Module 15: Risk Management & Data Privacy Q Flashcards
Which control discourages security violations before their occurrence?
Deterrent control
A deterrent control attempts to discourage security violations before they occur
The risk of DDoS attacks, SQL injection attacks, phishing, etc., is classified under which threat category?
Technical
Technical threats are events that affect information technology systems
An organization being impacted by an upstream organization’s vulnerabilities is an example of which type of risk?
Multiparty risk
Multiparty risk is the impact that one organization’s vulnerabilities can have on other organizations connected to it
You are the cybersecurity chief of an enterprise. A risk analyst new to your company has come to you about a recent report compiled by the team’s lead risk analyst. According to the new analyst, the report overemphasizes the risk posed by employees who currently have broad network access and puts too much weight on the suggestion to immediately limit user access as much as possible. According to the new analyst, not only does the report not mention the risk posed by a hacktivist group that has successfully attacked other companies in the same industry, it doesn’t mention data points related to those breaches and your company’s risk of being a future target of the group.
How should you address this issue so that future reports and risk analyses are more accurate and cover as many risks as needed?
You should implement risk control self-assessment
Risk control self-assessment (RCSA) is an “empowering” methodology that limits unconscious biases by having management and staff at all levels collectively work to identify and evaluate risks
Which of the following can be done to obfuscate sensitive data?
Masking
Data masking creates a copy of the original data in which the sensitive elements have been obfuscated, so the copy can be used (for testing or analysis, for example) without exposing the original values
Your company has hired a contractor to build fences surrounding the office building perimeter and install signs that say “premises under 24-hour video surveillance.” When do these controls occur?
The fence and the signs should both be installed before an attack
Perimeter fences are a physical control, and surveillance camera warning signs are a deterrent control. Both of these control types take effect before an attack
Several quantitative tools like mean time between failures (MTBF), mean time to recovery (MTTR), mean time to failure (MTTF), and failure in time (FIT) can be used to estimate the likelihood of a risk. Which two of these tools perform similar functions?
MTBF and FIT
Mean time between failures (MTBF) is the average (mean) operating time between failures of a component. Failure in time (FIT) is another way of reporting the same failure rate: the number of failures expected per one billion hours of operation, so FIT = 1,000,000,000 / MTBF (with MTBF in hours). MTTF is the corresponding figure for a component that cannot be repaired and must be replaced, and MTTR is the average time needed to restore service after a failure
In a security review meeting, you are asked to calculate the single loss expectancy (SLE) of an enterprise building worth $100,000,000, 75% of which is likely to be destroyed by a flood. Flood insurance data suggest that a severe flood is likely to occur once every 100 years. Which formula should you use to calculate the SLE?
100,000,000 * 0.75
Single loss expectancy is the asset value (100,000,000) multiplied by the exposure factor (0.75, the fraction of the asset destroyed in one event). The "once every 100 years" figure is the annualized rate of occurrence (ARO = 0.01); it is not part of the SLE and is only used when the SLE is converted to an annualized loss expectancy (ALE = SLE × ARO)
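The MTBF/FIT and SLE cards above both come down to a handful of formulas. The following Python module, an added example that is not part of the original flashcard set, carries the flashcard's flood figures through to ALE, converts between MTBF and FIT in both directions, and adds two things a risk analyst would want next: the yearly failure probability implied by an MTBF (under the usual constant-failure-rate assumption) and a cost/benefit test for a proposed control. The control cost in the test is a constructed value.

```python
"""Quantitative risk calculations for the MTBF/FIT and SLE flashcards.

Added example, not part of the original flashcard set. The formulas are the
standard textbook ones; the flood figures are the flashcard's, and the
control cost used in the worked case is a constructed value.
"""
import math

HOURS_PER_YEAR = 8760


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    The exposure factor is the fraction of the asset lost in one event,
    so it must lie in [0, 1]; "75% destroyed" is 0.75, not 75.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO from 'once every N years'; a 100-year flood gives 0.01 per year."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss to budget for per year."""
    return sle * aro


def control_is_worthwhile(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost/benefit test: a control pays off when the ALE it removes exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_cost


def mtbf_to_fit(mtbf_hours: float) -> float:
    """FIT (failures in time) = expected failures per 1e9 device-hours.

    FIT and MTBF report the same failure rate in different units, which is
    why the flashcard pairs them: FIT = 1e9 / MTBF (MTBF in hours).
    """
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return 1e9 / mtbf_hours


def fit_to_mtbf(fit: float) -> float:
    """Inverse of mtbf_to_fit; round-trips for positive inputs."""
    if fit <= 0:
        raise ValueError("FIT must be positive")
    return 1e9 / fit


def annual_failure_probability(mtbf_hours: float) -> float:
    """Probability of at least one failure in a year, assuming a constant
    failure rate (exponential model): 1 - exp(-hours_per_year / MTBF).

    A component with a 1,000,000 h MTBF still fails with ~0.9% probability
    each year, so a fleet of 1000 such devices expects ~9 failures a year.
    """
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    return 1.0 - math.exp(-HOURS_PER_YEAR / mtbf_hours)


def flood_case() -> dict:
    """The flashcard's flood scenario carried through from SLE to ALE."""
    sle = single_loss_expectancy(100_000_000, 0.75)
    aro = annualized_rate_of_occurrence(100)
    return {"SLE": sle, "ARO": aro, "ALE": annualized_loss_expectancy(sle, aro)}


if __name__ == "__main__":
    print(flood_case())
    print("FIT for MTBF 1,000,000 h:", mtbf_to_fit(1_000_000))
    print("annual failure probability:", round(annual_failure_probability(1_000_000), 5))
```

The exposure-factor check matters in practice: the most common mistake with the SLE formula is feeding in the percentage (75) instead of the fraction (0.75), which silently inflates the result by a factor of 100.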
Which of the following types of risk control occurs during an attack?
Detective control
A detective control is used to identify an attack while it is occurring
Which risk remains after additional controls are applied?
Residual risk
Residual risk is the risk level that remains after additional controls are applied
In a security review meeting, you are asked to implement a detective control to ensure enhanced security during an attack. Which of the following actions should you take?
Install motion detection sensors in strategic areas
Installing motion detection sensors is a detective control that can identify threats that have reached the system
In 2016, your enterprise issued an end-of-life notice for a product. In 2020, an end-of-service notice was issued for the same product. What does this mean?
Your company stopped manufacturing a product in 2016, and all maintenance services for the product stopped in 2020
An end-of-life notice is issued when a company stops manufacturing a product, and an end-of-service notice is issued when a company stops all support for the product
In an interview, you are asked to explain how gamification contributes to enterprise security. How should you reply?
Instructional gaming can train employees on the details of different security risks while keeping them engaged
Gamification is the process of using game-based scenarios for instruction. Security training can often include gamification in an attempt to heighten the interest and retention of the learner
You are the chief security administrator in your enterprise. You are asked to train every employee, from top-level officers to front gate security officers, to make them aware of various security risks. Which of the following training techniques should you use?
Role-based awareness training
Role-based training involves specialized training customized to the specific role that an employee holds in the organization. This technique best fits in this scenario because so many different levels of employees are involved
What does the end-of-service notice indicate?
The enterprise will no longer offer support services for a product
End-of-service (EOS) indicates the end of support when the manufacturer quits selling a piece of equipment and no longer provides maintenance services or updates after a specific date
Your enterprise’s employees prefer a kinesthetic learning style for increasing their security awareness. How should you train them?
Give employees a hands-on experience of various security constraints
Hands-on approaches are good for kinesthetic learning, which is preferred by the employees
How do phishing simulations contribute to enterprise security?
Phishing simulations train employees on how to recognize phishing attacks
Phishing simulations can be used to help employees recognize phishing emails and counteract phishing attacks
In an interview, you are asked to differentiate between data protection and data privacy. How should you differentiate between data protection and data privacy?
Data protection involves securing data against unauthorized access, while data privacy is concerned with authorized data access
Data protection secures data against unauthorized access, and data privacy makes data accessible only to authorized persons
You were hired by a social media platform to analyze different user concerns regarding data privacy. After conducting a survey, you found that the concern of a majority of users is personalized ads. Which of the following should you mention in your report as a major concern?
Individual inconveniences
User concerns with using personal data for personalized ads are individual inconveniences
Why can the accuracy of data collected from users not be verified?
Users have no right to correct or control the information gathered
The accuracy of data cannot be verified because the users have no right to correct or control what information is gathered
Which data category can be accessed by any current employee or contractor?
Proprietary
Proprietary data belongs to the enterprise and can be made available to any current employee or contractor
In a security review meeting, you are asked to appropriately handle the enterprise’s sensitive data. How should you configure the security of the data?
Give access only to employees who need and have been approved to access it
Access to sensitive data is only given to employees who have a business need for accessing the data and have been approved
The protection of which of the following data type is mandated by HIPAA?
Health information
The Health Insurance Portability and Accountability Act (HIPAA) mandates that protected health information is kept secure
Which of the following is NOT a method for destroying data stored on paper media?
Degaussing
Degaussing permanently destroys an entire magnetic drive by reducing or eliminating the magnetic field
When your enterprise’s collected data information life cycle ended, you were asked to destroy the data stored on magnetic storage devices. Which of the following techniques should you use to destroy the data?
Degauss the data
Degaussing permanently destroys the entire magnetic drive by reducing or eliminating the magnetic field
You are assigned to destroy the data stored on magnetic storage by degaussing. You need to ensure that the data is destroyed. What should you do before degaussing so that the destruction can be verified?
You should wipe the data before degaussing
Wiping overwrites the disk space with zeroes or random data. Because the overwritten sectors can be read back and compared with the pattern that was written, the destruction can be verified. A degaussed drive usually cannot be read at all, so this check has to happen before degaussing
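The wipe-then-verify step described above, as an added example that is not part of the original flashcard set: the script overwrites a target with random data, then with zeros, forces the writes to the media, and then reads everything back to confirm that only zeros remain, recording a before/after content digest for the destruction log. It writes through whatever path it is given; on a regular file it wipes that file, and on a block device (such as /dev/sdX, run as root) it wipes the whole device. The sample file it creates for the demonstration is constructed content.

```python
"""Overwrite-then-verify before degaussing.

Added example for the wipe-before-degauss flashcard; not part of the
original set. It writes through a path opened read/write; pointed at a
block device (e.g. /dev/sdX, as root) it wipes the whole device. The
sample file contents are constructed.
"""
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20                    # 1 MiB per write
SAMPLE_SIZE = 3 * CHUNK + 12345    # deliberately not a multiple of CHUNK


def _digest(f, size: int) -> str:
    """SHA-256 of the first `size` bytes. The size is passed explicitly
    because a block device does not report a length via os.path.getsize."""
    f.seek(0)
    h = hashlib.sha256()
    remaining = size
    while remaining:
        buf = f.read(min(CHUNK, remaining))
        if not buf:
            raise IOError("short read while hashing")
        h.update(buf)
        remaining -= len(buf)
    return h.hexdigest()


def _overwrite(f, size: int, pattern) -> None:
    """One full pass over the target; pattern(n) returns the n bytes to write."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(pattern(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())   # the pass must reach the media, not just the page cache


def wipe_and_verify(path: str, random_passes: int = 1) -> dict:
    """Overwrite `path` with random data, then zeros, and read it back.

    `verified` is True only when every byte reads back as zero after the
    final pass. Caveat: through a filesystem this does not touch remapped
    sectors, journal copies or SSD over-provisioned blocks; for magnetic
    media wipe the block device itself, and for flash use the drive's own
    sanitize command.
    """
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        before = _digest(f, size)
        for _ in range(random_passes):
            _overwrite(f, size, secrets.token_bytes)
        _overwrite(f, size, bytes)     # bytes(n) is n zero bytes
        # Verification pass: an independent read-back of what is now on the media.
        f.seek(0)
        remaining = size
        all_zero = True
        while remaining:
            buf = f.read(min(CHUNK, remaining))
            if not buf or any(buf):
                all_zero = False
                break
            remaining -= len(buf)
        after = _digest(f, size)
    return {
        "bytes": size,
        "digest_before": before,
        "digest_after": after,
        "verified": all_zero,
    }


def make_sample_file() -> str:
    """Create a temporary file of constructed non-zero content; returns its path."""
    fd, path = tempfile.mkstemp(prefix="wipe_demo_")
    with os.fdopen(fd, "wb") as f:
        f.write(secrets.token_bytes(SAMPLE_SIZE))
    return path


def demo() -> dict:
    """Create a sample file, wipe it, remove it, and return the report."""
    path = make_sample_file()
    try:
        return wipe_and_verify(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Keep the returned report (size, digests, result) with the destruction record: it is the evidence that the verification was actually performed on that media before the drive went into the degausser.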
How does pseudo-anonymization contribute to data privacy?
Pseudo-anonymization replaces sensitive identifying elements with artificial identifiers
Pseudo-anonymization (pseudonymization) replaces the identifying elements of a record with artificial identifiers so that the data can still be processed without exposing who it refers to. Unlike masking it is reversible, but only with additional information that is held separately from the pseudonymized data
After reviewing the data collection procedures in your organization, a court ordered you to issue a document that specifies how the organization uses the collected personal information. This document must be displayed to the user before allowing them to share personal data. Which of the following documents should you prepare?
Privacy notice
A privacy notice is a document that outlines how an organization uses the personal information it collects
Which of the following methods can be used to destroy data on paper?
Pulping
Pulping breaks paper back into wood cellulose fibers after the ink is removed
What should be done when the information life cycle of the data collected by an organization ends?
Destroy the data
When the information life cycle ends, data should be destroyed