Governance, Risk, and Compliance Flashcards

1
Q

Janet, a defense contractor for the military, performs an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify?

A. Mission Essential Function
B. Critical Systems
C. Backup and Restoration
D. Single Point of Failure

A

A. Mission Essential Functions

2
Q

Your organization is updating its incident response communications plan. A business analyst in the working group recommends that if the company discovers they are the victims of a data breach, they should only notify the affected parties to minimize media attention and bad publicity. Which of the following recommendations do you provide in response to the business analyst’s statement?

A. An External Hosted
B. The Human Resources
C. Guidance of Law
D. The first Responder

A

C. Guidance of Law

3
Q

Which of the following agreements is used between companies and employees, between companies and contractors, and between two companies to protect information assets?

A. SLA
B. NDA
C. DSAU
D. ISA

A

B. NDA

4
Q

Hilda needs a cost-effective backup solution that would allow for the restoration of data within a 24 hour RPO. The disaster recovery plan requires that backups occur during a specific timeframe each week, and then the backups should be transported to an off-site facility for storage. What strategy should Hilda choose to BEST meet these requirements?

A. Create a daily incremental backup
B. Create a full backup
C. Create disk to disk
D. Configure replication of data

A

A. Create a daily incremental backup

5
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization’s RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

A. RTO
B. RPO
C. MTTR
D. MTBF

A

C. MTTR

6
Q

Which of the following terms is used to describe the period of time taken to correct a fault so that the system is restored to full operations after a failure or incident?

A. MTTR
B. RPO
C. MTBF
D. RTO

A

A. MTTR

7
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that their file server has crashed twice in the last two years. The most recent time was in August, and the time before that was 15 months before. Which of the following metrics would best represent this 15 month time period?

A. MTTR
B. RTO
C. MTBF
D. RPO

A

C. MTBF

8
Q

Your company is setting up a system to accept credit cards in their retail and online locations. Which of the following compliance types should you be MOST concerned with dealing with credit cards?

A. PHI
B. PII
C. PCI-DSS
D. GDPR

A

C. PCI-DSS

9
Q

Which type of agreement between companies and employees is used as a legal basis for protecting information assets?

A. NDA
B. SLA
C. ISA
D. MOU

A

A. NDA

10
Q

Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest’s wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?

A. Network authentication
B. Sponsored guest passwords
C. All guests provide valid identification
D. Open authentication

A

C. All guests provide valid identification

11
Q

You just moved into a new house, and you are worried about a burglar breaking into the home and stealing your laptop. Unfortunately, the security alarm company cannot get to your home to install the security system you just purchased for another 3 weeks. In the meantime, they have sent you a little sign that says, “Protected by Security Inc.” for you to place in front of your house. Once installed, which of the following control types is this sign?

A. Detective
B. Deterrent
C. Preventive
D. Corrective

A

B. Deterrent

12
Q

You have been asked to classify a hospital’s medical records as a form of regulated data. Which of the following would BEST classify this type of data?

A. GDPR
B. PII
C. PCI
D. PHI

A

D. PHI

13
Q

Which of the following BEST describes when a third-party takes components produced by a legitimate manufacturer and assembles an unauthorized replica sold in the general marketplace?

A. Recycling
B. Entrepreneurship
C. Counterfeiting
D. Capitalism

A

C. Counterfeiting

14
Q

After completing an assessment, you create a chart listing the associated risks based on the vulnerabilities identified with your organization’s privacy policy. The chart contains listings such as high, medium, and low. It also utilizes red, yellow, and green colors based on the likelihood and impact of a given incident. Which of the following types of assessments did you just complete?

A. Privacy Assessment
B. Qualitative Risk Assessment
C. Quantitative Risk Assessment
D. Supply Chain Assessment

A

B. Qualitative Risk Assessment

15
Q

Vulnerability scans must be conducted continuously to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

A. Wait to perform any additional scans
B. Place any asset that contains PHI
C. Attempt to identify false positives
D. Filter the scan results to include only those items listed as critical

A

D. Filter the scan results to include only those items listed as critical

16
Q

A competitor recently bought Dion Training’s ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course exactly word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. From Dion Training’s perspective, how would you BEST classify this situation?

A. IP Theft
B. Data Breach
C. Mission essential functions
D. Identity Theft

A

A. IP Theft

17
Q

You are applying for a job at a cybersecurity firm. The application requests you enter your social security number, date of birth, and email address to conduct a background check as part of the hiring process. Which of the following types of information have you been asked to provide?

A. IP
B. PII
C. CUI
D. PHI

A

B. PII

18
Q

A new corporate policy dictates that all access to network resources will be controlled based on the user’s job functions and tasks within the organization. For example, only people working in Human Resources can access employee records, and only the people working in finance can access customer payment histories. Which of the following security concepts is BEST described by this new policy?

A. Directory Permission
B. Blocklist
C. Least Privilege
D. Permission Creep

A

C. Least Privilege

19
Q

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until it is publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled “Proprietary Information – Internal Use Only.” The new iPhone is still several months away from release. What should James do next?

A. Contact team lead and ask what they should do next
B. Reply to the blog post and deny the accuracy of the specification
C. Contact the service desk or incident response team to determine what to do next
D. Contact the website owner and request they take down the PDF

A

C. Contact the service desk or incident response team to determine what to do next

20
Q

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 to 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?

A. PII of the company employees and customers was exfiltrated
B. Raw financial Information about the company was accessed
C. IP addresses and other network-related configuration was exfiltrated
D. Forensic review of the server required fallback to a less efficient service

A

A. PII of the company employees and customers was exfiltrated

21
Q

What regulation protects the privacy of student educational records?

A. GLBA
B. SOX
C. FERPA
D. HIPAA

A

C. FERPA

22
Q

You have been hired as a cybersecurity analyst for a privately-owned bank. Which of the following regulations would have the greatest impact on your bank’s cybersecurity program?

A. SOX
B. HIPAA
C. FERPA
D. GLBA

A

D. GLBA

23
Q

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

A. HIPAA
B. FISMA
C. COPPA
D. SOX

A

B. FISMA

24
Q

Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that the asset value of a database server is $120,000. Based on her analysis, she believes that a data breach to this server will occur once every four years and has a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?

A. $90,000
B. $36,000
C. $360,000
D. $9,000

A

D. $9,000

25
Q

When you purchase an exam voucher at diontraining.com, the system only collects your name, email, and credit card information. Which of the following privacy methods is being used by Dion Training?

A. Data Minimization
B. Tokenization
C. Atomization
D. Data Masking

A

A. Data Minimization

26
Q

Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand better how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

A. Data Owner
B. Data Protection Officer
C. Data Steward
D. Data Controller

A

B. Data Protection Officer

27
Q

Which of the following categories would contain information about a French citizen’s race or ethnic origin?

A. PHI
B. SPI
C. DLP
D. PII

A

B. SPI

28
Q

Dion Training has just completed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 30 minutes of downtime for their public-facing webserver. Which of the following metrics would best represent this period of time?

A. RTO
B. MTBF
C. MTTR
D. RPO

A

A. RTO

29
Q

Christina is auditing the security procedures related to the use of a cloud-based online payment service. She notices that the access permissions are set so that a single person cannot add funds to the account and transfer funds out of the account. What security principle is most closely related to this scenario?

A. Security through Obscurity
B. Least Privilege
C. Separation of Duty
D. Dual Control Authentication

A

C. Separation of Duty

30
Q

Julie was just hired to conduct a security assessment of Dion Training’s security policies. During her assessment, she noticed that many users were sharing group accounts to conduct their work roles. Julie recommended that the group accounts be eliminated and instead have an account created for each user. What improvement will this recommended action provide for the company?

A. More route auditing
B. Increase password security
C. Increase individual accountability
D. More efficient baseline management

A

C. Increase individual accountability

31
Q

Dion Training’s offices utilize an open concept floor plan. They are concerned that a visitor might attempt to steal an external hard drive and carry it out of the building. To mitigate this risk, the security department has recommended installing security cameras clearly visible to both employees and visitors. What type of security control do these cameras represent?

A. Administrative
B. Corrective
C. Compensating
D. Deterrent

A

D. Deterrent

32
Q

An internet marketing company decided that they didn’t want to follow the rules for GDPR because it would create too much work for them. They wanted to buy insurance, but no insurance company would write them a policy to cover any fines received. They considered how much the fines might be and decided to ignore the regulation and its requirements. Which of the following risk strategies did the company choose?

A. Transference
B. Mitigation
C. Acceptance
D. Avoidance

A

C. Acceptance

33
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

A. Data Steward
B. Data Custodian
C. Privacy Officer
D. Data Owner

A

D. Data Owner

34
Q

Following a root cause analysis of an edge router’s unexpected failure, a cybersecurity analyst discovered that the system administrator had purchased the device from an unauthorized reseller. The analyst suspects that the router may be a counterfeit device. Which of the following controls would have been most effective in preventing this issue?

A. Conduct secure supply chain management training
B. Ensure all anti-virus signatures are up to date
C. Increase network vulnerability scan frequency
D. Verify that all routers are patched to the latest release

A

A. Conduct secure supply chain management training

35
Q

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor’s website. What should you do next?

A. Submit a request for change using change management
B. Establish continuous monitoring
C. Download and Install a patch immediately
D. Start the incident response process

A

A. Submit a request for change using change management

36
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number used to reference the original value stored in another vault or database?

A. Data Masking
B. Data Minimization
C. Anonymization
D. Tokenization

A

D. Tokenization

37
Q

What is the biggest disadvantage of using single sign-on (SSO) for authentication?

A. Systems must be configured to utilize the federation
B. Users need to authenticate with each server as they log in
C. The identity provider issues the authorization
D. It introduces a single point of failure

A

D. It introduces a single point of failure

38
Q

Which of the following terms is used to describe the timeframe following a disaster that an individual IT system may remain offline?

A. MTTR
B. RTO
C. MTBF
D. RPO

A

B. RTO

39
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?

A. Conduct a Nessus scan of the firefly server
B. Hardening the DEV_Server7 server
C. Logically isolate the PAYROLL_DB server from the production network
D. Conduct a data criticality and prioritization analysis

A

D. Conduct a data criticality and prioritization analysis

40
Q

Dion Training has a $15,000 server that has frequently been crashing. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?

A. 2,500
B. 7,500
C. 15,000
D. 1,000

A

B. 7,500

41
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?

A. You should continue to apply additional controls until there is zero risk
B. You should ignore remaining risk
C. You should accept residual risk
D. You should remove the current controls since they are not completely effective

A

C. You should accept residual risk

42
Q

When you are managing a risk, what is considered an acceptable option?

A. Reject
B. Mitigate
C. Initiate
D. Deny

A

B. Mitigate

43
Q

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?

A. Social Engineering
B. Vulnerability Scan
C. Network Sniffing
D. Application Security Testing

A

A. Social Engineering

44
Q

Dion Consulting Group has recently been awarded a contract to provide cybersecurity services for a major hospital chain in 48 cities across the United States. Previously, the consultants have won numerous contracts with financial services and publicly traded companies, but they are new to the healthcare industry. Which of the following laws must the consultants review to ensure the hospital and its customers are fully protected?

A. SOX
B. HIPAA
C. COSO
D. GLBA

A

B. HIPAA

45
Q

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity?

A. Longer UPS run time due to increased air flow
B. Longer MTBF of hardware due to lower operating temperatures
C. Higher data integrity due to more efficient SSD cooling
D. Increase the availability of network due to higher throughput

A

B. Longer MTBF of hardware due to lower operating temperatures

46
Q

What legal contract outlines the confidential material or information that will be shared by the pen tester and organization during an assessment?

A. MSA
B. SOW
C. SLA
D. NDA

A

D. NDA

47
Q

What term describes the amount of risk an organization is willing to accept?

A. Risk Appetite
B. Risk Mitigation
C. Risk Acceptance
D. Risk Avoidance

A

A. Risk Appetite

48
Q

Your company is expanding its operations in the European Union and is concerned about additional governmental regulations that may apply. Which of the following regulations applies when processing personal data within the European Union?

A. PII
B. GDPR
C. PHI
D. PCI

A

B. GDPR

49
Q

Dion Training conducts weekly vulnerability scanning of their network and patches any identified issues within 24 hours. Which of the following best describes the company’s risk response strategy?

A. Acceptance
B. Avoidance
C. Mitigation
D. Transference

A

C. Mitigation

50
Q

Which of the following is considered a form of regulated data?

A. DRM
B. PII
C. DMCA
D. AUP

A

B. PII

51
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install Microsoft’s regular patch. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

A. Build a custom OS
B. Replace the Windows POS
C. Identify, Implement, and document
D. Remove the POS terminals

A

C. Identify, Implement, and document

52
Q

What is the term for the amount of risk that an organization is willing to accept or tolerate?

A. Risk Deterrence
B. Risk Avoidance
C. Risk Appetite
D. Risk Transference

A

C. Risk Appetite

53
Q

Dion Training performed an assessment as part of its disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this timeframe?

A. MTTR
B. RPO
C. MTBF
D. RTO

A

B. RPO

54
Q

When your credit card data is written to the customer invoicing system at Dion Training, the first 12 digits are replaced with an x before storing the data. Which of the following privacy methods is being used?

A. Data Minimization
B. Data Masking
C. Anonymization
D. Tokenization

A

B. Data Masking

55
Q

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

A. Mandatory Vacation
B. Dual Control
C. Least Privilege
D. Separation of Duty

A

A. Mandatory Vacation

56
Q

You are attempting to prioritize your vulnerability scans based on the data’s criticality. This will be determined by the asset value of the data contained in each system. Which of the following would be the most appropriate metric to use in this prioritization?

A. The deprecated hardware cost
B. The cost of acquisition of the system
C. The cost of hardware replacement
D. The type of data processed by the systems

A

D. The type of data processed by the systems

57
Q

Which of the following vulnerabilities is the greatest threat to data confidentiality?

A. SSL server with SSLv3 enabled vulnerability
B. HTTP TRACE/TRACK methods enabled
C. phpinfo information disclosure vulnerability
D. Web application SQL injection vulnerabilities

A

D. Web application SQL injection vulnerabilities

58
Q

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while negotiating the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose?

A. NDA
B. MOU
C. SLA
D. ISA

A

B. MOU

59
Q

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company’s German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?

A. There is no privacy violation since the customers were emailed
B. There is no privacy violation because of corporate employees
C. There is no privacy violation since the customers explicitly gave permission to use email
D. There is no privacy violation since data minimization

A

C. There is no privacy violation since the customers explicitly gave permission to use email

60
Q

If an administrator cannot fully remediate a vulnerability, which of the following should they implement?

A. An engineering tradeoff
B. A Policy
C. Access Requirement
D. A Compensating Control

A

D. A Compensating Control

61
Q

Jack is assessing the likelihood of reconnaissance activities being performed against his organization. Which of the following would best classify the likelihood of a port scan being conducted against his DMZ?

A. None
B. High
C. Medium
D. Low

A

B. High

62
Q

Last week, your organization was the victim of a cyber attack. The attack’s root cause was investigated and found to be due to a missing patch on your Windows 2016 server for the EternalBlue exploit. The organization’s vulnerability management team has rescanned the network and identified all the machines missing this critical patch. These systems were then patched, and the network was rescanned to verify the patch was installed properly. Which of the following types of controls would you classify the installation of this patch as?

A. Corrective
B. Compensating
C. Deterrent
D. Detective

A

A. Corrective

63
Q

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat?

A. Acceptable use policy
B. Mandatory Vacation Policy
C. Privacy Policy
D. Least Privilege Policy

A

B. Mandatory Vacation Policy

64
Q

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

A. Physical Controls
B. Compensating Controls
C. Administrative Controls
D. Technical Controls

A

D. Technical Controls

65
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

A. Mandatory Vacation
B. Separation of Duties
C. Background Checks
D. Dual Controls

A

B. Separation of Duties

66
Q

What process is used to conduct an inventory of critical systems, components, and devices within an organization?

A. Vulnerability Management
B. Patch Management
C. Change Management
D. Asset Management

A

D. Asset Management

67
Q

Every new employee at Dion Training must sign a document to show they understand the proper rules for using the company’s computers. This document states that the new employee has read the policy that dictates what can and cannot be done from the corporate workstations. Which of the following documents BEST describes this policy?

A. SOW
B. AUP
C. SLA
D. MOU

A

B. AUP

68
Q

What is a major security risk that could occur when you comingle

A. Security Policy Violation
B. zombie Attacks
C. Password Compromises
D. Privilege Escalation

A

A. Security Policy Violation