Domain 1 - Security and Risk Management Flashcards

1
Q

Under the Digital Millennium Copyright Act (DMCA), what type of offense does not require prompt action by an internet service provider after it receives a notification of an infringement claim from a copyright holder?

A) Storage of information by a customer on a provider’s server

B) Caching of information by the provider

C) Transmission of information over the provider’s network by a customer

D) Caching of information in a provider search engine

A

C) The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network by a customer qualifies for this exemption. The other activities listed are all non-transitory actions that require remediation by the provider once it is notified.

2
Q

Which one of the following elements of information is not considered PII that would trigger most US state data breach laws?

A) Student ID number
B) Social security number
C) Driver’s license number
D) Credit card number

A

A) Most state data breach notification laws are modeled after California’s law, which covers Social Security numbers, driver’s license numbers, state identification card numbers, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information. A student ID number is not on that list.

3
Q

In 1991, the Federal Sentencing Guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?

A) Due diligence rule
B) Personal liability rule
C) Prudent man rule
D) Due process rule

A

C) The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.

4
Q

Scott is developing a BCP and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A) Quantitative analysis
B) Qualitative analysis
C) Neither quantitative nor qualitative risk assessment
D) Combination of quantitative and qualitative risk assessment

A

D) Scott would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk to tangible assets, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

5
Q

Which one of the following actions might be taken as part of a business continuity plan?

A) Restoring from backup tapes
B) Implementing RAID
C) Relocating to a cold site
D) Restarting business operations

A

B) RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action, because it keeps operations running through a failure rather than recovering from one. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

6
Q

Which one of the following is not normally considered a business continuity task?

A) Business impact assessment
B) Emergency response guidelines
C) Electronic vaulting
D) Vital records program

A

C) Electronic vaulting is a data backup task that is part of a disaster recovery effort, not a business continuity effort.

7
Q

Who should receive initial BCP training in an organization?

A) Senior executives
B) Those with specific business continuity roles
C) Everyone in the organization
D) First responders

A

C) Everyone in the organization should receive basic awareness training for the BCP. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

8
Q

James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

A) Purchase cost
B) Depreciated cost
C) Replacement cost
D) Opportunity cost

A

C) If the organization’s primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

9
Q

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

A) Risk mitigation
B) Risk acceptance
C) Risk transference
D) Risk avoidance

A

D) HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy: the company altered its operations in a manner that eliminates the risk of NTP misuse rather than reducing it (mitigation), insuring against it (transference), or living with it (acceptance).

10
Q

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but not hardware. What type of facility is Becka using?

A) Cold site
B) Warm site
C) Hot site
D) Mobile site

A

A) A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications. It does not include the hardware required to restore operations, which is why it is the cheapest option and the slowest to bring online.

11
Q

Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

A) ECPA
B) CALEA
C) Privacy Act
D) HITECH Act

A

B) The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

12
Q

Which one of the following stakeholders is not typically included on a BCP team?

A) Core business function leaders
B) Information technology staff
C) CEO
D) Support departments

A

C) While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

14
Q

Which of the following is not a goal for a formal change management plan?

A) Implement change in an orderly fashion
B) Test changes prior to implementation
C) Provide rollback plans for changes
D) Inform stakeholders of changes after they occur

A

D) Stakeholders should be informed of changes before, not after, they occur. The other items listed are all goals of a formal change management plan.

15
Q

Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?

A) 13
B) 15
C) 17
D) 18

A

A) COPPA requires that websites obtain parental consent before collecting personal information from children under the age of 13.

16
Q

What is reduction analysis and how is it used for threat modeling?

A

Reduction analysis, also called decomposition, is an optional step in threat modeling in which the system is broken down into its components, trust boundaries, data flow paths, input points, and privileged operations. One purpose is to avoid duplication of effort: it doesn’t make sense to spend a lot of time separately analyzing different components in an environment if they all use the same technology and configuration, since the same threats and mitigations apply to each of them.

17
Q

Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection to deface a web server due to a missing patch in the company’s web application. In this scenario, what is the threat?

A) Unpatched web application
B) Web defacement
C) Malicious hacker
D) Operating system

A

C) Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed; here, the missing patch is the vulnerability. The web defacement is the impact that results if the threat exploits the vulnerability, and the operating system is not mentioned in the scenario at all.

18
Q

What is meant by the term “exposure factor”?

A

The percentage of an asset’s value that would be lost in a single incident. It is expressed as a fraction or percentage and is multiplied by the asset value to obtain the single loss expectancy.
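A worked example of the quantitative side of the risk assessment discussed in cards 4, 8 and 18 (replacement cost as the asset value, exposure factor as the fraction lost per incident). This is an added example, not part of the flashcards: the scenarios, asset values, exposure factors, annualized rates of occurrence and safeguard costs are constructed for illustration, and the single loss expectancy, annualized loss expectancy and safeguard value formulas are the standard ones from the CISSP risk-management material rather than anything stated on the cards.

```python
"""Quantitative risk calculation: SLE, ALE and safeguard value.

Added example with constructed figures. Formulas (standard CISSP material):
    SLE = AV * EF          (single loss expectancy)
    ALE = SLE * ARO        (annualized loss expectancy)
    safeguard value = ALE_before - ALE_after - annual cost of the safeguard
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # AV: here the replacement cost (card 8)
    exposure_factor: float   # EF: fraction of AV lost in one incident (card 18)
    aro: float               # annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: value lost in one occurrence of the incident."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year from this scenario."""
        return self.sle() * self.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a safeguard: the ALE it removes minus what it costs per year.

    Positive means the control pays for itself on purely financial grounds;
    negative means qualitative factors (card 4) would have to justify it.
    """
    return before.ale() - after.ale() - annual_cost


def rank_by_ale(scenarios):
    """Order scenarios so the largest expected annual loss comes first."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample scenarios (hypothetical figures, not from the cards).
DATA_CENTER_FIRE = Scenario("data center fire", asset_value=2_000_000,
                            exposure_factor=0.60, aro=0.05)
WEB_DEFACEMENT = Scenario("web server defacement via SQL injection",
                          asset_value=50_000, exposure_factor=0.25, aro=2.0)
NTP_AMPLIFICATION = Scenario("public NTP server abused for amplification",
                             asset_value=100_000, exposure_factor=0.10, aro=4.0)
SCENARIOS = [DATA_CENTER_FIRE, WEB_DEFACEMENT, NTP_AMPLIFICATION]

# Two candidate safeguards. Patching lowers how often defacement succeeds (ARO);
# fire suppression lowers how much of the data center is lost per fire (EF).
PATCHING_ANNUAL_COST = 8_000
WEB_DEFACEMENT_PATCHED = replace(WEB_DEFACEMENT, aro=0.2)

SUPPRESSION_ANNUAL_COST = 45_000
DATA_CENTER_FIRE_SUPPRESSED = replace(DATA_CENTER_FIRE, exposure_factor=0.20)


def patching_value() -> float:
    return safeguard_value(WEB_DEFACEMENT, WEB_DEFACEMENT_PATCHED, PATCHING_ANNUAL_COST)


def suppression_value() -> float:
    return safeguard_value(DATA_CENTER_FIRE, DATA_CENTER_FIRE_SUPPRESSED,
                           SUPPRESSION_ANNUAL_COST)


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:45s} SLE={s.sle():>12,.0f}  ALE={s.ale():>10,.0f}")
    print(f"patching program net value per year:  {patching_value():>10,.0f}")
    print(f"fire suppression net value per year:  {suppression_value():>10,.0f}")
```

With these figures the fire scenario has the largest ALE and the defacement scenario the smallest, yet the cheap patching program is the control that clearly pays for itself, while fire suppression does not on ALE alone. That is the situation card 4 describes: the numbers rank the tangible losses, but a decision about the suppression system also rests on intangible factors (safety, reputation, regulatory expectations) that a qualitative assessment has to supply.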

19
Q

In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and is approved, another employee moves the code to the production environment. What security management process does this describe?

A) Regression testing
B) Code review
C) Change management
D) Fuzz testing

A

C) Change management is the process of systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing; having a different employee perform the move to production is also an example of separation of duties within that process. Regression testing focuses on ensuring that new code doesn’t bring back old flaws, while fuzz testing feeds unexpected input to code. Code review examines the source code itself and may be part of the change management process, but it isn’t what this scenario describes.

20
Q

Lawrence has been asked to perform vulnerability scans and a risk assessment of systems. Which organizational process are these more likely to be associated with?

A) A merger
B) Divestiture
C) A lay off
D) Financial assessment

A

A) When organizations merge, it is important to understand the state of security in both organizations. Running vulnerability scans and performing a risk assessment are both common steps taken when preparing to merge two (or more) IT environments.

21
Q

Laura has been asked to perform a Security Control Assessment (SCA). What type of organization is she most likely in?

A) Higher education
B) Banking
C) Government
D) Healthcare

A

C) A Security Control Assessment (SCA) most often refers to a formal US government process for assessing security controls and is often paired with a security test and evaluation (ST&E) process. This means that Laura is probably part of a government organization or a government contractor.