Domain 5

Question 1

Which Service Organization Control (SOC) level of reporting in the Statements on Standards for Attestation Engagements (SSAE) assesses the ongoing effectiveness of the security architecture of a system in a certain period of time?

Answer 1

A Service Organization Control (SOC) Type II report provides assurances about the effectiveness of controls in place in an organization within a given timeframe.

Question 2

operational security control

Answer 2

is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

Question 3

technical control

Answer 3

control includes hardware or software mechanisms used to protect assets. Antivirus software, firewalls, and intrusion detection systems are examples of a technical control.

Question 4

compensating control

Answer 4

does not prevent an attack but can restore functionality of systems through other means, such as a backup.

3

Question 5

corrective control

Answer 5

responds to, and fixes, an incident and prevents reoccurrence. Antivirus software is an example of a corrective control.

Question 6

preventive control

Answer 6

aims to prevent security incidents in a system. Security training and change management are examples of a preventive security control.

Question 7

detective control

Answer 7

identifies when incidents or vulnerabilities have occurred. Auditing and monitoring are examples of detective controls.

Question 8

managerial security

Answer 8

control provides the guidance, policies, and procedures for implementing a secure environment, such as an acceptable use policy.

Question 9

A company is determining what should be in a contract with a new Cloud Service Provider (CSP). Which resource from the Cloud Security Alliance will give the company the baseline level of security competency that the CSP should meet?

Answer 9

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. The cloud controls matrix lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

Question 10

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

Answer 10

is a framework that provides guidance in security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations.

Question 11

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Answer 11

provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks.

Question 12

International Organization for Standardization (ISO)

Answer 12

is an international standard for information technology security.

Question 13

Statements on Standards for Attestation Engagements (SSAE)

Answer 13

is an audit specification guide developed for accountants.

Question 14

Which of the following requires evidence that a specific user can have data collected about them?

Answer 14

The European Union’s General Data Protection Regulation (GDPR) states as one of its requirements that personal data cannot be collected, processed or retained without the individual’s informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. There are other methods where information can be collected, such as legal obligation, contractual obligation, legitimate interest, vital interest, or public task.

Question 15

Gramm–Leach–Bliley Act (GLBA)

Answer 15

is a federal law in the United States and is a vertical law for the financial sector.

Question 16

Sarbanes-Oxley Act (SOX)

Answer 16

mandates the implementation of risk assessments, internal controls, and audit procedures in the United States.

Question 17

International Organization for Standardization (ISO) 27001

Answer 17

is a standard that sets out the best practice specification for an information system. The ISO guides information security by addressing people and processes as well as technology.

Question 18

International Organization for Standardization (ISO) 27002

Answer 18

is a supplementary standard that focuses on the information security controls that organizations might choose to implement.

Question 19

International Organization for Standardization (ISO) 27701

Answer 19

provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system with private data.

Question 20

International Organization for Standardization (ISO) 31000

Answer 20

is a risk management framework that assists an organization in integrating risk management into day to day functions.

Question 21

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards?

Answer 21

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to CSA CCM.
The Sarbanes-Oxley (SOX) Act helps to protect investors from fraudulent financial reporting by large corporations. It maps to CSA CCM.
The International Organization for Standardization (ISO) is an international standard for information technology security. It maps to CSA CCM.

Question 22

A company needs to evaluate the overall security posture of the firm. Analyze the following options to determine which is the best solution.

Answer 22

The Center for Internet Security (CIS) publishes the “20 CIS Controls.” The Risk Assessment Method (CIS-RAM) can be used to perform an overall evaluation of security posture.

Question 23

Department of Defense Cyber Exchange

Answer 23

provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions.

Question 24

National Checklist Program (NCP)

Answer 24

by the National Institute of Standards and Technology (NIST), provides checklists and benchmarks for a variety of operating systems and applications.

Question 25

Center for Internet Security Configuration Access Tool (CIS-CAT)

Answer 25

can be used with automated vulnerability scanners to test compliance against these benchmarks.

Question 26

A company needs to onboard a new employee. The HR department is implementing a new process for preparing the new employee for employment. Which step should the company perform first to eliminate wasted effort?

Answer 26

The background check process essentially determines that a person is who they say they are and are not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky employees. The company should perform a background check first

Question 27

Analyze and select the statement that accurately distinguishes the similarities between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF)?

Answer 27

The similarity is that MTTF and MTBF can determine the amount of asset redundancy a system should have. A redundant system can failover to another asset if there is a fault and continue to operate normally.

Question 28

Two technology firms are in preliminary discussions to work together on several projects. The goal of the joint venture entails providing support services to a wider customer base as an entity with shared resources. Each firm has its own customer base, custom branded products, and established processes. Evaluating the current situation between the two firms, which type of agreement should they put in place?

Answer 28

A Memorandum of Understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs usually tend to be relatively informal and do not act as binding contracts.

Question 29

Memorandum of Agreement (MOA)

Answer 29

is a formal agreement or contract that contains specific obligations rather than a broad understanding.

Question 30

A company had data for an upcoming project stolen and leaked online. The investigation implies social engineering is the cause. Which policy can prevent such an incident from occurring?

Answer 30

A clean desk policy means an employee’s work area should be free from any documents or information. The policy aims to prevent sensitive information from prying eyes.

Question 31

What type of risk describes the likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied?

Answer 31

Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

Question 32

Control risk

Answer 32

is a measure of how much less effective a security control has become over time. Control risk can also refer a security control that was never effective in mitigating inherent risk.

Question 33

Inherent risk

Answer 33

is the level of risk before any type of mitigation has been attempted.

Question 34

A company wants to determine the Single Loss Expectancy (SLE) for a critical server. What formula will the company use to calculate the SLE?

Answer 34

The Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). The EF is the percentage of the asset value that would be lost.

Question 35

A business continuity plan indicates that a system can only be down for a maximum of eight hours. Data within the past seven days must still be accessible once the system returns to service. What does the data availability time frame represent?

Answer 35

The recovery point objective (RPO) identifies a point in time that data loss is acceptable. In the event of a system failure, the company may lose some data, but the RPO is the last seven days.

Question 36

risk register

Answer 36

is a repository for documenting risks identified in an organization and includes information and steps to take regarding the risk. Common information found in a risk register is the specific risk, the likelihood of occurrence, and the action to take.

Question 37

A multinational company is assessing risk appetite and how risks could affect mission essential functions in different regions, such as complying with local regulations and licensing to avoid financial risk or addressing security risks, and adjusting risk posture to compensate. Recommend a tool or technology that will help the assessment team find solutions to security challenges categorized by regulatory requirements and their impacts on risk posture.

Answer 37

A risk or impact assessment matrix, or heat map, is a chart that enables one to identify issues according to risk severity or impact.

Question 38

asset management

Answer 38

In an inventory, an asset management process tracks all the essential structures, parts, devices, and other items of value to the organization.

Question 39

A systems analyst conducts an impact analysis to identify critical assets and components in an infrastructure. This evaluation aids in identifying the steps taken to restore a system in the event of a failure. What is the systems analyst creating?

Answer 39

A disaster recovery plan (DRP) is part of a continuity plan that identifies critical assets and components of a system. The disaster recovery plan prioritizes the list and identifies what to restore and in what order to restore each asset. A risk assessment quantifies and qualifies risks to a system based on variable values.

Question 40

configuration management (CM)

Answer 40

plan is the process of identifying and managing changes to a system baseline. A CM plan defines, documents, controls, and audits all deltas.

Question 41

privacy officer

Answer 41

is responsible for oversight of any Personally Identifiable Information (PII) assets managed by a company. This role ensures that the processing and disclosure of PII comply with legal and regulatory frameworks and also oversees the retention of PII.

Question 42

data steward

Answer 42

is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata.

Question 43

data custodian

Answer 43

is responsible for managing the system where data assets are stored. Responsibilities for this role include enforcing access control.

Question 44

data owner

Answer 44

role has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset.

Question 45

Which of the following represents the role in an enterprise organization responsible for the end-to-end protection of personally identifiable information (PII)?

Answer 45

The Data Privacy Officer (DPO) is the role mandated by the General Data Protection Regulation (GDPR) that ensures the processing, disclosure, and retention complies with regulatory frameworks.

Question 46

information life cycle management model

Answer 46

identifies the processes and procedures for managing data from cradle to the grave. This model includes creation, use, retention, and disposal.

Question 47

Waterfall

Answer 47

is a software development lifecycle model that maintains a top to bottom approach. When one stakeholder has finished their piece of work, then another stakeholder can begin.

Question 48

Data masking

Answer 48

is a de-identification tactic that takes all or part of the contents of a data field and substitutes character strings with a simple character to conceal the Personally Identifiable Information (PII).

Question 49

Code obfuscation

Answer 49

is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments.

Question 50

Tokenization

Answer 50

is a database de-identification method where all or part of data in a field is substituted with a randomly generated token. The token is stored with the original value, separate from the production database.

Question 50

Hashing

Answer 50

is a cryptographic process that creates a fixed-length string from an input plaintext. Hashes are created at separate times to verify the integrity of a file.

Question 50

information security officer (ISO)has determined that a system contains personally identifiable information (PII) when the system aggregates certain data. The ISO works diligently to ensure that the system protects the data, in accordance with the laws, and documents the potential fallout if a breach occurs. Which of the following best describes what the ISO is creating?

Answer 50

An impact assessment identifies risks and vulnerabilities and the potential impact they could cause an organization or information technology asset. The assessment further identifies methods to limit or mitigate the risks.

Question 51

quantitative risk assessment

Answer 51

measures risks in a program using a specific dollar amount to identify cost and asset value.

Question 52

qualitative risk assessment

Answer 52

prioritizes identified risks based on their probability or likelihood of occurring.

Question 53

An information security officer (ISO) has determined that a system contains personally identifiable information (PII) when the system aggregates certain data. The ISO works diligently to ensure that the system protects the data, in accordance with the laws, and documents the potential fallout if a breach occurs. Which of the following best describes what the ISO is creating?

Answer 53

An impact assessment identifies risks and vulnerabilities and the potential impact they could cause an organization or information technology asset. The assessment further identifies methods to limit or mitigate the risks.

Question 54

A third-party vendor collects and analyzes data for a paint supply retailer website. The retailer specifically asks for information, such as what colors customers are searching for regularly and what quantity customers request the most. Which of the following best describes the third-party vendor?

Answer 54

A data processor collects and analyzes data based on a data collector’s set of predefined instructions.

Question 55

The Gramm-Leach-Bliley Act (GLBA) requires that a financial institution safeguard sensitive customer data. In order to comply with the regulation, the institution implements a database de-identification method that replaces social security numbers in a data field with randomly generated gestures. Which of the following de-identification methods did the company implement to comply with the GLBA?

Answer 55

Tokenization is a database de-identification method where randomly generated tokens substitute all or part of data in a field. The token is stored with the original value separate from the production database.

Question 56

data anonymization

Answer 56

process is a practice of protecting private or sensitive data by erasing or encrypting identifiers that connect an individual to stored data. The process permanently removes the identifying information.

Question 57

Pseudonymization

Answer 57

is a de-identification procedure that ensures one or more pseudonyms replace personally identifiable information (PII) fields within a data record. Pseudonymization makes the data record less identifiable and is reversible.

Question 58

Code reuse

Answer 58

is the practice of reusing tested and approved code for development to save time and prevent the introduction of errors in new coding efforts.

Question 59

Which study aims to identify vulnerabilities that may lead to the data breach of personal information and to evaluate controls mitigating those risks?

Answer 59

A Privacy Impact Assessment (PIA) is performed to identify vulnerabilities that may lead to data breach when storing, processing, and disclosing Personally Identifiable Information (PII). It also evaluates controls mitigating those risks.

Question 60

Privacy Threshold Analysis (PTA)

Answer 60

is an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed.