Domain 5 Flashcards

1
Q

Which Service Organization Control (SOC) level of reporting in the Statements on Standards for Attestation Engagements (SSAE) assesses the ongoing effectiveness of the security architecture of a system in a certain period of time?

A

A SOC 2 Type II report attests to the operating effectiveness of a service organization's controls over a review period (typically six to twelve months). A Type I report only evaluates the design of the controls at a single point in time, so it cannot show that they kept working.

2
Q

operational security control

A

is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

3
Q

technical control

A

A technical control is a hardware or software mechanism used to protect assets. Antivirus software, firewalls, and intrusion detection systems are examples of technical controls.

4
Q

compensating control

A

substitutes for a primary control that cannot be implemented as specified and provides an equivalent level of protection by other means. For example, when a vulnerable system cannot be patched, isolating it on a restricted network segment and monitoring it closely compensates for the missing patch.

5
Q

corrective control

A

acts after an incident to eliminate or reduce its impact, restore normal operation, and prevent recurrence. Antivirus software that quarantines and removes detected malware, and restoring a system from backup, are examples of corrective controls.

6
Q

preventive control

A

aims to prevent security incidents in a system. Security training and change management are examples of a preventive security control.

7
Q

detective control

A

identifies when incidents or vulnerabilities have occurred. Auditing and monitoring are examples of detective controls.

8
Q

managerial security

A

control provides the guidance, policies, and procedures for implementing a secure environment, such as an acceptable use policy.

9
Q

A company is determining what should be in a contract with a new Cloud Service Provider (CSP). Which resource from the Cloud Security Alliance will give the company the baseline level of security competency that the CSP should meet?

A

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSPs) in setting up and delivering secure cloud platforms. The Cloud Controls Matrix (CCM) lists specific controls and assessment guidelines that CSPs should implement. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements because it provides a baseline level of security competency that the CSP should meet.

10
Q

Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

A

is a framework that provides guidance in security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations.

11
Q

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

A

is a voluntary framework, not a policy, that private sector organizations (and others) use to assess and improve their ability to identify, protect against, detect, respond to, and recover from cybersecurity attacks. Those five core functions (Identify, Protect, Detect, Respond, Recover) structure the framework.

12
Q

International Organization for Standardization (ISO)

A

is a standards body, not a standard: it publishes the ISO/IEC 27000 family of international standards for information security, of which ISO/IEC 27001 is the certifiable management-system standard.

13
Q

Statements on Standards for Attestation Engagements (SSAE)

A

is an auditing standard issued by the American Institute of Certified Public Accountants (AICPA) that governs how accountants perform attestation engagements. SOC 1, SOC 2, and SOC 3 reports on service organizations are produced under it (SSAE 18 superseded SSAE 16).

14
Q

Which of the following requires evidence that a specific user can have data collected about them?

A

The European Union's General Data Protection Regulation (GDPR) states as one of its requirements that personal data cannot be collected, processed, or retained without the individual's informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. GDPR also recognizes other lawful bases for processing besides consent: legal obligation, contractual necessity, legitimate interest, vital interest, and public task.

15
Q

Gramm–Leach–Bliley Act (GLBA)

A

is a United States federal law and a vertical (sector-specific) law that governs how institutions in the financial sector protect customers' financial information.

16
Q

Sarbanes-Oxley Act (SOX)

A

mandates risk assessments, internal controls over financial reporting, and independent audit procedures for publicly traded companies in the United States, to protect investors from fraudulent financial reporting.

17
Q

International Organization for Standardization (ISO) 27001

A

is the international standard that specifies the requirements for an information security management system (ISMS) and is the standard an organization is certified against. It addresses people and processes as well as technology.

18
Q

International Organization for Standardization (ISO) 27002

A

is a supplementary standard that focuses on the information security controls that organizations might choose to implement.

19
Q

International Organization for Standardization (ISO) 27701

A

extends ISO 27001 and 27002 with requirements and guidance for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS) for handling personally identifiable information (PII).

20
Q

International Organization for Standardization (ISO) 31000

A

is a risk management framework that assists an organization in integrating risk management into day to day functions.

21
Q

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards?

A

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a voluntary framework for how organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to the CSA CCM.
The Sarbanes-Oxley (SOX) Act helps to protect investors from fraudulent financial reporting by large corporations. It maps to the CSA CCM.
The International Organization for Standardization (ISO) publishes ISO/IEC 27001, the international standard for information security management systems. It maps to the CSA CCM.

22
Q

A company needs to evaluate the overall security posture of the firm. Analyze the following options to determine which is the best solution.

A

The Center for Internet Security (CIS) publishes the CIS Controls (formerly the "20 CIS Critical Security Controls"; version 8 consolidates them into 18). The CIS Risk Assessment Method (CIS RAM) can be used to perform an overall evaluation of security posture against those controls.

23
Q

Department of Defense Cyber Exchange

A

provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions.

24
Q

National Checklist Program (NCP)

A

by the National Institute of Standards and Technology (NIST), provides checklists and benchmarks for a variety of operating systems and applications.

25
Q

Center for Internet Security Configuration Assessment Tool (CIS-CAT)

A

scans a host against the CIS Benchmarks and reports which benchmark recommendations pass or fail. It can also be used alongside automated vulnerability scanners to test compliance against those benchmarks.

26
Q

A company needs to onboard a new employee. The HR department is implementing a new process for preparing the new employee for employment. Which step should the company perform first to eliminate wasted effort?

A

The background check process essentially determines that a person is who they say they are and is not concealing criminal activity, bankruptcy, or connections that would make them an unsuitable or risky employee. The company should perform the background check first, before investing effort in the rest of onboarding.

27
Q

Which statement accurately describes a similarity between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF)?

A

Both MTTF and MTBF are used to decide how much redundancy a system should have: a redundant system can fail over to another asset when a fault occurs and continue to operate normally. They differ in scope: MTTF is the expected lifetime of a non-repairable component (it is replaced when it fails), whereas MTBF is the average operating time between failures of a repairable system.

28
Q

Two technology firms are in preliminary discussions to work together on several projects. The goal of the joint venture entails providing support services to a wider customer base as an entity with shared resources. Each firm has its own customer base, custom branded products, and established processes. Evaluating the current situation between the two firms, which type of agreement should they put in place?

A

A Memorandum of Understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs usually tend to be relatively informal and do not act as binding contracts.

29
Q

Memorandum of Agreement (MOA)

A

is a formal agreement or contract that contains specific obligations rather than a broad understanding.

30
Q

A company had data for an upcoming project stolen and leaked online. The investigation implies social engineering is the cause. Which policy can prevent such an incident from occurring?

A

A clean desk policy requires that an employee's work area be free of documents, notes, and removable media whenever it is unattended, so that sensitive information is not exposed to visitors or other prying eyes.

31
Q

What type of risk describes the likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied?

A

Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

32
Q

Control risk

A

is a measure of how much less effective a security control has become over time. Control risk can also refer to a security control that was never effective in mitigating inherent risk.

33
Q

Inherent risk

A

is the level of risk before any type of mitigation has been attempted.

34
Q

A company wants to determine the Single Loss Expectancy (SLE) for a critical server. What formula will the company use to calculate the SLE?

A

The Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. It is calculated as SLE = Asset Value (AV) × Exposure Factor (EF), where the EF is the percentage of the asset value that would be lost in that one occurrence.

35
Q

A business continuity plan indicates that a system can only be down for a maximum of eight hours. Data within the past seven days must still be accessible once the system returns to service. What does the data availability time frame represent?

A

The recovery point objective (RPO) identifies how much data loss, measured as a span of time, is acceptable. In the event of a system failure the company may lose some data, but the RPO here is seven days, so the most recent usable backup must be no older than that. The eight-hour outage limit is a separate metric, the recovery time objective (RTO).

36
Q

risk register

A

is a repository for documenting risks identified in an organization and includes information and steps to take regarding the risk. Common information found in a risk register is the specific risk, the likelihood of occurrence, and the action to take.

37
Q

A multinational company is assessing risk appetite and how risks could affect mission essential functions in different regions, such as complying with local regulations and licensing to avoid financial risk or addressing security risks, and adjusting risk posture to compensate. Recommend a tool or technology that will help the assessment team find solutions to security challenges categorized by regulatory requirements and their impacts on risk posture.

A

A risk or impact assessment matrix, or heat map, is a chart that enables one to identify issues according to risk severity or impact.

38
Q

asset management

A

An asset management process maintains an inventory that tracks all the essential structures, parts, devices, and other items of value to the organization.

39
Q

A systems analyst conducts an impact analysis to identify critical assets and components in an infrastructure. This evaluation aids in identifying the steps taken to restore a system in the event of a failure. What is the systems analyst creating?

A

A disaster recovery plan (DRP) is part of a continuity plan that identifies critical assets and components of a system. The disaster recovery plan prioritizes the list and identifies what to restore and in what order to restore each asset. A risk assessment quantifies and qualifies risks to a system based on variable values.

40
Q

configuration management (CM)

A

plan is the process of identifying and managing changes to a system baseline. It defines, documents, controls, and audits every delta from that baseline.

41
Q

privacy officer

A

is responsible for oversight of any Personally Identifiable Information (PII) assets managed by a company. This role ensures that the processing and disclosure of PII comply with legal and regulatory frameworks and also oversees the retention of PII.

42
Q

data steward

A

is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata.

43
Q

data custodian

A

is responsible for managing the system where data assets are stored. Responsibilities for this role include enforcing access control.

44
Q

data owner

A

role has the ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset.

45
Q

Which of the following represents the role in an enterprise organization responsible for the end-to-end protection of personally identifiable information (PII)?

A

The Data Protection Officer (DPO) is the role mandated by the General Data Protection Regulation (GDPR) for certain organizations; it ensures that the processing, disclosure, and retention of personal data comply with the regulatory framework.

46
Q

information life cycle management model

A

identifies the processes and procedures for managing data from cradle to the grave. This model includes creation, use, retention, and disposal.

47
Q

Waterfall

A

is a software development lifecycle model that maintains a top to bottom approach. When one stakeholder has finished their piece of work, then another stakeholder can begin.

48
Q

Data masking

A

is a de-identification tactic that replaces all or part of a data field with a fixed character such as x or *, for example showing a card number as XXXX-XXXX-XXXX-1234, to conceal Personally Identifiable Information (PII). Masking is irreversible: the original value cannot be recovered from the masked field.

49
Q

Code obfuscation

A

is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments.

50
Q

Tokenization

A

is a database de-identification method in which all or part of the data in a field is substituted with a randomly generated token. The mapping from token to original value is kept in a token vault that is separate from the production database, so the original can be recovered only through the vault.

51
Q

Hashing

A

is a cryptographic process that creates a fixed-length digest from an input of any length. Recomputing the hash at a later time and comparing it with the stored value verifies the integrity of a file.

52
Q

quantitative risk assessment

A

measures risks in a program using a specific dollar amount to identify cost and asset value.
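Worked example added here (not part of the flashcard deck): the SLE, residual risk, and quantitative risk assessment cards carried through in Python for two constructed scenarios. The asset values, exposure factors, rates of occurrence, and control costs are invented for illustration; the formulas SLE = AV × EF and ALE = SLE × ARO are the standard ones.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One line of a quantitative risk assessment for a single threat scenario."""
    name: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per occurrence (0.0 .. 1.0)
    aro: float                # annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed mitigation. It may lower the EF (limit damage per event),
    the ARO (reduce how often events happen), or both, at a yearly cost."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # None means unchanged
    new_aro: Optional[float] = None               # None means unchanged


def residual(asset: Asset, control: Control) -> Asset:
    """The same scenario after the control is applied (the residual risk)."""
    return replace(
        asset,
        exposure_factor=asset.exposure_factor
        if control.new_exposure_factor is None else control.new_exposure_factor,
        aro=asset.aro if control.new_aro is None else control.new_aro,
    )


def net_benefit(asset: Asset, control: Control) -> float:
    """(inherent ALE - residual ALE) - annual control cost.
    Positive: the control pays for itself. Negative: it must be justified on
    other grounds (regulatory mandate, reputational impact, safety)."""
    return asset.ale() - residual(asset, control).ale() - control.annual_cost


def risk_register(scenarios: List[Tuple[Asset, Control]]):
    """Rows of (asset, control, inherent ALE, residual ALE, net benefit),
    highest inherent ALE first, which is the order a register is usually worked."""
    rows = [
        (a.name, c.name, round(a.ale(), 2), round(residual(a, c).ale(), 2),
         round(net_benefit(a, c), 2))
        for a, c in scenarios
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed figures for illustration only; they are not from the flashcards.
SCENARIOS = [
    (Asset("file server / ransomware", 50_000, 0.6, 0.5),
     Control("offline backups", 4_000, new_exposure_factor=0.1)),
    (Asset("customer DB / exfiltration", 200_000, 0.25, 0.2),
     Control("DLP gateway", 12_000, new_aro=0.05)),
]

if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(row)
```

Running it prints the register with the file server first (inherent ALE 15,000, residual 2,500, net benefit 8,500). The second row is the caveat worth noticing: the DLP control cuts ALE from 10,000 to 2,500 but costs 12,000 a year, so on purely quantitative grounds it loses money. A real assessment would still fund it if a regulation such as GLBA or GDPR demands the protection, or if the qualitative impact (fines, reputational damage) is not captured in the asset value.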

53
Q

qualitative risk assessment

A

prioritizes identified risks using descriptive likelihood and impact ratings (such as low, medium, and high) rather than dollar figures.

54
Q

An information security officer (ISO) has determined that a system contains personally identifiable information (PII) when the system aggregates certain data. The ISO works diligently to ensure that the system protects the data, in accordance with the laws, and documents the potential fallout if a breach occurs. Which of the following best describes what the ISO is creating?

A

An impact assessment identifies risks and vulnerabilities and the potential impact they could cause an organization or information technology asset. The assessment further identifies methods to limit or mitigate the risks.

55
Q

A third-party vendor collects and analyzes data for a paint supply retailer website. The retailer specifically asks for information, such as what colors customers are searching for regularly and what quantity customers request the most. Which of the following best describes the third-party vendor?

A

A data processor collects and analyzes data on behalf of a data controller, following the controller's predefined instructions; the controller (here the retailer) decides why and how the data is processed.

56
Q

The Gramm-Leach-Bliley Act (GLBA) requires that a financial institution safeguard sensitive customer data. In order to comply with the regulation, the institution implements a database de-identification method that replaces social security numbers in a data field with randomly generated tokens. Which of the following de-identification methods did the company implement to comply with the GLBA?

A

Tokenization is a database de-identification method where randomly generated tokens substitute all or part of data in a field. The token is stored with the original value separate from the production database.

57
Q

data anonymization

A

process is a practice of protecting private or sensitive data by erasing or encrypting identifiers that connect an individual to stored data. The process permanently removes the identifying information.

58
Q

Pseudonymization

A

is a de-identification procedure that ensures one or more pseudonyms replace personally identifiable information (PII) fields within a data record. Pseudonymization makes the data record less identifiable and is reversible.
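Added example, not from the deck: the techniques on the data masking, tokenization, hashing, anonymization, and pseudonymization cards above, implemented side by side in Python on a constructed sample record. The token vault is an in-memory dictionary standing in for a separately hosted vault service, and the HMAC key stands in for a key the data controller keeps out of the analytics environment; both are assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record for demonstration (not real data).
SAMPLE_RECORD = {"name": "Jane Example", "ssn": "123-45-6789", "card": "4111111111111111"}


def mask(value: str, keep_last: int = 4, mask_char: str = "X") -> str:
    """Data masking: overwrite all but the trailing `keep_last` alphanumeric
    characters with a fixed character. Separators are kept so the field
    still looks like an SSN or card number. Irreversible."""
    to_mask = sum(c.isalnum() for c in value) - keep_last
    out = []
    for ch in value:
        if ch.isalnum() and to_mask > 0:
            out.append(mask_char)
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Tokenization: each sensitive value is replaced by a random token.
    Only the vault (kept apart from the production database) can map a
    token back to its value. Reversible, but only through the vault."""

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:       # same value -> same token, so joins keep working
            return self._token_by_value[value]
        token = secrets.token_hex(8)
        while token in self._value_by_token:    # practically never happens, but never reuse a token
            token = secrets.token_hex(8)
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: replace the identifier with a keyed HMAC-SHA256
    digest. Deterministic, so the same person gets the same pseudonym in
    every dataset processed with this key, yet nobody without the key can
    reproduce or test-guess the mapping. The controller re-identifies a
    record by recomputing the pseudonym for a known identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sha256_hex(data: bytes) -> str:
    """Hashing: fixed-length digest of an input of any length."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest later and compare it with the recorded one."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def brute_force_pin_hash(target_digest: str) -> Optional[str]:
    """Why an unkeyed hash is not de-identification for low-entropy fields:
    every 4-digit PIN can be hashed and compared in milliseconds. The same
    attack works on SSNs (10^9 candidates) and card numbers with known prefixes."""
    for pin in range(10_000):
        candidate = f"{pin:04d}"
        if sha256_hex(candidate.encode()) == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)                  # held by the data controller only
    print("masked SSN :", mask(SAMPLE_RECORD["ssn"]))
    tok = vault.tokenize(SAMPLE_RECORD["card"])
    print("token      :", tok, "->", vault.detokenize(tok))
    print("pseudonym  :", pseudonymize(SAMPLE_RECORD["name"], key))
    digest = sha256_hex(b"project-plan-v1")
    print("integrity  :", integrity_check(b"project-plan-v1", digest))
    print("cracked PIN:", brute_force_pin_hash(sha256_hex(b"0420")))
```

The last function is the caveat a practitioner wants when a hashing card sits next to the de-identification cards: a plain hash of a low-entropy identifier (PIN, SSN, phone number) is not anonymization, because an attacker simply hashes every candidate and compares. Either key the hash, as pseudonymize does, or move the mapping into a token vault. True anonymization, per the card above, drops the identifying value entirely so that no key or vault can bring it back.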

59
Q

Code reuse

A

is the practice of reusing tested and approved code for development to save time and prevent the introduction of errors in new coding efforts.

60
Q

Which study aims to identify vulnerabilities that may lead to the data breach of personal information and to evaluate controls mitigating those risks?

A

A Privacy Impact Assessment (PIA) is performed to identify vulnerabilities that may lead to data breach when storing, processing, and disclosing Personally Identifiable Information (PII). It also evaluates controls mitigating those risks.

61
Q

Privacy Threshold Analysis (PTA)

A

is an initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed.