Practice Test SYO - 701 Security Program Management and Oversight Flashcards

1
Q

Jill’s organization wants to ensure that services and systems are back online and functioning normally within 4 hours of an event or incident. What term best describes this goal?

An RTO

An MTTR

An RPO

An MTBF

A

A. A recovery time objective (RTO) is set by organizations to describe how long restoring systems or services to normal function after a disruption can take. Mean time to repair (MTTR) is the average time it takes to repair a system or device. A recovery point objective (RPO) describes how much data can be lost in the event of an outage or issue, and the mean time between failures (MTBF) is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures.

2
Q

Angie is performing a penetration test and has gathered information using the Shodan search engine about her target. What type of reconnaissance has she performed?

Active

Commercial

Scanner‐based

Passive

A

D. Angie has conducted passive reconnaissance. She did not perform a scan or otherwise take direct active action to gather her information. Instead, she used the existing Shodan engine to gather information. While Shodan is a commercial product and does gather information using scans, databases like Shodan are considered passive reconnaissance, and the Security+ exam objectives recognize two types of reconnaissance: active and passive.

3
Q

Hong’s company conducts regular risk assessments. As part of their assessment process, they gather a team of experts who assess risks on a scale from low to high based on their knowledge and experience. What type of risk assessment is Hong’s company conducting?

Ad hoc

Quantitative

Qualitative

Continuous

A

C. Qualitative risk assessment uses knowledge and expertise to assess risk rather than assigning numeric values and calculations like a quantitative assessment process would. Ad hoc risk assessment is done when risks need to be assessed for a specific, immediate need unlike the planned, regular risk assessments described. Continuous risk assessment is ongoing, whereas this is conducted regularly.

4
Q

Grace wants to establish a governance structure that will leverage third‐party experts who are paid by her organization. What governance structure should she select?

Board‐based

Committee‐based

Government‐based

Market‐based

A

A. Boards often include external members who may have industry or other experience and expertise that will benefit the organization, and they are sometimes, but not always, paid as part of their work on the board. Committees are frequently composed of internal staff; government‐based governance occurs through laws or as part of public service. Market‐based is not a type of governance outlined by the Security+ exam objectives.

5
Q

Marissa has been recruited to a group that provides oversight for an organization but that doesn’t engage in the day‐to‐day operations of the organization. The group focuses on strategy and direction for the organization and meets a few times a year. What type of governance group is Marissa part of?

An activist investor’s group

A committee

A board

A regulator

A

C. Boards provide strategic oversight and direction for organizations. Boards may form subcommittees to accomplish specific tasks or to provide oversight over specific areas. Regulators oversee an industry based on law. Activist investor’s groups are not covered by the exam, but typically they own stock in an organization and seek to direct the organization through their activism and stock ownership.

6
Q

Sharon’s organization wants to understand the risks that it will experience due to acquiring a new subsidiary, but it needs to conduct the assessment quickly while leveraging their industry expertise. Which of the following risk assessment options should Sharon recommend to address this need?

Conduct an ad hoc risk assessment.

Conduct a one‐time risk assessment.

Conduct a third‐party risk assessment.

Build a continuous risk assessment process.

A

B. A one‐time risk assessment that addresses the acquisition will best meet Sharon’s needs. Ad hoc assessments are less formal, and they are often used to quickly assess a system or other potential risk. There is no requirement listed for third‐party assessment, and they can be both expensive and time‐consuming. Continuous risk assessment efforts are typically built into ongoing processes and are not suited to this type of one‐time review.

7
Q

Which of the following will provide a customer the opportunity to engage a third party to deliver an SOC 2, Type 1 report created by third‐party assessors?

A penetration testing agreement

A risk assessment agreement

A vulnerability scan clause

A right‐to‐audit clause

A

D. Right‐to‐audit clauses provide customers with the right to have an audit of their vendor like an SOC 2, Type 1 assessment performed. SOC 2, Type 1 reports are not penetration testing reports, vulnerability scan reports, or risk assessment reports.

8
Q

Jake’s team has begun handling new data related to customers, including their personally identifiable information. Jake takes on a new role that has responsibilities including classifying each data element gathered about customers. What is Jake’s role in the data handling process?

Controller

Custodian

Owner

Processor

A

C. Data owners classify, protect, oversee the use of, and ensure the quality of data. Controllers are responsible for the procedures and purposes of data use, often described as the why and how. Custodians are the staff and teams who handle data, and processors work with data on behalf of a controller.

9
Q

Which of the following is not a commonly used term to describe risk appetite?

Intentional

Neutral

Expansionary

Conservative

A

A. Terms used for risk appetite in the Security+ exam objectives include conservative, neutral, and expansionary. Intentional is not a term used for risk appetite.

10
Q

What does a data steward do?

Create data.

Carry out data use and security policies.

Explain compliance requirements for data.

Oversee data throughout its life cycle.

A

B. Data stewards are responsible for the data in their charge. That means they carry out data usage and security policies and ensure that data is handled appropriately. Creating data is typically done by data owners, who also explain and set data security policies. Multiple roles oversee data throughout its life cycle, not just a data steward.

11
Q

Colleen’s organization has deployed web application firewalls (WAFs) to protect their web services from being impacted by a known SQL injection attack. What risk management strategy has the organization adopted?

Transfer

Accept

Avoid

Mitigate

A

C. Avoidance seeks to prevent the risk from occurring. In this case, the WAF is a method of preventing the attack, thus avoiding the risk. Risk transfer options move the costs of risks to another organization such as through insurance. Acceptance involves management acknowledging that the risk and its impacts may occur and that the organization will move forward despite that chance. Mitigation works to limit the impact of a risk.

12
Q

Requiring all web traffic to be sent via HTTPS is an example of what type of standard?

Access control

Encryption

Password

Physical security

A

B. HTTPS using TLS is a form of encryption for data in motion. Encryption standards often require specific ways to use encryption, encryption algorithms, settings or configurations for encryption, or times and places where encryption must be used. Access control standards focus on how access is controlled, by whom, and who is impacted. Password standards define settings and requirements related to passwords, and physical security standards address physical security requirements.

13
Q

Why are cloud IaaS vendors unlikely to agree to including a right‐to‐audit clause in their contracts?

The risk to their other customers is too great.

The cost of the assessment is too high.

They may not pass the audit.

They have competing regulatory requirements.

A

A. Cloud vendors rarely agree to right‐to‐audit clauses, instead choosing to provide their own third‐party audit results. This reduces the chances of an audit or assessment causing issues with their other customers. Third‐party audit costs covered by right‐to‐audit clauses are often borne by the customers, not the vendor. Not passing an audit is unlikely for major vendors, regulatory requirements are more likely to require audits, and regulations rarely limit auditability.

14
Q

Jill’s organization has selected Agile with a CI/CD process for their organization. What type of policy would document this selection?

Business continuity

Disaster recovery

Incident response

Software development life cycle

A

D. Agile, along with continuous integration/continuous delivery (CI/CD) pipelines, describes a software development life cycle. Business continuity, disaster recovery, and incident response policies may mention the Agile process and impacts on the CI/CD pipeline, but it is not the primary focus of those types of policies.

15
Q

Megan’s organization wants to create a change management policy. Which of the following is not a typical change type found in a change policy?

Preauthorized changes

Emergency changes

Legislated changes

Standard changes

A

C. Change management practices often include options for preapproved changes, emergency changes, and standard changes. Changes required by legislation or other external factors are not typically built into most change management processes.

16
Q

What describes the key difference between policies and standards?

Policies are defined by third parties; standards are defined by organizations.

Policies are defined by organizations; standards are defined by third parties.

Policies are a statement of intent; standards define how rules help enforce policy.

Policies are legally enforceable; standards are optional.

A

C. Policies are a statement of organizational intent. Standards are defined to help organizations achieve that intent through the use of rules. Policies are typically defined by an organization, and standards may be adopted from third parties or created by the organization itself. Policies might be defined by law but are not required to be defined that way.

17
Q

Connie wants to explain the consequences of noncompliance with data regulations to her organization’s management. Which of the following is the most common statutory consequence of noncompliance with regulations?

Data breaches

Reputational damage

Contractual impacts

Fines

A

D. Regulations most commonly have fines and sanctions as their primary punishments levied against noncompliant organizations. Data breaches and reputational damage may occur, but they are not enforced by regulation. Contractual impacts may occur, but again are not directly enforced by regulations.

18
Q

The company that Omar works for wants to co‐develop a mobile application with a third‐party company. What type of agreement should they both sign as part of this?

An SLA

An NDA

An MSA

A BPA

A

D. BPAs, or business partners agreements, are used when two organizations want to do business as a partnership. SLAs, or service level agreements, determine service levels and penalties if they are not met. Nondisclosure agreements, or NDAs, are used to protect sensitive data. Master service agreements, or MSAs, are foundational documents determining how organizations will work together as a foundation for specific work covered in SOWs, or statements of work.

19
Q

What term describes the possibility of a risk occurring?

Impact

Likelihood

Potential

Rate of occurrence

A

B. Likelihood describes the possibility of a risk occurring. Impact describes what will happen if it does, potential is not a term used in this space, and rate of occurrence is how often a risk occurs on an annual basis.

20
Q

Risk assessments required for regulatory compliance are most frequently conducted in which of the following modes?

As ad hoc risk assessments

As one‐time risk assessments

As recurring risk assessments

As continuous risk assessments

A

C. Regulatory compliance typically requires risk assessment on a regular basis, often once a year. Ad hoc, one‐time, and continuous risk assessments are used for other purposes to serve the organization but are not as common for regulatory compliance.

21
Q

How is exposure factor (EF) expressed for risk calculations?

As a calculation of the ALE multiplied by the ARO

As the likelihood of loss

As a potential percentage of loss

As a calculation of the SLE multiplied by the ARO

A

C. Exposure factors are the percentage of value of an asset that would be lost due to an incident. ALE is the annual loss expectancy, and the ARO is the annual rate of occurrence. SLE is the single loss expectancy. Calculating these gives the cost of an incident, but EF is the impact of the risk and is not calculated using these, nor does it involve the likelihood of the risk.

22
Q

Valerie’s organization wants to ensure that their access control vestibule, ID card system, and guards are effective in stopping unwanted entrance. What type of penetration test should she use to validate this?

Physical

Offensive

Defensive

Integrated

A

D. Integrated penetration testing combines both offensive and defensive penetration testing, and testing guards as well as attempting to make it through access controls is an example of an integrated test. Physical security testing involves testing an organization’s physical security defenses and practices, including guards, locks and doors, and other physical security components like access control vestibules. Offensive penetration testing involves acting like attackers, while defensive penetration testing seeks to learn as defenders.

23
Q

Alexandria wants to mitigate the risk of ransomware during its initial infection stages. Which of the following strategies should she employ?

Deploy an EDR tool.

Purchase cybersecurity insurance.

Use secure, ransomware‐resistant backups.

Continue to operate as usual.

A

A. Secure, ransomware resistant backups can mitigate the impact of ransomware but cannot stop it from impacting systems like an endpoint detection and response (EDR) tool can. Since Alexandria’s focus is on immediate mitigation, her best answer is EDR. Cybersecurity insurance is a means of transferring risk, and simply operating as usual is an acceptance strategy.

24
Q

Shane’s organization has determined that they can accept up to $10,000,000 a year in risk‐related loss in support of their strategic plans. What term best describes this?

Risk acceptance

Risk appetite

Ad hoc risk

A conservative risk tolerance

A

B. Shane’s organization has determined their risk appetite. They are willing to accept some risk, but may also choose to mitigate, transfer, or otherwise deal with their risk to match their appetite. Ad hoc describes risk assessment, not risk appetite or thresholds, and there is no way to determine if this is a conservative, neutral, or expansionary risk appetite.

24
Q

What organization typically includes an audit committee for a company?

The security office

The shareholders

The board of directors

The third‐party assessors

A

C. Audit committees are typically part of the organization’s board of directors, and they oversee financial reporting–related activities. Audit committees are required for US‐traded companies that are listed on stock exchanges. Shareholders, third‐party assessors, and the security office are not typical places to find an audit committee.

25
Q

Jaime wants to establish her organization’s change management policy. What should the policy include?

High‐level descriptions of how the organization will review, approve, and implement proposed changes

A detailed process for review and approval of changes

Descriptions of how a change request should be created, formatted, reviewed, and approved

An outline of the regulatory requirements for changes

A

A. Policies are high‐level descriptions of an organization’s intent and understanding of their topic. Procedures will have descriptions of how a change is made in detailed form, while standards will describe how changes are created, made, and approved. Regulatory requirements are most likely to be part of standards or procedures.

26
Q

What is the key difference between a business continuity plan and a business continuity policy?

The plan describes how an organization will respond, whereas the policy outlines the high‐level intent of the organization’s business continuity efforts.

The plan includes detailed steps for each part of the response, including how to restore systems and investigate issues, whereas the policy outlines the high‐level intent of the organization’s business continuity efforts.

The plan describes the high‐level intent of the organization’s business continuity efforts, whereas the incident response policy describes how the organization will respond.

They are the same; the terms are interchangeable.

A

A. Business continuity plans address how the organization will respond, including referencing runbooks that may detail how to handle restoration or other efforts on a step‐by‐step basis, but doesn’t itself include that level of detail. Business continuity policies describe the organization’s intent at a high level and are likely to reference the business continuity plan. They are not the same, as the policy is a higher‐level document than the plan is.

27
Q

Gary wants to determine the probability of a risk occurring. What should he base his assessment on if he is performing a qualitative risk assessment?

A calculated rate of occurrence using industry statistical data

A rating from an experienced team of staff

The number of times it has happened to their competitors in a year

Actuarial tables provided by his insurance broker

A

B. Qualitative risk assessment relies on expertise and staff members who have relevant knowledge to provide a rating based on their experience, skills, and knowledge. A common rating for probability in a qualitative risk assessment might be low, medium, or high, rather than a 0–100 rating based on statistics or large datasets.

28
Q

What type of agreement do organizations create after signing an MSA that describes the specific tasks or deliverables that will be created or performed?

A MOU

A SOW

A punch list

A BPA

A

B. A statement of work (SOW) or work order (WO) is created to list the tasks and deliverables that will be performed under the blanket master services agreement (MSA). An MOU, or memorandum of understanding, declares how two organizations want to work together; a business partners agreement (BPA) establishes a partnership between two organizations; and punch lists are not covered under the Security+ exam outline but are a list of tasks that must be accomplished for a contractor to be paid.

29
Q

Jack’s organization recently received a shipment of SSDs and has begun to deploy them. What information would best help Jack assess the useful life of the devices?

An RTO

An MTTR

An RPO

An MTBF

A

D. Jack should use the manufacturer’s published mean time between failures (MTBF), which is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures. While organizations typically replace devices well before their MTBF ratings, knowing how long the devices should last on average can be useful in long‐lived applications and for budgetary planning. A recovery time objective, or RTO, is set by organizations to describe how long restoring systems or services to normal function after a disruption can take. Mean time to repair, or MTTR, is the average time it takes to repair a system or device. A recovery point objective, or RPO, describes how much data can be lost in the event of an outage or issue.

30
Q

Olivia’s organization operates servers in a datacenter that support customers across the country. As Olivia is determining her service level agreements, what information is most important in determining how quickly a server can be restored to operation if its motherboard fails?

An RTO

An MTTR

An RPO

An MTBF

A

B. Mean time to repair, or MTTR, is the average time it takes to repair a system or device, and Olivia needs to know that to determine what she can promise in her service level agreements that rely on server repair timelines. A recovery time objective, or RTO, is set by organizations to describe how long restoring systems or services to normal function after a disruption can take; it doesn’t determine how fast the server can be fixed but sets a goal that needs to take things like repair and recovery time into account as it is determined. A recovery point objective, or RPO, describes how much data can be lost in the event of an outage or issue, and the mean time between failures (MTBF) is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures.

31
Q

Chuck wants to conduct a quantitative risk assessment. Which of the following will he need to be able to determine the single loss expectancy for a server?

Its purchase date

Which department manages the server

The operating system the server uses

The cost of the server

A

D. SLE, or single loss expectancy, uses the asset value (AV) and exposure factor (EF) to determine the SLE. Purchase date, which department manages the server, and its operating system are not part of the calculation.

32
Q

Jeremy knows that his customer data is worth $500,000, and that the value of the data would be reduced by 25 percent if it was exposed. What is the SLE for this data?

$25,000

$125,000

$250,000

$375,000

A

B. Single loss expectancy, or SLE, is calculated by multiplying the asset value (AV) by the exposure factor (EF). In this case, that means that the potential loss during a loss event would be $125,000.

33
Q

Alaina’s company is considering signing a contract with a cloud service provider and wants to determine how secure their services are. Which of the following is a method she is likely to be able to use to assess it?

Ask for permission to vulnerability scan the vendor’s production service.

Conduct an audit of the organization.

Review an existing SOC audit.

Hire a third party to audit the organization.

A

C. Many cloud service providers do not allow customer‐driven audits, either by the customer or a third party. They also commonly prohibit vulnerability scans of their production environment to avoid service outages. Instead, many provide third‐party audit results in the form of a service organization controls (SOC) report or similar audit artifact.

34
Q

Gurvinder’s corporate datacenter is located in an area that FEMA has identified as being part of a 100‐year flood plain. He knows that there is a chance in any given year that his datacenter could be completely flooded and underwater, and he wants to ensure that his organization knows what to do if that happens. What type of plan should he write?

A continuity of operations plan

A business continuity plan

A flood insurance plan

A disaster recovery plan

A

D. A disaster recovery plan addresses what to do during a person‐made or natural disaster. A flood that completely fills a datacenter would require significant efforts to recover from, and Gurvinder will need a solid disaster recovery plan—and perhaps a new datacenter location as soon as possible! A COOP, or continuity of operations plan, is needed for U.S. government agencies but is not required for businesses. A business continuity plan would cover how to keep the business running, but it does not cover all the requirements in a natural disaster of this scale, and a flood insurance plan is not a term used in the Security+ exam objectives.

35
Q

You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels?

Owner

Custodian

Privacy officer

System administrator

A

A. Data owners assign labels such as top secret to data. Custodians assign security controls to data. A privacy officer ensures that companies comply with privacy laws and regulations. System administrators are responsible for the overall functioning of IT systems.

36
Q

An organization’s information security policy framework typically contains what four types of documents?

A risk register, an audit report, a vulnerability scan, and a pentest report

Policies, standards, procedures, and guidelines

Laws, policies, standards, and practices

Policies, practices, procedures, and playbooks

A

B. Organizational policy frameworks typically contain policies, standards and procedures that support and expand on the policy, and guidelines. Risk registers, audit reports, vulnerability scans, and pentest reports are all artifacts organizations generate in support of information security practices. Laws are not part of a policy framework but may influence it.

37
Q

Isaac has been asked to write his organization’s access control standards. What policy is commonly put in place for service accounts?

They must be issued only to system administrators.

They must use multifactor authentication.

They cannot use interactive logins.

All of the above.

A

C. It is common practice to prohibit interactive logins to a GUI or shell for service accounts. Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).

38
Q

Patching systems immediately after patches are released is an example of what risk management strategy?

Acceptance

Avoidance

Mitigation

Transference

A

B. Patching is a form of avoidance because it works to remove a risk from the environment. Acceptance of flaws that need patching would involve leaving the software unpatched; mitigation strategies might include firewalls, intrusion prevention systems (IPSs), or web application firewall (WAF) devices; and transference options include third‐party hosting or services.

39
Q

What phases of handling a disaster are covered by a disaster recovery plan?

What to do before the disaster

What to do during the disaster

What to do after the disaster

All of the above

A

D. Disaster recovery requires forethought and preparation, response to issues to minimize impact during a disaster, and response activities after a disaster. Thus, a complete disaster recovery plan should include actions that may or will occur before, during, and after a disaster, and not just the recovery process after the fact.

40
Q

What law or regulation requires a DPO in organizations?

FISMA

COPPA

PCI DSS

GDPR

A

D. The General Data Protection Regulation, or GDPR, requires a data protection officer (DPO). They oversee the organization’s data protection strategy and implementation, and make sure that the organization complies with the GDPR.

41
Q

What process is used to help identify critical systems?

A BIA

An MTBF

An RTO

An ICD

A

A. A business impact analysis (BIA) helps to identify critical systems by determining which systems will create the largest impact if they are not available. MTBF is the mean time between failures, an RTO is a recovery time objective, and an ICD was made up for this question.

42
Q

How is SLE calculated?

AV * EF

RTO * AV

MTTR * EF

AV * ARO

A

A. The single loss expectancy (SLE) describes what a single risk event is likely to cost. It is calculated using the asset value (AV) times the exposure factor (EF), which is an estimated percentage of the cost that will occur in damage if the loss occurs. MTTR is the mean time to repair, ARO is the annual rate of occurrence, and RTO is the recovery time objective. These are not part of the SLE equation.

43
Q

What common limitation do IaaS vendors place on penetration testing by their customers?

It can only be done by third parties.

It must be prescheduled.

It can only be done by the customers themselves.

Notification must be sent immediately after it occurs.

A

B. Vendors often ask that customers work with them to preschedule the testing so that they are aware of it. They typically do not place limitations on whether customers or third parties conduct the testing, and after‐the‐fact notification instead of prior notification is not a typical requirement.

44
Q

Which of the following reflects an organisation’s attentiveness to risk issues?

Risk register

Risk appetite

Heat map

Vulnerability assessment

A

The risk register reflects an organisation’s attentiveness to risk issues. The risk register is a document, database or repository that the organisation uses for risk identification and management.

45
Q

Your company has deployed a firewall that includes two network interfaces. Which firewall architecture has been deployed?

A

A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the internet. The other interface connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs.

46
Q

Which of the following is an independent third party which provides validation services to assure that a digital certificate is genuine?

Certificate signing request

OCSP

Certificate authority

Root of trust

A

Certificate authorities (CA) are independent third parties who provide validation services to assure that a digital certificate is genuine. Certificate authorities can also create and manage certificates. Some of the major CA organisations include Amazon Web Services, GoDaddy and GlobalSign.

47
Q

Which area is primarily focused on overseeing the performance, availability and security of network devices, servers and databases?

Services

Infrastructure

Software

Systems

A

Monitoring infrastructure refers to overseeing the performance of the components that support the organisation, including network devices, servers, storage systems and databases. Monitoring infrastructure involves observing the performance, availability and security of these components to ensure the overall health and functionality of the infrastructure.

48
Q

Which role and associated responsibility involves managing and overseeing the use of systems and data, ensuring compliance with security policies and regulations?

A

Custodians and stewards are individuals or entities who are responsible for the day-to-day management and protection of systems and data assets. They ensure the proper handling, storage and security of data in accordance with established policies and procedures.

49
Q

Your company needs to enhance email security to prevent spoofing. What should you implement?

A

Domain-based Message Authentication, Reporting and Conformance (DMARC) is the correct solution to prevent email spoofing and enhance email security. DMARC is an email authentication protocol that helps prevent email spoofing and phishing attacks by allowing senders to specify policies for email authentication and enforcement.

50
Q

You are evaluating cloud architecture and infrastructure concepts. Which factors are MOST important for enhancing separation and minimising attack surfaces?
Cloud orchestration
Physical isolation
Microservices
Logical segmentation

A

Physical isolation and logical segmentation contribute the most to minimising attack surfaces.

51
Q

Your company-provided Android devices are all under the control of a mobile device management (MDM) console. You want to use this console to prevent users from rooting their devices. How does this support security?

A

On an unrooted device, the user cannot allow apps to escape the isolated virtual sandbox they run in. On a rooted mobile device, apps can escape the isolated virtual sandbox, which could allow malware access to the company storage that is normally protected.

52
Q

Which of the following has Firewall as a Service (FWaaS) as a component?
Secure Access Service Edge
Software-defined networking
On-premises
Network segmentation

A

Secure Access Service Edge (SASE) has Firewall as a Service (FWaaS) as one of its components. Other components include secure web gateways (SWG), a cloud access security broker (CASB) and zero-trust network access (ZTNA).

53
Q

Juan’s company trains users to be cautious about revealing information about security controls, practices, configurations, and even the tools and software the company deploys. What is this practice known as?

Awareness training

Social engineering

An insider threat

Operational security

A

D. Operational security is the practice of educating users on the importance of protecting sensitive information, including security practices, configurations, and other details. Awareness training is a broad term describing all elements of security awareness. Social engineering is used by attackers to leverage human behaviors and practices for their own gain. Insider threats are threats created by those inside the organization.

54
Q

Evangeline wants to develop a security training program. What should she do first?

Determine how the training will be presented.

Establish a budget.

Review regulatory requirements for training.

Assess the threats and risks the organization faces.

A

D. The first step in developing security training programs is to determine what risks and threats the organization faces. Once those are understood, an appropriate program can be created, including obtaining a budget, determining how training will be presented, and ensuring that regulatory requirements, if any, are met.

55
Q

Victoria wants to understand a potential vendor’s security practices. Which of the following is the simplest way for her to gather that information from multiple potential vendors?

Third‐party audits

Questionnaires

Penetration testing

OSINT

A

B. Companies commonly send questionnaires to potential vendors to gather information about security practices prior to acquiring their products or engaging their services. This is a simpler method than requiring audits or penetration tests, and OSINT will not provide organizational answers about practices in most cases.

56
Q

What organization typically elects an organization’s board of directors in a public company?

The employees

The CEO

Shareholders

All relevant stakeholders

A

C. Boards are typically elected by shareholders. Employees, the CEO, and non‐shareholders typically do not have the ability to elect or name members of the board.

57
Q

Latisha is conducting a security review and notices that one of her users consistently uses her organization’s VPN from Chile while the employee is based in the United States. After reviewing logs, she notes that the user is sometimes logged in from both the US and the remote location in Chile, and believes that the user may be allowing a third party to access their VPN account to perform some or all of their job tasks. What type of threat most accurately describes this?

Anomalous

Insider

Social engineering

Nation‐state

A

B. The employee at Latisha’s company can be considered an insider threat because they have provided access to a third party. Most organizations will terminate employees who do this due to violations of their acceptable use policy (AUP). The behavior is anomalous, but an insider threat is a better description. No social engineering is evident, nor is a nation‐state actor described.

58
Q

Marcia wants to assess the effectiveness of her security awareness program. What should she do?

Establish and monitor awareness KPIs.

Require a third‐party awareness audit.

Conduct regular surveys about security awareness.

Track incident rates versus training participation.

A

A. Establishing security awareness KPIs, including incident rates, training uptake, responses to security awareness surveys, and other measurable indicators, is both the broadest and most useful option listed. Third‐party awareness audits are not a typical method for doing this, and conducting surveys and tracking incident rates are both actions that will be part of common awareness KPIs.

59
Q

Sabrina wants to train her users on password management best practices. Which of the following options will have the largest impact on her organization’s password security?

Implementing biometrics authentication factors

Conducting annual training on password best practices

Adopting NIST password length and complexity standards

Requiring staff to use an enterprise password manager

A

D. An enterprise password manager can help to make it easier to use appropriate passwords without requiring users to memorize them. This results in less reuse, stronger passwords, and the ability to manage them, including preventing password reuse. Biometrics, training, and adopting NIST password complexity and length standards will not have the same broad impact.