Security and Risk Management Domain

Question 1

What is a condition of (ISC)2 certification

Answer 1

Fully commit to the code of ethics

Question 2

Protect society, the common good, necessary public trust and confidence and the infrastructure

Answer 2

First canon of ISC2 Code of Ethics

Question 3

Act honorably, honestly, justly, responsibly and legally

Answer 3

Second canon of ISC2 Code of Ethics

Question 4

Provide diligent and competent service to principals

Answer 4

Third canon of ISC2 Code of Ethics

Question 5

Advance and protect the profession

Answer 5

Fourth canon of ISC2 Code of Ethics

Question 6

Who can make a complaint to ISC

Answer 6

Only an injured party

Question 7

Code of Ethics: any member of public can complain

Answer 7

Canon I & II

Question 8

Code of Ethics: employer/contractor can complain

Answer 8

Canon III

Question 9

Code of Ethics: certified professional can complain

Answer 9

Canon IV

Question 10

Who reviews Ethics Complaints

Answer 10

ISC2 Ethics Committee

Question 11

How is complaint submitted

Answer 11

Sworn affidavit that specifies respondent, behavior, canon breached, standing of complainant and any corroborating evidence

Question 12

Who decides on discipline of members

Answer 12

ISC2 Board of Directors

Question 13

Perform duties in accordance with existing laws, exercising the highest moral principles

Answer 13

C3 Unified Principles - Integrity

Question 14

Perform all duties in a fair manner and without prejudice

Answer 14

C3 Unified Principles - Objectivity

Question 15

Perform services diligently and with professionalism

Answer 15

C3 Unified Principles - Professional Competence and Due Care

Question 16

Respect and safeguard information and exercise due care to prevent improper disclosure

Answer 16

C3 Unified Principles - Confidentiality

Question 17

Clarifies an organization’s mission, values, and principles, linking them with standards of conduct

Answer 17

Organizational Code of Conduct

Question 18

Number of mandatory canons in ISC2 Code of Ethics

Answer 18

`Four canons

Question 19

Body that investigates and opines on ISC2 Code of Ethics Complaints

Answer 19

ISC2 Ethics Committee

Question 21

Body that makes final decision regarding ISC2 Code of Ethics complaings

Answer 21

ISC2 Board of Directors

Question 21

Extreme action that can be taken against ISC2 member

Answer 21

Decertification

Question 22

What are the fundamental information security principles

Answer 22

Confidentiality, Integrity, Availability CIA

Question 23

Assurance that information is not disclosed to unauthorized persons, processes, or devices

Answer 23

Confidentiality

Question 24

Protection from unintentional, unauthorized, or accidental changes

Answer 24

Ìntegrity

Question 25

Information is known to be good and that the information can be trusted as being complete, consistent and accurate

Answer 25

Data integrity

Question 26

A system will work as intended

Answer 26

System integrity

Question 27

Information, systems and supporting infrastructure are operating and acccessible when needed

Answer 27

Availability

Question 28

The process of tracing actions to the source

Answer 28

Accountability

Question 29

The property of bein genuine and able to be verified iand trusted

Answer 29

Authenticity

Question 30

Protection against an individual falsely denying having performed a particular action

Answer 30

Non-repudiation

Question 31

Measure of condidence that intended security controls are effective in their application

Answer 31

Assurance

Question 32

Expands traditional application of information security by recognizing that we can no longer look at protecting an organization in isolation

Answer 32

Cybersecurity

Question 33

Process by which an organization protects information, people and infrastructure

Answer 33

Cybersecurity

Question 34

Broad primary outcome

Answer 34

Goal

Question 35

Approach taken to achieve a goal

Answer 35

Strategy

Question 36

Measurable step(s)_ taken to achieve a strategy

Answer 36

Objective

Question 37

A tool used in support of an objective

Answer 37

Tactic

Question 38

Align departmental strategies with business strategies to support organizational goals

Answer 38

Departmental Alignment

Question 39

Mitigate risk to an acceptable level

Answer 39

Risk Management

Question 40

Optimize investments in support of business objectives

Answer 40

Value Delivery

Question 41

Efficient and effective use of resources

Answer 41

Resource Management

Question 42

Achieve operational synergies and efficiencies

Answer 42

Process Integration

Question 43

Ensure customer and stakeholder satisfaction

Answer 43

Satisfaction

Question 44

Enhance organizaitonal reputation with stakeholders and the broader community

Answer 44

Reputation Enhancement

Question 45

Reduce the likelihood of successful litigation by adhering to the principle of due care

Answer 45

Reduced Liability

Question 46

Cybersecurity prerequisites for leadership, trust and commitment

Answer 46

Leadership, trust and commitment:
- Embraced throughout and embedded within an organization
- Cybersecurity professionals have access to C-suite and Board of Directors
- Included and recognized in organizational metrics and key performance indicators (KPIs)

Question 47

Management metrics used to inform decision making

Answer 47

Key Performance Indicators

Question 48

System by which organizations are directed and controlled

Answer 48

Corporate governance

Question 49

State of security responsibility of leadership

Answer 49

• Determine and articulate the organization’s desired state of security
• Provide the strategic direction, resources, funding, and support to ensure that the desired state of security can be achieved and sustained
• Maintain responsibility and accountability through oversight

Question 50

What is in the governance ecosystem

Answer 50

1. Board of Directors
2. Executive Management
3. Organizational Roles
4. Functional Roles

Question 51

Sets the tone and direction

Answer 51

Board of Directors / Trustees

Question 52

Board of Directors responsibilities

Answer 52

Oversight and authorization
Fiduciary, legal and regulatory responsibilities
Standard of due care and due diligence

Question 53

Standard of care that a prudent person would have exercised under the same or similar conditions

Answer 53

Due care

Question 54

Investigation o a business or person before entering a contract and during the lifetime of the relationship

Answer 54

Due diligence

Question 55

The first three duties of the board

Answer 55

1. Promoting effective governance
2. Determining organizational risk tolerance
3. Contributing to and authorizing strategic plans

Question 56

Executive Management responsibilities

Answer 56

1. Strategic alignment
2. Risk management
3. Value delivery
4. Performance measurement
5. Resource management
6. Process assurance

Question 57

Have authority to interpret the strategic direction and are held accountable for the success or failure of their area

Answer 57

Information Security Management

Question 58

Who should Information Security Management report to?

Answer 58

As high up ni the organization as possible to maintain visibility, limit distortion, and minimize conflict

Question 59

ISM responsibilities

Answer 59

1. Being a subject matter expert and cybersecurity champion
2. Managing the cybersecurity program
3. Communicating with executive management
4. Coordinating the budget for cybersecurity activities
5. Ensuring the development and upkeep of governance documents.

Question 60

Responsible for developing, implementing, and administering all aspects of an organization’s privacy program

Answer 60

Privacy Officer

Question 61

Responsible for identifying applicable statutory, regulatory and contractual requirements, as well as ensuring compliance thereof

Answer 61

Compliance Officer

Question 62

Responsible for ensuring that appropriate physical security procedures have been established and physical security devices installed, commensurate with the identified risk exposures

Answer 62

Physical Security Officer

Question 63

Responsible for ensuring that management has established a framework of specific internal controls commensurate with risk, regulation, and Board directives

Answer 63

Internal Audit

Question 64

Documenting roles and responsibilities in policies, job descriptions, employee manuals and supported by agreements

Answer 64

Codification

Question 65

The term used to describe the responsibility of leadership to determine, articulate, authorize and fund the desired state of cybersecurity

Answer 65

Security Governance

Question 66

The outcome when cybersecurity decision making is tied to organizational objectives

Answer 66

Strategic Alignment

Question 67

This group has fiduciary responsibility

Answer 67

Board of Directors

Question 68

Legal term applied to the standard of care exercised by a prudent person

Answer 68

Due care

Question 69

Logical structure intended to document and organize processes

Answer 69

Framework

Question 70

International Cybersecurity Framework

Answer 70

ISO 27000 family.
ISO 27001 Information Security Management Systems
ISO 27002 Code of Practice for Information Security Controls
ISO 27005 Information Security Risk Management
ISO 27014 Information Security, Cybersecurity and Privacy Protection

Question 71

US Framework for Cybersecurity

Answer 71

NIST Cybersecurity Framework (CSF)

Question 72

Non-profit dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment

Answer 72

Cloud Security Alliance

Question 73

Framework of cloud-specific security controls mapped to leading standards

Answer 73

Cloud Controls Matrix (CCM)

Question 74

Helps an organization identify their cybersecurity capabilities and initiatives and compare those efforts to peers or competitors of the same sector or size

Answer 74

Information Security Benchmarks

Question 75

Creates consensus-based best practices for the secure configuration of a target system

Answer 75

Center for Internet Security (CIS)
https://www.cisecurity.org

Question 76

A logical structure to document and organize processes

Answer 76

Framework

Question 77

This US framework consists of standards, guidelines and practices to promote the protection of critical infrastructure

Answer 77

NIST Cybersecurity Framework (CSF)

Question 78

This framework of cloud-specific security controls is mapped to leading standards, best practices and regulations

Answer 78

CSA Cloud Controls Matrix (CCM)

Question 79

Non-profit organization that publishes the “Top 10” web

Answer 79

OWASP

Question 80

Acting in accordance with applicable rules, laws, policies and/or obligations

Answer 80

Compliance

Question 81

The power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory

Answer 81

Jurisdiction

Question 82

What is important for jurisdiction in relation to cybersecurity

Answer 82

1. Location of data and systems (processing, transmission, storage)
2. Type of data
3. Residence of data owners
4. Residence of data subjects

Question 83

Security and privacy of consumer financial records

Answer 83

Gramm-Leach-Bliley Act (GLBA)

Question 84

Security and privacy of patient medical records for covered entities and business associates (BA)

Answer 84

HIPAA & HITECH

Question 85

security and privacy of student educational records

Answer 85

Family Educational Rights and Privacy Act (FERPA)

Question 86

security and privacy related to the online collection and use of data for minors under 13

Answer 86

Children’s Online Privacy Protection Act (COPPA)

Question 87

requires federal agencies, U.S. federal agencies, to implement a program to provide security for their information and their information systems, including those provided by or managed by another agency on their behalf

Answer 87

Federal Information Security Management Act (FISMA)

Question 88

first privacy regulation at the state level in the United States

Answer 88

California Consumer Privacy Act (CCPA)

Question 89

Privacy regulation of the EU

Answer 89

General Data Protection Reglation (GDPR)

Question 90

Contractual obligation for any entity that accepts, processes, transmits, or stores payment cardholder data

Answer 90

Payment Card Industry Data Security Standard (PCI DSS)

Question 91

Power or right of a legal or politial agency to exercise its authority over a person, subject matter, or territory

Answer 91

Jurisdiction

Question 92

US regulation that requires safeguarding consumer financial data

Answer 92

Gramm-Leach-Bliley Act (GLBA)

Question 93

Right of an individual to control the use of their personal information

Answer 93

Privacy

Question 94

PII

Answer 94

Personally Identifiable Information

Question 95

PHI

Answer 95

Personal Health Information

Question 96

OECD Privacy Principles

Answer 96

1. Collection Limitation: Collection limitation says that collection of personal data should be obtained by lawful and fair means.
2. Data Quality: personal data should be relevant for the purposes being collected
3. Purpose Specification: the purpose for which personal data is collected should be specified not later than at the time of data collection.
4. Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than specified except with the consent of the data subject or by the authority of law
5. Security Safeguard: personal data must be protected

Question 97

Cybersecurity programs should support and compliment organizational goals

Answer 97

Strategic Alignment

Question 98

Role of this position is primarily oversight and fiduciary

Answer 98

Board of Directors (or equivalent)

Question 99

The reasonable care taken before entering into and during the lifetime of a contract or agreement

Answer 99

Due diligence

Question 100

Identifies building and facility risks and mitigation

Answer 100

Physical security officer

Question 101

Manages the information security program

Answer 101

Information Security Officer

Question 102

Role responsible for Managing and monitoring of protection mechanisms

Answer 102

Custodian

Question 103

Assesses the control environment

Answer 103

Internal Audit

Question 104

Regulation for patients

Answer 104

HIPAA

Question 105

Regulation for Federal Agencies

Answer 105

FISMA

Question 106

Regulation for Financial services customers

Answer 106

GLBA

Question 107

Regulation for EU citizens

Answer 107

GDPR

Question 108

Regulation for minors

Answer 108

COPPA

Question 109

The second three duties of the board

Answer 109

4. Allocating funds
5. Approving policies and significant projects
6. Ensuring appropriate monitoring

Question 110

The last three duties of the board

Answer 110

7. Ensuring compliance with laws, regulations and contracts
8. Reviewing audit and examination results
9. Honoring the legal constructs of due diligence and due care

Question 111

Resource intended to help an organization identify their cybersecurity capabilities and compare those efforst to peers or competitors of the same sector or size

Answer 111

Benchmark

Question 112

Broad term given to criminal activity that involves the Internet, a computer network a computer system, or a digital device

Answer 112

Cybercrime

Question 113

Incident in which legally protected or private data has been potentially viewed, stolen (exfiltrated) or used by an individual unauthorized to do so

Answer 113

Data breach

Question 114

Consulting legal counsel

Answer 114

1. There is a possibility that legally or contractually protected information has been exposed

Question 115

Responsibility for damages that result from a security compromise in your business

Answer 115

Downstream Liability

Question 116

Describes a wide variety of property created by musicians, authors, artists, designers, programmers, and inventors

Answer 116

Intellectual Property

Question 117

gives its owner the legal right to exclude others from making, using or selling an invention for aperiod of time in exchange for publishing a public disclosure of the invention

Answer 117

Patent

Question 118

intended to protect recognizable names, icons, shape, color, sound or any combination used to represent a brand, product, service or company

Answer 118

Trademark

Question 119

intended to allow the creator of certain types of original works to benefit from being credited and compensated for their work

Answer 119

Copyright

Question 120

refer to proprietary business and technical information, processes, designs, or practices that are confidential and to a business

Answer 120

Trade Secrets

Question 121

Criteria for trade secret

Answer 121

1. Commercially valuable
2. Be known only to a limited group of persons
3. Be subject to reasonable steps taken by the owner of the information to keep it secret, including the use of confidentiality agreements for business partners and employees

Question 122

Copyrighted software that is available at no cost for unlimited usage. The developer retains all rights to the program and controls distribution

Answer 122

Freeware

Question 123

copyrighted software that’s available at no cost for unlimited usage and users are encouraged to share the software to promote larger distribution and maybe add-on sales

Answer 123

Shareware

Question 124

copyright holder grants users the rights to use, to study, to change, and to distribute the software to anyone for any purpose

Answer 124

Open Source

Question 125

copyrighted software that a company designs and develops to sell or license, and the company retains all rights to the program and controls distribution

Answer 125

Commrecial Software

Question 126

contract between the owner and the end user that governs the use of intellectual property, in this case software licensing

Answer 126

End User License Agreement (EULA)

Question 127

unauthorized copying or distribution of copyrighted software

Answer 127

software piracy

Question 128

law that makes it illegal to create products that circumvent copyright protections

Answer 128

Digital Millenium Copyright Act (DMCA)

Question 129

the flow of data between countries inclusive of processing, storage and transmission

Answer 129

Transborder or cross-border data flow

Question 130

EAR

Answer 130

Export Administration Regulations

Question 131

Legally enforceable software use agreement

Answer 131

EULA

Question 132

US law that makes it illegal to create products that circumvent copyright protections

Answer 132

DMCA

Question 133

Proprietary business and technical information that can be legally protected

Answer 133

Trade Secret

Question 134

Formal inquiry or systematic study

Answer 134

Investigation

Question 135

Investigation pursued by the regulatory agency of a jurisdiction

Answer 135

Regulatory Investigation

Question 136

Maximum fine under GDPR

Answer 136

4% of annual revenue

Question 137

Investigation aligned with violation of contractual standards

Answer 137

Industry investigation

Question 138

Order that suspends the modification, deletion and/or destruction of records and media

Answer 138

Legal Hold

Question 139

any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case

Answer 139

eDiscovery

Question 140

Individual who is knowledgeable about the facts of the case through direct participation or observations

Answer 140

Factual witness

Question 141

Person who has knowledge beyond that of an ordinary lay person enabling him/her to give testimony regarding an issue that requires expertise to understand

Answer 141

Expert witness. Experts can give an opinion

Question 142

The basis of this type of investigation is a dispute between parties

Answer 142

Civil investigation

Question 143

The burden of proof for this type of investigation is ‘beyond a reasonable doubt’

Answer 143

Criminal investigation

Question 144

Process of seeking electronic data for use in a civil or criminal legal case

Answer 144

eDiscovery

Question 145

This type of trial witness can proffer an opinion

Answer 145

Expert witness

Question 146

Examples include investigations byt he US FTC or the UK Information Commisioners Office

Answer 146

Regulatory investigation

Question 147

Act of providing leadership and direction

Answer 147

Governance

Question 148

Communicates and codifies management’s requirements, and provides direction

Answer 148

Policy

Question 149

Who should approve policies

Answer 149

Board of Directors (or equivalent)

Question 150

Specifications for the implementation of a policy that dictate mandatory requirements

Answer 150

Standards

Question 151

Aggregate of standards for a specific category or grouping such as a platform, device type, ownership or location

Answer 151

Baseline

Question 152

Document that helps people understand and conform to a standard

Answer 152

Guideline

Question 153

This standard establishes security categories of information systems used by the federal government

Answer 153

FIPS 199

Question 154

This standard lists mandatory security requirements for government systems.

Answer 154

FIPS 200

Question 155

This is a US guide for applying risk management

Answer 155

NIST SP 800-37

Question 156

Instructions for how to carry out an action

Answer 156

Procedures

Question 157

What are the four commonly used formats for procedures

Answer 157

1. Simple step: lists sequential actions
2. Hierarchical: includes both generalized instructions for experienced users and detailed instructions for novice users
3. Graphic: presented in pictorial or symbol form
4. Flowchart: used to communicate a process and/or when decision making is required

Question 158

High-level governance documents

Answer 158

Policies

Question 159

Mandatory implementation requirements (related to policies)

Answer 159

Standards

Question 160

Specific instructions for carrying out a task

Answer 160

Procedure

Question 161

This procedure format requires decision making

Answer 161

Flowchart

Question 162

A detailed roadmap for doing or achieving something

Answer 162

Plan

Question 163

the capability of a business to operate in adverse (disaster) conditions

Answer 163

business continuity

Question 164

disruptive events that significantly impact an organizations capability to operate

Answer 164

disaster

Question 165

What are the three types of disasters

Answer 165

Natural (flood, earthquake, fire, pandemic)
Environmental (loss of power, HVAC)
Human (workplace accidents, cyber attacks, civil disruption)

Question 166

Business Continuity Planning objective

Answer 166

to prepare for continued operation during disruption of normal operating conditions

Question 167

plan focusing on recovery and restoration of technology, physical plant and people

Answer 167

Disaster Recovery Plan (DRP)

Question 168

plan focusing on the overall strategy for sustaining the business during a disaster and the subsequent recovery period

Answer 168

Business Continuity Plan (BCP)

Question 169

Business Continuity Plan Workflow

Answer 169

1. Project Initiation and Assignments
2. Business Impact Analysis
3. Plan Development
4. Procedure Development
5. Training
6. Testing
7. Auditing
8. Maintenance Review and Update

Question 170

the capability of a business to operate in adverse (disaster) conditions

Answer 170

business continuity

Question 171

Business unit plan and procedures for operational activities

Answer 171

Continuity of Operations Plan (COOP)

Question 172

Group responsible for approval of BCP policies and oversight of strategies

Answer 172

Board of Directors (or equivalent)

Question 173

This type of plan describes the overall strategy for sustaining the business

Answer 173

Business Continuity Plan

Question 174

This type of plan includes procedures for internal and external communications

Answer 174

Crisis Communication Plan (CCP)

Question 175

This type of plan describes plans and procedures for recovering technology and facilities

Answer 175

Disaster Recovery Plan

Question 176

This type of plan includes procedures for minimizing loss of life and property

Answer 176

Occupancy Emergency Plan

Question 177

analysis to identify essential services, systems and infrastructure

Answer 177

Business Impact Analysis

Question 178

Maximum time a process / service can be unavailable without causing significant harm to the business

Answer 178

Maximum Tolerable Downtime (MTD)
Maximum Tolerable Outage (MTO)

Question 179

Amount of time allocated for system recovery

Answer 179

Recovery Time Objective (RTO)

Question 180

Acceptable data loss: the point in time, prior to a disruption or system outage that data can be recovered

Answer 180

Recovery Point Objective (RPO)

Question 181

Average time to repair a failed component or device

Answer 181

Mean Time to Repair

Question 182

Measure of reliability (usage stated in hours)

Answer 182

Mean Time Between Failures

Question 183

Business Impact Analysis Process

Answer 183

1. Identify Essential Services & Dependencies
2. Determine Maximum Tolerable Downtime
3. Determine Recovery Point Objective
4. Identify Infrastructure and Dependencies (including SPoF)
5. Determine Current RTO & RPO
6. Gap Analysis
7. Report to Management

Question 184

In a BIA context, this describes services that “the absence or disruption of” would cause significant harm

Answer 184

Essential services

Question 185

Metric related to acceptable data loss

Answer 185

RPO

Question 186

A part of a system that, if it fails, will stop the entire system from working

Answer 186

Single Point of Failure (SPoF)

Question 187

the capability of a business to operate in adverse (disaster) conditions

Answer 187

business continuity

Question 188

Document written for the user community containing policies and standards that specifically pertain to them

Answer 188

Acceptable Use Policy

Question 189

What should AUP introduction do?

Answer 189

Set the tone of the policy, highlight leadership commitment, and emphasize user responsibility

Question 190

AUP Common Elements

Answer 190

1. Data protection: Data classifications and handling standards
2. Authentication: login requirements incluiding password standars and use of tokens and/or biometrics
3. Application: procurement, installation, and licensing
4. Communication: Written and verbal communication use and limitations (including personal email)
5. Internet: Use, activity, and engagement (including social meia)
6. Mobile Device: Use, configuration, activity and device protection
7. Remote Access: Use, configuration, activity, and physical security
8. Incident Reporting: Instructions on how to spot and report suspicious activity

Question 191

By signing this policy the user acknowledges that they understand, and agree to abide by the rules and standards including monitoring and limitations of privacy

Answer 191

Acceptable Use Policy

Question 192

Establishes data ownership and reason data is being provided

Answer 192

Confidentiality / Non-disclosure agreement (NDA)

Question 193

Relationships including service providers, business partners, consultants, and contractors

Answer 193

Non-employee relationships

Question 194

Document that details user-focused policies and standards

Answer 194

Acceptable Use Policy (AUP)

Question 195

The section of the AUP that documents login requirements including password standards and use of tokens and/or biometrics

Answer 195

Authentication

Question 196

Agreement that should be executed prior to being granted access to information and information systems

Answer 196

Acceptable Use Agreement

Question 197

Agreement used to establish data ownership and protect data from unauthorized use and/or disclosure

Answer 197

Confidentiality / Non-disclosure agreement (NDA)

Question 198

Stages of the employee life cycle

Answer 198

1. Hiring Process
2. Onboarding
3. Employment
4. Offboarding

Question 199

Process of integrating a new employee with a company and culture as well as getting the tools and information they need to be successful

Answer 199

Onboarding

Question 200

Assigning the minimal rights and permissions needed to accomplish a task

Answer 200

Least Privilege

Question 201

Rotating assignments (fraud deterrent and detection)

Answer 201

Job rotation

Question 202

Requiring employees to take a set amount of vacation time (fraud deterrent and detection)

Answer 202

Mandatory Vacation

Question 203

Breaking tasks into separate processes to that no one subject is in complete control

Answer 203

Separation of Duties

Question 204

Requiring more than one subject or key to complete a specific task

Answer 204

Dual Control

Question 205

Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel

Answer 205

Clean Desk

Question 206

Process for transitioning employees out of an organization

Answer 206

Offboarding

Question 207

Process of integrating a new employee

Answer 207

Onboarding

Question 208

Primary reasons for job rotation and mandatory vacation

Answer 208

Fraud deterrent and detection

Question 209

This process includes creating user accounts and assigning credentials

Answer 209

Provisioning

Question 210

Requiring more than one user to complete a specific task

Answer 210

Dual Control

Question 211

Termination that has been mutually agreed to

Answer 211

Friendly termination

Question 212

Case where burden of proof is beyond a reasonable doubt

Answer 212

Criminal case

Question 213

The distinguishing feature of this type of intellectual property is that it remains undisclosed

Answer 213

Trade Secret

Question 214

These are high level statements intended to communicate rules and expectations

Answer 214

Policies

Question 215

In which type of governance document would you most likely find the statement “password complexity must include uppercase, lower case and at least one symbol”?

Answer 215

Standard

Question 216

This type of procedure is generally used if decision making is required

Answer 216

Flowchart

Question 217

This plan addresses the overall strategy and plan for sustaining a business

Answer 217

BCP

Question 218

During the BIA process, a business unit stated that they could nto afford to lose more than 30 minutes of data. Which statement best expresses this requirement?

Answer 218

RPO (Recovery Point Objective) = 30 minutes

Question 219

This group is responsible for determining the maximum tolerable downtime (MTD)
1. Information Security department
2. Board of Directors
3. IT department
4. Business Unit

Answer 219

Business unit

Question 220

This agreement should clearly state monitoring and limitations of privacy.
1. Service Level Agreement
2. Nondisclosure Agreement
3. Remote Access Agreement
4. Acceptable Use Policy Agreement

Answer 220

4. Acceptable Use Policy agreement

Question 221

Uncertainty of outcome, whether positive opportunity or negative threat of actions and events

Answer 221

Risk

Question 222

Level of risk that an organization is comfortable with

Answer 222

Risk appetite

Question 223

Risk category that relates to activities that can affect the institutions overall mission, objectives and viability

Answer 223

Strategic Risk

Question 224

Risk category that relates to the confidence and trust of stakeholders, customers, and community

Answer 224

Reputational risk

Question 225

Risk category that relates to overall capacity and capability to deliver products and services

Answer 225

Operational risk

Question 226

Risk category that relates to short- and long-term impact on capital

Answer 226

Financial risk

Question 227

Risk category that relates to conformity with policies, laws, and regulatory requirements

Answer 227

Compliance risk

Question 228

Risk category that relates tothe capacity to withstand adverse and/or unexpected conditions

Answer 228

Resilience risk

Question 229

Evaluation of the combination of the likelihood of something happening, and the impact if it does happen

Answer 229

Risk assessment

Question 230

risk assessment using descriptive terminology

Answer 230

Qualitative risk assessment

Question 231

Risk assessment assigning numeric and monetary values to all elements of the assessment

Answer 231

Quantitative risk assessment

Question 232

Taking actions to mitigate the impact of an unfavorable outcome and/or enhance the likelihood of a positive outcome

Answer 232

Risk management

Question 233

Risk Management steps

Answer 233

Risk Identification (Assessment)
Risk Treatment
Risk Monitoring
Repeat the process

Question 234

Act as if the risk doesn’t exist

Answer 234

Ignore the risk

Question 235

Acknowledge and accept the level of risk and monitor it

Answer 235

Accept the risk

Question 236

Reduce the impact or likelihood by implementing controls or safeguards

Answer 236

Mitigate the risk

Question 237

Spread the risk among multiple parties

Answer 237

Share the risk

Question 238

Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)

Answer 238

Transfer the risk

Question 239

Eliminate the cause or terminate the associated activity

Answer 239

Avoid the risk

Question 240

Insurance to mitigate financial losses from a variety of cyber incidents

Answer 240

Cyber Insurance

Question 241

Track known risks, evaluate treatment effectiveness, identify new risks, and schedule on-going assessments

Answer 241

Risk Monitoring

Question 242

Uncertainty of outcome

Answer 242

Risk

Question 243

Level of risk an organization is willing to accept

Answer 243

Risk Appetite

Question 244

Process used to identify and measure risk

Answer 244

Risk Assessment

Question 245

Assign risk to another party

Answer 245

Risk transfer

Question 246

Tool used to document organizational risks

Answer 246

Risk register

Question 247

A disciplined and structured approach used to oversee and manage risk for an enterprise

Answer 247

Risk Management Framework (RMF)

Question 248

Risk Management components

Answer 248

Governance
Identification
Assessment
Mitigation
Reporting and monitoring

Question 249

Who are responsible for ensuring that risk-related considerations are viewed from an organization-wide perspective

Answer 249

Executives (e.g., CEO) as an individual or as a group

Question 250

US Risk Management Framework

Answer 250

NIST Risk Management Framework

Question 251

International Risk Management Framework

Answer 251

ISO 27005 Information Security Risk Management

Question 252

NIST RMF Steps

Answer 252

1. Categorize: categorize the systems and the information processed, stored and transmitted
2. Select: select an initial set of baseline security controls for the system based on the security categorization.
3. Implement: implement the security controls and document how the controls are deployed within the system and environment of operation.
4. Assess: assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.
5. Authorize: authorize system operation based upon a determination of residual risk.
6. Monitor: monitor and assess selected security controls in the system on an ongoing basis.

Question 253

model designed to assess strength and weaknesses of the risk program, set goals, and plan for improvement

Answer 253

Risk Maturity Model
1. Initial
2. Fragmented
3. Top-down
4. Integrated
5. Risk Intelligent

Question 254

Structured and disciplined approach

Answer 254

Framework

Question 255

United State agency tasked with developing federal government RMF

Answer 255

National Institute of Standards and Technology (NIST)

Question 256

Measurement of continuous improvement

Answer 256

Maturity Model

Question 257

Risk maturity stage that reflects individual actions and capabilities

Answer 257

Initial (Ad hoc)

Question 258

Evaluation of the combination of the likelihood of something happening, and the impact if it does happen

Answer 258

Risk Assessment (Risk Analysis)

Question 259

The level of risk before controls or safeguards have been implemented

Answer 259

Inherent risk

Question 260

The level of risk after controls or safeguards have been implemented

Answer 260

Residual risk

Question 261

Risk Assessment workflow

Answer 261

1. Determine the risk assessment approach (qualitative, quantitative, hybrid)
2. Identify the inherent risk based on relevant threats and related vulnerabilities
3. Assess the impact if the threat source was successful
4. Identify applicable controls and their effectiveness
5. Assess the likelihood of occurence, taking into consideration the control environment
6. Determine the level of residual risk

Question 262

Risk assessment using descriptive terminology such as high, medium and low

Answer 262

Qualitative risk assessment

Question 263

Risk assessment assigning numeric values to all elements

Answer 263

Quantitative risk assessment

Question 264

Data visualization tool used to communicate qualitative risk levels and prioritization requirements

Answer 264

Risk Matrix (Heat Map)

Question 265

Worth of a resource to the organization

Answer 265

Asset Value (AV)

Question 266

Percent of asset value that would be lost

Answer 266

Exposure Factor (EF)

Question 267

Monetary impact for a single event

Answer 267

Single Loss Expectancy (SLE)

Question 268

How often in a single year wil the event occur

Answer 268

Annualized Rate of Occurrence (ARO)

Question 269

The annualized monetary impact

Answer 269

Annualized Loss Expectancy (ALE)

Question 270

Quantitative Risk Assessment workflow

Answer 270

1. Determine Asset Value (AV)
2. Determine Exposure Factor (EF)
3. Calculate Single Loss Expectancy (SLE) = AV * EF
4. Determine Annualized Rate of Occurrence (ARO)
5. Calculate Annualized Loss Expectancy (ALE) = ARO * SLE

Question 271

Level of risk after treatment

Answer 271

Residual Risk

Question 272

Risk assessment approach that uses descriptive terminology

Answer 272

Qualitative

Question 273

AV x EF =?

Answer 273

Single Loss Expectancy (SLE)

Question 274

SLExARO=?

Answer 274

Annualized Loss Expectancy (ALE)

Question 275

Data visualization tool used to communicate risk level

Answer 275

Risk Matrix or Heat Map

Question 276

A tactic, mechanism, or strategy that accomplishes one or more of:
- Reduces or eliminates a vulnerability
- Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability
- Reduces or eliminates the impact of an exploit

Answer 276

Control (countermeasure)

Question 277

What a control does

Answer 277

Functionality

Question 278

How well a control works

Answer 278

Effectiveness.

Question 279

Controls applied in multiple layers

Answer 279

Defense-in-depth
Layered security

Question 280

Statement of desired result or purpose to be achieved by implementing a control or set of controls

Answer 280

Control Objective

Question 281

Controls relating to decision making, oversight, strategic alignment and compliance

Answer 281

Administrative (Management)

Question 282

Controls that can have a material structure (seen, heard, touched)

Answer 282

Physical

Question 283

Controls provided using technology

Answer 283

Technical (Logical)

Question 284

Control that discourages a threat agent from acting

Answer 284

Deterrent control

Question 285

Control that stops a threat agent from being successful

Answer 285

Preventative control

Question 286

Control that identifies and reports a threat agent or action

Answer 286

Detective control

Question 287

Control that minimizes the impact of a threat agent or modify or fix a situation (recovery)

Answer 287

Corrective control

Question 288

Controls that are alternate measures that organizations can use to fulfill a compliance standard, policy, or contractual requirements

Answer 288

Compensating controls

Question 289

Control category relating to oversight, decision making, strategic alignment, and compliance

Answer 289

Management control (administrative control)

Question 290

Control that minimizes the impact of a threat agent

Answer 290

Corrective control

Question 291

Control designed to accomplish the intent of recommended control as closely as possible

Answer 291

Compensating control

Question 292

Control that discourages a threat agent from acting

Answer 292

Deterrent control

Question 293

Term used to describe how well a control works

Answer 293

Effectiveness

Question 294

Potential danger

Answer 294

Threat

Question 295

Adversary with malicious intent

Answer 295

Threat actor

Question 296

A weakness in a system, process or person

Answer 296

Vulnerability

Question 297

Successfully taking advantage of a vulnerability

Answer 297

Exploit

Question 298

Threat actor choosees a target for a specific objective
- Influence by perceived value of outcome

Answer 298

Targeted Attack

Question 299

Threat actor takes advantage of a vulnerable target (not previously known to them - influenced by workfactor

Answer 299

Opportunistic Attack

Question 300

Threat actor motivated by bragging rights, notoriety

Answer 300

Script kiddies

Question 301

Threat actor motivated by financial gain

Answer 301

Criminal Syndicate

Question 302

Threat actor motivated by political statement

Answer 302

Hacktivist

Question 303

Threat actor motivated by grievance, perceived morality, blackmail, external pressure

Answer 303

Insider

Question 304

Threat actor motivated by espionage, disruption, IP theft

Answer 304

Competitors

Question 305

Threat actor motivated by surveillance, espionage, targeting critical infrastructure, tactical advantage, data collection

Answer 305

Nation-States

Question 306

Security practitioner or hobbyist whose motivation is to identify security vulnerabilities and exploits; and responsibly disclose them to a manufacturer or client organization

Answer 306

Authorized “Ethical Hacker”

Question 307

Individuals whose motivation is to identify security vulnerabilities and exploits for personal or financial gain

Answer 307

Unauthorized hacker

Question 308

Individuals whose motivation is to identify security vulnerabilities and exploits for a reward or recognition
- Research is conducted without permission
- They may publicly disclose the vulnerabilities if the entity does not respond in line with their expectations

Answer 308

Semi-authorized hacker

Question 309

Those with the most advancded, accurate, and agile tools.

Answer 309

Established Actors

Question 310

Those with defined processes and targetted operations

Answer 310

Emerging Actors

Question 311

Generally, those associated with low-level cybercriminal activity

Answer 311

Opportunistic Actors

Question 312

Successfully taking advantage of a vulnerability

Answer 312

Exploit

Question 313

Characteristic of this attack is a threat actor taking advantage of a vulnerable target not previously known to them

Answer 313

Opportunistic Attack

Question 314

Espionage and IP theft are their motivation

Answer 314

Competitor

Question 315

The focus of this activity is financial gain

Answer 315

Cybercrime

Question 316

A security professional who works to identify vulnerabilities with the permission of the system owner

Answer 316

Ethical Hacker

Question 317

a structured process by which potential threats can be identified, enumerated and prioritized

Answer 317

Threat modeling

Question 318

What are the three threat modeling approaches

Answer 318

1. Asset-centric (WHAT/WHY) - identifies valued assets
2. Architecture-centric (HOW) - identifies system design, component strength and vulnerabilities
3. Attacker-centric (WHO) - identifies adversaries

Question 319

Are we aware of the latest threats, tools, and techniques

Answer 319

Threat Intelligence

Question 320

How hard would it be for an adversary to achieve their objective

Answer 320

Work factor

Question 321

the time, effort and resources needed for an attacker to successfully achieve their objective

Answer 321

Workfactor

Question 322

evidence-based knowledge about an emerging threat that can be used to inform control decisions

Answer 322

Threat intelligence

Question 323

trusted, sector=specific entity that facilitates sector-specific and/or geographic-specific information sharing about vulnerabilities, threats, and incidents

Answer 323

Information Sharing and Analysis Center (ISAC)

Question 324

standardized language by MITRE and OASIS for describing cyber threat information

Answer 324

Structured Threat Information Expression (STIX)

Question 325

defines how cyber threat information can be shared via services and message exchanges

Answer 325

TAXII

Question 326

TIme, effort and talent needed to achieve an objective

Answer 326

Workfactor

Question 327

Threat model that focuses on system design

Answer 327

Architecture-centric

Question 328

Sector-specific member-driven information sharing organizations

Answer 328

Information Sharing and Analysis Center (ISAC)

Question 329

a method or pathway used by an attacker to access or penetrate the target system or environment

Answer 329

attack vector

Question 330

Disruption, manipulation, or compromise of Information Technology (IT) or operational technology (OT) systems or software

Answer 330

Digital Infrastructure attack

Question 331

Disruption, manipulation, or compromise of people

Answer 331

Human attack

Question 332

Disruption or destruction of physical structures and facilities

Answer 332

Physical Infrastructure attack

Question 333

Attacker chooses a target for a specific objective

Answer 333

Targeted attack

Question 334

Attacker takes advantage of a vulnerable target (not previously known to them)

Answer 334

Opportunistic attack

Question 335

Attacker uses an amplification factor to multiply its power

Answer 335

Amplification attack

Question 336

Attack on a previously unknown vulnerability for which a fix is not yet available

Answer 336

Zero-day attack

Question 337

Impersonating an address, system, or person

Answer 337

Spoofing:
- IP address spoofing
- MAC address spoofing

Question 338

Manipulating a trusted source of data

Answer 338

Poisoning:
- ARP cache poisoning
- DNS poisoning

Question 339

Intercepting communication between two systems

Answer 339

Hijacking:
- Man-in-the-Middle (MitM) - Spoofing and/or poisoning exploiting real-time processing of transactions, conversations or data transfer
- Man-in-the-Browser (MitB) - Manipulating the browser to control a session including what is displayed
- Session Hijacking: stealing session cookies to “take over” a user’s active session
- Domain Hijacking: unauthorized modification of domain name registration
- URL Squatting: registering or using an Internet domain name belonging to someone else
- Typo squatting: taking advantage of common typos (in domains) to create fraudulent websites

Question 340

Overwhelming system resources

Answer 340

Denial of Service:
- DoS: Transmitting malformed packets or unusual requests
- DDoS: massive volume of service requests from multiple sources, often “bots” configured in a botnet

Question 341

Exploiting weaknesses in server- or client-side code or applications

Answer 341

Code attack:
- Injection: tricking an application into including unintended commands
- Buffer Overflow: writing excess data into system memory that overruns the buffers boundary and overwrites adjacent memory locations
- Refactoring: restructuring code without changing external behavior, manipulating code with malicious intent
- Cross-site scripting (XSS) - injection of malicious code that executes in a browser
- Cross-site Request Forgery (CSRF) - Exploiting the trust relationship between a website and a browser

Question 342

Impersonating an address, system or person

Answer 342

Spoofing

Question 343

Manipulating a trusted source of data

Answer 343

Poisoning

Question 344

Intercepting communications between two or more systems

Answer 344

Hijacking

Question 345

Attack designed to overwhelm system resources

Answer 345

Denial of Services

Question 346

Tricking an application into including unintended commands

Answer 346

Injection

Question 347

evidence-based knowledge about emerging threats that can be used to inform control decisions

Answer 347

Threat intelligence

Question 348

Four properties of useful threat intelligence

Answer 348

1. Aggregated from reliable sources and cross-correlated for accuracy
2. Analyzed by trained specialists
3. Assessed for relevancy
4. Actionable. Often includes context, mechanisms, indicator of compromise (IOC), implications and response / remediation advice

Question 349

Artifacts that identify potentially malicious activity on a system or network

Answer 349

Indicators of Compromise (IOC) - clue about an event that has already happened

Question 350

Real-time behaviors and artifacts relating to something that is happening or has happened

Answer 350

Indicators of Attack (IOA)

Question 351

term used to refer to the data collected from publicly available soiurces to be used in an intelligence context

Answer 351

Open Source Intelligence (OSINT)

Question 352

Structured collection of OSINT tools

Answer 352

OSINT framework

Question 353

Intelligence data collected from publicly available sources

Answer 353

Open Source Intelligence (OSINT)

Question 354

Accessing this “area” requires an anonymizing browser

Answer 354

Dark Web

Question 355

Visualization of Cyber Attacks

Answer 355

Cyber Threat Map

Question 356

ecosystem of organizations, processes, people and resources involved in providing a product or service

Answer 356

Supply Chain

Question 357

the reliance on a source to provide a product or service

Answer 357

Supply chain dependency

Question 358

a disturbance of the normal flow of goods, materials and services in a supply chain

Answer 358

Supply Chain disruption

Question 359

attack that occurs when a system is infiltrated through a supply chain partner or provider with access to the systems and data

Answer 359

Supply chain attack

Question 360

the implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity in the supply chain

Answer 360

Supply chain risk management

Question 361

Term used to describe reliance on a source to provide a product or service

Answer 361

Supply chain dependency

Question 362

Term used to describe the disruption of the normal flow of goods, material and services

Answer 362

Supply chain disruption

Question 363

When a system is infiltrated through a supply chain partner

Answer 363

Supply chain attack