
B. Separation of duties
C. Least privilege
D. Data sensitivity level
Answer: B. Separation of duties
Explanation: The separation of duties principle is designed to prevent errors and fraud that might be possible when only one person is in control of all parts of a process. Here, allowing one person to both add vendors and make payments could lead to fraudulent transactions. Hence, this scenario is a violation of the separation of duties principle.
What is the best way to mitigate collusion?
A. Job rotation
B. Data classification
C. Defining job sensitivity level
D. Least privilege
Answer: A. Job rotation
Explanation: Collusion is the act of collaborating fraudulently within an organization to deceive or defraud. Job rotation, which involves moving employees between different roles, is a good way to prevent collusion because it reduces the opportunity for long-term manipulation in any single position.
Who is best suited to make decisions about data access?
A. User managers
B. Data owners
C. Senior management
D. Application developers
Answer: B. Data owners
Explanation: Data owners, the individuals or entities responsible for the data’s security and use, are best suited to make decisions about data access. They understand the data’s sensitivity and the potential risks of unauthorized access. While other stakeholders may have input, the ultimate decision should lie with the data owner.
What is the primary obstacle in combating computer crime?
A. Computer criminals are generally smarter than computer investigators.
B. Adequate funding to stay ahead of the computer criminals.
C. Activity associated with computer crime is truly international.
D. There are so many more computer criminals than investigators that it is impossible to keep up.
Answer: C. Activity associated with computer crime is truly international.
Explanation: The international nature of computer crime is a major hindrance to fighting it. Jurisdictional issues, differences in laws across countries, and the sheer scope of the Internet make it challenging to investigate and prosecute cybercrimes effectively.
What discipline does computer forensics combine with computer science, information technology, and engineering?
A. Law
B. Information systems
C. Analytical thought
D. The scientific method
Answer: A. Law
Explanation: Computer forensics is a multidisciplinary field that combines computer science, information technology, and engineering with law. The goal is to gather and analyze data in a way that is legally admissible.
Which principle allows an investigator to identify aspects of a person responsible for a crime, based on the residual traces left behind while stealing information?
A. Meyer’s principle of legal impunity
B. Criminalistic principles
C. IOCE/Group of 8 Nations principles for computer forensics
D. Locard’s principle of exchange
Answer: D. Locard’s principle of exchange
Explanation: Locard’s exchange principle states that the perpetrator of a crime will bring something into the crime scene and leave with something from it and that both can be used as forensic evidence. This principle is applicable to cybercrimes, where digital traces can be left behind.
Which of the following is a part of the fundamental principles of evidence?
A. Authenticity, redundancy, and admissibility
B. Completeness, authenticity, and admissibility
C. Completeness, redundancy, and authenticity
D. Redundancy, admissibility, and completeness
Answer: B. Completeness, authenticity, and admissibility
Explanation: The five cardinal rules of evidence include completeness, authenticity, admissibility, accuracy, and reasonableness. Hence, option B is correct as it contains three of these principles.
Which of the following is not listed as a stage in incident response?
A. Documentation
B. Prosecution
C. Containment
D. Investigation
Answer: B. Prosecution
Explanation: While prosecution may be a result of an incident response, it is not a phase in itself. The typical phases of incident response include preparation, identification, containment, eradication, recovery, and lessons learned/documentation.
Which category of intellectual property protection covers the expression of ideas rather than the ideas themselves?
A. Trademark
B. Patent
C. Copyright
D. Trade secret
Answer: C. Copyright
Explanation: Copyright law protects the expression of an idea in a tangible medium, such as a book, song, or software program, rather than the idea itself.
Which type of intellectual property safeguards the goodwill that a merchant or vendor invests in its products?
A. Trademark
B. Patent
C. Copyright
D. Trade secret
Answer: A. Trademark
Explanation: Trademarks protect brand names, logos, and other identifiers that signify the source of goods or services. The value of a trademark lies in the goodwill and brand recognition that a merchant or vendor builds in its products or services.
How does the ISC2 Code of Ethics address conflicts between canons?
A. There can never be conflicts between canons.
B. Through a process of adjudication.
C. Based on the order of the canons.
D. By having all canon conflicts reviewed by the board of directors.
Answer: C. Based on the order of the canons
Explanation: If a conflict arises between the canons in the ISC2 Code of Ethics, they are resolved by giving precedence to the canon that appears earlier in the list.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy. Which of the following principles is NOT stated in GDPR?
A. Data minimization
B. Consent
C. Data localization
D. Accountability
Answer: C. Data localization
Explanation: Data localization is not a principle stated in GDPR. GDPR principles include lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Which of the following laws mandates that organizations must have adequate security measures in place to protect customer data?
A. Sarbanes-Oxley Act (SOX)
B. Gramm-Leach-Bliley Act (GLBA)
C. Data Protection Act (DPA)
D. Federal Information Security Management Act (FISMA)
Answer: B. Gramm-Leach-Bliley Act (GLBA)
Explanation: The GLBA requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
The purpose of the _____________ is to ensure the accuracy, fairness, and privacy of the information in a consumer’s credit reports.
A. Fair Credit Reporting Act (FCRA)
B. General Data Protection Regulation (GDPR)
C. Gramm-Leach-Bliley Act (GLBA)
D. Federal Information Security Management Act (FISMA)
Answer: A. Fair Credit Reporting Act (FCRA)
Explanation: FCRA is designed to ensure the accuracy, fairness, and privacy of the information in a consumer’s credit reports.
What is the primary purpose of the Children’s Online Privacy Protection Act (COPPA)?
A. To regulate how websites collect data about children under 13
B. To regulate how websites collect data about all users
C. To protect children from inappropriate content online
D. To protect the privacy of adults when they use websites
Answer: A. To regulate how websites collect data about children under 13
Explanation: COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
The _____________ outlines procedures to enhance the protection of critical infrastructure from cyber threats.
A. Executive Order 13636
B. HIPAA Security Rule
C. Federal Information Security Management Act (FISMA)
D. Computer Fraud and Abuse Act
Answer: A. Executive Order 13636
Explanation: This executive order establishes a policy to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity.
Which law is designed to combat identity theft by requiring businesses to destroy sensitive information derived from consumer reports?
A. Fair and Accurate Credit Transactions Act (FACTA)
B. General Data Protection Regulation (GDPR)
C. Sarbanes-Oxley Act (SOX)
D. Federal Information Security Management Act (FISMA)
Answer: A. Fair and Accurate Credit Transactions Act (FACTA)
Explanation: FACTA aims to help consumers protect their data from identity theft. It allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies.
Which role within an organization is responsible for assigning sensitivity labels to information assets?
A. Management
B. The auditor
C. The user
D. The owner
Answer: C. Policies
Explanation: Policies are the most general type of security document. They provide a high-level overview of an organization’s principles, rules, and expectations regarding information security. Policies set the foundation for all other security documents and guide the development of standards, procedures, and baselines, which are more specific and detail oriented. They are typically designed to guide decision-making and set the direction for an organization’s information security program.
If the cost of implementing a countermeasure exceeds the value of the asset it’s meant to protect, which approach should be preferred?
A. Do nothing
B. Transfer the risk
C. Mitigate the risk
D. Increase the cost of exposure
Answer: B. Transfer the risk
Explanation: When the cost of the countermeasure is more than the value of the asset, the most appropriate approach is typically to transfer the risk. This could be through insurance or by using third-party services. In this way, the organization can balance the cost of protection with the value of the asset. This doesn’t mean ignoring the risk (option A) or unnecessarily increasing costs (option D). Mitigating the risk (option C) might still be more expensive than the asset’s value.
Which of the following identifies a model that specifically targets security and not governance of an entire enterprise?
A. The Zachman framework
B. COBIT
C. COSO
D. SABSA
Answer: D. SABSA
Explanation: The Sherwood Applied Business Security Architecture (SABSA) is a framework and methodology for enterprise security architecture and service management. It is specifically designed to focus on security, unlike other models like COBIT, COSO, or the Zachman framework, which are designed for broader governance of an entire enterprise. COBIT (Control Objectives for Information and Related Technologies) and COSO (Committee of Sponsoring Organizations of the Treadway Commission) are used for IT governance and enterprise risk management, respectively. The Zachman framework is an enterprise architecture framework, which is not specifically focused on security.
Which term allows the management to demonstrate that they took necessary steps to prevent negligence in lawsuits, even if their actions weren’t flawless?
A. Due care
B. Prudency
C. Due diligence
D. Threat agent
Answer: A. Due care
Explanation: “Due care” refers to the effort made by an ordinarily prudent or reasonable party to prevent harm to another, taking the circumstances into account. It is the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances. In the context of lawsuits, demonstrating “due care” can help management show that they took all necessary precautions, even if the outcomes weren’t perfect. The other options – “prudency,” “due diligence,” and “threat agent” – are not specifically related to this context.
What is the suitable standard for governing third-party providers?
A. A nondisclosure agreement (NDA)
B. An acceptable use policy
C. The same level as employees
D. The same level as defined by the ISC2 Code of Ethics
Answer: C. The same level as employees
Explanation: Third-party providers should be governed at the same level as employees. This is because they often have access to the same sensitive information and systems as employees and therefore pose a similar risk. They should be subject to the same policies, procedures, and controls as employees to ensure information security. The other options – an NDA, an acceptable use policy, and the ISC2 Code of Ethics – are components of a broader governance strategy, but they are not comprehensive standards for third-party governance on their own.
What is the rationale behind an enterprise reassessing the classification of its data files and records at least once a year?
A. To adhere to the stipulations of the Internet Architecture Board
B. Because the worth of data varies as time progresses
C. Due to the necessity of mitigating new threats
D. To safeguard the data’s confidentiality
Answer: B. Because the worth of data varies as time progresses
Explanation: Data’s value can change over time based on its relevance, accuracy, and usefulness to the organization. Therefore, it’s essential to periodically reevaluate the classification of data files and records. While the other options may influence data management practices, they don’t directly explain why data classification should be reevaluated annually.
What should be the primary concern of management when establishing a governance framework?
A. Enhancing profits
B. Evading losses
C. Catering to the needs of the business
D. Ensuring safety
Answer: C. Catering to the needs of the business
Explanation: A governance framework should be designed primarily to support the needs of the business. It should guide the organization in achieving its strategic objectives while managing risks and ensuring compliance. Although maximizing profits, avoiding losses, and ensuring safety are important, they are not the primary purpose of a governance framework.
When it comes to forensically examining digital evidence, which is the most accurate description of the priorities?
A. Carry out an analysis of a bit-level duplicate of the disk.
B. Examine the log files on the duplicated disk.
C. Perform steganographic analysis on the duplicated disk.
D. Detect any harmful code present on the duplicated disk.
Answer: A. Carry out an analysis of a bit-level duplicate of the disk.
Explanation: When forensically analyzing digital evidence, the first priority is to create and analyze a bit-level clone of the disk. This ensures that the original evidence remains unaltered and preserves its admissibility in court. After creating the clone, further analysis like reviewing log files, detecting malicious code, or performing a steganographic analysis can be done.
Which element does not constitute part of risk analysis?
A. Assets
B. Threats
C. Vulnerabilities
D. Countermeasures
Answer: D. Countermeasures
Explanation: Risk analysis involves the identification and assessment of assets, threats, and vulnerabilities. Countermeasures, however, are a response to the identified risk, applied after risk analysis to mitigate the risk. They are not a part of the analysis itself.
