Governance, Risk, and Compliance

Question 1

Which assessment examines physical and electronic information handling issues to determine whether security weaknesses exist?

Answer 1

Organizational risk assessment

Question 2

In which location should all changes made to your organization’s network and computers be listed?

Answer 2

In the change management system

Question 3

Which type of risk analysis is based on the expert judgment and intuition of members of an organization?

Answer 3

Qualitative risk analysis

Question 4

Which risk response strategy does not implement any countermeasures, but allows risks to remain?

Answer 4

Acceptance

Question 5

What is the definition of maximum tolerable downtime (MTD)

Answer 5

The maximum amount of time a business can tolerate a system remaining non-functional

Question 6

What are the four types of personally identifiable information (PII)

Answer 6

• Personal characteristics
• Unique set of assigned numbers
• Descriptions of events or points in time
• Description of locations or places

Question 7

What are some examples of personal characteristics for personally identifiable information (PII)?

Answer 7

• Full name
• Date of birth
• Height
• Ethnicity
• Place of birth
• Mother’s maiden name
• Biometric characteristics

Question 8

What are some examples of unique sets of assigned numbers that can be used as personally identifiable information (PII)?

Answer 8

• Government ID
• Telephone number
• Driver’s license number
• PIN

Question 9

What are some examples of descriptions of events or points in time that can be used as personally identifiable information (PII)?

Answer 9

• Arrest records
• Employment records
• Medical records

Question 10

Can GPS information be used as an example of a description of location for personally identifiable information (PII)?

Answer 10

Yes

Question 11

What does the acronym MTTR denote?

Answer 11

Mean time to recover or repair

Question 12

When considering regulations set forth by multiple government entities, which regulations should be adopted by an organization?

Answer 12

The most restrictive?

Question 13

What techniques attempts to predict the likelihood that a threat will occur and assign monetary values in the event a loss occurs?

Answer 13

Quantitative risk analysis

Question 14

Which assessment examines network recorces and information to determine the probability of a successful attack by a hacker?

Answer 14

Network risk assessment

Question 15

Which term is used for an agreement that is signed by two partnering companies?

Answer 15

Business partners agreement (BPA)

Question 16

Which type of controls is implemented to secure physical access to an object, such as a building, a room, or a computer?

Answer 16

Physical or operational control

Question 17

Upon which report does the business continuity plan depend most?

Answer 17

Business Impact Analysis (BIA)

Question 18

What is the purpose of administrative controls?

Answer 18

Implement security policies based on procedures, standards, and guidelines

Question 19

In which situation will you accept a risk?

Answer 19

When the cost of safeguard exceeds the amount of the potential loss

Question 20

What is the term for the method of determining which kinds of controls are needed to classify and protect a company’s information assets?

Answer 20

Risk assessment

Question 21

What is another term for unencrypted credentials?

Answer 21

Clear text credentials

Question 22

Which risk response strategy involves reducing the probability or impact of a risk to an acceptable risk threshold?

Answer 22

Mitigation

Question 23

What is another term for logical controls?

Answer 23

Technical controls

Question 24

Which type of controls includes developing policies and procedures, screening personnel, conducting security awareness training, and implementing change control?

Answer 24

Administrative controls

Question 25

What can you do to ensure that staff understands which data they are handling?

Answer 25

Proper labeling

Question 26

What does the acronym MTTR denote?

Answer 26

Mean time to repair

Question 27

Which component of a computer use policy indicates that data stored on a company computer is not guaranteed to remain confidential?

Answer 27

No expectation of privacy policy

Question 28

Which type of controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols?

Answer 28

Technical controls

Question 29

Regarding mean time before failure (MTBF) and mean time to repair (MTTR) as they relate to system reliability, which metrics are desirable?

Answer 29

A high MTBF and a low MTTR

Question 30

What is the purpose of technical controls?

Answer 30

To restrict access to objects and protect availability, confidentiality, and integrity

Question 31

What is the purpose of physical controls?

Answer 31

To work with administrative and technical controls to enforce physical access control

Question 32

What is a service level agreement (SLA)

Answer 32

A contract between a network service provider and a customer that specifies the services the network service provider will furnish?

Question 33

What is the formula for determining annualized loss expectancy (ALE)?

Answer 33

ALE = single loss expectation (SLE) x annualized rate of occurrence (ARO)

Question 34

What is the recommended action when the cost of the safeguard exceeds the amount of potential loss for a given risk?

Answer 34

Accept the risk

Question 35

Which type of controls dictates how security policies are implemented to fulfill the company’s security goals?

Answer 35

Administrative or management control

Question 36

What does the acronym MTBF denote

Answer 36

Mean time before failure

Question 37

What does the acronym RPO denote?

Answer 37

Recovery point objective

Question 38

Which type of controls includes controlling access to different parts of a building, implementing locking systems, installing fencing, implementing environmental controls, and protecting the facility perimeter?

Answer 38

Physical controls

Question 39

Which term refers to the loss potential of an asset for a single year?

Answer 39

Annualized loss expectancy (ALE)

Question 40

According to the CompTIA Security+ blueprint, what are the four categories of platform/vendor-specific guides?

Answer 40

• Webserver
• Operating system (OS)
• Application server
• Network infrastructure devices

Question 41

Which risk response strategy involves purchasing insurance to protect the organization should the risk occur?

Answer 41

Transference

Question 42

Which type of controls include access control mechanisms, password management, identification methods, authentication methods, and security devices?

Answer 42

Technical or logical controls

Question 43

What is the first step in a business impact analysis

Answer 43

To identify all of the organization’s business units

Question 44

What does the acronym MTBF denote?

Answer 44

Mean time between failures

Question 45

Which risk response strategy involves modifying the security plan to eliminate the risk or its impact

Answer 45

Avoidance

Question 46

What does the acronym RTO denote?

Answer 46

Recovery time objective

Question 47

What is the primary concern of the business impact analysis(BIA)?

Answer 47

Identifies all business resources that could be lost

Question 48

Which policy forces all users to organize their work areas to reduce the risk of data theft?

Answer 48

Clean desk policy

Question 49

Which term is used for an agreement between two or more parties where the parties cannot create a legally enforceable agreement?

Answer 49

Memorandum of Understanding (MoU)