Governance, Risk, and Compliance Flashcards

1
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization’s RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

RTO

RPO

MTBF

MTTR

A

MTTR

2
Q

Which of the following categories would contain information about a French citizen’s race or ethnic origin?

SPI

PII

DLP

PHI

A

SPI

3
Q

Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?

Notification to federal law enforcement

Notification to Visa and Mastercard

Notification to local law enforcement

Notification to your credit card processor

A

Notification to your credit card processor

4
Q

What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?

Social engineering

Vulnerability scanning

Application security testing

Network sniffing

A

Social engineering

5
Q

Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works at the marketing department in the company’s German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?

There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails

There was a privacy violation since data minimization policies were not followed properly

There was no privacy violation because only corporate employees had access to their email addresses

There was no privacy violation since the customers were emailed securely through the customer relationship management tool

A

There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails

6
Q

Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline?

MTBF

RPO

RTO

MTTR

A

RTO

7
Q

Which of the following categories would contain information about an individual’s race or ethnic origin?

DLP

SPI

PHI

PII

A

SPI (Sensitive Personal Information)

8
Q

Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?

Dual control

Separation of duties

Least privilege

Mandatory vacations

A

Mandatory vacations

10
Q

A competitor recently bought Dion Training’s ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. If you were to classify this situation as a risk to Dion Training, which of the following terms would you use?

Data breach

Mission essential function

IP theft

Identity theft

A

IP theft (intellectual property)

10
Q

If an administrator cannot fully remediate a vulnerability, which of the following should they implement?

Access requirements

A compensating control

A policy

An engineering tradeoff

A

A compensating control

11
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number that is used to reference the original value stored in another vault or database?

Data masking

Data minimization

Tokenization

Anonymization

A

Tokenization

12
Q

Dion Training is currently undergoing an audit of its information systems. The auditor wants to get a better understanding of how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

Data controller

Data privacy officer

Data owner

Data steward

A

Data privacy officer

13
Q

During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 and 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?

PII of company employees and customers was exfiltrated

IP addresses and other network-related configurations were exfiltrated

Raw financial information about the company was accessed

Forensic review of the server required fallback to a less efficient service

A

PII of company employees and customers was exfiltrated

14
Q

What term describes the amount of risk an organization is willing to accept?

Risk avoidance

Risk mitigation

Risk acceptance

Risk appetite

A

Risk appetite

Risk appetite describes how much risk an organization is willing to accept.

15
Q

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

Administrative controls

Compensating controls

Physical controls

Technical controls

A

Technical controls

Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls.

16
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this time period?

MTBF

RTO

MTTR

RPO

A

RPO

Recovery point objective (RPO) describes the period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you can afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, any student progress within the last hour would be lost once the organization restored a server from a known good backup.

17
Q

What is a major security risk that could occur when you commingle hosts/servers with different security requirements in a single network?

Zombie attacks

Password compromises

Security policy violations

Privilege creep

A

Security policy violations

18
Q

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while they negotiate the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose?

MOU

ISA

NDA

SLA

A

MOU

A memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express the intent of the two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. An interconnection security agreement (ISA) governs the relationship between a federal agency and a third party that will be interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.

19
Q

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor’s website. What should you do next?

Submit a Request for Change using the change management process

Download and install the patch immediately

Establish continuous monitoring

Start the incident response process

A

Submit a Request for Change using the change management process

20
Q

Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that a data breach will cost them $120,000 for each occurrence. Based on her analysis, she believes that a data breach will occur once every four years and has a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?

$90,000

$36,000

$9,000

$360,000

A

$9,000

The single loss expectancy (SLE) is the amount that would be lost in a single occurrence, i.e., the asset value (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

SLE = AV x RF = $120,000 x 0.3 = $36,000

ALE = SLE x ARO = $36,000 x 0.25 = $9,000

21
Q

Which type of agreement between companies and employees is used as a legal basis for protecting information assets?

ISA

MOU

NDA

SLA

A

NDA

22
Q

Which law requires government agencies and other organizations that operate systems on behalf of government agencies to comply with security standards?

SOX

COPPA

HIPAA

FISMA

A

FISMA

The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards.

23
Q

Dion Training has a $15,000 server that has been crashing frequently. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted in order to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?

$1,500

$7,500

$15,000

$2,500

A

$7,500

SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE: SLE = 0.05 x $15,000 = $750. Therefore, ALE = SLE x ARO = $750 x 10 = $7,500.

24
Q

Dion Training is building a new data center. The group designing the facility has decided to provide additional HVAC capacity to ensure the data center maintains a consistently low temperature. Which of the following is the most likely benefit that will be achieved by increasing the designed HVAC capacity?

Higher data integrity due to more efficient SSD cooling

Increase the availability of network services due to higher throughput

Longer MTBF of hardware due to lower operating temperatures

Longer UPS run time due to increased airflow

A

Longer MTBF of hardware due to lower operating temperatures

25
Q

Which of the following is a senior role with the ultimate responsibility for maintaining confidentiality, integrity, and availability in a system?

Data custodian

Privacy officer

Data steward

Data owner

A

Data owner

A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of information assets. They are usually senior executives, someone with authority and responsibility.

26
Q

Dion Training is currently undergoing an audit of its information systems. The auditor wants to get a better understanding of how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?

Data controller

Data privacy officer

Data owner

Data steward

A

Data privacy officer

The primary role of the data protection officer (DPO) is to ensure that her organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within the business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

27
Q

Which of the following methods is used to replace all or part of a data field with a randomly generated number that is used to reference the original value stored in another vault or database?

Data masking

Data minimization

Tokenization

Anonymization

A

Tokenization

28
Q

You have decided to have DNA genetic testing and analysis performed to determine your exact ancestry composition. As which of the following types of data should this be classified?

CUI

PHI

IP

PII

A

PHI

29
Q

Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while they negotiate the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose?

ISA

MOU

SLA

NDA

A

MOU

30
Q

A preliminary or exploratory agreement used to express the intent of two companies to work together

A

Memorandum of understanding (MOU)

31
Q

A contractual agreement setting out the detailed terms under which a service is provided

A

Service level agreement (SLA)

32
Q

The legal basis for protecting information assets

A

Non-disclosure agreement (NDA)

33
Q

What is a major security risk that could occur when you commingle hosts/servers with different security requirements in a single network?

Security policy violations

Password compromises

Zombie attacks

Privilege creep

A

Security policy violations

34
Q

Which of the following is considered a form of regulated data?

DMCA

PII

AUP

DRM

A

PII

The four forms of regulated data covered by the CompTIA A+ (220-1002) exam are PII (Personally Identifiable Information), PCI (Payment Card Industry), GDPR (General Data Protection Regulation), and PHI (Protected Health Information).

35
Q

Which of the following terms is used to describe the period of time taken to correct a fault so that the system is restored to full operations after a failure or incident?

MTTR

RPO

RTO

MTBF

A

Mean time to repair (MTTR)

36
Q

The amount of data loss that a system can sustain, measured in time

MTTR

RPO

RTO

MTBF

A

Recovery point objective (RPO)

37
Q

The period following a disaster that an individual IT system may remain offline

MTTR

RPO

RTO

MTBF

A

Recovery time objective (RTO)

38
Q

The average time to replace or recover a system or product

MTTR

RPO

RTO

MTBF

A

Mean time to repair (MTTR)

39
Q

The expected lifetime of a product before it fails and must be replaced or repaired

MTTR

RPO

RTO

MTBF

A

MTBF

40
Q

Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?

Technical controls

Compensating controls

Administrative controls

Physical controls

A

Technical controls

41
Q

A client-server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service

A

RADIUS (Remote Authentication Dial-In User Service)

42
Q

Provides a secure mechanism for verifying the identity of network services, such as servers and applications

A

Kerberos (Port 88)

43
Q

James, a programmer at Apple Computers, is surfing the internet on his lunch break. He comes across a rumor site that is focused on providing details of the upcoming iPhone being released in a few months. James knows that Apple likes to keep its product details a secret until they are publicly announced. As James is looking over the website, he sees a blog post with an embedded picture of a PDF containing detailed specifications for the next iPhone and labeled as “Proprietary Information – Internal Use Only.” The new iPhone is still several months away from release. What should James do next?

Contact the service desk or incident response team to determine what to do next

Contact his team lead and ask what he should do next

Reply to the blog post and deny the accuracy of the specifications

Contact the website's owner and request they take down the PDF

A

Contact the service desk or incident response team to determine what to do next

44
Q

You have been asked to write a new security policy to reduce the risk of employees working together to steal information from the Dion Training corporate network. Which of the following policies should you create to counter this threat?

Acceptable use policy

Least privilege policy

Privacy policy

Mandatory vacation policy

A

Mandatory vacation policy

46
Q

Which type of personnel control is being implemented if Kirsten must receive and inventory any items that her coworker, Bob, orders?

Dual control

Separation of duties

Mandatory vacation

Background checks

A

Separation of duties

47
Q

Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?

Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters

Open authentication standards should be implemented on all wireless infrastructure

All guests must provide valid identification when registering their wireless devices for use on the network

A

All guests must provide valid identification when registering their wireless devices for use on the network

48
Q

Dion Training is concerned with the possibility of a data breach causing a financial loss to the company. After performing a risk analysis, the COO decides to purchase data breach insurance to protect the company in the event of an incident. Which of the following best describes the company's risk response?

Transference

Mitigation

Avoidance

Acceptance

A

Transference

Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities).

49
Q

What should be done NEXT if the final set of security controls does not eliminate all of the risks in a given system?

You should remove the current controls since they are not completely effective

You should accept the risk if the residual risk is low enough

You should ignore any remaining risk

You should continue to apply additional controls until there is zero risk

A

You should accept the risk if the residual risk is low enough

50
Q

Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline?

MTBF

MTTR

RTO

RPO

A

RTO

51
Q

A cybersecurity analyst is analyzing what they believe to be an active intrusion into their network. The indicator of compromise maps to a suspected nation-state group that has strong financial motives, APT 38. Unfortunately, the analyst finds their data correlation is lacking and cannot determine which assets have been affected, so they begin to review the list of network assets online. The following servers are currently online: PAYROLL_DB, DEV_SERVER7, FIREFLY, DEATHSTAR, THOR, and DION. Which of the following actions should the analyst conduct first?

Conduct a data criticality and prioritization analysis

Logically isolate the PAYROLL_DB server from the production network

Conduct a Nessus scan of the FIREFLY server

Harden the DEV_SERVER7 server

A

Conduct a data criticality and prioritization analysis

52
Q

You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor's website. What should you do next?

Establish continuous monitoring

Submit a Request for Change using the change management process

Download and install the patch immediately

Start the incident response process

A

Submit a Request for Change using the change management process

53
Q

Dion Training has a $15,000 server that has been crashing frequently. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted in order to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?

$7,500

$1,500

$15,000

$2,500

A

$7,500

SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE: SLE = 0.05 x $15,000 = $750. Therefore, ALE = SLE x ARO = $750 x 10 = $7,500.

54
Q

Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization's RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?

RPO

RTO

MTTR

MTBF

A

MTTR

55
Q

Which of the following categories would contain information about an individual's race or ethnic origin?

DLP

PII

SPI

PHI

A

SPI

Information about an individual's race or ethnic origin is classified as Sensitive Personal Information (SPI).

56
Q

Sensitive Personal Information

A

Sensitive personal information (SPI) is information about a subject's opinions, beliefs, and nature that is afforded specially protected status by privacy legislation.

57
Q

Janet, a defense contractor for the military, is performing an analysis of their enterprise network to identify what type of work the Army would be unable to perform if the network were down for more than a few days. Which of the following was Janet trying to identify?

Critical systems

Backup and restoration plan

Mission essential function

Single point of failure

A

Mission essential function

58
Q

During an assessment of the POS terminals that accept credit cards, a cybersecurity analyst notices a recent Windows operating system vulnerability exists on every terminal. Since these systems are all embedded and require a manufacturer update, the analyst cannot install a regular patch provided by Microsoft. Which of the following options would be best to ensure the systems remain protected and compliant with the rules outlined by the PCI DSS?

Replace the Windows POS terminals with standard Windows systems

Build a custom OS image that includes the patch

Remove the POS terminals from the network until the vendor releases a patch

Identify, implement, and document compensating controls

A

Identify, implement, and document compensating controls

59
Q

Vulnerability scans must be conducted on a continuous basis in order to meet regulatory compliance requirements for the storage of PHI. During the last vulnerability scan, a cybersecurity analyst received a report of 2,592 possible vulnerabilities and was asked by the Chief Information Security Officer (CISO) for a plan to remediate all the known issues. Which of the following should the analyst do next?

Wait to perform any additional scanning until the current list of vulnerabilities has been remediated fully

Attempt to identify all the false positives and exceptions, then resolve any remaining items

Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

Place any assets that contain PHI in a sandbox environment and then remediate all the vulnerabilities

A

Filter the scan results to include only those items listed as critical in the asset inventory and remediate those vulnerabilities first

60
Q

Your organization is updating its Acceptable Use Policy (AUP) to implement a new password standard that requires a guest's wireless devices to be sponsored before receiving authentication. Which of the following should be added to the AUP to support this new requirement?

Open authentication standards should be implemented on all wireless infrastructure

Network authentication of all guest users should occur using the 802.1x protocol as authenticated by a RADIUS server

Sponsored guest passwords must be at least 14 alphanumeric characters containing a mixture of uppercase, lowercase, and special characters

All guests must provide valid identification when registering their wireless devices for use on the network

A

All guests must provide valid identification when registering their wireless devices for use on the network

OBJ 5.3: Explain the importance of policies to organizational security