Security Management Programs and Oversight Quiz Flashcards

1
Q

A huge customer data breach occurred at a retail store. It originated from the store’s point-of-sale system contractor, who did not have adequate malware protection. Which risk mitigation concept could the store have implemented to avoid the breach?

A) Risk register
B) Risk response techniques
C) Likelihood of occurrence
D) Supply chain assessment

A

Supply chain assessment, or supply chain analysis, might have stopped the store’s data breach. The breach was initiated with the failure of a contractor to have adequate anti-malware protection. Supply chain assessment would include verifying that vendors and contractors have adequate safeguards in place before they can access your network.

A risk register is a document that lists the identified risks together with their likelihood, impact, owner, and planned response. It tracks risks once they are known; it does not vet vendors or contractors before they connect.

Risk response techniques include avoidance, transference, mitigation, and acceptance.

Analyzing the likelihood of occurrence compares the potential threat with the probability that the threat will occur.

2
Q

In a security awareness training session, employees are taught to recognize various types of behaviors that may indicate a security threat. Which type of behavior involves actions that are not in line with established security policies or procedures, potentially putting sensitive information at risk?

A) Risky
B) Suspicious
C) Unintentional
D) Unexplained

A

Unexplained behavior involves actions that are not in line with established security policies or procedures. This type of behavior lacks a clear justification or explanation within the context of an individual’s job responsibilities or typical behavior patterns. As an example, accessing files or systems that are unrelated to one’s role, attempting to modify critical settings without proper authorization, or logging into the network at odd hours without a valid reason could all be considered unexplained behavior. Behavior such as this may indicate a potential security threat or unauthorized access attempt.

Risky behavior refers to actions taken by individuals that knowingly or recklessly disregard established security policies and procedures, putting sensitive information at risk. Examples of risky behavior include sharing passwords, using unauthorized software or devices, accessing sensitive data without proper authorization, or bypassing security controls intentionally. Risky behavior often stems from a lack of awareness or disregard for security protocols.

Unintentional behavior refers to actions that occur inadvertently or accidentally, without malicious intent. This could include clicking on phishing emails or links, falling victim to social engineering tactics, inadvertently sharing sensitive information, or mishandling data due to lack of awareness or training. Unintentional behavior often results from human error, ignorance of security best practices, or a failure to recognize potential risks.

Suspicious behavior involves actions or activities that raise concerns or suspicions regarding potential security threats. This could include attempting to access restricted areas or information without proper authorization, exhibiting unusual patterns of behavior or communication, displaying aggressive or confrontational behavior when questioned about security practices, or attempting to circumvent security controls. Suspicious behavior may indicate insider threats, malicious intent, or attempts to compromise the security of systems or data.
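The behaviors the card lists (access to resources unrelated to a role, changes to critical settings without authorization, logins at odd hours) are the kind of thing a monitoring rule can surface from audit logs. The script below is an added example, not part of the flashcard set: it runs three such rules over constructed audit lines using an assumed `timestamp|user|role|action|resource|outcome` format, an assumed role-to-resource mapping and an assumed 07:00-20:00 working-hours window. Logs cannot show intent, so the output is a list of events to investigate, not a verdict on whether the behavior was risky, unintentional or malicious.

```python
"""Flag unexplained access events in audit logs.

Added example, not part of the flashcard set. The log format, the
role-to-resource mapping and the working-hours window are assumptions
constructed for illustration.
"""
from datetime import datetime, time

# Assumed role-to-resource mapping (constructed): the resources each job
# role is expected to touch. Anything else is "unrelated to the role".
ROLE_RESOURCES = {
    "hr": {"hr-share", "payroll-db"},
    "dev": {"git", "ci", "dev-db"},
    "sales": {"crm"},
}

# Assumed working hours (constructed): 07:00-20:00 local time.
WORK_START, WORK_END = time(7, 0), time(20, 0)

# Settings whose modification requires the admin role (constructed).
CRITICAL_SETTINGS = {"firewall-config", "iam-policy"}

# Constructed sample audit lines: timestamp|user|role|action|resource|outcome
SAMPLE_LOG = """\
2024-03-04T09:12:03|alice|hr|read|hr-share|success
2024-03-04T02:47:19|bob|dev|read|payroll-db|success
2024-03-04T10:05:40|carol|sales|modify|firewall-config|denied
2024-03-04T11:30:00|dave|dev|read|git|success
2024-03-04T23:58:12|alice|hr|read|hr-share|success
"""


def parse_line(line):
    """Split one pipe-delimited audit line into a dict."""
    ts, user, role, action, resource, outcome = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user, "role": role, "action": action,
        "resource": resource, "outcome": outcome,
    }


def classify(event):
    """Return the reasons an event looks unexplained (empty list = normal)."""
    reasons = []
    expected = ROLE_RESOURCES.get(event["role"], set())
    if event["resource"] not in expected:
        reasons.append("resource unrelated to role")
    if (event["action"] == "modify"
            and event["resource"] in CRITICAL_SETTINGS
            and event["role"] != "admin"):
        reasons.append("unauthorized change to critical setting")
    if not (WORK_START <= event["ts"].time() <= WORK_END):
        reasons.append("activity outside working hours")
    return reasons


def find_anomalies(log_text):
    """Return (user, resource, reasons) for every event that trips a rule.

    Denied attempts are kept as well: a refused change to a critical
    setting is exactly the kind of event a reviewer should see.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev["user"], ev["resource"], reasons))
    return findings


if __name__ == "__main__":
    for user, resource, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{user} -> {resource}: {', '.join(reasons)}")
```

Run it directly to print the flagged events. In practice the role mapping would come from the identity provider or HR system and the rules would raise a SIEM alert for an analyst to confirm, since the same log line can come from a compromised account, a careless user or someone working late with a valid reason.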

3
Q

What is defined in an acceptable use policy?

A) which users require access to certain company data
B) the sensitivity of company data
C) which method administrators should use to back up network data
D) how users are allowed to employ company hardware

A

An acceptable use policy defines how users are allowed to employ company hardware. For example, an acceptable use policy, which is sometimes referred to as a use policy, might answer the following questions: Are employees allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to “surf the Web” after hours? The acceptable use policy should define the rules of behavior and any penalties or adverse actions that will arise from non-compliance.

An information (data classification) policy defines the sensitivity of a company’s data. Access control requirements, usually set out in the security policy, determine which users need access to certain company information; separation of duties is one of the principles applied there. A backup policy defines the procedure that administrators should use to back up company information.

A privacy policy defines which information is considered private and how this information should be handled, stored, and destroyed.

4
Q

Which penetration-testing concept is used to detect vulnerabilities that are found by means other than testing the system directly?

A) Active reconnaissance
B) Passive reconnaissance
C) Initial exploitation
D) Pivot

A

Passive reconnaissance gathers information about the target without interacting with its systems directly: open-source intelligence such as WHOIS and DNS records, supposedly confidential information sitting in publicly available databases or breach dumps, job postings, and physical techniques such as dumpster diving and shoulder surfing. Active reconnaissance touches the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, banner grabbing, and vulnerability scans test the system itself and identify potential sources of attack, and because they generate traffic to the target they can be detected by it.

A pivot uses a compromised system as a foothold to attack other systems that it can reach. Initial exploitation is the first compromise of a system, which can then be used to pivot to another.

Persistence means keeping access to a compromised system after the initial exploitation, for example by installing a backdoor, creating an account, or adding a scheduled task, so that the tester (or attacker) can return later even if the original vulnerability is patched or the system is rebooted.

5
Q

Which type of external audit or assessment encompasses a broad range of evaluations conducted by external parties, potentially covering financial audits, security audits, or compliance audits?

A) Examinations
B) Regulatory
C) Assessments
D) Compliance

A

Examinations are a broad category of evaluations conducted by external parties. They may include financial audits, security audits, compliance audits, or other examinations aimed at evaluating different aspects of organizational performance, governance, or risk management. Unlike regulatory audits, which specifically focus on compliance with laws and regulations, examinations are more inclusive and may cover a wider scope of assessments conducted by external entities.

Assessment generally refers to the process of evaluating systems, processes, or controls to identify strengths, weaknesses, and areas for improvement. While assessments may include external evaluations conducted by third-party auditors, they are not inherently focused on regulatory compliance. Assessments can encompass a wide range of objectives, such as risk assessments, security assessments, or performance assessments, and may involve internal or external parties.

6
Q

What are regulatory audits?

A

Regulatory audits and assessments involve evaluating adherence to laws, regulations, or industry standards set forth by governing bodies or regulatory agencies. These audits typically assess compliance with requirements related to data protection, privacy, financial reporting, or industry-specific regulations. The primary purpose is to ensure that the organization meets legal and regulatory obligations and avoids potential penalties or sanctions for non-compliance.

7
Q

What are compliance audits?

A

Compliance audits specifically target adherence to applicable laws, regulations, or industry standards. These audits assess whether the organization’s policies, procedures, and practices align with regulatory requirements and whether it has implemented adequate controls to mitigate compliance risks. Compliance audits aim to verify that the organization operates within legal and regulatory boundaries and fulfills its obligations to stakeholders, but they are not synonymous with the broader category of examinations.

8
Q

Which component of effective security compliance involves regularly assessing and verifying adherence to security policies and regulations to identify and address gaps or deficiencies?

A) Compliance monitoring
B) Compliance reporting
C) Privacy
D) Consequences of non-compliance

A

Compliance monitoring involves the ongoing process of assessing and verifying adherence to security policies, procedures, and regulations to ensure that the organization meets its compliance obligations. This component includes activities such as conducting regular audits, assessments, and reviews to identify compliance gaps, monitoring changes in regulatory requirements, and implementing controls to mitigate compliance risks. Effective compliance monitoring helps organizations proactively detect and address issues before they escalate into compliance failures. For example, organizations may use automated monitoring tools to track access controls, analyze security logs, and detect unauthorized activities.

Compliance reporting involves the process of documenting and communicating the organization’s compliance status, activities, and findings to relevant stakeholders, such as management, regulatory authorities, or auditors. This component ensures transparency and accountability in compliance efforts and helps stakeholders understand the organization’s adherence to security policies and regulations. For example, compliance reports may include summaries of audit findings, assessments of control effectiveness, and recommendations for improvement.

9
Q

What are the consequences of non-compliance?

A

The consequences of non-compliance encompass the potential penalties, sanctions, or impacts that organizations may face as a result of failing to meet security requirements or regulations. These consequences can include legal liabilities, financial penalties, reputational damage, or loss of business opportunities. Effective compliance programs aim to mitigate these risks by proactively identifying and addressing compliance gaps to avoid adverse outcomes. For instance, non-compliance with data protection regulations such as the General Data Protection Regulation (GDPR) may result in hefty fines, legal disputes, and damage to an organization’s reputation.

10
Q

What does Privacy entail?

A

Privacy refers to the protection of individuals’ personal information from unauthorized access, use, or disclosure, in accordance with applicable privacy laws, regulations, and organizational policies. Ensuring privacy compliance involves implementing measures to safeguard personal data, such as encryption, access controls, data minimization, and privacy impact assessments. Compliance with privacy requirements helps build trust with customers, enhances organizational reputation, and mitigates the risk of legal and financial liabilities resulting from data breaches or privacy violations. For example, organizations subject to the European Union’s General Data Protection Regulation (GDPR) must comply with strict requirements for data protection, privacy, and individual rights, such as the right to access and control personal data.

11
Q

Which process defines the scope, objectives, and guidelines for conducting third-party risk assessments and engagements?

A) Vendor monitoring
B) Rules of engagement
C) Questionnaires
D) Vendor assessment

A

Rules of engagement define the scope, objectives, and guidelines for conducting third-party risk assessments and engagements. They outline the roles and responsibilities of both parties, the methods and tools to be used, the timing and frequency of assessments, and the reporting and communication protocols. These rules help ensure that third-party risk assessments are conducted in a consistent, thorough, and transparent manner, fostering effective communication, collaboration, and risk management between the parties.

Vendor monitoring involves continuously monitoring the activities, performance, and security practices of third-party vendors to ensure ongoing compliance with security requirements and contractual obligations. It may include real-time monitoring of vendor systems and networks, analyzing security logs and alerts, and conducting periodic reviews of vendor performance. Vendor monitoring helps detect and address security incidents, breaches, or performance issues promptly, reducing the risk of disruptions or security breaches.

Questionnaires involve sending standardized surveys or questionnaires to third-party vendors to gather information about their security practices, policies, controls, and compliance with security standards and regulations. The questionnaires typically cover a wide range of topics, including network security, data protection, access controls, incident response, and regulatory compliance. The responses provided by vendors help assess their security posture and identify potential risks or areas for improvement.

Vendor assessment involves evaluating the security controls, practices, and processes of third-party vendors to assess their security posture and compliance with security requirements. These assessments play a crucial role in third-party risk management and allow organizations to evaluate the security posture and compliance of their vendors. The vendor assessments that are included in the SY0-701 objectives are penetration testing, right-to-audit clause, evidence of internal audits, independent assessments, and supply chain analysis.

12
Q

On-boarding/off-boarding business partners: Security Implications and risk

A

On-boarding/off-boarding business partners – When you bring new business partners on board, you must ensure that all of your organization’s security policies and regulations are fully understood and implemented by the partner organization. The transfer, storage, and collection of any data must be protected according to your organization’s security policy, unless a valid reason exists for departing from certain security tenets (such as when they contradict local, state, or federal laws). When you are terminating a business partner, you must ensure that the partner organization transfers all assets back to your organization and that the partner organization understands the legal ramifications if the data is compromised at their facilities AFTER the transfer has occurred.

13
Q

Social media networks and applications: Security Implications and risk

A

Social media networks and applications – Organizations should analyze the security implications of social media networks and applications and should adopt a formal policy regarding their usage. Any security awareness training should fully cover the organization’s policy regarding such usage. If usage is forbidden, repercussions for non-compliance should be fully spelled out in any employment agreements. Keep in mind that social media networks and their applications are frequent targets because of their huge user base. Companies should not allow users to authenticate to a company’s Web applications using credentials from a popular social media site, because a compromise of the user’s social media account (for example through a password breach at that site) would grant access to the company application as well.

14
Q

Personal email - Security Implications and risk

A

Personal email – Organizations should analyze the security implications of allowing access to personal email and should adopt a formal policy regarding its access. Any security awareness training should fully cover the organization’s policy regarding such access. If usage is forbidden, repercussions for non-compliance should be fully spelled out in any employment agreements. Keep in mind that email is a common delivery channel for malware and phishing, and personal accounts bypass the filtering applied to corporate mail.

15
Q

Privacy considerations - Security Implications and risk

A

Privacy considerations – Any organization that collects and stores personally identifiable information (PII) or any other protected information should be concerned with the security of that data. If the privacy data that your organization collects is stored or managed by a third party, you must ensure that the other organization properly secures the data. In addition, personnel should be trained to recognize PII, as well as how to protect this data. If for any reason you need to transmit PII, protect it in transit (for example over SSH/SFTP or TLS) or encrypt the data itself with PGP/GPG before sending it. The best ways to address customer data privacy concerns are to employ encryption and stronger access controls.
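Card 10 names data minimization among the privacy safeguards, and this card stresses that PII handed to a third party must stay protected. The script below is an added example, not from the flashcard set, of the step that happens before any SSH or PGP transfer: stripping the fields the recipient does not need and replacing the customer identifier with a keyed pseudonym so records stay joinable without exposing the raw value. The record layout, the allow-list of fields, and the key are constructed assumptions; a real key would come from a secrets manager and never be shared with the recipient.

```python
"""Minimize and pseudonymize PII before handing customer records to a third party.

Added example, not part of the flashcard set. The record layout, the field
allow-list and the key are constructed for illustration.
"""
import hmac
import hashlib

# Constructed records as they might sit in the data owner's CRM.
RAW_RECORDS = [
    {"customer_id": "C1001", "email": "alice@example.com", "name": "Alice Adams",
     "dob": "1990-05-14", "plan": "gold", "last_login": "2024-03-01"},
    {"customer_id": "C1002", "email": "bob@example.com", "name": "Bob Brown",
     "dob": "1985-11-02", "plan": "silver", "last_login": "2024-02-27"},
]

# Fields the third party actually needs for its task (data minimization).
# Everything else is dropped before transfer. Assumed for this example.
ALLOWED_FIELDS = {"plan", "last_login"}

# Direct identifiers that are still needed as a join key: these are replaced
# by a keyed pseudonym rather than sent in the clear.
PSEUDONYMIZED_FIELDS = {"customer_id"}

# Raw identifier fields that must never appear in an export.
DIRECT_IDENTIFIERS = {"email", "name", "dob", "customer_id"}


def pseudonym(value, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated to 32 hex chars.

    A plain hash such as sha256(email) is not a pseudonym: anyone with a list
    of candidate e-mails can rebuild the mapping. With a secret key held only
    by the data owner, the recipient cannot reverse or brute-force the token,
    while the same input still maps to the same token so records remain
    joinable on the recipient's side.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def minimize(record, key):
    """Return the record reduced to allowed fields plus pseudonymized join keys."""
    out = {}
    for field, value in record.items():
        if field in PSEUDONYMIZED_FIELDS:
            out[field + "_pseudo"] = pseudonym(value, key)
        elif field in ALLOWED_FIELDS:
            out[field] = value
        # anything else (email, name, dob) is deliberately not copied
    return out


def prepare_export(records, key):
    """Minimize every record; the result is what gets encrypted and sent."""
    return [minimize(r, key) for r in records]


def leaks_direct_identifiers(exported):
    """Pre-transfer check: True if any raw identifier field survived."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in exported)


if __name__ == "__main__":
    # Assumed key for the demo; a real one comes from a secrets manager.
    key = b"constructed-demo-key-rotate-me"
    export = prepare_export(RAW_RECORDS, key)
    if leaks_direct_identifiers(export):
        raise SystemExit("export still contains raw identifiers; aborting")
    for row in export:
        print(row)
```

The `leaks_direct_identifiers` check is the control worth keeping in a real pipeline: it fails closed if someone later adds a field to the CRM schema without updating the allow-list, which is how PII usually ends up in a partner feed.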

16
Q

Why is it important for risk awareness when integrating with third party vendors?

A

Risk awareness – It is vital that your organization understands the risks involved with integrating systems and data with third parties. You should ensure that a risk assessment is carried out and the results are presented to management. Both organizations should periodically review the security risks of the partnership.

17
Q

Third party integration risk: Unauthorized data sharing?

A

Unauthorized data sharing – Whenever systems and data are integrated with third parties, personnel from both organizations should have clear guidelines on the data that can and cannot be shared between the organizations. These guidelines should include the methods of sharing as well as the type of data that can and cannot be shared and penalties for noncompliance.

18
Q

Third party Integrating implications: Data Ownership

A

Data ownership – Organizations should fully define the ownership of any data that is collected, stored, and exchanged. Without a clear definition, legal issues could arise if the partnership is ever dissolved.

19
Q

Third party Integrating implications: Data Backup

A

Data backups – The frequency of any data backups should be documented in a formal backup plan. In addition, the formal backup plan should include storage guidelines.

20
Q

Third party Integrating implications: Follow security policy and procedures

A

Follow security policy and procedures – Any third parties with which your organization deals should modify their security policies and procedures to follow your organization’s policies and procedures where yours are stricter, unless doing so would contradict local, state, or federal laws.

21
Q

Third party Integrating implications: Agreement requirements

A

Agreement requirements – You should review agreement requirements to verify compliance and performance standards. This should be done at least annually to ensure that they comply with regulations and laws and to ensure that performance is maintained.

22
Q

Your organization wants to use the Open-Source Security Testing Methodology Manual (OSSTMM) framework for meeting your organization’s compliance requirements.

Which type of compliance is NOT recognized by the OSSTMM framework?

A) Legislative
B) Security
C) Contractual
D) Standards-based

A

Security is not a type of compliance recognized by the OSSTMM framework; the three it recognizes are legislative, contractual, and standards-based. A security audit is used to evaluate the effectiveness of implemented security controls within your organization. Audits can be internal or external. Internal audits are conducted by the organization’s own audit team, which should be independent of the teams that operate the controls. External audits are conducted by independent third-party organizations to evaluate the effectiveness of controls against regulatory or standards requirements.

23
Q

What types of compliance does the OSSTMM framework recognize?

A

The OSSTMM framework recognizes three types of compliance:

Legislative – Legislative compliance is enforced by regional regulatory bodies. It is mandatory to comply with regulatory requirements enforced by the government. Failing to comply with the regulatory requirements can lead to heavy fines and charges. Examples of legislative requirements are Sarbanes-Oxley (SOX), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).

Contractual – Contractual compliance is enforced by groups such as customers and vendors through documented contractual requirements in master service agreements (MSAs). Parties signing the contract must comply with contractual requirements. Failure to comply with contractual requirements may lead to fines, penalties, and loss of reputation. An example of a contractual requirement is the Payment Card Industry Data Security Standard (PCI DSS), which the payment card brands (Visa, Mastercard, and others) impose on merchants through their agreements with acquiring banks. Merchants who handle credit card data must comply with it.

Standards-based – Compliance with standards is enforced within the organization or by the customer to whom the organization is providing services. Failure to comply with standard requirements may lead to loss of reputation or loss of certification from the certifying body. For example, ISO 27001 is the international standard for information security management.

24
Q

Your organization has decided to outsource its e-mail service. The company chosen for this purpose has provided a document that details the e-mail functions that will be provided for a specified period, along with guaranteed performance metrics. What is this document called?

A) SLA
B) BPA
C) MOU
D) ISA

A

A service level agreement (SLA) is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period.

25
Q

What is a BPA?

A

A business partner agreement (BPA) is an agreement between two companies that ensures that both parties implement the appropriate security measures. This type of agreement is particularly important when the two partners exchange data that could harm the companies’ reputations if the data were accessed by an attacker.

26
Q

What is an MOU?

A

A memorandum of understanding (MOU) is a mutual agreement between two parties to perform a common action or relationship. If well-defined legal elements are included, the MOU is considered binding. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. An MOU is also known as a memorandum of agreement (MOA) or letter of agreement (LOA).

27
Q

What is ISA?

A

An interconnection security agreement (ISA) is an agreement established between organizations that own and operate connected systems to document the technical requirements of the connection. An ISA can also be used to ensure both parties have a clear understanding of the controls needed to protect the data.

28
Q

Which policy outlines the procedures and protocols for managing and responding to a security breach?

A) Incident response policy
B) SDLC
C) Disaster recovery policy
D) Change management policy

A

An incident response policy would outline the procedures and protocols for managing and responding to (among other things) a security breach. Incident response policies define the procedures and protocols for detecting, assessing, and responding to many types of security incidents. These policies outline the steps to be taken in the event of a security breach or incident, including incident identification, containment, eradication, recovery, and post-incident analysis. Incident response policies help ensure a coordinated and effective response to security incidents, minimizing the impact on the organization’s operations and data.

29
Q

What is SDLC?

A

The Software Development Lifecycle (SDLC) is not a policy. It refers to the process of planning, designing, developing, testing, deploying, and maintaining software. While SDLC involves policies and procedures for ensuring the quality, security, and reliability of software products, it is not specifically focused on incident response or security governance.

30
Q

What are change management policies?

A

Change management policies govern the process of planning, implementing, and controlling changes to systems, applications, and infrastructure. These policies outline procedures for assessing the impact of proposed changes, obtaining approval, managing risks, and ensuring changes are implemented smoothly and efficiently. While change management policies are essential for maintaining system stability and security, they do not specifically address incident response.

31
Q

What are disaster recovery policies?

A

Disaster recovery policies outline the strategies and procedures for recovering systems, applications, and data following a catastrophic event or significant disruption. These policies focus on restoring operations and services to minimize downtime and data loss, ensuring the organization can continue functioning despite adverse conditions. While disaster recovery is a critical component of security governance, it is not specifically focused on incident response.

32
Q

Which of the following types of guidance and training is most effective in mitigating risks associated with employees inadvertently exposing sensitive information through actions like clicking on phishing emails or sharing passwords?

A) Hybrid/remote work environments
B) Operational security
C) Social engineering
D) Removable media and cables

A

Social engineering training is the most effective in mitigating the risks as described. This training is critical in educating employees about the various tactics used by malicious actors to manipulate individuals into divulging confidential information or performing actions that compromise security. This type of training often includes simulated phishing attacks, awareness campaigns, and interactive modules to teach employees how to recognize and respond to social engineering attempts effectively.

33
Q

What is OPSEC?

A

Operational security (OPSEC) training focuses on safeguarding sensitive information by controlling access, implementing security protocols, and promoting a culture of security awareness within an organization. While OPSEC encompasses a broad range of security practices, it may not specifically target user behaviors related to falling prey to social engineering tactics.

34
Q

What other types of user guidance and training exist, and what does each entail?

A

Situational awareness training focuses on educating users about recognizing and responding to potential security threats. Further, the emphasis is on teaching users to be observant and alert to potential security threats in their environment. This training encourages employees to pay attention to unusual behaviors, unauthorized access attempts, or other suspicious activities. As an example, an employee trained in situational awareness might notice a stranger wandering around the office without a visitor badge and report it to security, potentially preventing a physical security breach.

While providing guidance on the proper use of removable media and cables is important for physical security and data transfer protocols, it does not directly address the issue of employees falling victim to social engineering attacks or sharing sensitive information.

Training tailored to hybrid or remote work environments is essential for educating employees on the unique security challenges associated with working from different locations and using various devices to access corporate networks and data. This includes topics such as secure remote access, endpoint security, data encryption, and secure communication tools. While addressing remote work security concerns is important, it may not directly address the specific issue of employees being tricked into disclosing sensitive information through social engineering tactics.

Other types of user guidance and training are policy/handbooks, situational awareness, insider threat, password management.

Policies and handbooks outline rules and procedures related to security practices within an organization. While they provide important guidance on acceptable behavior, they might not always directly address recognizing and responding to security threats. For example, an employee handbook might include sections on acceptable computer usage, but it may not specifically cover how to identify phishing emails or social engineering attempts.

Insider threat training raises awareness among employees about the risks posed by individuals within the organization who may intentionally or unintentionally harm the organization’s security. This type of training often includes examples of insider threats, such as employees stealing data for personal gain or inadvertently exposing sensitive information through negligent actions. For example, insider threat training might educate employees about the dangers of sharing passwords or clicking on links in suspicious emails, which could lead to data breaches.

Password management training educates users on best practices for creating and safeguarding passwords. This includes using strong, complex passwords, avoiding password reuse across multiple accounts, and protecting passwords from unauthorized access. An example of password management training might involve teaching employees how to create passphrases using a combination of letters, numbers, and special characters, as well as using password managers to securely store and manage passwords.

35
Q

Which vendor assessment evaluates the security controls and practices of third-party vendors through an external evaluation process?

A) Evidence of internal audits
B) Supply chain analysis
C) Penetration testing
D) Right-to-audit clause
E) Independent assessments

A

In an independent assessment, third-party auditors or assessors are engaged to evaluate the security posture of a vendor independently. These assessments are conducted by impartial and qualified professionals who review the vendor’s security controls, policies, and procedures against industry standards, best practices, and regulatory requirements. Independent assessments provide an objective evaluation of the vendor’s security practices and help validate their compliance with security standards and contractual obligations.

When you bring new business partners on board, you must ensure that all of your organization’s security policies and regulations are fully understood and implemented by the partner organization. The transfer, storage, and collection of any data must be protected according to your organization’s security policy, unless a valid reason exists for departing from certain security tenets (for example, where they contradict local, state, or federal laws). When you terminate a business partner, you must ensure that the partner organization transfers all assets back to your organization and that the partner organization understands the legal ramifications if the data is compromised at their facilities after the transfer has occurred.

36
Q

What is pen testing?

A

Penetration testing simulates cyberattacks on a vendor’s systems and networks to identify vulnerabilities and weaknesses that could be exploited by attackers. Penetration tests are typically conducted by security professionals or ethical hackers who attempt to breach the vendor’s defenses using various attack techniques. The goal is to uncover security gaps and provide recommendations for remediation to enhance the vendor’s security posture.

37
Q

What is a right-to-audit clause?

A

A right-to-audit clause is a contractual agreement that allows the organization to audit and assess the security controls and practices of a vendor. It grants the organization the legal right to conduct audits or inspections of the vendor’s facilities, processes, and documentation to ensure compliance with security requirements. The right-to-audit clause enables the organization to verify that the vendor is implementing adequate security measures and adhering to contractual obligations.

38
Q

What does evidence of internal audits refer to?

A

Evidence of internal audits refers to documentation or reports from internal audit teams that assess the effectiveness of the vendor’s internal controls and processes. Internal audits may evaluate various aspects of the vendor’s operations, including IT security, risk management, compliance with policies and regulations, and overall governance practices. Evidence of internal audits provides insights into the vendor’s internal control environment and helps assess their risk management capabilities.

39
Q

What is a supply chain analysis?

A

The supply chain analysis process involves assessing the security risks associated with the vendors, suppliers, and partners within a supply chain. It examines the interconnected relationships between different entities involved in the supply chain and evaluates the potential security vulnerabilities and threats that could impact operations. Supply chain analysis helps identify risks related to dependencies on third-party vendors and enables the organization to implement risk mitigation strategies to protect against supply chain disruptions and security breaches.

40
Q

Arrange the steps in the risk response process in the appropriate order.

Establishment of risk appetite and risk tolerance
Risk identification
Risk analysis
Risk response selection and documentation
Risk response prioritization
Development of risk action plan

A

Establishment of risk appetite and risk tolerance – this is the foremost activity because management must first determine how much risk is acceptable and tolerable to the organization without jeopardizing its business objectives.
Risk identification – this is done to determine all the risks that are applicable to the organization.
Risk analysis – once the risks have been identified, assessment is performed for the risk impact and likelihood.
Risk response selection and documentation – the risk response is selected based on the established risk appetite and risk tolerance.
Risk response prioritization – prioritization is based on the risk environment and cost-benefit analysis.
Development of risk action plan – this is created in order to be able to manage the risk responses.

41
Q

Which method of ensuring compliance monitoring involves a combination of manual and automated processes, facilitating a thorough examination of adherence to security standards and regulations from multiple perspectives?

A) Due diligence/care
B) Automation
C) Attestation and acknowledgement
D) Internal and external

A

The internal and external approach to compliance monitoring ensures comprehensive validation of compliance efforts through both internal assessments conducted by personnel within the organization and external assessments conducted by independent third parties. This comprehensive approach ensures that compliance efforts are validated from multiple perspectives and helps identify potential blind spots or biases in self-assessment processes. For example, an organization may conduct internal audits to evaluate its internal controls and practices, while also undergoing external audits by regulatory agencies to verify compliance with industry regulations.

42
Q

What is attestation and acknowledgment?

A

Attestation and acknowledgement involve formal processes where individuals or organizations affirm their compliance with security standards or regulations through written statements or documentation. While attestation and acknowledgement are important components of compliance programs, they primarily focus on obtaining assurances or commitments from stakeholders rather than the actual monitoring of compliance activities.

43
Q

What does automation involve?

A

Automation involves the use of technology-driven solutions and tools to streamline compliance monitoring processes, such as continuous monitoring, automated reporting, and real-time alerting mechanisms. By leveraging automation, organizations can enhance the efficiency and accuracy of compliance monitoring activities, reduce manual effort, and identify compliance issues more quickly. For instance, automated security monitoring systems can detect and respond to suspicious activities or policy violations in real-time, improving overall compliance posture and reducing the risk of non-compliance.

44
Q

You are the security administrator for your company. You identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan to implement if the security risk occurs. Which type of risk response strategy are you demonstrating?

A) transference
B) avoidance
C) acceptance
D) mitigation

A

You are demonstrating a risk response strategy of acceptance. Acceptance involves accepting the risk and leaving the security plan unchanged. Examples of acceptance would include taking no action at all or leaving the plan unchanged and developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.

45
Q

What types of risk response are there?

A

Acceptance involves accepting the risk and leaving the security plan unchanged. Examples of acceptance would include taking no action at all or leaving the plan unchanged and developing a contingency or fallback plan. It is recommended that you accept a risk when the cost of the safeguard exceeds the amount of the potential loss.

Avoidance involves modifying the security plan to eliminate the risk or its impact. Examples of avoidance would include stopping a risky activity altogether, adding security resources to eliminate the risk, or removing resources to eliminate the risk.

Transference involves transferring the risk and its consequences to a third party. The third party is then responsible for owning and managing the risk. Purchasing insurance is an example of transference.

Mitigation involves reducing the probability or impact of a risk to an acceptable risk threshold. To mitigate, you would take actions to minimize the probability of a risk occurring. Biometric locks on a server room’s doors mitigate the risk of an intruder breaking in where sensitive data is housed.

46
Q

Which of the following would be MOST affected by hiring a new CISO?

A) Types of risk scenarios in the risk register
B) Regulatory compliance
C) Incident response time
D) IT risk appetite

A

Risk appetite is derived from senior management and the corporate culture, and risk management is aligned with it. Risk management strategy planning is reflected by the established risk appetite and risk culture. A new Chief Information Security Officer (CISO) would be most likely to review and revise the IT risk appetite statement.

Risk scenarios in the risk register are not developed by senior management. They are developed through risk identification work such as vulnerability analysis.

Compliance with regulations should never be affected by changes in senior management. Compliance is required regardless of leadership.

The new CISO may affect incident response (IR) time, but not as much as they will affect the IT risk appetite statement.

47
Q

What three types of risk appetite do the CompTIA SY0-701 objectives list?

A

The CompTIA SY0-701 objectives list three types of risk appetite: expansionary, conservative, and neutral.

Expansionary risk appetite reflects the willingness to take on higher levels of risk to achieve significant growth, innovation, or competitive advantage. Organizations with an expansionary risk appetite are generally more risk-tolerant and may pursue opportunities that offer potentially higher returns, even if they come with elevated levels of risk. These organizations prioritize growth and market expansion, often investing in new markets, technologies, products, or business ventures. Expansionary risk appetite is common among startups, entrepreneurial firms, and companies in rapidly evolving industries where innovation and agility are critical for success.

Conservative risk appetite indicates a preference for minimizing risk exposure and prioritizing stability, security, and preservation of capital. Organizations with a conservative risk appetite tend to be risk-averse and prioritize protecting existing assets and avoiding losses over pursuing aggressive growth or innovation opportunities. These organizations may adopt more cautious investment strategies, maintain higher levels of liquidity, and focus on established markets or products with proven track records. Conservative risk appetite is prevalent in industries characterized by regulatory constraints, economic uncertainty, or mature market conditions, where stability and predictability are valued over rapid growth.

Neutral risk appetite represents a balanced approach to risk management, where organizations seek to maintain an appropriate level of risk relative to their objectives, capabilities, and risk tolerance. Organizations with a neutral risk appetite aim to achieve a reasonable balance between risk and reward, neither overly conservative nor excessively aggressive in their risk-taking behavior. These organizations adopt a pragmatic approach to risk management, carefully weighing the potential benefits and drawbacks of different opportunities and decisions. They seek to optimize risk-adjusted returns while managing risks within acceptable boundaries. Neutral risk appetite is often associated with well-established companies operating in stable industries or mature markets, where a balanced approach to risk management is essential for long-term sustainability and value creation.

48
Q

Which of the following reflects an organization’s attentiveness to risk issues?

A) Vulnerability assessment
B) Risk appetite
C) Heat map
D) Risk register

A

The risk register reflects an organization’s attentiveness to risk issues. The risk register is a document, database, or repository that the organization uses for risk identification and management. You can think of a risk register as a catalog of risk issues, containing key risk indicators (KRIs), risk owners, and risk thresholds. These key concepts are covered in the next card.

49
Q

Key concepts related to the risk register are?

A

Key risk indicators (KRIs) are specific metrics or parameters used to measure and track the likelihood or impact of identified risks over time. KRIs provide early warning signals of potential risk events or issues, allowing organizations to monitor risk trends, assess the effectiveness of risk controls, and take proactive measures to mitigate risks before they materialize. Examples of KRIs include the frequency of security incidents, the percentage of project milestones delayed, compliance audit findings, or financial performance indicators. KRIs are typically defined and documented in the risk register alongside identified risks, helping stakeholders monitor risk exposure and make informed decisions.

Risk owners are individuals or groups responsible for managing and mitigating specific risks within the organization. Risk owners are accountable for understanding the nature and potential impact of their assigned risks, implementing appropriate risk mitigation strategies, and monitoring risk-related activities to ensure effective risk management. They play a crucial role in the risk management process by providing leadership, allocating resources, and facilitating communication and collaboration among stakeholders. Risk owners are typically designated and documented in the risk register, along with their roles, responsibilities, and contact information, to ensure clarity and accountability for risk management activities.

The risk threshold represents the level of risk that an organization is willing to accept or tolerate before taking action to mitigate or control it. It defines the boundaries within which risks are considered acceptable or manageable based on predefined criteria, such as impact, likelihood, or strategic objectives. The risk threshold helps organizations establish clear guidelines for decision-making regarding risk acceptance, escalation, or mitigation. When risks exceed the established threshold, action is required to address them appropriately. The risk threshold is documented in the risk register to provide guidance to stakeholders on risk tolerance levels and inform risk management decisions.

Risk appetite does not reflect attentiveness to risk issues because it does not take into consideration actions taken to address risk. Risk appetite is determined by senior management and the corporate culture. While it is reflected in the risk profile, the risk profile also includes the actions to be taken with regard to issues.

50
Q

A company has experienced a significant productivity drop because of a new multiplayer game on a social network. The company needs to create a policy that outlines the rules and guidelines for its employees while accessing the internet using the company network or on company time. Which policy should they create?

A) Disaster recovery policy
B) Acceptable use policy
C) Business continuity policy
D) Information security policies

A

The company should create an acceptable use policy (AUP). An acceptable use policy (AUP) defines the acceptable behaviors and practices for using an organization’s information technology resources, including computers, networks, internet access, and data. It outlines the permitted and prohibited uses of these resources, addressing issues such as personal use, internet browsing, software installation, and data access. The AUP helps ensure that employees understand their responsibilities and obligations regarding the use of company resources and helps protect against misuse or abuse.

51
Q

What are information security policies?

A

Information security policies encompass a set of policies that govern the organization’s approach to protecting its information assets from unauthorized access, disclosure, alteration, or destruction. These policies cover various aspects of information security, including data classification, access controls, encryption, incident response, and risk management. Information security policies provide guidelines and procedures for implementing security controls and practices to safeguard sensitive information and maintain the confidentiality, integrity, and availability of data.

52
Q

What is a BCP?

A

A business continuity policy (BCP) outlines the organization’s strategies and procedures for maintaining essential business functions and services during and after a disruptive event. It encompasses plans and protocols for responding to emergencies, disasters, or other incidents that could impact the organization’s operations. The BCP identifies critical business processes, resources, and dependencies, establishes roles and responsibilities, and outlines procedures for recovery and resumption of operations. It aims to minimize downtime, mitigate losses, and ensure the organization can continue functioning effectively in adverse conditions.

53
Q

What is a DRP?

A

A disaster recovery policy (DRP) focuses on the organization’s strategies and processes for recovering systems, applications, and data following a catastrophic event or significant disruption. The DRP outlines procedures for restoring the infrastructure, recovering data from backups, and resuming business operations within predefined recovery time objectives (RTOs) and recovery point objectives (RPOs). It includes measures such as backup and restoration processes, alternate site arrangements, and testing and validation procedures to ensure the organization can recover from disasters and resume normal operations swiftly.

54
Q

Are BCP and DRP the same?

A

The terms “business continuity policies” and “disaster recovery policies” are closely related and often confused, but there are some key differences. BCP has a broader scope and focuses on keeping the business running, while DRP specifically addresses the recovery of infrastructure and data.

55
Q

Which procedure, process, or artifact involves the creation of a set of detailed instructions or guides to help personnel respond to security incidents effectively?

A) Onboarding
B) Change management
C) Playbooks
D) Offboarding

A

Playbooks, which are typically part of an organization’s incident response plan or procedures, are sets of detailed instructions or guides that outline the steps to be taken in response to specific security incidents or events. Playbooks provide predefined actions, workflows, and escalation procedures to help personnel respond quickly and effectively to security incidents, minimize damage, and restore normal operations as soon as possible.

56
Q

What is onboarding and offboarding?

A

Onboarding is a procedure that involves integrating new employees into an organization and providing them with the necessary resources, training, and access to perform their job duties effectively. It includes activities such as orientation sessions, training programs, provisioning of accounts and access rights, and familiarization with organizational policies and procedures.

Offboarding is a procedure that involves managing the departure of employees from an organization, including resignations, terminations, or retirements. It includes activities such as revoking access to systems and data, collecting company assets, conducting exit interviews, and transitioning responsibilities to other employees or departments to ensure a smooth transition and protect the organization’s assets and information.

57
Q

Which role and associated responsibility involves managing and overseeing the use of systems and data, ensuring compliance with security policies and regulations?

A) Processors
B) Custodians and stewards
C) Owners
D) Controllers

A

Custodians and stewards are individuals or entities who are responsible for the day-to-day management and protection of systems and data assets. They ensure the proper handling, storage, and security of data in accordance with established policies and procedures. Custodians are typically responsible for implementing security controls, monitoring access, and responding to security incidents, while stewards focus on data governance, quality assurance, and metadata management.

Owners, however, are responsible for the overall governance and strategic direction of systems and data. They have ultimate accountability for the security and integrity of systems and data assets, including establishing security policies, defining access controls, and allocating resources to support security initiatives. Owners make decisions regarding risk management, compliance, and investments in security measures to protect organizational assets.

Processors act on the instructions of the controller and are responsible for implementing technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. Processors may include cloud service providers, IT service providers, or third-party vendors who handle personal data as part of their services. An example of a processor could be a cloud service provider like Amazon Web Services (AWS) or Microsoft Azure. The company would use one of these services to host and process their data. In this case, the cloud service provider acts as a processor because they handle the company’s data on behalf of the data controller (the company).

Controllers are individuals or entities responsible for ensuring the organization’s compliance with legal and regulatory requirements related to the processing of personal data. They determine the purposes and means of processing personal data and are accountable for implementing appropriate security measures to protect data privacy and confidentiality. Controllers may include data controllers under data protection laws such as the EU General Data Protection Regulation (GDPR).

58
Q

Explain the roles of owners, controllers, processors, and custodians and stewards.

A

As a quick summation and easy differentiation:

Owners have ultimate accountability for the governance and strategic direction of systems and data.

Controllers ensure compliance with legal and regulatory requirements related to data processing.

Processors handle personal data on behalf of data controllers and implement security measures to protect data.

Custodians and stewards are responsible for day-to-day management and protection of systems and data assets, implementing security controls, and ensuring data integrity and quality.

59
Q

Why is it important to report the potential losses arising from a risk when reporting risk assessment results?

A) To assist with the risk assessment process
B) To identify risk owners
C) To develop a risk action plan
D) To enable risk-based decision-making

A

When reporting risk assessment results to senior management, it is important to include potential losses compared to treatment cost. This helps to frame the risk in terms of its impact on business objectives and leads to decision-making at high levels that is risk based and not performance based.

The reason is not to develop a risk action plan. That will come after a decision has been made to accept or mitigate the risk.

The reason is not to identify risk owners. That decision is made primarily based on the business process owner most directly impacted by the risk.

The reason is not to assist with the risk assessment process. That process will have already occurred, and its output will be a source of information when reporting potential losses compared to treatment cost to senior management.

60
Q

In performing a business impact analysis (BIA), you have identified that no backup method for Internet access exists if the gateway router goes down or is compromised. What did you identify?

A) MTBF
B) Single point of failure
C) Mission-essential function
D) MTTR

A

A single point of failure is an item that, if taken out of commission, has no backup or redundancy. A gateway router with no failover is a perfect example. Although Internet access may itself be a mission-essential function, the situation described is the lack of redundancy, which is a single point of failure. Mission-essential functions are those business functions that are most critical to the organization, and in the event of a catastrophic outage they must be prioritized over non-essential functions.

Mission-essential functions are those that are vital to daily business. For an online retail company, this would include all network and server functions that are necessary to keep the online site up and running.

MTBF is a value that represents mean time between failures. It is generally the amount of time that you can expect a device to be operational before it fails. MTTR is a value that represents mean time to restore. Should a component or an entire system fail, it is important to know how long it would take to repair it, or how long it would be before a replacement could be up and running.

61
Q

Senior management is accountable for which of the following?

A) Expressing risk tolerance
B) Establishing cybersecurity controls
C) Selecting risk responses
D) Performing risk assessments

A

Senior management is accountable for establishing and expressing risk tolerance. This comprises their decisions about how much risk the organization will bear and is closely tied to the risk appetite. Security management is accountable for establishing cybersecurity controls. They are the most technically knowledgeable to identify proper controls as options to present for consideration.

The risk owner is responsible for selecting the risk response. They are accountable for the risk and will select the appropriate risk treatment option, with the authority to commit resources to address the risk. The risk practitioner is accountable for performing risk assessments.

62
Q

As part of your company’s comprehensive vulnerability scanning policy, you decide to perform a passive vulnerability scan on one of your company’s subnetworks. Which statement is true of this scan?

A) It allows a more in-depth analysis than other scan types.
B) It impacts the hosts and network less than other scan types.
C) It is limited to a particular operating system.
D) It includes the appropriate permissions for the different data types.

A

A passive scan impacts the hosts and network less than other scan types. A passive scanner does not send packets to the targets at all; it observes traffic that is already flowing on the subnet (captured banners, protocol negotiations, and similar) and infers services, versions, and weaknesses from what it sees. Because nothing is sent, the hosts are not loaded and nothing appears in their logs, but the view is limited to whatever the hosts happen to transmit while the capture runs. An active scan sends probes to the targets and so allows a more in-depth analysis. Active scans are further divided into non-intrusive scans, which probe for weaknesses without exploiting them, and intrusive scans, which attempt to exploit a weakness and therefore usually provide more meaningful results at the cost of greater impact on the targets.

To include the appropriate permissions for the different data types, you should perform a credentialed scan. A non-credentialed scan does not operate within the context of a user account, so it sees only what an anonymous network peer would see. The appropriate permissions may be needed to access all the data and applications on a device; a credentialed scan supplies them and can examine the entire host.

Although not always possible, limiting a scan to a particular operating system can be done with an agent-based scan. With an agent-based scan, agents are installed on the devices, and these agents send their scan results back to a central management server. In a server-based scan, the scanner runs from a server that scans all the devices over the network. Agent-based scanning is generally considered better than server-based scanning because it has less impact on the network, but an agent-based scan usually has more of an impact on the device on which the agent is installed.
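The passive-versus-active distinction in this card is easiest to see in code. The following is an added example written for these flashcards, not code from the original page: a passive scanner that only reads an already-captured set of banners (the capture is constructed inline and is not real traffic) and an active, non-intrusive scanner that opens a TCP connection to grab a banner. Both feed the same banner analysis, so the only difference between them is whether probes are sent. The policy thresholds (cleartext ports, deprecated TLS versions, minimum Apache and OpenSSH versions) are assumptions for the example rather than a published advisory, and the loopback `serve_banner` helper stands in for a host on the subnet so the active scan runs offline.

```python
"""Passive vs. active (non-intrusive) vulnerability scanning.

Added example for these flashcards; not code from the original page.
The capture is constructed inline, and the policy thresholds are an
assumption for the example, not a published advisory.
"""
import re
import socket
import threading
from dataclasses import dataclass

# Constructed sample of banners a sniffer on the subnet might have recorded:
# (host, port, first bytes seen from the server). Not real traffic.
CAPTURED_BANNERS = [
    ("10.0.5.10", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"),
    ("10.0.5.11", 23, "login: "),                       # Telnet prompt
    ("10.0.5.12", 443, "TLSv1.0 ServerHello"),          # constructed handshake summary
    ("10.0.5.13", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.34\r\n"),
    ("10.0.5.14", 21, "220 ProFTPD Server ready."),
]

# Assumed organisational policy for this example (hypothetical thresholds).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}
DEPRECATED_TLS_PREFIXES = ("TLSv1.0", "TLSv1.1")
MIN_VERSIONS = {"Apache": (2, 4), "OpenSSH": (8, 0)}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    issue: str


def analyse_banner(host, port, banner):
    """Pure analysis shared by both scanners; it never touches the network."""
    findings = []
    if port in CLEARTEXT_PORTS:
        findings.append(Finding(host, port, f"cleartext {CLEARTEXT_PORTS[port]} service"))
    if banner.startswith(DEPRECATED_TLS_PREFIXES):
        findings.append(Finding(host, port, f"deprecated {banner.split()[0]} offered"))
    for product, minimum in MIN_VERSIONS.items():
        m = re.search(rf"{product}[/_](\d+)\.(\d+)", banner)
        if m and (int(m.group(1)), int(m.group(2))) < minimum:
            findings.append(Finding(host, port,
                                    f"{product} {m.group(1)}.{m.group(2)} below policy minimum"))
    return findings


def passive_scan(captured):
    """Passive: consumes an existing capture and sends zero packets.
    Returns (findings, probes_sent); probes_sent is 0 by construction."""
    findings = []
    for host, port, banner in captured:
        findings.extend(analyse_banner(host, port, banner))
    return findings, 0


def active_banner_grab(host, port, timeout=2.0):
    """Active, non-intrusive: open one TCP connection and read the banner.
    The target sees this connection in its logs; nothing is exploited."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("utf-8", errors="replace")


def active_scan(targets):
    """Returns (findings, probes_sent); every target costs at least one probe."""
    findings, probes = [], 0
    for host, port in targets:
        probes += 1
        try:
            banner = active_banner_grab(host, port)
        except OSError:
            continue  # closed or filtered port: nothing to analyse
        findings.extend(analyse_banner(host, port, banner))
    return findings, probes


def serve_banner(banner):
    """Loopback stand-in for a host on the subnet so the active scan runs
    offline. Accepts one connection, sends the banner, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode())
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    found, probes = passive_scan(CAPTURED_BANNERS)
    print(f"passive: {len(found)} findings, {probes} probes sent")
    port = serve_banner("HTTP/1.1 200 OK\r\nServer: Apache/2.2.34\r\n")
    found, probes = active_scan([("127.0.0.1", port)])
    print(f"active:  {len(found)} findings, {probes} probes sent")
```

Run it and the passive pass reports four findings with zero probes sent, while the active pass costs one connection per target that the host can log and that a NIDS can see. The trade-off the card describes falls out of the shared `analyse_banner` function: the passive scanner can only judge what happened to cross the wire during the capture, whereas the active scanner chooses which ports to examine but announces itself to do so.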

63
Q

Which aspect of effective security compliance primarily focuses on individuals’ rights to control their personal information, including the ability to request its deletion?

A) Right to be forgotten
B) Legal implications
C) Data subject
D) Data inventory and retention

A

The right to be forgotten, also known as the right to erasure, grants individuals the right to request the deletion or removal of their personal data from an organization’s systems or records. This right is enshrined in privacy regulations such as the GDPR and allows individuals to exercise control over their personal information, particularly in cases where the data is no longer necessary for the purposes for which it was collected or processed. Compliance with the right to be forgotten requires organizations to establish procedures for handling data deletion requests and ensure that personal data is promptly and securely erased when requested by the data subject.

Legal implications of privacy compliance encompass the local/regional, national, and global laws and regulations that govern the collection, use, and protection of personal data. These legal frameworks define the rights and responsibilities of organizations regarding the processing of individuals’ personal information and establish penalties for non-compliance. For example, in the European Union, the General Data Protection Regulation (GDPR) outlines strict requirements for data protection and privacy, with significant fines for violations. Similarly, laws such as the California Consumer Privacy Act (CCPA) in the United States impose legal obligations on organizations handling personal data, with potential legal consequences for non-compliance.

The data subject refers to the individual to whom the personal data relates, whose privacy rights are protected by privacy regulations and laws. Data subjects have the right to control their personal information, including the right to access, correct, and delete their data, as well as the right to be informed about how their data is processed. Compliance with privacy regulations requires organizations to respect the rights of data subjects and implement measures to ensure the lawful and fair processing of their personal data.

Data inventory and retention practices involve identifying and categorizing the personal data collected and stored by an organization, as well as establishing policies and procedures for its proper retention and disposal. Effective data inventory and retention practices enable organizations to manage personal data responsibly, minimize data collection, and comply with legal requirements regarding data retention periods. By maintaining an accurate inventory of personal data and implementing data retention schedules, organizations can reduce the risk of unauthorized access, misuse, or retention of unnecessary data.

64
Q

What is the responsibility of the data controller?

A) Ensure that the data processor handles data rights requests.
B) Ensure that the data subject consents and protects that data.
C) Process the data on behalf of the data subject.
D) Process the data on behalf of the data owner.

A

The data controller is the entity that determines the purposes for which and the manner in which any personal data is processed. This entity determines the “why” and “how” personal data is processed. The data controller ensures that the data subject consents and makes sure to safeguard that data.

65
Q

Which of the following are key phases in implementing security awareness practices? (Choose two)

A) Anomalous behavior recognition
B) Execution
C) Development
D) Phishing

A

Development involves the creation of security awareness materials, training modules, policies, and procedures. This phase typically includes conducting a needs assessment, identifying target audiences, designing content, and tailoring materials to address specific security risks and organizational requirements. While development is essential for laying the groundwork for security awareness initiatives, it is not the phase focused on implementing those practices.

Execution is the implementation phase where security awareness practices are put into action. This includes delivering training sessions, disseminating educational materials, conducting simulated phishing exercises, and promoting a culture of security awareness. Effective execution involves engaging employees, tracking progress, and continuously evaluating and refining the security awareness program to address evolving threats and challenges.

66
Q

Anomalous behavior recognition: What is it?

A

Anomalous behavior recognition is not a phase, but a possible item to be addressed in security awareness. Anomalous behavior recognition refers to the ability to identify and respond to suspicious activities or deviations from normal patterns of behavior. This helps you identify something that is “not right” and outside the ordinary. While this is an important aspect of overall cybersecurity, it is not specifically related to the implementation of security awareness practices aimed at educating and empowering employees to recognize and mitigate security risks.

67
Q

Which external consideration of effective security governance is concerned with such topics as intellectual property rights, contracts, liability, and dispute resolution?

A) Regulatory
B) Legal
C) Global
D) National

A

Legal external considerations encompass laws, statutes, and legal precedents that govern security-related activities and obligations within a jurisdiction. This includes laws related to privacy, intellectual property rights, contracts, liability, and dispute resolution, which may impact security governance and risk management practices.

National external considerations pertain to laws, regulations, and standards that are specific to a particular country or nation. These may include national cybersecurity laws, data protection regulations, and industry-specific compliance requirements enforced by government agencies within a country’s jurisdiction.

Global external considerations encompass security standards, agreements, and initiatives that apply internationally across multiple countries and regions. Examples include global cybersecurity frameworks, international treaties, and collaborative efforts to address cybersecurity challenges on a global scale.

Regulatory external considerations involve the ways an organization can meet the laws, directives, and guidelines issued by governmental bodies or industry organizations to regulate specific industries, activities, products, or sectors. Regulatory requirements often mandate compliance with security standards, data protection measures, and reporting obligations to ensure the protection of sensitive information and mitigate security risks.

68
Q

Your organization has decided to outsource its e-mail service. The company chosen for this purpose has provided a document that details the e-mail functions that will be provided for a specified period, along with guaranteed performance metrics. What is this document called?

A) BPA
B) ISA
C) SLA
D) MOU

A

A service level agreement (SLA) is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period.

A business partner agreement (BPA) is an agreement between two companies that ensures that both parties implement the appropriate security measures. This type of agreement is particularly important when the two partners exchange data that could harm the companies’ reputations if the data was accessed by an attacker.

A memorandum of understanding (MOU) is a mutual agreement between two parties to perform a common action or relationship. If well-defined legal elements are included, the MOU is considered binding. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. An MOU is also known as a memorandum of agreement (MOA) or letter of agreement (LOA).

An interconnection security agreement (ISA) is an agreement established between organizations that own and operate connected systems to document the technical requirements of the connection. An ISA can also be used to ensure both parties have a clear understanding of the controls needed to protect the data.

All of these components are interoperability agreements. Security professionals should fully research the security implications of all of these types of agreements, as well as any others that their organization may employ as part of the risk assessment. This will ensure that the organization can implement the appropriate measures to prevent or at least reduce the risk.

69
Q

Your organization has decided to implement an encryption algorithm to protect data. One IT staff member suggests that the organization use IDEA. Which strength encryption key is used in this encryption algorithm?

A) 64-bit
B) 56-bit
C) 128-bit
D) 256-bit

A

International Data Encryption Algorithm (IDEA) uses a 128-bit encryption key to encrypt 64-bit blocks of data.

Data Encryption Standard (DES) uses a 56-bit key to encrypt 64-bit blocks of data. Some private key encryption standards support 256-bit encryption keys.

70
Q

You are an IT security analyst for a medium-sized company. Recently, several employees have reported receiving suspicious emails requesting sensitive information or asking them to click on suspicious links. Your manager has tasked you with enhancing security awareness practices to mitigate the risk of phishing attacks. What is the most immediate action you should take to address this situation?

A) Install and configure advanced email filtering software that can detect and block phishing attempts

B) Launch a series of phishing simulation campaigns to educate employees

C) Provide employees with comprehensive training on how to recognize phishing attempts

D) Develop clear guidelines for employees on how to respond to suspicious messages

A

As a first course of action, you should provide employees with comprehensive training on how to recognize phishing attempts. By empowering employees to identify phishing red flags, they can actively contribute to the company’s defense against such attacks. Recognizing phishing attempts early can prevent data breaches and protect sensitive information.

Launching a series of phishing simulation campaigns to educate employees would be an appropriate step to take after providing phishing training. By familiarizing employees with common phishing strategies, they are better equipped to identify and avoid falling victim to such attacks. Training and awareness campaigns are essential components of a comprehensive security awareness program.

Developing clear guidelines for employees on how to respond to suspicious messages is best employed after training employees to recognize suspicious messages. Employees should have clear procedures regarding responding to suspicious messages. Prompt reporting of suspicious emails enables the IT department to investigate and take appropriate action to mitigate potential risks. Educating employees on proper response protocols helps minimize the impact of phishing attacks on the organization.

Implementing email filtering software is a technical control that should complement employee training and awareness efforts, not replace it. Email filtering software can automatically detect and block known phishing emails, reducing the likelihood of employees encountering malicious messages. Implementing such software enhances the organization’s overall security posture and reduces reliance solely on employee vigilance.

71
Q

Match the tests on the left with the descriptions given on the right, based on how you are performing the scans and the target company’s level of awareness.

Vulnerability scan – a test carried out by internal staff that discovers weaknesses in systems to be improved or repaired before a breach occurs

Penetration test – an activity performed using an automated tool by a trained security team rather than internal security staff

Unknown environment test – a test conducted with the assessor having no knowledge about the systems being tested (formerly referred to as a black-box test)

Known environment test – a test conducted with the assessor having all of the knowledge about the systems being tested (formerly referred to as a white-box test)

Partially known environment test – a test conducted with the assessor having a little knowledge about the target environment (formerly referred to as a grey-box test)

A

The tests and their descriptions should be matched in the following manner:

Vulnerability scan – a test carried out by internal staff that discovers weaknesses in systems to be improved or repaired before a breach occurs

Penetration test – an activity performed using an automated tool by a trained security team rather than internal security staff

Unknown environment test – a test conducted with the assessor having no knowledge about the systems being tested (formerly referred to as a black-box test)

Known environment test – a test conducted with the assessor having all of the knowledge about the systems being tested (formerly referred to as a white-box test)

Partially known environment test – a test conducted with the assessor having a little knowledge about the target environment (formerly referred to as a grey-box test)

72
Q

Which aspect of effective security governance defines the framework for overseeing and modifying the rules and obligations concerning the management of technology assets?

A) Monitoring and revision
B) Roles and responsibilities for systems and data
C) Procedures
D) Types of governance structures

A

Roles and responsibilities for systems and data involve defining and assigning tasks, duties, and obligations for managing and protecting technology assets. This includes roles such as system administrators, data custodians, security officers, and compliance officers, each responsible for specific aspects of security governance. Clarifying roles and responsibilities helps ensure accountability, coordination, and effective execution of security tasks and activities.

Monitoring and revision refer to the ongoing process of tracking, assessing, and updating security measures and policies. It involves regularly reviewing security controls, policies, and procedures to ensure they remain effective and aligned with changing threats, technologies, and regulatory requirements. Monitoring and revision also include analyzing security incidents, vulnerabilities, and compliance status to identify areas for improvement and implementing necessary changes.

73
Q

What do the types of governance structures encompass?

A

Types of governance structures encompass various models and frameworks for organizing and managing security governance. This includes centralized, decentralized, and hybrid governance structures, as well as frameworks such as COBIT (Control Objectives for Information and Related Technologies), ITIL (Information Technology Infrastructure Library), and ISO/IEC 27001. These structures define how security responsibilities are distributed, decision-making processes, and accountability mechanisms to ensure effective security governance.

74
Q

What are procedures?

A

Procedures refer to documented instructions and steps for carrying out security-related tasks, processes, and activities. This includes procedures for incident response, access control, change management, risk assessment, and security awareness training. Procedures provide a structured approach for implementing security controls, ensuring consistency, repeatability, and compliance with security policies and standards.

75
Q

Your company recently conducted a penetration test for Verigon to determine compliance with several federal regulations. Six months after the test was conducted, Verigon management must provide compliance documentation of the penetration test. Which type of report is needed?

A) Attestation of findings
B) Rules of engagement
C) Lessons learned
D) Executive summary

A

An attestation of findings is needed because this is considered proof that the appropriate penetration test was completed.

An executive summary is part of the written report that was provided to Verigon for internal distribution only. A formal written penetration testing report is not generally distributed outside the organization and as such, should not be used as compliance documentation.

The rules of engagement define the actions that a penetration tester is allowed to take, and which actions the tester is prohibited from taking.

The lessons learned documents provide information about what is learned from the penetration test. This documentation would be generated by Verigon personnel without the contractor being present. Lessons learned will help improve future penetration tests.

76
Q

Which is the best way to ensure risk levels remain within acceptable limits of the organization’s risk appetite?

A) Business impact analysis
B) Threat modeling
C) Continuous monitoring
D) Vulnerability assessments

A

Risk management is an ongoing, cyclical process that recognizes the dynamic nature of risk and the need for continuous monitoring and assessment. It is the best way to ensure risk levels are within acceptable limits of the organization’s risk appetite.

A business impact analysis is best used to quantify likelihood and impact of risk scenarios, not to assess risk levels as compared to risk appetite.

Vulnerability assessments are designed to identify vulnerabilities, without regard to risk appetite.

Threat modeling is used to examine the nature of threats and potential threat scenarios, without regard to risk appetite.

77
Q

What are the four types of risk assessments?

A

CompTIA lists four types of risk assessment in the Security+ objectives: ad hoc, recurring, one-time, and continuous.

Ad hoc risk assessments are conducted on a sporadic or irregular basis, typically in response to specific events, changes, or emerging risks. These assessments are often unplanned and may be initiated in situations where there is a perceived need to evaluate a particular risk or issue, particularly in response to an event. Ad hoc risk assessments allow organizations to address immediate concerns or uncertainties that may arise unexpectedly. However, they may lack the systematic approach and consistency of regularly scheduled assessments.

Recurring risk assessments are conducted at regular intervals, such as monthly, quarterly, or annually, to evaluate and reassess the risk landscape over time. These assessments follow a predefined schedule and involve the systematic review of risks, controls, and mitigation strategies to ensure ongoing risk management effectiveness. Recurring risk assessments help organizations maintain awareness of evolving threats, vulnerabilities, and changes in the business environment, allowing for timely adjustments to risk management practices.

A one-time risk assessment, also known as a point-in-time assessment, is conducted as a single evaluation of risks within a specific scope or context. Unlike recurring assessments, which are conducted periodically, one-time risk assessments are performed as standalone exercises to address a particular need or objective. For example, a one-time risk assessment may be conducted prior to the implementation of a new system or process, during a merger or acquisition, or in response to a significant event or incident. While one-time assessments provide valuable insights into existing risks, they may not capture changes or developments over time.

Continuous risk assessment is an ongoing and dynamic process that involves real-time monitoring and evaluation of risks, enabling organizations to detect and respond to emerging threats and vulnerabilities promptly. Unlike traditional periodic assessments, continuous risk assessment leverages automated tools, technologies, and data sources to collect and analyze risk-related information continuously. This approach allows organizations to adapt their risk management strategies quickly in response to changing circumstances and evolving risk profiles, improving resilience and agility in addressing emerging threats and opportunities.

78
Q

Which of the following types of guidance and training focuses on educating users about recognizing and responding to potential security threats in their environment?

A) Password management
B) Policy/handbooks
C) Situational awareness
D) Insider threat

A

Situational awareness training focuses on educating users about recognizing and responding to potential security threats. Further, the emphasis is on teaching users to be observant and alert to potential security threats in their environment. This training encourages employees to pay attention to unusual behaviors, unauthorized access attempts, or other suspicious activities. As an example, an employee trained in situational awareness might notice a stranger wandering around the office without a visitor badge and report it to security, potentially preventing a physical security breach.

79
Q

You work for a large healthcare company in the US that recently had a breach of over 52,000 medical records. The records contained securely encrypted payment data and plaintext patient and doctor names and were intercepted through an insecure Wi-Fi connection. The board of directors initially chose not to disclose the breach to regulators or the public. However, after a third-party audit uncovered the breach, the board reported the incident according to the relevant laws, and also notified the media and affected patients.

What is the MOST likely outcome in this scenario?

A) The organization will face financial penalties and the board of directors will face criminal charges.

B) The organization will face financial penalties and may be subject to increased auditing.

C) The organization will not face financial penalties because no sensitive data was compromised, and the patients were notified of the incident.

D) The organization will face financial penalties and insurance providers will drop it from their network due to liability concerns.

E) The organization will face financial penalties and patients may find unauthorized charges on their credit cards.

A

The organization will face financial penalties and may be subject to increased future audits. Protected health information (PHI) is a highly regulated category of data that requires specific safeguards. PHI is considered any health record (written, electronic, or verbal) associated with an identifiable individual. A record linking a patient’s name with a provider’s name is considered PHI and therefore sensitive, even if no financial data was compromised.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that mandates how entities that collect health data must handle PHI. Specifically, organizations must follow the HIPAA Breach Notification Rule when unsecured health information is compromised. In the case of a significant breach, organizations can be required to adopt a corrective action plan to bring their data handling in line with HIPAA requirements and can be audited to prove compliance. Some states have additional laws regarding data protection and may assess local penalties separately from the federal penalties.

Organizations that handle PHI and PII should have an internal escalation process whereby any employee who discovers a data incident can notify the correct team members. They may also require an external escalation process to determine when to involve law enforcement, regulatory bodies, the news media, or third-party services.

It is not likely that the board of directors would face criminal charges. HIPAA would allow for higher fines if the board of directors failed to report the breach in the correct time frame. Criminal charges are more likely if patient data were being stolen or illegally accessed by an employee of the organization with the intent to commit financial fraud, blackmail, or harm. However, only the individual committing the theft would be charged.

It is not likely that the healthcare organization will be dropped by insurance companies due to the data breach. Because the stolen payment data was encrypted, it is not likely that patients will find unauthorized charges. However, data breaches can lead to a lack of public trust and harm to reputation.

80
Q

Audits are regarded as a tool for current-state risk assessments mainly because:

A) They provide recommendations for process improvements.

B) They identify IT and business risk scenarios and establish suitable risk responses for each.

C) They include listings of controls and the respective control owners.

D) They perform rigorous testing of current controls in place and rely strongly on evidence provided by process owners.

A

Audits can be used by the risk practitioner as a tool to assess the current state of risks because they perform rigorous testing of controls and rely strongly on evidence provided by the process owners. Audits provide information on the design and operating effectiveness of the controls in place.

The controls register, not the audit process, includes a listing of controls that are in place in an organization and the respective control owners.

Audits may, in some cases, provide recommendations for process improvements. However, this is not mandatory in audits, hence it is not the main reason why they are regarded as a current-state risk assessment tool.

Identification of risk scenarios and establishment of risk responses are management’s responsibility and are independent of audits.

81
Q

You are a cybersecurity consultant for your organization. Your organization has well-documented security policies and s. You run a phishing test and observe that 40% of the users clicked the links in the phishing emails and provided confidential information.

Which of the following is MOST LIKELY the reason your users are failing at these phishing campaigns?

A) Lack of punitive measures.
B) Lack of awareness and training sessions.
C) Lack of security incident response at the organizational level.
D) Lack of effective spam filters.

A

Lack of awareness and training sessions is the reason for failing phishing campaigns in the given scenario. Conducting regular employee security awareness training sessions will help employees recognize phishing attacks and avoid clicking on malicious links.

While a lack of punitive measures might result in a few users clicking the link, it is not the most likely reason for failing phishing campaigns. When 40% of users fall for the campaign, there is an overall lack of security awareness.

Lack of an intrusion detection system (IDS) is not the reason for the phishing campaign results. Phishing tests are internal to the organization and are triggered from inside the network or from a trusted source. Deploying an IDS can detect certain attacks, but it cannot detect phishing attacks because phishing attacks are sent via email and are not detected by IDSs.

Lack of security incident response at the organizational level is not the reason for failing phishing campaigns. Security incident response helps organizations track, analyze, and respond to security incidents, but will not educate users about security issues.

82
Q

Which vendor selection concern consists of thoroughly researching and investigating potential vendors to ensure they meet the security and compliance requirements you have established?

A) Conflict of interest
B) Due diligence
C) Regulatory compliance
D) Service-level agreements

A

Due diligence is the process of conducting comprehensive research and investigation into potential vendors before entering into a business relationship or agreement with them. It involves assessing various factors such as the vendor’s reputation, financial stability, security practices, regulatory compliance, and past performance. Due diligence helps organizations evaluate the risks associated with selecting a particular vendor and ensures that they meet security, privacy, and compliance requirements.

As an example, due diligence for a company considering a cloud provider could include an assessment of the provider’s security practices. Items to investigate could include reviewing the vendor’s security policies and procedures, evaluating the vendor’s data center facilities, verifying compliance with regulatory standards, assessing the vendor’s financial stability and reputation, and analyzing past performance and track record.

It is also vital that your organization understands the risks involved with integrating systems and data with third parties. You should ensure that a risk assessment is carried out and reported to management. Both organizations should periodically review the partnership’s security risks.

Conflicts of interest arise when a vendor’s interests or obligations conflict with those of the organization engaging their services. This could occur if a vendor has a financial interest in recommending certain products or services that may not be in the company’s best interest. Conflict of interest can compromise the integrity and impartiality of the vendor selection process, leading to biased decisions or unethical behavior. Organizations must identify and mitigate potential conflicts of interest to ensure fair and transparent vendor selection. For example, a conflict of interest could occur if a procurement manager responsible for selecting a vendor has a personal financial interest in one of the potential vendors.

83
Q

Which type of internal audit focuses on evaluating the adherence to industry regulations, standards, and internal policies?

A) Compliance
B) Audit committee
C) Process improvement
D) Self-assessments

A

Compliance audits focus on evaluating the adherence to industry regulations, standards, and internal policies. Compliance audits are conducted to ensure that an organization is operating within the boundaries of applicable laws, regulations, standards, and internal policies. These audits verify whether the organization’s processes, practices, and controls align with legal and regulatory requirements, industry standards, and internal policies. Compliance audits help identify areas of non-compliance and assess the effectiveness of controls implemented to mitigate risks.

The audit committee is not an internal audit. It is typically formed from an organization’s board of directors responsible for overseeing financial reporting, internal controls, and audit activities. While the audit committee plays a crucial role in providing oversight and governance of audit functions, it is not itself a type of internal audit.

Self-assessments involve internal stakeholders evaluating their own processes, practices, and controls against established criteria or benchmarks. These assessments are often conducted periodically to identify strengths, weaknesses, and areas for improvement within the organization. Self-assessments can help organizations proactively address issues and enhance performance without the need for external auditors.

Process improvement audits focus on evaluating and optimizing an organization’s internal processes, procedures, and workflows. These audits aim to identify inefficiencies, bottlenecks, and areas for enhancement to streamline operations, reduce costs, and improve overall performance. While process improvement is an important aspect of internal auditing, it is not a distinct type of internal audit.

84
Q

What is the purpose of quantitative risk analysis?

A) To generate an action plan for each identified risk

B) To generate a prioritized list of risks that might adversely affect the organization

C) To estimate the overall impact that a specific risk poses to the organization

D) To analyze a prioritized risk in such a way as to give it a numerical rating or value

A

The purpose of quantitative risk analysis is to analyze a prioritized risk in such a way as to give it a numerical rating. Quantitative risk analysis attempts to quantify, or assign numbers to, the prioritization, probability, and impact of a risk. These numbers could be statistical frequency or projected loss in dollars. The key benefit of quantitative risk analysis is that it produces measurable information to support decision-making regarding a risk response. Its key drawback is that it is detailed and time-consuming.

If the cost of a mitigation exceeds the likely cost of the risk, it may make sense to discontinue the mitigation and accept the impact of the risk if it occurs.

Risk assessments should begin with qualitative risk analysis, which uses expert judgment to quickly assign a probability and impact score to a risk, such as “unlikely / somewhat likely / very likely” probability and “low, medium, high” impact. These values are used to prioritize risks for response. For example, it is highly likely that employees in the accounting department will receive phishing emails. If an employee clicked a malicious link and entered company credentials on a malicious site, it could result in a high-impact breach. Therefore, the risk of a phishing attack can be qualitatively scored as very likely and high-impact, making it a high-priority risk.

Generating an action plan in response to each identified risk is part of risk response planning. Not all risks may require a response. Generating a prioritized list of risks and estimating a risk’s overall impact on the enterprise are tasks performed during risk identification and qualitative risk analysis.

85
Q

What values does quantitative analysis rely on?

A

Quantitative analysis relies on the following values:

Single loss expectancy (SLE) – the quantitative amount of loss (in currency) incurred by a single event if a threat takes place.
Annualized loss expectancy (ALE) – the portion of a loss potential (in currency) allocated to a single year (for example, 1/5 of the projected cost of a loss that is expected to occur once every five years).
Annualized rate of occurrence (ARO) – a numeric value representing the frequency with which a threat could occur in a single year.
Exposure factor (EF) – the percentage of the expected loss when an event occurs.

To find the SLE, you would multiply the asset’s financial value by the exposure factor. To find the ALE, you would multiply the SLE value by the annualized rate of occurrence (ARO) of an event.

SLE = asset value x EF

ALE = SLE x ARO

Let’s look at an example of this: Suppose your organization has a server that is worth $10,000. When an outage occurs, you approximate that 10% of the data will be lost (exposure factor). The administrator has determined that the server will fail approximately 5 times each year. To calculate SLE, you would multiply the asset value ($10,000) times the exposure factor (10%) and get an SLE value of $1,000. This is the value of a single loss incident. Then, to determine the ALE, you would multiply the SLE ($1,000) by the approximate number of times this incident will occur annually (5), yielding an ALE value of $5,000.

86
Q

Which type of penetration testing focuses on simulating real-world attacks to evaluate the effectiveness of security controls and identify vulnerabilities in a system or network?

A) Defensive
B) Integrated
C) Offensive
D) Physical

A

Offensive penetration testing, also known as red team testing, simulates realistic cyberattacks against systems, networks, or applications. Testers employ advanced techniques and tactics used by real attackers to breach defenses, exfiltrate sensitive data, or disrupt operations. The goal is to identify weaknesses in security controls and response capabilities, allowing organizations to improve their overall security posture. Offensive penetration testing typically provides a comprehensive assessment of security readiness and resilience against sophisticated threats.

Physical penetration testing assesses the physical security measures, such as access controls, surveillance systems, and perimeter defenses such as doors. Testers attempt to gain unauthorized access to facilities, server rooms, or sensitive areas through techniques like lock picking, tailgating, or social engineering. While physical security is an important aspect of overall security posture, physical penetration testing does not specifically focus on simulating real-world cyberattacks.

Defensive penetration testing, also known as blue team testing, focuses on assessing defensive capabilities and incident response procedures. Testers work collaboratively with the defenders to identify and mitigate vulnerabilities, detect and respond to simulated attacks, and improve overall security effectiveness. While defensive penetration testing is valuable for evaluating security controls and response capabilities, it does not specifically involve simulating real-world attacks to assess vulnerabilities.

Integrated penetration testing combines elements of offensive and defensive testing approaches to provide a holistic assessment of security posture. Testers simulate real-world cyberattacks while also evaluating defensive measures and incident response capabilities. This approach helps organizations identify vulnerabilities, assess the effectiveness of security controls, and enhance overall security readiness. Integrated penetration testing leverages both offensive and defensive techniques to provide a comprehensive evaluation of security posture.

87
Q

Which governance structure provides the highest level of autonomy with regard to decision-making authority in a large organization?

A) Centralized
B) Boards
C) Government entities
D) Committee
E) Decentralized

A

Decentralized governance structures would provide the most autonomy. A decentralized structure distributes decision-making authority across multiple units or departments. In a decentralized model, individual departments or business units have a degree of autonomy and are empowered to make decisions based on their specific needs and circumstances. Rather than relying on a central authority for all decisions, decentralized governance allows for flexibility, agility, and tailored approaches to address diverse needs and challenges across different parts of the organization.

Example:

Consider a large multinational corporation with operations spanning multiple countries and regions. To effectively manage its diverse business units and adapt to local market conditions, the corporation adopts a decentralized governance structure. Each regional office or business unit is granted a level of autonomy to make decisions related to sales, marketing, operations, and customer service based on local market dynamics, regulations, and customer preferences.

Committees are groups of individuals within an organization tasked with specific responsibilities, such as policy development, risk management, or compliance oversight. Committees may be temporary or permanent, depending on the nature of their mandate, and often include representatives from different departments or functions to ensure diverse perspectives and expertise.

Government entities refer to regulatory agencies, legislative bodies, or governmental organizations responsible for establishing and enforcing laws, regulations, and standards related to security governance. These entities play a vital role in shaping security policies, setting industry standards, and ensuring compliance with legal and regulatory requirements.

88
Q

Which external factor influences effective security governance by dictating rules and compliance standards by which organizations must abide?

A) Industry standards
B) Laws
C) Local/Regional governance
D) Regulations

A

Regulations dictate the rules and compliance standards that organizations must obey or meet. Regulations can be based on laws passed by governing bodies or on standards imposed by industry organizations. A regulation provides exact guidelines for meeting the requirements of the applicable law or standard.

Regulatory considerations may include data protection laws, industry-specific regulations such as Health Insurance Portability and Accountability Act (HIPAA) for healthcare or General Data Protection Regulation (GDPR) for data privacy, and compliance frameworks such as Payment Card Industry Data Security Standard (PCI DSS) for payment card industry compliance. Non-compliance with regulatory requirements can result in legal penalties, fines, and damage to an organization’s reputation.

Regulations are enforced by a mix of governmental and non-governmental bodies, and even regulations issued by non-governmental bodies can be binding on the organizations that fall under them. For example, the U.S. Department of Health and Human Services, Office for Civil Rights enforces the HIPAA rules. PCI DSS compliance is governed by the PCI Security Standards Council, an industry body. GDPR is enforced by the supervisory authority, commonly called the Data Protection Authority (DPA), in each of the 27 European Union member states; the regulation requires each DPA to be independent of its national government. The U.S. Consumer Product Safety Commission writes regulations to enforce consumer product safety laws.

As an analogy in the United States, a homeowner’s association (HOA) is a regulatory agency that may pass rules that govern behavior of its member homeowners in the community. A homeowner who paints their house in a color that was banned by the HOA would be subject to a penalty by the HOA, but the homeowner will not have broken any law.

Industry considerations pertain to standards, guidelines, and best practices established within specific sectors or industries to address security challenges and mitigate risks. These industry standards may be developed by industry associations, consortiums, or collaborative groups and often reflect the unique security requirements and concerns of particular industries. Adhering to industry standards helps organizations align their security practices with industry norms and expectations, enhancing interoperability, trust, and competitiveness.

Local/regional considerations involve factors and regulations specific to a particular geographic location or jurisdiction, such as city ordinances, state laws, or regional directives. These considerations may include local data protection laws, zoning regulations affecting physical security measures, or regional cybersecurity initiatives aimed at enhancing collaboration and resilience within a specific area. Adhering to local/regional requirements ensures compliance with local laws and addresses unique security challenges relevant to the organization’s operating environment.

89
Q

The business continuity team is interviewing users to gather information about business units and their functions. Which part of the business continuity plan includes this analysis?

A) disaster recovery plan
B) contingency plan
C) Business impact analysis
D) occupant emergency plan

A

The business impact analysis (BIA) includes interviews to gather information about business units and their functions.

A BIA is created to identify the vital functions and prioritize them based on need. Vulnerabilities and threats are identified, and risks are calculated. It is a methodology commonly used in business continuity planning. Its primary goal is to help the business units understand how an event will impact corporate functions. The purpose of the BIA is to create a document to understand what impact a disruptive event would have on the business; it is not intended to recommend an appropriate solution.

90
Q

A contingency plan?

A

A contingency plan is created to detail how all business functions will be carried out in the event of an outage or disaster. It should address residual risks. Interviewing is not included as part of its development.

91
Q

What are the steps of BIA?

A

One of the first steps in the BIA is to identify the business units. The information gathering stage of the BIA includes deciding on which techniques to use (surveys or interviews), selecting the individuals you plan to interview, and customizing the technique to gather the appropriate information. The analytical stage of the BIA includes analyzing the gathered information, determining the critical business functions, the maximum tolerable downtime (MTD), and the economic impact of disruption, and prioritizing the restoration of critical business functions. This leads to the establishment of a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each unit or item. The documentation stage includes documenting your findings and reporting back to management.

Writing a BIA includes the following steps:

Identifying the major functional areas of information
Analyzing the threats associated with each functional area
Determining the risk associated with each threat

92
Q

What is RTO?

A

RTO is the maximum acceptable time to restore a function or system after a disruption, and it drives how much must be invested in recovery capability. If the RTO is 2 hours, an organization will need to invest in a disaster recovery site, telecommunications, and automated systems to achieve full recovery in only 2 hours. However, if the RTO is 2 weeks, the required investment will be much lower because there will be time to acquire resources after an incident has occurred.

93
Q

What is RPO?

A

To calculate the RPO, an organization should determine how much data it can afford to lose. For example, if there is a database, is it tolerable to lose one hour of work, two hours, or maybe days? If a document is being written, can you afford to lose four hours of your work, the whole day, or a whole week’s work? This amount of time is the RPO. RPO is crucial for determining the frequency of your backups. If your RPO is four hours, then you need to perform backup at least every four hours. The more frequent the backup, the higher the cost of the backup. Because costs need to be balanced with risk, an organization may not be able to back up as frequently as they would like and must therefore accept a longer RPO.
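Added example, not part of the original flashcards: a check that a backup history and a recovery drill actually meet the RPO and RTO the BIA produced. The backup timestamps, incident time and drill result are constructed sample data; the 4-hour RPO and 2-hour RTO are the cards’ own figures.

```python
# Added example (not from the original flashcards): verifying a backup schedule
# against the RPO and a recovery drill against the RTO. All timestamps below are
# constructed sample data; the 4-hour RPO and 2-hour RTO come from the cards.
from datetime import datetime, timedelta

RPO = timedelta(hours=4)
RTO = timedelta(hours=2)

# Constructed backup-completion log for one database. Note the 08:00 -> 14:00 gap:
# one missed run is enough to break a 4-hour RPO.
BACKUPS = [
    datetime(2024, 3, 1, 0, 0),
    datetime(2024, 3, 1, 4, 0),
    datetime(2024, 3, 1, 8, 0),
    datetime(2024, 3, 1, 14, 0),
    datetime(2024, 3, 1, 18, 0),
]
INCIDENT = datetime(2024, 3, 1, 13, 0)           # assumed storage failure
SERVICE_RESTORED = datetime(2024, 3, 1, 14, 30)  # end of the assumed recovery drill


def max_backup_gap(backups):
    """Largest interval between consecutive backup completions. An incident just
    before the later backup of that pair loses the most data, so this is the
    worst-case loss the schedule allows and the number to compare with the RPO."""
    if len(backups) < 2:
        raise ValueError("need at least two backups to measure a gap")
    ordered = sorted(backups)
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def data_loss_at(backups, incident):
    """Work actually lost for an incident at `incident`: time since the last
    backup that completed before it."""
    completed = [b for b in backups if b <= incident]
    if not completed:
        raise ValueError("no backup completed before the incident")
    return incident - max(completed)


def meets_rpo(backups, rpo=RPO):
    """True when no gap in the backup history exceeds the RPO."""
    return max_backup_gap(backups) <= rpo


def meets_rto(outage_start, service_restored, rto=RTO):
    """True when the measured recovery time is within the RTO."""
    return service_restored - outage_start <= rto


if __name__ == "__main__":
    print("worst-case gap:", max_backup_gap(BACKUPS), "RPO met:", meets_rpo(BACKUPS))
    print("loss at incident:", data_loss_at(BACKUPS, INCIDENT))
    print("recovery time:", SERVICE_RESTORED - INCIDENT, "RTO met:", meets_rto(INCIDENT, SERVICE_RESTORED))
```

The point of measuring the largest gap rather than the nominal schedule is that a skipped or failed backup silently lengthens the real RPO; a recurring check like this turns the BIA’s number into something the backup job is held to.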

94
Q

Match the agreement name/acronym with its characteristics

A

Business partners agreement (BPA) – Establishes the rights, responsibilities, and expectations of two or more parties who agree to cooperate toward mutual business goals, including contributions, profit-sharing, decision-making authority, and dispute resolution.

Non-disclosure agreement (NDA) – Establishes confidentiality obligations between parties, preventing them from disclosing confidential information shared during the course of a business relationship.

Master service agreement (MSA) – Outlines the terms and conditions for the provision of services between a vendor and a client, including scope of work, responsibilities, and service levels, and serves as the framework under which individual work orders or SOWs are issued.

Memorandum of understanding (MOU) – Formalizes the mutual understanding and intentions regarding a specific project, initiative, or partnership between two or more parties.

Service level agreement (SLA) – Specifies the level of service expected and the metrics by which performance will be measured between a service provider and a client.

Memorandum of agreement (MOA) – Records the agreement on key terms, objectives, roles, and responsibilities between parties, serving as a preliminary step in negotiations or partnerships.

Work order (WO) – Authorizes a vendor to perform specific work or services for a client, detailing the scope of work, timelines, costs, and terms.

Statement of work (SOW) – Defines the scope, objectives, deliverables, and requirements for a project or engagement between a client and a vendor.

95
Q

Which risk management strategy involves acknowledging the potential impact of a risk without taking any action to mitigate or transfer it?

A) Transfer
B) Mitigate
C) Avoid
D) Accept

A

Risk acceptance involves acknowledging the existence of a risk and its potential impact on the organization’s objectives but choosing not to take any action to mitigate or transfer it. Instead, the organization consciously decides to bear the risk and its potential consequences. Risk acceptance may be appropriate when the cost of mitigation exceeds the expected loss associated with the risk, or when the organization determines that the risk is within its risk tolerance thresholds. It’s important to note that risk acceptance does not mean ignoring the risk; rather, it involves a deliberate decision to live with the risk.

In some cases, risk acceptance may involve granting exemptions or exceptions for certain risks, allowing them to proceed despite their inherent risks. Exemptions typically involve predefined criteria or conditions under which certain risks are allowed to occur, while exceptions may arise in extraordinary circumstances where deviations from standard risk management practices are justified.

Risk transfer involves shifting the financial burden or responsibility for managing a risk to another party, such as an insurance company or a third-party vendor. Organizations can transfer risks through mechanisms like insurance policies, outsourcing agreements, or contractual arrangements that allocate risk to a party better equipped to handle it. For example, purchasing cyber insurance can transfer the financial risk associated with data breaches or cyberattacks to an insurance provider, reducing the organization’s exposure to financial losses.

Risk avoidance involves taking deliberate actions to eliminate or minimize exposure to a risk by avoiding activities, situations, or decisions that could lead to the occurrence of the risk. Organizations may choose to avoid risks that pose significant threats to their objectives or that are outside their risk tolerance thresholds. For example, an organization may decide to avoid entering new markets with high political instability or regulatory uncertainty to minimize the risk of financial losses or reputational damage associated with operating in those regions.

Risk mitigation involves implementing measures to reduce the likelihood or impact of a risk to an acceptable level. Mitigation strategies may include implementing controls, safeguards, or countermeasures to prevent, detect, or mitigate the consequences of identified risks. Organizations may employ various mitigation techniques, such as implementing security controls to mitigate cybersecurity risks, diversifying investments to mitigate financial risks, or developing contingency plans to mitigate operational risks.

96
Q

Assign each element to external or internal compliance reporting.

A

The elements should be matched as follows:

Internal compliance reporting:

Policy adherence
Regular auditing
Incident response evaluation
Risk assessment
Employee training

Internal compliance reporting is the preparation and distribution of compliance-related information to the company’s stakeholders. These stakeholders can be executives, management, employee representatives, and internal audit teams. Internal compliance reporting provides an accounting of how well the company follows security policies, procedures, and standards. The reporting also shines a spotlight on out-of-compliance items that need improvement and remediation.

External compliance reporting:

Regulatory adherence
Third-party audits
Data privacy and protection
Transparency and accountability
Client and partner assurance

External reporting involves sharing compliance-related information with external parties outside the organization, such as regulatory agencies, industry partners, customers, shareholders, and auditors. It typically includes compliance certifications, audit reports, regulatory filings, and other documentation required to demonstrate compliance with legal and regulatory requirements. External reporting helps build trust, credibility, and transparency with external stakeholders and regulatory authorities, as well as facilitating compliance with industry standards and regulations.

97
Q

Which standard specifies rules and guidelines for regulating which personnel or systems can use resources and data?

A)Physical security standard
B)Password standard
C)Encryption standard
D)Access control standard

A

The access control standard specifies and regulates which personnel or systems can use resources and data. The standard includes policies, procedures, and technical controls for granting, revoking, and monitoring user access rights, privileges, and permissions. Access control mechanisms may include role-based access control (RBAC), mandatory access control (MAC), discretionary access control (DAC), and multi-factor authentication (MFA).

The password standard refers to the rules and guidelines for creating, managing, and protecting passwords used to authenticate users and grant access to systems and resources. It includes recommendations for password complexity, length, expiration, and storage, as well as guidelines for password management practices such as password hashing, salting, and storage encryption.
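Added example, not part of the original flashcards: a minimal enforcement of a password standard of the kind described above. The rules themselves (a 12-character minimum and a small block-list of known-bad passwords) are assumed for illustration; the storage half shows what “hashing and salting” means in practice, namely a fresh random salt per password and PBKDF2-HMAC-SHA256 rather than a plain or unsalted hash.

```python
# Added example (not from the original flashcards): enforcing an assumed password
# standard (12+ characters, not on a small block-list) and storing passwords as
# salted PBKDF2-HMAC-SHA256 hashes with constant-time verification.
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 12
BLOCKLIST = {"password", "password123", "letmein", "qwerty123456"}  # assumed list
PBKDF2_ITERATIONS = 600_000  # OWASP password storage guidance for PBKDF2-HMAC-SHA256


def check_password_standard(candidate: str) -> List[str]:
    """Return the list of standard violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BLOCKLIST:
        problems.append("appears on the block-list of known-bad passwords")
    if candidate.strip() != candidate:
        problems.append("leading or trailing whitespace")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash encoded as iterations$salt$digest (salt and digest hex).
    A new 16-byte random salt is drawn for every call, so two users with the
    same password get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so a mismatch leaks nothing through timing."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple"):
        print(repr(pw), "->", check_password_standard(pw) or "compliant")
    stored = hash_password("correct horse battery staple")
    print("stored:", stored[:40] + "...")
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("correct horse battery stapler", stored))
```

Storing the iteration count alongside the salt is what lets the standard raise the work factor later: old records still verify with their own count, and can be rehashed on the user’s next successful login.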

The physical security standard outlines rules and guidelines for securing physical assets, facilities, and infrastructure to prevent unauthorized access, theft, vandalism, and other physical threats. It includes measures such as access controls, surveillance systems, alarm systems, environmental controls, and security personnel to protect physical assets and ensure the safety and security of personnel and information.

The encryption standard defines rules and guidelines for encrypting sensitive data to protect it from unauthorized access, interception, and disclosure. It includes recommendations for selecting encryption algorithms, key management practices, and encryption protocols to ensure the confidentiality, integrity, and authenticity of data in transit and at rest. Encryption is used to safeguard data stored on devices, transmitted over networks, and processed by applications.

98
Q

Which of the following agreement types outlines the terms and conditions for service delivery between a vendor and a client, including scope of work, responsibilities, and service levels?

A)MOU
B)MSA
C)NDA
D)BPA

A

A master service agreement (MSA) is a contract that establishes the terms and conditions for the service delivery between a vendor and a client. It serves as a framework agreement that outlines the general terms, pricing, deliverables, and responsibilities for future transactions or projects between the parties. MSAs provide a standardized foundation for the parties to negotiate specific details and requirements for individual projects or work orders under the agreement.

99
Q

What is a BPA?

A

A business partners agreement (BPA) is a legal contract between two or more parties who agree to cooperate to achieve mutual business goals. It outlines the rights, responsibilities, and expectations of each partner in the partnership, including contributions, profit-sharing, decision-making authority, and dispute resolution mechanisms. Business partners agreements typically cover a wide range of business activities and may involve joint ventures, strategic alliances, or collaborative projects.

Here’s an example of two companies who could easily be in a BPA. One technology company specializes in software development and the other in hardware manufacturing. The two companies entered into a BPA to collaborate on creating a new product that integrates their respective technologies. The BPA outlines the terms of their partnership, including resource sharing, joint research and development efforts, marketing strategies, revenue sharing agreements, and dispute resolution mechanisms. Both companies benefit from the collaboration by leveraging each other’s expertise and resources to bring innovative products to market more efficiently.

100
Q

What is NDA?

A

A non-disclosure agreement (NDA) is a legal contract that establishes confidentiality obligations between parties, preventing them from disclosing confidential information shared during the course of a business relationship. NDAs are commonly used to protect sensitive information, trade secrets, proprietary data, and intellectual property from unauthorized disclosure or misuse. NDAs specify the types of information covered, the duration of confidentiality, and the consequences of breach. There are many instances where an NDA would be used: business negotiations, employee agreements, partnerships and collaborations, vendor relationships, product development, and more.

101
Q

What is a MOU?

A

A memorandum of understanding (MOU) is a formal agreement between parties that outlines their mutual understanding and intentions regarding a specific project, initiative, or partnership. MOUs are less formal than contracts and may not be legally binding, but they serve as a written record of the parties’ agreement on key terms, objectives, roles, and responsibilities. MOUs often precede the negotiation and execution of more detailed agreements, such as contracts or partnership agreements. Since an MOU is used in the preliminary stages, it can be considered a high-level agreement between parties that basically says, “here’s what we’re going to do”.

102
Q

What is WO?

A

A work order (WO) is a document issued by a client to authorize a vendor to perform specific work or services. It details the scope of work, deliverables, timelines, costs, and any other relevant terms and conditions for the project or task.

103
Q

What is SOW?

A

A statement of work (SOW) is a document that defines the scope, objectives, deliverables, and requirements for a project or engagement between a client and a vendor. SOWs outline the tasks to be performed, timelines, milestones, resources, and acceptance criteria for the work to be completed.

104
Q

Which consequence is often incurred due to non-compliance with security regulations or standards, potentially leading to diminished trust and credibility in the eyes of stakeholders?

A)Reputational damage
B)Sanctions
C)Contractual impacts
D)Loss of license

A

Reputational damage occurs when non-compliance with security regulations or standards results in negative perceptions, loss of trust, and diminished credibility in the eyes of stakeholders, including customers, partners, and the public. A tarnished reputation can lead to decreased customer loyalty, difficulty attracting new business opportunities, and long-term harm to the organization’s brand image. Reputational damage can have far-reaching consequences beyond immediate financial and legal repercussions, impacting the organization’s ability to thrive in the marketplace.

105
Q

What are the consequences of non-compliance with security regulations or standards?

A

Reputational damage, described in the previous card, is one consequence: negative perceptions, loss of trust, and diminished credibility with customers, partners, and the public.

Sanctions typically refer to punitive measures imposed by regulatory bodies or authorities as a result of non-compliance with security regulations or standards. These measures can include penalties, restrictions, or disciplinary actions aimed at deterring future violations and promoting adherence to established requirements. While sanctions can have financial implications and affect an organization’s operations, they primarily focus on regulatory enforcement rather than reputation.

Loss of license involves the revocation or suspension of a business license or operating permit due to non-compliance with security regulations or standards. This consequence can severely impact the ability to conduct business legally within a certain jurisdiction or industry sector. Loss of license may result in disruptions to operations, financial losses, and legal ramifications, but its primary impact is on the organization’s legal ability to conduct business, rather than reputation.

Contractual impacts refer to the consequences of non-compliance with security requirements outlined in contractual agreements or service level agreements (SLAs) between parties. Failure to meet security obligations specified in contracts can lead to breaches of contract, legal disputes, financial liabilities, and disruptions to business relationships. While contractual impacts can affect the organization’s financial and operational stability, their primary focus is on contractual obligations rather than reputation.

Another possible consequence of non-compliance is the imposition of fines. Fines are often significant financial penalties imposed by regulatory bodies or authorities. These fines serve as a deterrent to non-compliance and emphasize the importance of adhering to security requirements to avoid costly repercussions.

106
Q

Match the term for an element of effective security governance with its brief description.

A

Guidelines – Detailed instructions or recommendations that help users make decisions and perform tasks securely.

Policies – High-level statements that outline the organization’s objectives, rules, and responsibilities regarding security practices and procedures.

Standards – Specific rules or criteria set by regulatory bodies, industry best practices, or legal requirements that must be adhered to for compliance.

Procedures – Step-by-step instructions for carrying out security-related tasks or actions.

External considerations – Factors outside the organization that impact security governance, such as industry standards, legal regulations, and contractual obligations.

Guidelines are detailed instructions or recommendations that assist users in making decisions and performing tasks securely. They offer practical advice and best practices for implementing security measures but are not necessarily mandatory.

Policies are high-level statements that outline an organization’s objectives, rules, and responsibilities regarding security practices and procedures. They provide a framework for decision-making and guide employees on acceptable behavior and actions related to security.

Standards are specific rules or criteria established by regulatory bodies, industry best practices, or legal requirements that must be followed for compliance. They define the minimum requirements for security controls, protocols, and processes.

Procedures are step-by-step instructions for carrying out security-related tasks or actions. They detail how policies and standards are implemented in practice and provide guidance on operational activities to ensure security objectives are met.

External considerations refer to factors outside the organization that impact security governance. These may include industry standards, legal regulations, contractual obligations, and other external requirements that organizations must adhere to in order to maintain effective security practices and compliance.

107
Q

Which type of reporting and monitoring is typically conducted on a regular basis to detect and respond to security incidents as part of an organization’s ongoing security operations?

A)Initial
B)Recurring
C)Compliance
D)Operational

A

Recurring reporting and monitoring is conducted on a regular and systematic basis to continuously assess the effectiveness of security controls, detect anomalies or suspicious behavior, and maintain a proactive security posture. It involves scheduled checks of security systems, logs, and configurations to identify deviations from normal patterns or potential security threats. Recurring monitoring also includes regular security assessments, vulnerability scans, and penetration testing to identify and remediate weaknesses in the organization’s defenses. By conducting recurring monitoring, organizations can stay vigilant against evolving threats, ensure compliance with security policies and standards, and minimize the risk of security breaches. The frequency of recurring reporting and monitoring may vary depending on factors such as the organization’s risk tolerance, regulatory requirements, and the nature of its operations.

Initial reporting and monitoring are critical steps taken when a security incident is suspected or detected for the first time. This phase involves rapidly gathering relevant information about the incident, such as the nature of the security breach, the affected systems or data, and any potential impact on the organization’s operations. Initial reporting also includes notifying key stakeholders, such as the IT security team, incident response team, and management, to initiate the incident response process promptly. During this phase, it’s crucial to contain the incident to prevent further damage, assess the severity of the situation, and determine the appropriate course of action for mitigation and recovery. While initial reporting is essential for addressing security incidents in their early stages, it primarily focuses on the immediate response rather than ongoing monitoring and analysis.

Operational reporting and monitoring focus on the day-to-day activities and processes involved in managing and maintaining security within an organization. This includes monitoring security logs, analyzing network traffic, and reviewing access control lists to ensure that security measures are functioning as intended and to identify any deviations or suspicious behavior that may indicate a security breach.

Compliance reporting and monitoring involve assessing an organization’s adherence to regulatory requirements, industry standards, and internal policies related to security practices. While compliance monitoring is important for ensuring that security measures align with legal and regulatory obligations, it may not always capture the ongoing operational aspects of security monitoring.
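Added example, not part of the original flashcards: one recurring check of the kind described in the recurring and operational monitoring paragraphs above. A scheduled job collects a fresh snapshot of each host (listening ports and members of the administrators group), compares it with a known-good baseline, and the list of deviations becomes that run’s report. Both the baseline and the “current” snapshot are constructed sample data; in practice the snapshot would come from the hosts or the configuration management database.

```python
# Added example (not from the original flashcards): a scheduled configuration
# drift check. The baseline and the "current" snapshot are constructed sample
# data standing in for what a collection job would pull from each host.

BASELINE = {
    "web01": {"listening_ports": {22, 443}, "admins": {"alice", "bob"}},
    "db01": {"listening_ports": {22, 5432}, "admins": {"alice"}},
}

# Snapshot from this run: a new port and a new admin on web01, the database
# no longer listening on db01, and a host nobody added to the baseline.
CURRENT = {
    "web01": {"listening_ports": {22, 443, 8080}, "admins": {"alice", "bob", "deploy"}},
    "db01": {"listening_ports": {22}, "admins": {"alice"}},
    "jump01": {"listening_ports": {22}, "admins": {"mallory"}},
}

TRACKED = ("listening_ports", "admins")


def drift_report(baseline, current):
    """Compare a snapshot with the baseline. Returns a list of findings, each a
    tuple (host, attribute, kind, values) with kind one of 'added', 'removed',
    'unexpected_host' or 'missing_host'. An empty list means no deviation."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            findings.append((host, None, "unexpected_host", ()))
            continue
        if host not in current:
            findings.append((host, None, "missing_host", ()))
            continue
        for attr in TRACKED:
            expected = baseline[host].get(attr, set())
            observed = current[host].get(attr, set())
            added = tuple(sorted(observed - expected, key=str))
            removed = tuple(sorted(expected - observed, key=str))
            if added:
                findings.append((host, attr, "added", added))
            if removed:
                findings.append((host, attr, "removed", removed))
    return findings


def format_report(findings):
    """Render findings as one line each, ready for the recurring report."""
    if not findings:
        return ["no drift detected"]
    return [
        f"{host}: {kind}" + (f" {attr} {list(values)}" if attr else "")
        for host, attr, kind, values in findings
    ]


if __name__ == "__main__":
    # In production this block is what cron or the scheduler runs on each cycle.
    for line in format_report(drift_report(BASELINE, CURRENT)):
        print(line)
```

Each finding is either evidence of an approved change that should now be written into the baseline, or an unexplained deviation that goes to incident response; keeping the baseline in version control makes that decision auditable.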