Module 15: Risk Management & Data Privacy Q Flashcards
Which control discourages security violations before their occurrence?
Deterrent control
A deterrent control attempts to discourage security violations before they occur
The risk of DDoS attacks, SQL injection attacks, phishing, etc., is classified under which threat category?
Technical
Technical threats are events that affect information technology systems
Under which of the following types of risk would an organization being impacted by an upstream organization’s vulnerabilities be classified?
Multiparty risk
Multiparty risk is the impact that one organization’s vulnerabilities can have on other organizations connected to it
You are the cybersecurity chief of an enterprise. A risk analyst new to your company has come to you about a recent report compiled by the team’s lead risk analyst. According to the new analyst, the report overemphasizes the risk posed by employees who currently have broad network access and puts too much weight on the suggestion to immediately limit user access as much as possible. According to the new analyst, not only does the report not mention the risk posed by a hacktivist group that has successfully attacked other companies in the same industry, it doesn’t mention data points related to those breaches and your company’s risk of being a future target of the group.
How should you address this issue so that future reports and risk analyses are more accurate and cover as many risks as needed?
You should implement risk control self-assessment
Risk control self-assessment (RCSA) is an “empowering” methodology that limits unconscious biases by having management and staff at all levels collectively work to identify and evaluate risks
Which of the following can be done to obfuscate sensitive data?
Masking
Data masking involves creating a copy of the original data by obfuscating any sensitive elements
Your company has hired a contractor to build fences surrounding the office building perimeter and install signs that say “premises under 24-hour video surveillance.” When do these controls occur?
The fence and the signs should both be installed before an attack
Perimeter fences are a physical control, and surveillance camera warnings are a deterrent control. Both of these control types occur before an attack
Several quantitative tools like mean time between failure (MTBF), mean time to recovery (MTTR), mean time to failure (MTTF), and failure in time (FIT) can be used to predict the likelihood of the risk. Which of these tools perform similar functions?
MTBF and FIT
The mean time between failure (MTBF) calculates the average (mean) amount of time until a component fails, cannot be repaired, and must be replaced. The failure in time (FIT) calculation is another way of reporting MTBF. FIT can report the number of expected failures per one billion hours of operation for a device
In a security review meeting, you are asked to calculate the single loss expectancy (SLE) of an enterprise building worth $100,000,000, 75% of which is likely to be destroyed by a flood. Flood insurance data suggest that a severe flood is likely to occur once every 100 years. Which formula should you use to calculate the SLE?
100,000,000 * 0.75
Single loss expectancy is calculated by multiplying the asset value (100,000,000) by the exposure factor (0.75)
Which of the following types of risk control occurs during an attack?
Detective control
A detective control is used to identify an attack while the attack is occurring
Which risk remains after additional controls are applied?
Residual risk
Residual risk is the risk level that remains after additional controls are applied
In a security review meeting, you are asked to implement a detective control to ensure enhanced security during an attack. Which of the following actions should you take?
Install motion detection sensors in strategic areas
Installing motion detection sensors is a detective control that can identify threats that have reached the system
In 2016, your enterprise issued an end-of-life notice for a product. In 2020, an end-of-service notice was issued for the same product. What does this mean?
Your company stopped manufacturing a product in 2016, and all maintenance services for the product stopped in 2020
An end-of-life notice is issued when a company stops manufacturing a product, and an end-of-service notice is issued when a company stops all support for the product
In an interview, you are asked to explain how gamification contributes to enterprise security. How should you reply?
Instructional gaming can train employees on the details of different security risks while keeping them engaged
Gamification is the process of using game-based scenarios for instruction. Security training can often include gamification in an attempt to heighten the interest and retention of the learner
You are the chief security administrator in your enterprise. You are asked to train every employee, from top-level officers to front gate security officers, to make them aware of various security risks. Which of the following training techniques should you use?
Role-based awareness training
Role-based training involves specialized training customized to the specific role that an employee holds in the organization. This technique best fits in this scenario because so many different levels of employees are involved
What does the end-of-service notice indicate?
The enterprise will no longer offer support services for a product
End-of-service (EOS) indicates the end of support when the manufacturer quits selling a piece of equipment and no longer provides maintenance services or updates after a specific date