Governance, Risk, and Compliance Flashcards

1
Q

What is the primary goal of governance in the context of information security?

A) implementing technical controls
B) establishing policies and procedures
C) performing vulnerability assessments
D) enforcing user training

A

Establishing policies and procedures

Governance is the framework of policies, standards, and procedures, set by management, that directs and measures an organization's security program so it stays aligned with business objectives and regulatory obligations. Technical controls, vulnerability assessments, and user training are activities carried out under that framework, not the framework itself.

2
Q

What is the purpose of a risk assessment in an organization’s security strategy?

A) identifying vulnerabilities
B) determining compliance requirements
C) assigning blame in case of a security incident
D) evaluating the cost of security measures

A

Identifying vulnerabilities

A risk assessment identifies threats and vulnerabilities, estimates the likelihood and impact of their exploitation on the organization's assets, and prioritizes the resulting risks so controls can be chosen on a rational basis. Of the options given, identifying vulnerabilities is the one that describes this; compliance requirements and cost evaluation are inputs to the wider risk management process, and assigning blame is never its purpose.

3
Q

Which of the following is an example of a compliance standard relevant to the handling of payment card data?

A) HIPAA
B) PCI DSS
C) FERPA
D) ISO/IEC 27001

A

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) is a contractual standard maintained by the PCI Security Standards Council on behalf of the card brands, not a law. It applies to every entity that stores, processes, or transmits cardholder data, and to service providers that can affect the security of that data. HIPAA covers protected health information, FERPA covers student education records, and ISO/IEC 27001 is a general information security management system standard rather than a card-data standard.

4
Q

What role does the CISO (Chief Information Security Officer) typically play in an organization’s security governance?

A) developing software applications
B) implementing firewalls and intrusion detection systems
C) enforcing security policies and procedures
D) managing HR operations

A

Enforcing security policies and procedures

The CISO owns the security program: setting and enforcing security policies and standards, managing security risk, and reporting on security posture to executives and the board. Building software and deploying firewalls or intrusion detection systems are engineering tasks delegated to development and operations teams under the CISO's policies.

5
Q

How does governance differ from compliance in the context of security management?

A) governance deals with regulations, while compliance focuses on internal policies
B) governance refers to policies, while compliance refers to risk assessment
C) governance defines the rules, while compliance ensures adherence to those rules
D) governance establishes procedures, while compliance dictates technology use

A

Governance defines the rules, while compliance ensures adherence to those rules

Governance sets the framework of rules, standards, and guidelines for security; compliance verifies that the organization actually conforms to those rules and to the external laws and standards it is subject to. Option A has the two reversed: regulations are external inputs that governance must account for, and adherence to internal policy is itself a compliance matter.

6
Q

What is the main purpose of a compliance audit?

A) identifying vulnerabilities
B) ensuring conformity to established standards and regulations
C) conducting risk assessment
D) creating security policies

A

Ensuring conformity to established standards and regulations

A compliance audit verifies whether an organization is adhering to relevant laws, regulations, and internal policies regarding security measures.

7
Q

How does risk acceptance differ from risk avoidance in risk management?

A) risk acceptance involves mitigating identified risks, while risk avoidance ignores potential risks
B) risk acceptance is acknowledging the existence of a risk without taking action, while risk avoidance is actively working to eliminate risks
C) risk acceptance transfers identified risks to a third party, while risk avoidance mitigates risks within the organization
D) risk acceptance is embracing identified risks, while risk avoidance is eliminating the risk by investing in insurance

A

B

Risk acceptance is acknowledging the existence of a risk without taking action, while risk avoidance is actively working to eliminate risks

Risk acceptance is a deliberate, documented decision to live with a risk, typically because the cost of treating it exceeds the expected loss or because it falls within the organization's risk appetite; the risk is still recorded and monitored. Risk avoidance eliminates the exposure entirely by not undertaking, or discontinuing, the activity that creates it. Reducing a risk with controls is mitigation, and shifting it to an insurer or contractor is transference; those are the other two standard treatment options.

8
Q

Which regulation is specifically designed to protect the privacy of individuals’ personally identifiable information (PII)?

A) GDPR
B) SOX
C) GLBA
D) FERPA

A

GDPR

GDPR (General Data Protection Regulation) is the EU regulation governing the processing of "personal data", its term for any information relating to an identified or identifiable person. It applies to organizations established in the EU and EEA and to organizations elsewhere that offer goods or services to, or monitor, individuals in the EU. SOX concerns financial reporting controls, GLBA concerns the customer data of financial institutions, and FERPA concerns student education records; only GDPR is a general-purpose privacy regulation.

9
Q

What is the primary objective of a security policy in an organization?

A) enforcing legal regulation
B) providing technical guidance for IT professionals
C) communicating management’s directives for security
D) establishing penalties for security breaches

A

Communicating management’s directives for security

Security policies in an organization communicate management’s directives and expectations for security measures to ensure alignment and compliance throughout the organization.

10
Q

What is the primary objective of a data classification policy in an organization’s security framework?

A) to define security measures for physical data storage
B) to categorize data based on sensitivity and define handling procedures
C) to outline procedures for disaster recovery
D) to encrypt all sensitive data

A

To categorize data based on sensitivity and define handling procedures

A data classification policy establishes how data should be categorized based on sensitivity levels and outlines appropriate handling procedures for each category.

11
Q

What is the primary focus of a change management process in an organization’s security governance?

A) implementing security incident response plans
B) reviewing security policies quarterly
C) controlling modifications to systems and environments
D) evaluating security awareness training effectiveness

A

C

Controlling modifications to systems and environments

Change management in security governance primarily focuses on controlling and documenting modifications to systems, configurations, and environments to maintain security and reduce risks associated with changes.

12
Q

Which term refers to the maximum acceptable amount of time a system can be unavailable before it starts causing severe damage to the organization?

A) MTBF (mean time between failures)
B) RTO (recovery time objective)
C) MTTR (mean time to repair)
D) MTD (maximum tolerable downtime)

A

MTD (maximum tolerable downtime)

MTD is the longest outage the business can absorb before the damage becomes unacceptable. The recovery time objective (RTO) is the target time for restoring the system and must be set below the MTD, leaving margin for the business to resume normal work. MTBF and MTTR are reliability metrics describing how often a component fails and how long repair takes; they say nothing about how much downtime the business can tolerate.

13
Q

What is the primary purpose of a security awareness training program within an organization?

A) implementing security controls
B) identifying security incidents
C) educating employees about security best practices
D) responding to security breaches

A

C

Educating employees about security best practices

Security awareness training aims to educate employees about security best practices and potential threats.

14
Q

Which of the following is an essential component of a security policy framework in an organization?

A) conducting regular vulnerability assessments
B) providing physical access controls
C) establishing a business continuity plan
D) configuring network firewalls

A

Establishing a business continuity plan

A business continuity plan keeps critical operations running during and after a disaster or major security incident and is therefore a policy-level component of the framework. Vulnerability assessments, physical access controls, and firewall configuration are operational controls that the policies direct; they are outputs of the framework rather than parts of it.

15
Q

What is the primary objective of an IT audit of an organization’s security governance?

A) ensuring all software is up-to-date
B) verifying compliance with policies and regulations
C) implementing new security protocols
D) assessing user access controls

A

B

Verifying compliance with policies and regulations

An IT audit primarily aims to assess and ensure that the organization complies with established policies, regulations, and industry standards.

16
Q

Which term describes the process of quantifying the possible losses from a particular risk?

A) risk analysis
B) risk mitigation
C) risk assessment
D) risk management

A

Risk analysis

Risk analysis quantifies or rates the possible loss from a specific risk by combining its likelihood and impact, either quantitatively (SLE, ARO, and ALE) or qualitatively (high, medium, low ratings). Risk assessment is the broader process that includes identification, analysis, and evaluation; risk mitigation is one treatment option, and risk management is the overall cycle of assessment, treatment, and monitoring.

17
Q

What is the purpose of a Security Risk Assessment?

A) identifying security controls
B) evaluating the impact of a security breach
C) measuring and managing potential risks
D) testing the effectiveness of disaster recovery plans

A

Measuring and managing potential risks

A Security Risk Assessment involves identifying, analyzing, and managing potential risks within an organization’s security landscape.

18
Q

What is the primary function of a Privacy Impact Assessment (PIA)?

A) assessing the financial impact of security breaches
B) identifying potential risks to individual privacy
C) evaluating the effectiveness of security controls
D) analyzing the impact of data encryption methods

A

Identifying potential risks to individual privacy

A Privacy Impact Assessment primarily aims to identify and evaluate potential risks to individual privacy within a specific system or process.

19
Q

Which term refers to a legal statement ensuring that two parties will keep specific information confidential?

A) non-disclosure agreement (NDA)
B) memorandum of understanding (MOU)
C) service level agreement (SLA)
D) business partnership agreement (BPA)

A

Non-disclosure agreement (NDA)

An NDA is a legally binding contract between two or more parties, ensuring that specific information remains confidential and is not shared with others.

20
Q

What does the term “Chain of Custody” primarily refer to?

A) documentation of evidence handling procedures
B) tracking unauthorized access attempts
C) cataloging software and hardware inventory
D) maintaining system backups

A

Documentation of evidence handling procedures

Chain of custody is the documented, chronological record of who collected, handled, transferred, and stored evidence, when, and how it was secured, so that its integrity and admissibility can be demonstrated in legal proceedings. In digital forensics each entry normally includes a cryptographic hash of the evidence, recomputed at every hand-off, so any alteration between steps is detectable and attributable to a specific custodian.
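
The following is an added example, not part of the original flashcards, showing how a hash-linked custody log makes the integrity property above checkable: each entry records a SHA-256 of the evidence at that hand-off and a SHA-256 of the previous entry, so both a modified evidence file and a rewritten log entry are detected. The case identifier, handler names, timestamps, and evidence bytes are constructed for illustration.

```python
"""Hash-linked chain-of-custody log for a piece of digital evidence.

Added example, not from the original flashcards. The evidence bytes, case
identifier, names and timestamps below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int               # 1-based position in the log
    timestamp: str         # ISO 8601 in UTC, when custody changed
    handler: str           # person who took or released custody
    action: str            # "collected", "transferred", "imaged", "stored", ...
    evidence_hash: str     # SHA-256 of the evidence as verified at this step
    prev_entry_hash: str   # SHA-256 of the previous entry, linking the log

    def digest(self) -> str:
        # Canonical JSON (sorted keys) so any tool recomputes the same hash.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    def __init__(self, evidence_id: str) -> None:
        self.evidence_id = evidence_id
        self.entries: list[CustodyEntry] = []

    def _genesis(self) -> str:
        # The first entry links to a hash of the evidence identifier.
        return sha256_hex(self.evidence_id.encode())

    def record(self, timestamp: str, handler: str, action: str, evidence: bytes) -> CustodyEntry:
        """Append an entry; the handler re-hashes the evidence at every hand-off."""
        prev = self.entries[-1].digest() if self.entries else self._genesis()
        entry = CustodyEntry(len(self.entries) + 1, timestamp, handler, action,
                             sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list[str]:
        """Return the problems found; an empty list means log and evidence check out."""
        problems: list[str] = []
        expected_prev = self._genesis()
        for i, e in enumerate(self.entries, start=1):
            if e.seq != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if e.prev_entry_hash != expected_prev:
                problems.append(f"entry {i}: link to previous entry broken")
            expected_prev = e.digest()
        if not self.entries:
            return problems
        collected = self.entries[0].evidence_hash
        for e in self.entries[1:]:
            if e.evidence_hash != collected:
                problems.append(f"entry {e.seq}: evidence changed while handled by {e.handler}")
        if sha256_hex(evidence) != collected:
            problems.append("current evidence does not match hash recorded at collection")
        return problems


# Constructed sample data (not from the original page).
SAMPLE_EVIDENCE = b"constructed stand-in for a disk image"


def sample_log() -> CustodyLog:
    log = CustodyLog("CASE-0001/ITEM-7")
    log.record("2024-03-01T09:00:00Z", "analyst A", "collected", SAMPLE_EVIDENCE)
    log.record("2024-03-01T11:30:00Z", "analyst B", "transferred", SAMPLE_EVIDENCE)
    log.record("2024-03-02T08:00:00Z", "analyst B", "stored in evidence locker", SAMPLE_EVIDENCE)
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify(SAMPLE_EVIDENCE) or "no problems")
    print("altered:", log.verify(SAMPLE_EVIDENCE + b"!"))
```

In practice the log itself lives somewhere the custodians cannot silently edit (a case-management system, a signed file, or a write-once store); the hash chain only proves that an edit happened, not who made it, which is why the handler identity and a trustworthy record of the log's own history still matter.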

21
Q

In terms of risk management, what does the term “Risk Appetite” refer to?

A) the maximum risk level an organization is willing to accept
B) the likelihood of a security incident occurring
C) the overall risk exposure of the organization
D) the effectiveness of risk mitigation strategies

A

A

The maximum risk level an organization is willing to accept

Risk appetite is the amount and type of risk an organization is willing to take on in pursuit of its objectives, set by senior leadership and the board. Risk tolerance is the acceptable deviation around that appetite for a specific objective or activity; risks that exceed tolerance must be treated by mitigation, transference, or avoidance rather than accepted.

22
Q

How do Deterrent Controls contribute to an organization’s security strategy?

A) providing immediate response to security incidents
B) discouraging potential attackers from targeting the organization
C) identifying and mitigating security vulnerabilities
D) establishing secure data backups and recovery plan

A

Discouraging potential attackers from targeting the organization

Deterrent controls discourage an attacker from attempting an action rather than physically or technically blocking it; examples are login warning banners, visible cameras, "this system is monitored" notices, and publicized sanctions in the acceptable use policy.

23
Q

What is the primary purpose of Corrective Controls in the realm of cybersecurity governance?

A) preventing potential security incidents
B) quickly responding to security incidents as they occur
C) correcting and mitigating the impact of security incidents
D) establishing robust access control measures

A

Correcting and mitigating the impact of security incidents

Corrective controls act after an incident to restore normal operation and limit damage; examples are restoring from backups, re-imaging a compromised host, and applying an emergency patch. Option B describes incident response activity in general, while detective controls identify incidents and preventive controls stop them beforehand.

24
Q

What role do Preventive Controls play in an organization’s security framework?

A) correcting and mitigating the impact of security incidents
B) identifying and alerting the presence of security incidents
C) blocking potential security incidents from occurring
D) establishing secure data backups and recovery plans

A

Blocking potential security incidents from occurring

Preventive controls stop an incident before it happens or lower its likelihood; examples are firewalls, multi-factor authentication, least-privilege access, and input validation. Option B describes detective controls and option A corrective controls; backups and recovery plans are corrective as well.

25
Q

In the context of security best practices, what does “Separation of Duties” aim to achieve?

A) assigning multiple duties to a single individual to maximize productivity
B) limiting an employee’s access to specific areas of the workplace
C) restricting an employee’s access to sensitive data and systems
D) dividing tasks among different individuals to prevent fraud and errors

A

Dividing tasks among different individuals to prevent fraud and errors

“Separation of Duties” ensures that critical functions are divided among multiple individuals to reduce the risk of fraud, errors, and misuse of power.

26
Q

How does an “Acceptable Use Policy” contribute to an organization’s security framework?

A) limiting access to specific work areas to certain employee roles
B) outlining guidelines for appropriate use of company resources and systems
C) implementing mandatory background checks for all employees
D) rotating employees through different job roles periodically

A

Outlining guidelines for appropriate use of company resources and systems

An Acceptable Use Policy defines acceptable behaviors regarding the use of company resources, systems, and information, reducing risks associated with improper use.

27
Q

Why is “Job Rotation” considered a valuable security measure within organizations?

A) preventing unauthorized access to company resources
B) ensuring employees clean their desk spaces regularly
C) limiting access to sensitive data through mandatory vacations
D) mitigating risks by rotating employees through different job responsibilities

A

Mitigating risks by rotating employees through different job responsibilities

Job Rotation helps reduce the risk of fraud, errors, and misuse by moving employees through various job roles, which provides cross-training and prevents potential abuse of access.

28
Q

How does the principle of “Clean Desk Space” contribute to an organization’s security measures?

A) reducing employee engagement by limiting personal desk items
B) limiting access to certain work areas to specific employee roles
C) ensuring employees regularly clean and organize their workstations
D) preventing unauthorized access to sensitive documents left on desks

A

Preventing unauthorized access to sensitive documents left on desks

The concept of a clean desk space involves ensuring sensitive information and documents are not left exposed, thus reducing the risk of unauthorized access to such materials.

29
Q

What is the primary aim of “Mandatory Vacation” within an organization’s security strategy?

A) providing employees time off for relaxation and stress reduction
B) limiting access to specific areas of the workplace to certain roles
C) ensuring sensitive roles are temporarily filled by other staff
D) preventing potential risks or fraud by requiring employees to take time off

A

Preventing potential risks or fraud by requiring employees to take time off

Mandatory vacations force someone else to perform an employee's duties for a period, which tends to surface fraud or concealed errors that depend on one person continuously controlling a process. It is a detective control and works best combined with job rotation and separation of duties.

30
Q

What does “Residual Risk” represent in the context of risk management?

A) the risk level after implementing risk controls
B) the initial risk level identified in a risk self-assessment
C) employee awareness of potential risks in the workplace
D) the inherent risks associated with a particular activity

A

The risk level after implementing risk controls

Residual risk represents the remaining level of risk after all applicable controls, safeguards, and mitigations have been applied.

31
Q

What is the primary goal of “Risk Control Self-Assessment” within an organization?

A) determining the inherent risks of specific activities
B) evaluating the effectiveness of control measures
C) assessing the residual risks after implementing controls
D) increasing employee awareness of workplace risks

A

B

Evaluating the effectiveness of control measures

The primary goal of Risk Control Self-Assessment is to assess and gauge the effectiveness of control measures in place to manage risks within the organization.

32
Q

What does “Annualized Loss Expectancy (ALE)” represent in a risk assessment?

A) the likelihood of occurrence of a specific risk over a year
B) the total potential loss from a specific risk in a year
C) the qualitative nature of a potential risk impact
D) the value assigned to a single occurrence of a potential risk

A

The total potential loss from a specific risk in a year

ALE is the expected annual loss from a specific risk, computed as ALE = SLE × ARO, where the single loss expectancy (SLE = asset value × exposure factor) is the loss from one occurrence and the annualized rate of occurrence (ARO) is how many times per year the event is expected. Options A and D describe ARO and SLE respectively.

33
Q

How is “Asset Value” defined in a risk assessment?

A) the monetary value of a specific risk occurrence
B) the overall worth of an organization’s physical and digital resources
C) the probability of a risk’s impact on the organization
D) the total value of all potential annual losses within an organization

A

B

The overall worth of an organization’s physical and digital resources

In quantitative risk analysis, asset value (AV) is the worth assigned to the asset being protected, including replacement cost, the revenue or operations it supports, and the liabilities its loss would create. It is the first input to the calculation: SLE = AV × EF, then ALE = SLE × ARO.
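
The following is an added example, not part of the original flashcards, that carries the formulas from cards 32 and 33 through to the decision a risk owner actually has to make: given the ALE of a risk, which candidate safeguards are worth funding (ALE before, minus residual ALE after the control, minus the control's annual cost), and what residual risk (card 30) remains. The asset values, exposure factors, rates of occurrence, and control costs are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE, residual risk and safeguard value.

Added example, not from the original flashcards. All figures below are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, with the inputs named on the flashcards."""
    name: str
    asset_value: float       # AV: worth of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float               # ARO: expected occurrences per year


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and how it changes the risk inputs once in place."""
    name: str
    annual_cost: float
    new_exposure_factor: float   # EF after the control is applied
    new_aro: float               # ARO after the control is applied


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return sle(risk.asset_value, risk.exposure_factor) * risk.aro


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied (the residual risk)."""
    treated = Risk(risk.name, risk.asset_value, control.new_exposure_factor, control.new_aro)
    return ale(treated)


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a safeguard: ALE_before - ALE_after - annual cost.

    Positive means the control pays for itself; negative means the organization
    is better off accepting the risk or finding a cheaper control.
    """
    return ale(risk) - residual_ale(risk, control) - control.annual_cost


def rank_controls(risk: Risk, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (control name, net value) for controls worth funding, best first.

    An empty list means none of the candidates beats accepting the risk.
    """
    scored = [(c.name, control_value(risk, c)) for c in controls]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed sample inputs (not from the original page).
RANSOMWARE = Risk(name="ransomware on file server", asset_value=500_000.0,
                  exposure_factor=0.6, aro=0.5)
CANDIDATES = [
    Control("offline backups + tested restore", annual_cost=40_000.0,
            new_exposure_factor=0.1, new_aro=0.5),
    Control("EDR + application allow-listing", annual_cost=60_000.0,
            new_exposure_factor=0.6, new_aro=0.1),
    Control("cyber insurance only", annual_cost=150_000.0,
            new_exposure_factor=0.2, new_aro=0.5),
]

if __name__ == "__main__":
    print(f"ALE before controls: {ale(RANSOMWARE):,.0f}")
    for name, value in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"{name}: net value {value:,.0f} per year")
```

With the sample figures the ALE is 150,000 per year; backups reduce the loss per event and are worth 85,000 net, endpoint controls reduce the frequency and are worth 60,000 net, and the insurance option costs more than the loss it removes, so it would be accepted only for reasons the numbers do not capture. Real inputs are estimates, so the ranking should be re-run with a range of EF and ARO values before a budget decision is made on it.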

34
Q

In the context of security training, what is the primary goal of a “Capture the Flag” exercise?

A) to capture sensitive information through network security breaches
B) to engage employees in a competitive outdoor team-building exercise
C) to simulate real-world cyber-attack scenarios for skill improvement
D) to test physical security measures within the workplace

A

C

To simulate real-world cyber-attack scenarios for skill improvement

Capture the Flag exercises simulate real-world cyber-attack scenarios, helping participants improve their skills and responses.

35
Q

How can “Phishing Campaigns” benefit an organization’s security preparedness?

A) by encouraging employees to share personal information to improve teamwork
B) by identifying and educating employees on recognizing and avoiding phishing attempts
C) by distributing email links for users to click and win prizes for engagement
D) by implementing random system shutdowns to test employee response time

A

By identifying and educating employees on recognizing and avoiding phishing attempts

Simulated phishing campaigns, run by the security team with management approval, measure how many employees click a link or submit credentials and direct follow-up training to those who do. Results are most useful as a trend across the organization and as a trigger for education rather than punishment; singling out individuals tends to discourage the reporting of actual phishing, which is the behaviour the exercise is meant to build.

36
Q

What should be included in a comprehensive third-party risk management plan?

A) legal disclaimers for liability
B) regular security audits of the organization
C) a process for onboarding new employees
D) assessment of third-party access and controls

A

Assessment of third-party access and controls

A comprehensive third-party risk management plan inventories which third parties have access to systems and data, assesses the controls they operate (through questionnaires, SOC 2 reports, or audits) before and during the relationship, sets contractual security requirements, and reviews access continuously, including revoking it when the relationship ends.

37
Q

Which type of System and Organization Controls (SOC) report is based on the design and suitability of controls at a specific point in time?

A) SSAE SOC 1 Type I
B) SSAE SOC 2 Type I
C) SSAE SOC 1 Type II
D) SSAE SOC 2 Type II

A

SSAE SOC 2 Type I

A Type I report assesses whether controls are suitably designed as of a specified date; a Type II report also tests whether they operated effectively over a period, typically six to twelve months, and is the one to ask for when relying on a provider. SOC 1 covers controls relevant to the customer's financial reporting, while SOC 2 covers the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). Both SOC 1 Type I and SOC 2 Type I are point-in-time reports, so the distinction this card tests is Type I versus Type II; SOC 2 is the intended answer because it is the report concerned with security controls.

38
Q

How does implementing account lockout policies contribute to credential security within an organization?

A) encourages employees to use simple passwords
B) prevents unauthorized access by limiting login attempts
C) ensures continuous access to all user accounts
D) allows unlimited login attempts without restriction

A

Prevents unauthorized access by limiting login attempts

Account lockout policies cap the number of consecutive failed login attempts within an observation window and then lock or throttle the account, which defeats online password guessing against a single account. Because an attacker who knows usernames can trigger lockouts deliberately to deny service to legitimate users, the threshold, lockout duration, and per-source rate limiting have to be chosen together, and lockout should never be the only defence against credential attacks: multi-factor authentication and screening for known-breached passwords do more.
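
The following is an added example, not part of the original flashcards, of the lockout logic just described: failures are counted only within a sliding window, the lock clears itself after a fixed duration, and a correct password presented while the account is locked is still refused (otherwise guessing could simply continue through the lock). Time is passed in as a number of seconds rather than read from the clock so the behaviour is deterministic; the threshold and durations are illustrative defaults.

```python
"""Account lockout with a sliding failure window and automatic expiry.

Added example, not from the original flashcards. Thresholds and durations are
illustrative; the policy takes the current time as a parameter so it can be
exercised without waiting.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Lock an account after `threshold` failures within `window_s` seconds.

    The lock lasts `lockout_s` seconds and then clears automatically, which
    bounds how long an attacker can keep a victim locked out per burst of
    deliberate failures (the denial-of-service caveat from the flashcard).
    """
    threshold: int = 5
    window_s: float = 15 * 60
    lockout_s: float = 15 * 60
    # per-account timestamps of recent failures, and lock expiry times
    _failures: dict[str, deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # lock expired: clear state so the failure counter starts fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed login; return True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        recent = self._failures[account]
        recent.append(now)
        # drop failures that have fallen outside the observation window
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_s
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """A correct password does not bypass an active lock; otherwise reset the counter."""
        if self.is_locked(account, now):
            return False
        self._failures.pop(account, None)
        return True


def attempt_login(policy: LockoutPolicy, account: str, password_ok: bool, now: float) -> str:
    """Apply the policy to one attempt: 'ok', 'denied', or 'locked'.

    The user-facing error message should be the same for 'denied' and 'locked'
    so that responses do not reveal which usernames exist.
    """
    if password_ok:
        return "ok" if policy.record_success(account, now) else "locked"
    return "locked" if policy.record_failure(account, now) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window_s=60, lockout_s=120)
    for t in (0, 10, 20):
        print(t, attempt_login(policy, "alice", password_ok=False, now=t))
    print(30, attempt_login(policy, "alice", password_ok=True, now=30))   # still locked
    print(150, attempt_login(policy, "alice", password_ok=True, now=150))  # lock expired
```

A production implementation would keep this state in a shared store rather than process memory, count failures per source address as well as per account, and prefer progressive delays or CAPTCHA challenges over hard locks for consumer-facing systems where deliberate lockouts are a realistic abuse case.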

39
Q

What type of risk involves potential financial loss due to the inability to recover from a disaster or unexpected event?

A) operational risk
B) compliance risk
C) business continuity risk
D) legal risk

A

Business continuity risk

Business continuity risk refers to the potential financial loss resulting from an organization’s inability to recover from a disaster or unexpected event.

40
Q

What type of risk is associated with the potential financial loss due to human errors, fraud, or intentional sabotage within an organization?

A) compliance risk
B) human error risk
C) operational risk
D) financial risk

A

Operational risk

Operational risk involves potential financial loss resulting from human errors, fraud, or deliberate sabotage within an organization.