Practice Test SY0-701 Security Program Management and Oversight Flashcards
Jill’s organization wants to ensure that services and systems are back online and functioning normally within 4 hours of an event or incident. What term best describes this goal?
A. An RTO
B. An MTTR
C. An RPO
D. An MTBF
A. A recovery time objective (RTO) is set by organizations to define how long restoring systems or services to normal function after a disruption may take. Mean time to repair (MTTR) is the average time it takes to repair a system or device. A recovery point objective (RPO) describes how much data can be lost in the event of an outage or issue, and the mean time between failures (MTBF) is a measure of the reliability of a system: the expected amount of time that will elapse between system failures.
Angie is performing a penetration test and has gathered information using the Shodan search engine about her target. What type of reconnaissance has she performed?
A. Active
B. Commercial
C. Scanner‐based
D. Passive
D. Angie has conducted passive reconnaissance. She did not perform a scan or otherwise take direct active action to gather her information. Instead, she used the existing Shodan engine to gather information. While Shodan is a commercial product and does gather information using scans, databases like Shodan are considered passive reconnaissance, and the Security+ exam objectives recognize two types of reconnaissance: active and passive.
Hong’s company conducts regular risk assessments. As part of their assessment process, they gather a team of experts who assess risks on a scale from low to high based on their knowledge and experience. What type of risk assessment is Hong’s company conducting?
A. Ad hoc
B. Quantitative
C. Qualitative
D. Continuous
C. A qualitative risk assessment uses knowledge and expertise to rate risk rather than assigning numeric values and performing calculations as a quantitative assessment process would. An ad hoc risk assessment is done when risks need to be assessed for a specific, immediate need, unlike the planned, regular risk assessments described. Continuous risk assessment is ongoing, whereas the assessment described here is conducted at regular intervals.
Grace wants to establish a governance structure that will leverage third‐party experts who are paid by her organization. What governance structure should she select?
A. Board‐based
B. Committee‐based
C. Government‐based
D. Market‐based
A. Boards often include external members who may have industry or other experience and expertise that will benefit the organization, and they are sometimes, but not always, paid as part of their work on the board. Committees are frequently composed of internal staff; government‐based governance occurs through laws or as part of public service. Market‐based is not a type of governance outlined by the Security+ exam objectives.
Marissa has been recruited to a group that provides oversight for an organization but that doesn’t engage in the day‐to‐day operations of the organization. The group focuses on strategy and direction for the organization and meets a few times a year. What type of governance group is Marissa part of?
A. An activist investor’s group
B. A committee
C. A board
D. A regulator
C. Boards provide strategic oversight and direction for organizations. Boards may form subcommittees to accomplish specific tasks or to provide oversight over specific areas. Regulators oversee an industry based on law. Activist investor groups are not covered by the exam, but typically they own stock in an organization and seek to direct the organization through their activism and stock ownership.
Sharon’s organization wants to understand the risks that it will experience due to acquiring a new subsidiary, but it needs to conduct the assessment quickly while leveraging their industry expertise. Which of the following risk assessment options should Sharon recommend to address this need?
A. Conduct an ad hoc risk assessment.
B. Conduct a one‐time risk assessment.
C. Conduct a third‐party risk assessment.
D. Build a continuous risk assessment process.
B. A one‐time risk assessment that addresses the acquisition will best meet Sharon’s needs. Ad hoc assessments are less formal, and they are often used to quickly assess a system or other potential risk. There is no requirement listed for third‐party assessment, and they can be both expensive and time‐consuming. Continuous risk assessment efforts are typically built into ongoing processes and are not suited to this type of one‐time review.
Which of the following will provide a customer the opportunity to engage a third party to deliver an SOC 2, Type 1 report created by third‐party assessors?
A. A penetration testing agreement
B. A risk assessment agreement
C. A vulnerability scan clause
D. A right‐to‐audit clause
D. Right‐to‐audit clauses give customers the right to have an audit of their vendor, such as an SOC 2, Type 1 assessment, performed. SOC 2, Type 1 reports are not penetration testing reports, vulnerability scan reports, or risk assessment reports.
Jake’s team has begun handling new data related to customers, including their personally identifiable information. Jake takes on a new role that has responsibilities including classifying each data element gathered about customers. What is Jake’s role in the data handling process?
A. Controller
B. Custodian
C. Owner
D. Processor
C. Data owners classify, protect, oversee the use of, and ensure the quality of data. Controllers are responsible for the procedures and purposes of data use, often described as the why and how. Custodians are the staff and teams who handle data, and processors work with data on behalf of a controller.