Objective 5 Flashcards

1
Q

Which of the following terms refers to the specific laws and regulations set by a country’s government that dictate how the personal data of its citizens should be collected, stored, and processed?

General Data Protection Regulation (GDPR)
Consent management
National legal implications
Data encryption

A

National legal implications are laws and regulations set at the country level that outline the requirements and boundaries for data protection and privacy.

Consent management is a process that ensures organizations obtain and manage the consent of individuals before collecting or processing their personal data. Data encryption is a method used to protect data from unauthorized access by converting it into a code. The GDPR is a regulation enacted by the European Union to ensure data protection and privacy for all its citizens.

2
Q

What term refers to an organization’s predetermined level of acceptable risk exposure?

Risk tolerance
Risk appetite
Exposure factor
Conservative

A

Risk tolerance refers to an organization’s predetermined level of acceptable risk exposure.

It represents the extent to which an organization is willing to tolerate potential risks before taking action to mitigate or avoid them. The exposure factor is a calculation that determines the amount of value that is lost if an event takes place. It doesn’t measure an organization’s level of acceptable risk exposure. The term “conservative” is not directly related to risk management. In financial contexts, it may refer to a risk-averse approach or cautious decision-making. While similar to risk tolerance, risk appetite refers to the amount of risk an organization is willing to take on to achieve its strategic objectives. It represents the organization’s overall attitude toward risk-taking.

3
Q

Which of the following terms BEST describes the affirmation that compliance-related reports have been validated as accurate and thorough?

Attestation
Regulatory examination
Independent third-party audit
Internal assessment

A

Attestation is the correct answer. In the context of compliance, attestation refers to the formal confirmation or affirmation that the compliance-related reports are accurate and thorough. It typically involves a statement or certification made by an authorized party, confirming that the processes and data in the reports are valid.

Regulatory examination refers to an official review by a regulatory body to assess compliance but doesn’t specifically focus on the affirmation of accuracy. Independent third-party audit is a more formal, external evaluation of compliance but doesn’t directly refer to the affirmation itself, which is more about attestation. Internal assessment refers to self-evaluations within an organization but does not carry the same formal, external validation as attestation.

4
Q

The executive team at a software development firm decides that any project with a potential financial impact greater than $500,000 due to a security incident will require an immediate review and intervention. This financial impact figure represents which of the following in risk management?

Risk level
Risk threshold
Risk limit
Risk tolerance

A

Risk threshold is the correct answer. The risk threshold refers to the specific point or value at which an organization decides to take action, such as conducting a review or intervention, due to the potential impact of a security incident. In this case, the executive team has set a threshold of $500,000 for financial impact, above which immediate action is required.

Risk level is incorrect because it refers to the overall assessment of the risk based on likelihood and impact, not the specific trigger point for action. Risk limit is a similar concept but generally refers to the maximum acceptable level of risk in a given scenario, often relating to financial or operational constraints. Risk tolerance refers to the overall amount of risk an organization is willing to accept, but in this case, the executive team is setting a threshold for action, not defining the overall tolerance.

5
Q

Which of the following BEST describes the Software Development Life Cycle (SDLC) in application security?

It only considers security during the testing and creation phases of software development.
It primarily focuses on the speed of software delivery over security.
It replaces the need for regular software updates and patches.
It emphasizes the integration of security in software creation and maintenance.

A

“It emphasizes the integration of security in software creation and maintenance” is the correct answer. The Software Development Life Cycle (SDLC) in application security focuses on integrating security at every stage of software development, from design and development to testing and maintenance. This ensures that security is considered proactively throughout the process, reducing vulnerabilities and addressing security concerns as the software is being built and updated.

The other options are incorrect because they either narrow the scope of security considerations to certain phases (testing and creation), prioritize speed over security, or suggest that SDLC replaces the need for ongoing maintenance like patches, which is not the case. Regular updates and patches remain important even within the SDLC framework.

6
Q

Hair and There, an online beauty supply store, has conducted a comprehensive risk assessment and identified potential vulnerabilities in their network infrastructure. They recognize that another global pandemic would seriously harm their business and is a considerable risk. After careful analysis, they determine that they simply cannot control whether another pandemic occurs. They take measures to help reduce the types of damage a pandemic will cause and then hope that it doesn’t happen. Which risk management strategy are they employing?

Avoid
Accept
Transfer
Mitigate

A

Mitigating the risk means implementing measures or controls to reduce the potential impact or likelihood of the risk event occurring.

Accepting the risk means the organization acknowledges the risk and does not take any specific actions to mitigate it. In the scenario above, they do take some measures to reduce the impact, so they are not just accepting the risk. Transferring the risk involves shifting the financial burden of potential losses to a third party, such as an insurance company. There is no mention of bringing in a third party to accept some of the financial burden for a pandemic. Avoiding the risk involves eliminating the risk entirely by refraining from activities or situations that could expose the organization to potential threats. They are not avoiding the risk since they are taking actions to minimize the impact. If they were avoiding the risk, they would probably close the business since avoiding involves not undertaking the activity that is risky.

7
Q

Emily is part of the IT team and oversees the secure transmission of sensitive data within her organization, ensuring that all systems comply with integrity protocols. She monitors for any inconsistencies or issues that could compromise data integrity. What role does Emily most likely hold?

Data Custodian
Data Owner
Data Controller
Data Processor

A

The correct answer is Data Custodian.

Emily is responsible for ensuring the secure transmission of sensitive data and monitoring for issues that could compromise data integrity, which aligns with the role of a Data Custodian. A Data Custodian typically handles the management and protection of data on behalf of the data owner, ensuring that systems are secure and compliant with integrity protocols. Data Owners are responsible for making decisions about the data’s use, while Data Processors are entities that process data based on the Data Owner’s instructions. Data Controllers typically oversee the overall management and compliance of data.

8
Q

Which agreement type outlines the specific services to be provided by the vendor, along with associated timelines and costs?

MOA
SLA
MSA
SOW

A

A statement of work (SOW) specifies the detailed scope of work, tasks, deliverables, timelines, and costs for a specific project or engagement with the vendor.

A memorandum of agreement (MOA) typically outlines a broader understanding or collaboration between parties, but it does not necessarily include specific services, timelines, and costs as in this context. A service-level agreement (SLA) is a specific type of agreement that defines the level of service expected from the vendor, including performance metrics, response times, and other service-related terms. A master service agreement (MSA) is a comprehensive contract that sets forth the general terms and conditions that will govern multiple future engagements between the parties. It may reference specific work orders or statements of work for individual projects.

9
Q

Which of the following terms BEST describes the measurement used to describe a 7% possibility of hardware failure in the next year based on past statistical data?

Likelihood
Probability
Severity ranking
Exposure factor

A

The correct answer is Probability. Probability is used to describe the likelihood of an event occurring, such as the 7% possibility of hardware failure in the next year, based on statistical data. Likelihood is a more general term and often refers to the general chance of something happening, while probability is the quantitative measurement of that chance. Severity ranking would be used to describe the impact of an event, and exposure factor refers to the potential loss or impact from an event occurring, which isn’t relevant in this context.

10
Q

Which of the following entities is responsible for providing detailed analysis and recommendations to the governance board to aid in informed decision-making, particularly in areas requiring specialized knowledge?

Management Groups
Committees
Executive Teams
Advisory Councils

A

Committees are specialized groups that include subject matter experts who support the governance board with expert analysis and recommendations. While Advisory Councils may also provide advice, they are not solely responsible for in-depth analysis and recommendations for the governance board. Executive Team members are part of the governance board with ultimate decision-making authority but may not focus on specific issues the way committees do. Management Groups typically handle day-to-day operational decisions rather than providing specialized support to the governance board.

11
Q

Which of the following types of penetration tests provides the tester with comprehensive knowledge of the target environment, including the system’s architecture, design, and source code, to identify hidden vulnerabilities?

Black box
Grey box
White box
Passive

A

The correct answer is White box. A white box penetration test is when the tester is provided with comprehensive knowledge of the target system, such as system architecture, design, and source code. This enables the tester to conduct a more thorough examination and identify vulnerabilities that may not be easily discovered through other methods.

Black box testing provides no prior knowledge of the system, requiring the tester to work from the outside in, much like an external attacker would. Grey box testing offers partial knowledge, often similar to an insider’s perspective, but not as detailed as white box testing. Passive testing focuses on gathering information without actively interacting with the target system, making it different from the other testing types, which involve more direct engagement.

12
Q

In the context of privacy compliance, which of the following describes the role of a data controller?

The organization that handles data retention and storage.
The individual whose data is being processed.
The entity responsible for determining why data is processed.
The external auditor responsible for privacy compliance checks.

A

The correct answer is “The entity responsible for determining why data is processed.” A data controller is the entity or organization that determines the purposes and means of processing personal data. Essentially, they make decisions about how and why data is used and are responsible for ensuring compliance with privacy regulations, such as GDPR.

The other options are incorrect. The organization that handles data retention and storage is typically involved in data management but is not necessarily the data controller. The individual whose data is being processed is referred to as the data subject, not the controller. The external auditor, while important for compliance checks, is not responsible for determining how and why the data is processed.

13
Q

Members of the Risk Management Team at Eclipse, an awning manufacturer, are discussing the organization’s approach to risk management. They are considering the level of risk they are willing to accept to achieve the aggressive set of goals the CEO has created. What is the term for what they are considering?

Risk appetite
Risk deterrence
Risk tolerance
Risk acceptance

A

The term for what the Risk Management Team is considering is risk appetite. Risk appetite refers to the level of risk that an organization is willing to take on in pursuit of its objectives or goals, which aligns with the CEO’s aggressive set of goals.

Risk tolerance, while similar, is more about the specific level of risk an organization can bear before it negatively impacts the organization’s ability to meet its objectives. Risk acceptance refers to acknowledging the presence of risk and deciding not to take any action to mitigate it. Risk deterrence involves efforts to reduce the likelihood of a risk occurring.

14
Q

A severe storm disrupts power at a company’s main data center, leaving essential systems offline. To maintain operations, the IT team initiates procedures to bring up backup systems at an alternate location and restore critical data. Which aspect of the organization’s disaster recovery policy is being implemented in this scenario?

Risk assessment
Business continuity planning
Data redundancy testing
Recovery and restoration processes

A

The correct answer is “Recovery and restoration processes.” This aspect of the disaster recovery policy focuses on the steps to bring systems back online and restore critical data after a disruption, such as the storm in this scenario. The IT team is activating backup systems and restoring data, which is a clear example of this process. “Business continuity planning” refers to the overall strategy to ensure ongoing operations, but it doesn’t specifically address the recovery of data and systems. “Risk assessment” is about identifying and analyzing potential risks, not responding to a disruption, and “Data redundancy testing” involves verifying that backup data is available but doesn’t directly address the recovery process itself.

15
Q

Which of the following BEST defines the term that represents the expected number of times a risk event will occur within a one-year period?

EF
ALE
SLE
ARO

A

The correct answer is “ARO,” which stands for Annual Rate of Occurrence. ARO represents the expected number of times a particular risk event will occur within a one-year period. It helps in calculating the potential financial impact of risks when combined with other factors like SLE (Single Loss Expectancy) and ALE (Annual Loss Expectancy). “EF” (Exposure Factor) represents the percentage of loss a business would face if a particular risk occurs, while “SLE” is the monetary loss expected from a single occurrence of a risk. “ALE” represents the annual financial loss expected from a risk event occurring multiple times throughout the year, but it requires ARO to calculate.

16
Q

Rippled, a drink vendor, is developing a disaster recovery plan to ensure the swift recovery of critical systems and processes in the event of a disruption. They are defining a specific metric: the acceptable amount of time it will take to return to normal business operations. What measure are they defining?

MTTR
RPO
MTBF
RTO

A

The correct answer is RTO, which stands for Recovery Time Objective. RTO is the amount of time an organization is willing to tolerate for the recovery of a system or process after a disruption before it impacts the business. This metric helps define how quickly systems need to be restored to avoid significant operational or financial damage. “MTTR” (Mean Time to Repair) refers to the average time required to fix a system after failure, while “RPO” (Recovery Point Objective) focuses on the maximum acceptable amount of data loss, not recovery time. “MTBF” (Mean Time Between Failures) is a reliability measure that tracks the average time between system failures, which is not related to recovery time.

17
Q

What key principle underpins the European Union’s General Data Protection Regulation (GDPR) concerning personal data collection and processing?

Informed consent
Continuous monitoring
Data encryption
Data retention

A

The correct answer is “Informed consent.” The General Data Protection Regulation (GDPR) emphasizes that personal data must be collected and processed with the explicit, informed consent of the individual. This means that organizations must clearly explain how data will be used and obtain permission before collecting or processing it. “Continuous monitoring” is not a core principle of GDPR, although monitoring may be part of ensuring compliance. “Data encryption” is an important security measure but not a foundational principle of the regulation itself. “Data retention” is covered by GDPR but refers to limiting how long personal data is kept, not the key principle of consent for processing.

18
Q

At DionTraining, the risk management team has completed a comprehensive risk assessment and identified potential risks across various departments. To ensure proactive risk management and response, they want to establish a system for continuously monitoring and tracking these identified risks. Which element of the risk management process should the risk management team implement to monitor and track the identified risks over time?

Risk reporting
Risk register
Risk assessment
Business impact analysis

A

The correct answer is “Risk register.” A risk register is a tool used to document and track the identified risks within an organization, along with their potential impacts, likelihood, and the actions taken to mitigate them. This allows for continuous monitoring and management of risks over time. “Risk reporting” is part of the process of communicating risk information, but it is not the tool used for tracking risks. “Risk assessment” refers to the process of identifying and analyzing risks, not tracking them long-term. “Business impact analysis” focuses on understanding the potential impacts of risks on business operations, but it does not track the risks themselves.

19
Q

Which term refers to the percentage of an asset’s value that is expected to be lost when a specific risk eventuates?

EF
Asset impact
Damage proportion
SLE

A

The correct answer is “EF” (Exposure Factor). EF represents the percentage of an asset’s value that is expected to be lost when a specific risk occurs. It is used in risk analysis to quantify the potential loss associated with a specific threat. “SLE” (Single Loss Expectancy) is the result of multiplying the asset’s value by the exposure factor, representing the actual monetary loss when a risk event happens. “Asset impact” and “Damage proportion” are not standard terms used in risk management to describe this concept.

20
Q

Jamario, an IT specialist at Dion Training, has been tasked to ensure that employees working from their homes can securely access the company’s network. He recommends the use of VPNs, multi-factor authentication, and encrypted communications for all remote connections. What kind of work environment is Jamario addressing?

Remote
Decentralized
Collaborative
Centralized

A

The correct answer is “Remote” because Jamario is addressing the needs of employees working from home, which is a typical characteristic of a remote work environment. Using VPNs, multi-factor authentication, and encrypted communications ensures that remote workers can securely access the company’s network from off-site locations.

The other answers are incorrect because “Decentralized” refers to the structure of an organization’s operations, “Collaborative” refers to a work environment focused on teamwork, and “Centralized” refers to a structure where decision-making is concentrated in one place. These terms don’t specifically address the needs of remote workers.

21
Q

Which of the following security features, integral to incident response, chronicles a sequence of activities within a system to aid in the detection and examination of security breaches?

Event monitoring
Audit trails
Incident logs
Operational history

A

The correct answer is “Audit trails” because audit trails record a sequence of activities and events within a system, helping to trace actions and changes for security investigation. These records are crucial in detecting and analyzing security breaches, as they provide a detailed history of system interactions.

The other answers are incorrect because “Event monitoring” typically refers to real-time tracking of events, “Incident logs” are specific to incidents but don’t capture the full sequence of activities, and “Operational history” is more general and may not always include the detailed tracking needed for forensic analysis.

22
Q

An organization hires a third-party vendor to handle its data storage needs. To ensure data confidentiality and establish clear expectations around responsibilities, they sign a document that outlines security controls, availability requirements, and confidentiality clauses. Which type of agreement is this document?

Service Level Agreement (SLA)
Business Partnership Agreement (BPA)
Memorandum of Understanding (MOU)
Data Use Agreement (DUA)

A

The correct answer is “Service Level Agreement (SLA)” because an SLA outlines specific expectations between a service provider and a client, including security controls, availability, and confidentiality clauses. It defines the level of service expected and the responsibilities of both parties.

The other answers are incorrect because a “Business Partnership Agreement (BPA)” focuses on the terms of collaboration between two businesses, a “Memorandum of Understanding (MOU)” is a non-binding agreement that outlines intentions but doesn’t always define specific services or metrics, and a “Data Use Agreement (DUA)” focuses on how data is to be used, often in the context of research or healthcare, rather than service delivery.

23
Q

Which of the following statements BEST describes the role of a data processor in data governance?

Processes personal data for controllers and ensures implementation of security measures.
Assesses and manages risks related to data security and compliance.
Directly responsible for classifying data and defining access permissions.
Sets the strategic direction and policies for organizational data management.

A

The correct answer is “Processes personal data for controllers and ensures implementation of security measures” because a data processor is responsible for handling personal data on behalf of a data controller and must ensure appropriate security measures are in place to protect that data.

The other answers are incorrect because a data processor does not typically assess or manage risks related to data security and compliance, define access permissions, or set strategic direction and policies for data management; those responsibilities are generally within the scope of the data controller or other organizational roles.

24
Q

What is the primary purpose of internal compliance reporting?

To request additional information from agencies that are in charge of compliance
To report compliance status to the public
To prove to third-party auditors that a company is complying with its internal processes
To provide compliance updates to the organization’s management

A

The correct answer is “To provide compliance updates to the organization’s management” because internal compliance reporting is primarily designed to keep an organization’s management informed about the current status of compliance with internal policies and external regulations.

The other answers are incorrect because internal compliance reporting is not primarily meant to request information from external agencies, report to the public, or prove compliance to third-party auditors. These are secondary outcomes, while the main goal is to inform management.

25
Q

Which type of agreement defines the terms of a partnership between two organizations and how they will collaborate on specific projects or initiatives?

SLA
MSA
MOU
BPA

A

The correct answer is “MOU” (Memorandum of Understanding) because an MOU outlines the terms of a partnership and details how two organizations will collaborate on specific projects or initiatives. It is a non-binding agreement that defines the scope, goals, and responsibilities of both parties.

The other answers are incorrect because an SLA (Service Level Agreement) focuses on the expected level of service between a provider and a client, while an MSA (Master Service Agreement) outlines the general terms for a business relationship, including payment and legal terms, but doesn’t focus on specific projects. A BPA (Business Partnership Agreement) is similar but generally more formal and legally binding than an MOU.

26
Q

Which of the following encryption standards is primarily used for securing data at rest and in transit through symmetric key cryptography?

SHA
RSA
AES
HMAC

A

The correct answer is “AES” (Advanced Encryption Standard) because AES is a symmetric key encryption algorithm widely used for securing both data at rest and in transit. It uses the same key for both encryption and decryption, making it efficient and fast for large volumes of data.

The other answers are incorrect because SHA (Secure Hash Algorithm) is a cryptographic hash function used for data integrity verification, not encryption. RSA (Rivest-Shamir-Adleman) is an asymmetric encryption algorithm typically used for securing data during key exchange and not for large data encryption. HMAC (Hash-based Message Authentication Code) is used for data integrity and authentication, not for encrypting data.

27
Q

Regarding US regulations, which legislation is a high-profile example of “horizontal” personal data regulation, similar in approach to the GDPR?

CCPA
PCI DSS
GLBA
FISMA

A

The correct answer is “CCPA.” The California Consumer Privacy Act (CCPA) is a high-profile example of “horizontal” personal data regulation, similar to the GDPR, because it applies broadly to all sectors of business rather than targeting specific industries. It provides consumers with rights regarding their personal data and places obligations on businesses regarding data handling, similar to the GDPR’s comprehensive data protection framework.

The other answers are incorrect because PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and FISMA (Federal Information Security Modernization Act) are more industry-specific regulations. PCI DSS focuses on payment card data, GLBA deals with financial institutions, and FISMA pertains to federal information security.

28
Q

When a cybersecurity expert categorizes the chance of a data breach as “high” due to recent similar incidents in the industry, which risk assessment term are they using?

Risk rating
EF
Likelihood
Confidence level

A

The correct answer is “Likelihood.” In this context, the cybersecurity expert is assessing the chance or probability of a data breach occurring based on recent similar incidents in the industry, which directly corresponds to the term “likelihood” in risk assessment. Likelihood refers to the probability of a specific event happening.

The other options are incorrect because:
- “Risk rating” typically refers to the overall assessment of the severity and impact of a risk, not just the likelihood.
- “EF” (Exposure Factor) is a term used to describe the potential impact or loss of a risk, not the probability.
- “Confidence level” generally refers to the level of certainty in the assessment of the risk, but not the probability of the event occurring.

29
Q

In the context of compliance monitoring, which of the following does “due diligence/care” refer to?

Automated compliance checks.
Reviewing third-party vendor agreements.
Conducting internal audits on a regular basis.
Taking steps to meet legal and other requirements.

A

The correct answer is “Taking steps to meet legal and other requirements.” In the context of compliance monitoring, “due diligence/care” refers to the proactive measures an organization takes to ensure it meets its legal, regulatory, and contractual obligations. This includes thoroughly assessing and managing risks to comply with laws and standards.

The other options are incorrect because:
- “Automated compliance checks” refer to the use of tools or software to verify compliance, but this is a method, not the concept of due diligence itself.
- “Reviewing third-party vendor agreements” is an important aspect of compliance but is a specific action within the broader scope of due diligence, not its definition.
- “Conducting internal audits on a regular basis” is a compliance activity but does not fully capture the proactive and preventive nature of due diligence.

30
Q

River, a project manager at a tech company, is tasked with keeping track of all potential risks related to a new software deployment. She uses a structured document that lists identified risks, their potential impact, likelihood, and mitigation strategies. Which document is River using to manage these risks?

Business Continuity Plan
Risk Register
Playbook
Incident Response Plan

A

The correct answer is “Risk Register.” A Risk Register is a structured document used to track identified risks, their potential impact, likelihood, and mitigation strategies. It is an essential tool in risk management, helping to organize and prioritize risks for better decision-making and mitigation.

The other options are incorrect because:
- A “Business Continuity Plan” focuses on ensuring the organization’s operations can continue in the event of a disruption, rather than specifically managing risks related to a project.
- A “Playbook” typically refers to a set of standard procedures or guidelines to follow in specific situations, often related to incident response or operational tasks.
- An “Incident Response Plan” outlines the steps to take during and after a security incident, focusing on response rather than proactively managing risks in a project.

31
Q

Connor has just gotten a promotion to data processor. What task will he be solely in charge of with his new position?

To manage and control access to data
To establish data ownership and control over access to the data
To ensure physical security of data storage devices
To analyze data on behalf of the data controller

A

The correct answer is “To analyze data on behalf of the data controller.” As a data processor, Connor’s primary responsibility is to process and analyze data according to the instructions provided by the data controller, who owns and decides how the data should be used.

The other options are incorrect because:
- “To manage and control access to data” is typically the responsibility of the data controller or the security team, not the data processor.
- “To establish data ownership and control over access to the data” is also the role of the data controller, who determines who has access to the data and under what conditions.
- “To ensure physical security of data storage devices” would be the responsibility of IT security or facilities management, not the data processor.