Governance, Risk, and Compliance Flashcards
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization’s RAID takes, on average, about 8 hours to repair when two drives within the RAID fail. Which of the following metrics would best represent this time period?
RTO
RPO
MTBF
MTTR
MTTR
Which of the following categories would contain information about a French citizen’s race or ethnic origin?
SPI
PII
DLP
PHI
SPI
Your company is required to remain compliant with PCI-DSS due to the type of information processed by your systems. If there was a breach of this data, which type of disclosure would you be required to provide during your incident response efforts?
Notification to federal law enforcement
Notification to Visa and Mastercard
Notification to local law enforcement
Notification to your credit card processor
Notification to your credit card processor
What technique is most effective in determining whether or not increasing end-user security training would benefit the organization during your technical assessment of their network?
Social engineering
Vulnerability scanning
Application security testing
Network sniffing
Social engineering
Your company explicitly obtains permission from its customers to use their email address as an account identifier in its CRM. Max, who works in the marketing department at the company’s German headquarters, just emailed all their customers to let them know about a new sales promotion this weekend. Which of the following privacy violations has occurred, if any?
There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails
There was a privacy violation since data minimization policies were not followed properly
There was no privacy violation because only corporate employees had access to their email addresses
There was no privacy violation since the customers were emailed securely through the customer relationship management tool
There was a privacy violation since the customers explicitly gave permission to use the email address as an identifier and did not consent to receiving marketing emails
Which of the following terms is used to describe the period of time following a disaster that an individual IT system may remain offline?
MTBF
RPO
RTO
MTTR
RTO
Which of the following categories would contain information about an individual’s race or ethnic origin?
DLP
SPI
PHI
PII
SPI (Sensitive Personal Information)
Which of the following security policies could help detect fraudulent cases that occur even when other security controls are already in place?
Dual control
Separation of duties
Least privilege
Mandatory vacations
Mandatory vacations
A competitor recently bought Dion Training’s ITIL 4 Foundation training course, transcribed the video captions into a document, re-recorded the course word for word as an audiobook, then published this newly recorded audiobook for sale on Audible. To classify this situation as a risk to Dion Training, which of the following terms would you use?
Data breach
Mission essential function
IP theft
Identity theft
IP theft (intellectual property)
If an administrator cannot fully remediate a vulnerability, which of the following should they implement?
Access requirements
A compensating control
A policy
An engineering tradeoff
A compensating control
Which of the following methods is used to replace all or part of a data field with a randomly generated number that is used to reference the original value stored in another vault or database?
Data masking
Data minimization
Tokenization
Anonymization
Tokenization
Dion Training is currently undergoing an audit of its information systems. The auditor wants to get a better understanding of how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?
Data controller
Data privacy officer
Data owner
Data steward
Data privacy officer
During your review of the firewall logs, you notice that an IP address from within your company’s server subnet had been transmitting between 125 and 375 megabytes of data to a foreign IP address overnight each day. You have determined this has been occurring for approximately 5 days, and the affected server has since been taken offline for forensic review. Which of the following is MOST likely to increase the impact assessment of the incident?
PII of company employees and customers was exfiltrated
IP addresses and other network-related configurations were exfiltrated
Raw financial information about the company was accessed
Forensic review of the server required fallback to a less efficient service
PII of company employees and customers was exfiltrated
What term describes the amount of risk an organization is willing to accept?
Risk avoidance
Risk mitigation
Risk acceptance
Risk appetite
Risk appetite
Risk appetite describes how much risk an organization is willing to accept.
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as?
Administrative controls
Compensating controls
Physical controls
Technical controls
Technical controls
Firewalls, intrusion detection systems, and a RADIUS server are all examples of technical controls.
Dion Training has performed an assessment as part of their disaster recovery planning. The assessment found that the organization can only tolerate a maximum of 60 minutes worth of data loss in the event of a disaster. Therefore, the organization has implemented a system of database snapshots that are backed up every hour. Which of the following metrics would best represent this time period?
MTBF
RTO
MTTR
RPO
RPO
Recovery point objective (RPO) describes a period of time in which an enterprise’s operations must be restored following a disruptive event, e.g., a cyberattack, natural disaster, or communications failure. RPO is about how much data you can afford to lose before it impacts business operations. For example, at Dion Training, if 1 hour of data loss occurred, any student progress within the last hour would be lost once the organization restored a server from a known good backup.
What is a major security risk that could occur when you commingle hosts/servers with different security requirements in a single network?
Zombie attacks
Password compromises
Security policy violations
Privilege creep
Security policy violations
Dion Training is in early discussions with a large university to license its cybersecurity courses as part of their upcoming semester. Both organizations have decided to enter into an exploratory agreement while they negotiate the detailed terms of the upcoming contract. Which of the following documents would best serve this purpose?
MOU
ISA
NDA
SLA
MOU
A memorandum of understanding (MOU) is used as a preliminary or exploratory agreement to express the intent of two companies to work together. A service level agreement (SLA) is a contractual agreement setting out the detailed terms under which a service is provided. An interconnection security agreement (ISA) governs the relationship between any federal agency and a third party that will be interconnecting their systems. A non-disclosure agreement (NDA) is the legal basis for protecting information assets.
You are conducting a routine vulnerability scan of a server when you find a vulnerability. You locate a patch for the vulnerability on the software vendor’s website. What should you do next?
Submit a Request for Change using the change management process
Download and install the patch immediately
Establish continuous monitoring
Start the incident response process
Submit a Request for Change using the change management process
Jamie’s organization is attempting to budget for the next fiscal year. Jamie has calculated that a data breach will cost them $120,000 for each occurrence. Based on her analysis, she believes that a data breach will occur once every four years with a risk factor of 30%. What is the ALE for a data breach within Jamie’s organization?
$90,000
$36,000
$9,000
$360,000
$9,000
The single loss expectancy (SLE) is the amount that would be lost in a single occurrence: the asset value (AV) times the risk factor (RF). The annual loss expectancy (ALE) is the total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).
SLE = AV x RF = $120,000 x 0.3 = $36,000
ALE = SLE x ARO = $36,000 x 0.25 = $9,000
Which type of agreement between companies and employees is used as a legal basis for protecting information assets?
ISA
MOU
NDA
SLA
NDA
Which law requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards?
SOX
COPPA
HIPAA
FISMA
FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA requires that government agencies and other organizations that operate systems on behalf of government agencies comply with security standards.
Dion Training has a $15,000 server that has been crashing frequently. Over the past 12 months, the server has crashed 10 times, requiring the server to be rebooted in order to recover from the crash. Each time, this has resulted in a 5% loss of functionality or data. Based on this information, what is the Annual Loss Expectancy (ALE) for this server?
$1,500
$7,500
$15,000
$2,500
$7,500
SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE: SLE = 0.05 x $15,000 = $750. Therefore, ALE = SLE x ARO = $750 x 10 = $7,500.