ISC Deck 4 multi-unit

Question 1

Which of the following NIST Privacy Framework Core functions focuses on understanding organizational risk tolerance?

Answer 1

Govern-P

Question 2

Which of the following NIST Privacy Framework Core functions focuses on understanding organizational risk tolerance?

Answer 2

Data loss prevention (DLP)

Question 3

NIST SP 800-53 is designed to help organizations select, design, and implement security and privacy controls. Which of the following questions does it not seek to address?

Answer 3

How can control costs be minimized while while still achieving maximum cybersecurity efficiency?

Question 4

What is risk?

Answer 4

A measure of the extent to which an entity is threatened by a potential circumstance or event.

Question 5

What is the risk determination step in cyber risk assessment?

Answer 5

The step combines the likelihood and impact assessments to determine the overall risk associated with a potential threat.

Question 6

What is the difference between privacy and confidentiality?

Answer 6

Privacy is a matter of restricting access to information about individuals.
Confidentiality involves protecting data from disclosure to unauthorized parties.

Question 7

Which system relieves parties from the need to establish their own pairs of keys when they want to communicate securely?

Answer 7

Public-key infrastructure

Question 8

What is the difference between public-key encryption from symmmetric key encryption?

Answer 8

Public-key (asymmetric) encryption occurs when communicating parties create a pair of keys, one of which is made public while the other is kept secret.
Symmetric encryption occurs when the communicating parties agree to the use of a single private key.

Question 9

What does a coded electronic certificate that the certificate authority create contain?

Answer 9

1) the holder’s name
2) its public key
3) a serial number
4) an expiration date
NOTE: The Certificate authority makes its own public key widely available.

Question 10

Which cyber risk assessment step include the determination of the overall risk associated with a potential threat?

Answer 10

Risk determination - it combines the likelihood & impact assessments to determine overall risk

Question 11

Which does NIST SP 800-53 not address?

Answer 11

It does not address minimization of control costs while achieving max cybersecurity efficiency

Question 12

What is a security incident?

Answer 12

A security event is a violation of computer security policies, acceptable use policies, or standard security practices. It is considered a potential exposure. Incidents do not happen all the time ex data breaches

Question 13

What is an event In IT security?

Answer 13

An event is any observable change in a system or network that might lead to an incident or breach. It does not immediately denote a policy violation. Events are everyday occurrences.

Question 14

What is an Adverse opinion?

Answer 14

An opinion when a misstatement is BOTH Material and Pervasive.

Question 15

What is Disclaimer of opinion?

Answer 15

When the service auditor is unable to obtain sufficient appropriate evidence (Scope limitation)

Question 16

What is an Unqualified (clean) opinion?

Answer 16

When there are no material misstatements.

Question 17

What is a Qualified opinion?

Answer 17

When the effect of misstatements are Material but NOT Pervasive.

Question 18

According to the Center for Internet Security (CIS), what should the configuration of data access control lists be based upon?

Answer 18

A user’s Need to Know

Question 19

What are the typical responsibilities osf the treasury/financing cycle

Answer 19

1) Investing funds
2) Compliance with debt covenants
3) Obtaining and repaying capital
NOTE: It does not oversee daily cash receipts and disbursements

Question 20

NIST SP 800-53 establishes controls for which applicable parties?

Answer 20

Systems & individuals

Question 21

In a flowchart which symbol would indicate that someone inputs a transaction or receives information?

Answer 21

A video display symbol

Question 22

In the cash disbursements process, what action takes place before the check is prepared, signed, and mailed?

Answer 22

The supplier invoice is matched to the purchase order and receiving report to prepare a payment voucher.

Question 23

In the realm of cybersecurity, how do threat agents exploit race condition vulnerabilities within computing systems?

Answer 23

By using code injection to add unauthorized steps into the process sequence of a trusted operation.

NOTE: Race condition attacks exploit situations where computing systems perform tasks in specific sequences.

Question 24

How should the concept of materiality be factored into an auditor’s opinion?

Answer 24

Materiality should be evaluated in the context of the common information needs of a broad range of user entities and their auditors.

Question 25

Which is not a cloud-unique cybersecurity risk associated with a cloud service provider’s (CSP) implementation of a cloud computing environment?

Answer 25

The compromise of the PKI due to lack of segregation of duties over the issuance and use of certificates is a risk generally applicable to cloud computing platforms and is not unique to a CSP’s implementation of a cloud environment.

Question 26

What is the role of cloud service providers (CSPs) in resource provisioning for cloud computing services?

Answer 26

CSPs provision and allocate computing resources to customers based on their needs and within contract limitations.

Question 27

What is a data center in the context of IT systems?

Answer 27

A data center is a dedicated facility or infrastructure where an organization houses and operates its computer systems.