Module 15 Flashcards
Angelo has received notification that a business partner will no longer sell or update a specific product. What type of notification is this?
EOL
EOS
EOP
EOA
End of life (EOL) is a term used by a manufacturer to indicate that a product has reached the end of its “useful life” and the manufacturer will no longer market, sell, or update it after a specified date. The manufacturer may still offer maintenance options but at a premium price.
Which of the following threats would be classified as the actions of a hacktivist?
Compliance threat
Environmental threat
Internal threat
External threat
An external threat originates outside the organization; a hacktivist group attacking over the Internet is a typical example.
Simona needs to research a control that attempts to discourage security violations before they occur. Which control will she research?
Preventive control
Deterrent control
Corrective control
Detective control
A deterrent control attempts to discourage security violations before they occur.
Which of the following is not a legally enforceable agreement but is still more formal than an unwritten agreement?
BPA
MSA
MOU
SLA
A memorandum of understanding (MOU) describes an agreement between two or more parties. It demonstrates a “convergence of will” between the parties so that they can work together. An MOU generally is not a legally enforceable agreement but is more formal than an unwritten agreement.
Which of the following control categories includes conducting workshops to help users resist phishing attacks?
Managerial
Operational
Technical
Administrative
Operational controls are carried out by people in day-to-day procedures rather than enforced by technology, so security awareness workshops (such as phishing-resistance training) fall into this category.
You are assigned to destroy the data stored in electrical storage by degaussing. You need to ensure that the drive is destroyed. What should you do before degaussing so that the destruction can be verified?
You should burn the disk before degaussing.
You should perform data masking before degaussing.
You should wipe the data before degaussing.
You should delete the data before degaussing.
Wiping overwrites every sector of the disk with zeros or random data. Because a wiped drive can still be read back, the wipe can be verified (for example, by confirming that every sector reads as zeros) before degaussing renders the drive unreadable and removes any way to check the result.
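As an added example (not part of the flashcard set), the following Python script performs the wipe-then-verify step described above on a constructed stand-in for a drive: a temporary file of random bytes. The pass count and chunk size are assumptions. On a real drive the same functions would be pointed at the block device and run with the privileges needed to open it; on solid-state media an overwrite may not reach every cell because of wear levelling, so the device's own sanitize command is the right tool there.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces (assumed size)


def _target_size(f) -> int:
    """Size of a regular file or block device: seek to the end and read the offset."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def _write_all(f, data: bytes) -> None:
    """Write the whole buffer, looping on short writes from the raw file object."""
    view = memoryview(data)
    while view:
        written = f.write(view)
        view = view[written:]


def overwrite(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file or block device at `path` in place.

    Earlier passes use random data; the final pass writes zeros so the result
    can be checked against a known pattern. Returns the number of bytes
    written per pass.
    """
    with open(path, "r+b", buffering=0) as f:
        size = _target_size(f)
        for p in range(passes):
            final = p == passes - 1
            f.seek(0)
            done = 0
            while done < size:
                n = min(CHUNK, size - done)
                _write_all(f, b"\x00" * n if final else os.urandom(n))
                done += n
            os.fsync(f.fileno())  # force the data out of the OS cache
    return size


def verify_zeroed(path: str) -> bool:
    """Read the whole target back and confirm nothing but zeros remains."""
    with open(path, "rb", buffering=0) as f:
        size = _target_size(f)
        checked = 0
        while checked < size:
            block = f.read(min(CHUNK, size - checked))
            if not block or block != b"\x00" * len(block):
                return False
            checked += len(block)
    return True


def wipe_and_verify(path: str, passes: int = 1) -> bool:
    """Wipe, then verify by read-back; only a verified wipe counts as done."""
    overwrite(path, passes)
    return verify_zeroed(path)


def demo() -> tuple:
    """Run the procedure on a constructed stand-in for a drive (a temporary
    file of ~3 MiB of random bytes). Returns (verified_before, verified_after).
    """
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(3 * CHUNK + 123))  # constructed sample contents
        path = tmp.name
    try:
        return verify_zeroed(path), wipe_and_verify(path, passes=2)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print(f"verified before wipe: {before}, after wipe: {after}")
```

The verification pass is the point of the exercise: `verify_zeroed` fails on the untouched random file and passes only after the final zero pass, which is the evidence you record before handing the drive to the degausser.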
Which of the following methods can be used to destroy data on paper?
Pulping
Masking
Degaussing
Wiping
Pulping breaks paper back into wood cellulose fibers after the ink is removed.
You are the cybersecurity chief of an enterprise. A risk analyst new to your company has come to you about a recent report compiled by the team’s lead risk analyst. According to the new analyst, the report overemphasizes the risk posed by employees who currently have broad network access and puts too much weight on the suggestion to immediately limit user access as much as possible. According to the new analyst, not only does the report not mention the risk posed by a hacktivist group that has successfully attacked other companies in the same industry, it doesn’t mention data points related to those breaches and your company’s risk of being a future target of the group.
How should you address this issue so that future reports and risk analyses are more accurate and cover as many risks as needed?
You should implement mean time between failure.
You should implement qualitative risk assessment.
You should implement risk control self-assessment.
You should implement quantitative risk assessment.
Risk control self-assessment (RCSA) is an “empowering” methodology that limits unconscious biases by having management and staff at all levels collectively work to identify and evaluate risks.
Which of the following types of risk would organizations being impacted by an upstream organization’s vulnerabilities be classified as?
Legacy risk
External risk
Multiparty risk
Multi-network risk
Multiparty risk is the impact that one organization’s vulnerabilities can have on other organizations connected to it.
What does the end-of-service notice indicate?
The enterprise will no longer offer support services for a product.
The service-level agreement with a vendor has expired.
The nondisclosure agreement with a service vendor has expired.
The enterprise is halting the manufacturing of a product.
End-of-service (EOS) indicates the end of support: after a specified date the manufacturer no longer provides maintenance services or updates for the product, even if it is still in use.
You were hired by a social media platform to analyze different user concerns regarding data privacy. After conducting a survey, you found that the concern of a majority of users is personalized ads. Which of the following should you mention in your report as a major concern?
Statistical inferences
Identity theft
Associations with groups
Individual inconveniences
Individual inconveniences. Personalized ads built from collected data are a direct nuisance to the individual user, as opposed to the other listed concerns of identity theft, association with groups, or statistical inferences drawn from the data.
Which risk remains after additional controls are applied?
Control risk
Internal risk
Inherent risk
Residual risk
Residual risk is the risk level that remains after additional controls are applied.
In an interview, you are asked to differentiate between data protection and data privacy. How should you differentiate between data protection and data privacy?
Data protection secures data against unauthorized access, while data privacy secures data against authorized access.
Data protection involves unauthorized data access, while data privacy secures data against authorized access.
Data protection involves securing data against unauthorized access, while data privacy is concerned with authorized data access.
Data protection secures data against authorized access, while data privacy involves unauthorized data access.
Data protection secures data against unauthorized access, and data privacy makes data accessible only to authorized persons.
The protection of which of the following data type is mandated by HIPAA?
Health information
Personally identifiable information
Proprietary data
Public data
The Health Insurance Portability and Accountability Act (HIPAA) mandates that protected health information is kept secure.
What should be done when the information life cycle of the data collected by an organization ends?
Protect the data
Tokenize the data
Mask the data
Destroy the data
When the information life cycle ends, data should be destroyed.
What is a list of potential threats and associated risks?
Risk portfolio
Risk matrix
Risk assessment
Risk register
A risk register is a list of potential threats and associated risks. Often shown as a table, a risk register can help provide a clear snapshot of vulnerabilities and risks.
Which of the following data types has the highest level of data sensitivity?
Private
Sensitive
Confidential
Secure
Confidential is the highest of the data sensitivity levels listed; "secure" is not a sensitivity classification.
Which of the following uses data anonymization?
Data obfuscation sanitization (DOS)
Data minimization
Data masking
Tokenization
Data masking creates a copy of the original data in which any sensitive elements, such as a user's name or Social Security number, are obfuscated (made unintelligible). Masking should replace all actual information that is not absolutely required. Because the sensitive elements are replaced rather than encrypted or mapped, there is no means of reversing the process to restore the original data, which is why masking is also called data anonymization. Tokenization, by contrast, keeps the original value in a vault so that a token can be reversed.
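An added example, not from the flashcard set, showing the distinction in Python: a masked copy cannot be turned back into the original record, while a tokenized value can be reversed through the vault. The record fields and sample values are constructed for illustration.

```python
import re
import secrets

# Constructed sample record; the field names are an assumption for illustration.
SAMPLE = {
    "name": "Jane Q. Example",
    "ssn": "123-45-6789",
    "email": "jane.example@example.com",
    "plan": "gold",  # not sensitive, left untouched by masking
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Irreversibly mask an SSN, keeping only the format and the last four digits."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN in NNN-NN-NNNN form")
    return "XXX-XX-" + ssn[-4:]


def mask_record(record: dict) -> dict:
    """Return a masked copy: every sensitive element replaced, the rest kept."""
    masked = dict(record)  # work on a copy; the original is not modified
    masked["name"] = "REDACTED"
    masked["ssn"] = mask_ssn(record["ssn"])
    _local, _, domain = record["email"].partition("@")
    masked["email"] = "user@" + domain  # domain kept, identifying part removed
    return masked


def contains_original(masked: dict, original: dict) -> bool:
    """True if any full original sensitive value survives anywhere in the copy."""
    blob = " ".join(str(v) for v in masked.values())
    return any(original[k] in blob for k in ("name", "ssn", "email"))


class TokenVault:
    """Tokenization keeps a vault mapping random tokens back to the originals,
    so unlike masking it can be reversed by anyone with access to the vault."""

    def __init__(self) -> None:
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:  # same value always yields the same token
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    print("masked:", mask_record(SAMPLE))
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE["ssn"])
    print("token:", tok, "-> detokenized:", vault.detokenize(tok))
```

The assertion worth noticing is that two different SSNs ending in the same four digits mask to the same string: information has been destroyed, which is exactly what makes masking irreversible and the vault necessary for tokenization.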
After reviewing the data collection procedures in your organization, a court ordered you to issue a document that specifies how the organization uses the collected personal information. This document must be displayed to the user before allowing them to share personal data. Which of the following documents should you prepare?
Data minimization
Terms of agreement
Pseudo-anonymization
Privacy notice
A privacy notice outlines how an organization uses the personal information it collects.
When your enterprise’s collected data information life cycle ended, you were asked to destroy the data stored on magnetic storage devices. Which of the following techniques should you use to destroy the data?
Pulverize the data
Degauss the data
Shred the data
Delete the data
Degaussing permanently destroys the data on the entire magnetic drive by reducing or eliminating its magnetic field, and it leaves the drive itself unusable. It has no effect on solid-state (flash) storage.
Several quantitative tools like mean time between failure (MTBF), mean time to recovery (MTTR), mean time to failure (MTTF), and failure in time (FIT) can be used to predict the likelihood of the risk. Which of these tools perform similar functions?
MTBF and MTTF
MTBF and FIT
FIT and MTTR
MTTF and MTTR
Mean time between failure (MTBF) is the average (mean) operating time between failures of a component. Failure in time (FIT) reports the same reliability figure the other way round: the expected number of failures per one billion (10^9) hours of operation, so FIT = 10^9 / MTBF (in hours). Because they express the same quantity, MTBF and FIT perform similar functions.
Your company has hired a contractor to build fences surrounding the office building perimeter and install signs that say “premises under 24-hour video surveillance.” When do these controls occur?
The fence should be built before an attack, and the signs erected after an attack
The fence should be built after an attack, and the signs installed before an attack
The fence and the signs should both be installed after an attack
The fence and the signs should both be installed before an attack
A perimeter fence is a physical control, and a surveillance-camera warning sign is a deterrent control. Both types of control are put in place before an attack.
In 2016, your enterprise issued an end-of-life notice for a product. In 2020, an end-of-service notice was issued for the same product. What does this mean?
The product’s expected lifetime ended in 2016, and it was removed from all enterprise services in 2020.
The product manufactured by your company expired in 2016, and it stopped functioning in 2020.
Your company stopped manufacturing a product in 2016, and all maintenance services for the product stopped in 2020.
All legacy systems in your enterprise were prevented from functioning in 2016 and completely replaced in 2020.
An end-of-life notice is issued when a company stops manufacturing and selling a product; an end-of-service notice is issued when it stops all support (maintenance and updates) for the product.