Security Program Management and Oversight Flashcards
A company is developing its cybersecurity policies and procedures. While doing so, they refer to industry best practices that are not legally required but are recommended for improving security. What type of document are they most likely using?
A. Compliance regulations
B. Guidelines
C. Secure configuration guides
D. Benchmarks
✅
Correct Answer: B. Guidelines
🔹 Explanation: Guidelines provide recommendations for best practices but are not mandatory for compliance. They help organizations shape their security policies.
🔸 Why other choices are incorrect:
A. Compliance regulations – These are legally binding and must be followed.
C. Secure configuration guides – These provide specific settings for secure system configurations.
D. Benchmarks – These are industry-accepted standards for security but can be mandatory in regulated industries.
A company's cybersecurity team is responsible for ensuring compliance with evolving regulations. Since some regulatory requirements change more frequently than others, they must monitor for updates regularly.
Which of the following regulations is most likely to require frequent monitoring for updates?
A. A globally recognized standard, such as ISO 27001
B. A national cybersecurity law, such as FISMA
C. A local industry-specific regulation
D. A constitutional law regarding consumer privacy
✅
Correct Answer: C. A local industry-specific regulation
🔹 Explanation:
Regulations created by smaller governing bodies, such as state or industry-specific regulatory groups, are more prone to revision compared to national laws or international standards.
🔸 Why other choices are incorrect:
A. Global standards (ISO 27001) – These are guidelines, not legally mandated, and do not change as frequently.
B. National cybersecurity laws (FISMA) – National regulations are less frequently updated than local or industry-specific regulations.
D. Constitutional laws – Laws established at the constitutional level are very difficult to change and do not require frequent monitoring.
Which of the following best describes the purpose of an Acceptable Use Policy (AUP) in an organization?
A. To define how employees can use the organization's network, systems, or devices
B. To provide high-level security policies for securing organizational data
C. To outline procedures for responding to cybersecurity incidents
D. To establish how the organization will continue operations after a disaster
✅
Correct Answer: A. To define how employees can use the organization's network, systems, or devices
🔹 Explanation: An Acceptable Use Policy (AUP) defines what users are allowed and not allowed to do when using company resources such as networks, computers, and mobile devices.
🔸 Why other choices are incorrect:
B. Information Security Policy (ISP) – Covers broad security policies, not just system usage.
C. Incident Response (IR) Plan – Focuses on responding to cybersecurity incidents.
D. Disaster Recovery (DR) Plan – Focuses on restoring operations after disasters.
Which type of procedure defines how a new employee is securely added to an organization's systems and networks?
A. Access control procedure
B. Incident response playbook
C. Disaster Recovery (DR) Plan
D. Onboarding procedure
✅
Correct Answer: D. Onboarding procedure
🔹 Explanation: An onboarding procedure ensures that new employees are securely added to company systems by defining account creation, access provisioning, security training, and asset assignment steps.
🔸 Why other choices are incorrect:
A. Access control procedure – Covers authentication and authorization policies, but does not define the full onboarding process.
B. Incident response playbook – Focuses on cybersecurity threats, not employee onboarding.
C. Disaster Recovery (DR) Plan – Ensures business continuity after a disaster, but does not cover hiring procedures.
Which of the following policies provides a broad overview of how an organization secures information and data across its systems?
A. Incident Response (IR) Plan
B. Business Continuity (BC) Plan
C. Information Security Policy (ISP)
D. Change Management Policy
✅
Correct Answer: C. Information Security Policy (ISP)
🔹 Explanation: An ISP defines the high-level policies that guide an organization's overall security strategy, including credential management, encryption, and onboarding/offboarding.
🔸 Why other choices are incorrect:
A. IR Plan – Defines incident handling steps, not broad security policies.
B. BC Plan – Focuses on continuing business operations during disruptions.
D. Change Management Policy – Manages system and operational changes, not overall security policies.
A multinational company operates in both the United States and the European Union (EU) and collects customer data from both regions. The security team is tasked with ensuring the company follows all applicable data protection laws.
Which of the following best describes the type of security considerations the company must account for?
A. Industry considerations
B. Local/Regional considerations
C. National considerations
D. Global considerations
✅
Correct Answer: B. Local/Regional considerations
🔹 Explanation: The company must comply with both U.S. and EU data protection laws. Since the General Data Protection Regulation (GDPR) applies to all organizations handling EU residents' data, and U.S. laws apply to businesses within the U.S., these regional laws impact compliance requirements.
🔸 Why other choices are incorrect:
A. Industry considerations – Industry-specific regulations apply only within certain sectors, while this scenario involves geographic laws.
C. National considerations – National laws apply only within a single country, but this scenario spans multiple regions.
D. Global considerations – Global standards provide guidelines, but the company is legally required to follow regional laws.
Match each governance structure to its correct description.
Governance Structures:
1-Board of Directors
2-Committee
3-Government Entity
4-Centralized Governance
5-Decentralized Governance
Descriptions:
A. A hierarchical governance model where decisions flow from a top entity to all lower levels.
B. A group of individuals appointed by shareholders to oversee management.
C. A government-sponsored agency responsible for policy creation and enforcement.
D. A group of experts and managers responsible for a specific organizational function.
E. A governance model that allows lower levels of an organization to decide how to implement security policies.
✅ Correct Answer:
1 → B (Board of Directors = Oversees management, appointed by shareholders)
2 → D (Committee = Group responsible for a specific function, often with subject matter experts)
3 → C (Government Entity = Creates and enforces security policies, e.g., CISA)
4 → A (Centralized Governance = Hierarchical decision-making, top-down enforcement)
5 → E (Decentralized Governance = Provides policy direction but allows lower levels flexibility in implementation)
A company recently suffered a data breach and is conducting a risk assessment to determine the cause and severity of the incident. This assessment is being conducted in direct response to the breach and is being expedited to quickly address the issue.
Which type of risk assessment is the company performing?
A. Recurring
B. One-time
C. Ad hoc
D. Continuous
✅
Correct Answer: C. Ad hoc
🔹 Explanation:
An ad hoc risk assessment is performed in response to a specific event, such as a security breach, to quickly evaluate and address the risk.
🔸 Why other choices are incorrect:
A. Recurring – A recurring assessment is conducted at preset intervals, not in response to a sudden event.
B. One-time – A one-time assessment provides a broad overview of risk, rather than addressing an immediate concern.
D. Continuous – Continuous assessments are automated and ongoing, not reactive to a single incident.
A cybersecurity analyst is assessing potential threats to a financial institution. Since some risks cannot be easily quantified, the analyst assigns subjective ratings (e.g., low, medium, high) based on personal experience and expert judgment.
Which type of risk assessment is being conducted?
A. Qualitative
B. Quantitative
C. Exposure Factor (EF)
D. Probability Analysis
✅
Correct Answer: A. Qualitative
🔹 Explanation:
A qualitative risk assessment relies on expert judgment and subjective scales (e.g., 1-5 or low-high) to evaluate risks that lack precise numerical data.
🔸 Why other choices are incorrect:
B. Quantitative – Uses numerical values, formulas, and probability metrics, rather than subjective ratings.
C. Exposure Factor (EF) – Measures asset damage as a percentage, not risk rating.
D. Probability Analysis – Assigns numerical probability values, while qualitative assessments are subjective.
Which of the following formulas is used to determine the Annualized Loss Expectancy (ALE) in risk analysis?
A. ALE = ARO × SLE
B. ALE = EF × AV
C. ALE = Probability × Impact
D. ALE = Risk Severity × Likelihood
✅
Correct Answer: A. ALE = ARO × SLE
🔹 Explanation:
The Annualized Loss Expectancy (ALE) formula is: ALE = ARO × SLE, where:
ARO (Annualized Rate of Occurrence) = How often the risk is expected to occur in a year
SLE (Single Loss Expectancy) = The monetary loss per incident
🔸 Why other choices are incorrect:
B. EF × AV – This formula calculates Single Loss Expectancy (SLE), not ALE.
C. Probability × Impact – Does not determine financial loss expectancy per year.
D. Risk Severity × Likelihood – Used in qualitative assessments, but not for ALE.
A financial institution maintains a comprehensive document that tracks all potential cybersecurity risks, their likelihood, impact, and mitigation strategies. The document also includes a visual representation that helps executives make risk-based decisions.
Which of the following is the document and visualization method being used?
A. Key Risk Indicator (KRI) and Risk Appetite Statement
B. Risk Matrix and Risk Register
C. Risk Owner Report and Risk Threshold Graph
D. Risk Heat Map and Risk Tolerance Table
✅
Correct Answer: B. Risk Matrix and Risk Register
🔹 Explanation:
A Risk Register is a detailed document listing risks, their impact, likelihood, and potential mitigation strategies.
A Risk Matrix (Heat Map) is a visual tool used to quickly assess risk severity based on impact and likelihood.
🔸 Why other choices are incorrect:
A. KRI and Risk Appetite Statement – KRIs track risk indicators, but do not map risks visually.
C. Risk Owner Report and Risk Threshold Graph – Risk owners manage risks, but there is no such thing as a "Risk Owner Report".
D. Risk Heat Map and Risk Tolerance Table – "Risk Tolerance Table" is not a standard concept in risk management.
An organization uses automated security tools to monitor network traffic, detect potential security threats, and alert administrators in real time.
Which type of risk assessment is being used?
A. One-time
B. Recurring
C. Ad hoc
D. Continuous
✅
Correct Answer: D. Continuous
🔹 Explanation:
A continuous risk assessment is automated and ongoing, constantly analyzing security threats and alerting the organization to emerging risks.
🔸 Why other choices are incorrect:
A. One-time – A one-time assessment provides a risk snapshot at a single point in time.
B. Recurring – Recurring assessments occur at scheduled intervals, not continuously.
C. Ad hoc – Ad hoc assessments are reactive to specific events, rather than running continuously.
Which policy ensures that an organization continues to operate during and after a cybersecurity breach or incident?
A. Disaster Recovery (DR) Plan
B. Business Continuity (BC) Plan
C. Incident Response (IR) Plan
D. Software Development Lifecycle (SDLC) Policy
✅
Correct Answer: B. Business Continuity (BC) Plan
🔹 Explanation: A Business Continuity (BC) Plan ensures that an organization continues to function even after an incident, such as a cyberattack or hardware failure.
🔸 Why other choices are incorrect:
A. DR Plan – Focuses on restoring services after a disaster, not maintaining operations during an incident.
C. IR Plan – Focuses on detecting and responding to security incidents, not ensuring continuity.
D. SDLC Policy – Governs secure software development, not business operations.
A cybersecurity analyst is responding to a ransomware attack and follows a documented set of specific steps to contain and eliminate the threat. What is the analyst most likely using?
A. Incident Response (IR) Plan
B. Change Management Policy
C. Disaster Recovery (DR) Plan
D. Playbook
✅
Correct Answer: D. Playbook
🔹 Explanation: A playbook provides detailed procedural steps for responding to specific incidents, such as ransomware attacks. It guides security teams through containment, eradication, and recovery actions.
🔸 Why other choices are incorrect:
A. IR Plan – Provides general guidelines for handling incidents, but playbooks give step-by-step instructions.
B. Change Management Policy – Governs system modifications, not incident response.
C. Disaster Recovery (DR) Plan – Focuses on restoring IT services after a disaster, not responding to a cybersecurity attack.
A financial institution is updating its security policies to comply with mandatory, legally enforceable security regulations at different levels. Match each regulatory requirement to the correct category:
Regulatory Requirements:
HIPAA – Governs security of medical records.
GDPR – Regulates privacy and security of EU residents' personal data.
FISMA – Requires cybersecurity protections for U.S. federal agencies.
ISO 27001 – Provides internationally recognized security best practices.
Categories:
A. Industry Considerations
B. Local/Regional Considerations
C. National Considerations
D. Global Considerations
✅ Correct Answer:
HIPAA → A. Industry Considerations
GDPR → B. Local/Regional Considerations
FISMA → C. National Considerations
ISO 27001 → D. Global Considerations
🔹 Explanation:
HIPAA is an industry-specific regulation for medical entities.
GDPR applies regionally to all businesses handling EU residents' data.
FISMA is a national law for U.S. federal agencies.
ISO 27001 is a global security framework, but not legally required.
A multinational organization needs a governance model that allows its regional offices to implement security policies in a way that best fits their unique operational needs. However, they must still adhere to corporate security requirements.
Which type of governance model should the company adopt?
A. Centralized governance
B. Decentralized governance
C. Government entity oversight
D. Board of directors oversight
✅
Correct Answer: B. Decentralized governance
🔹 Explanation:
A decentralized governance model allows each regional office to decide how to implement security policies while still adhering to overall corporate requirements.
🔸 Why other choices are incorrect:
A. Centralized governance – Would require strict top-down enforcement, limiting flexibility.
C. Government entity oversight – External government agencies regulate compliance but do not dictate internal company structure.
D. Board of directors oversight – A board sets high-level policies but does not handle daily governance structure decisions.
Which of the following best describes the risk identification process in cybersecurity?
A. Assigning a severity value to a risk based on likelihood and impact
B. Determining any risk an organization and its environment may face
C. Implementing technical controls to mitigate identified risks
D. Conducting risk assessments at scheduled intervals
✅
Correct Answer: B. Determining any risk an organization and its environment may face
🔹 Explanation:
Risk identification is the process of determining and categorizing potential risks that an organization may face, including malicious risks, environmental risks, compliance risks, and financial risks.
🔸 Why other choices are incorrect:
A. Assigning a severity value – This is part of risk assessment, not risk identification.
C. Implementing controls – This falls under risk mitigation, which happens after risks are identified.
D. Conducting scheduled assessments – This describes recurring risk assessments, but risk identification happens before assessments are conducted.
Which of the following best describes the role of a data controller in data management?
A. The individual or entity that makes decisions about what data is collected and how it is processed.
B. The highest authority responsible for overseeing all data protection and compliance.
C. A third party responsible for processing data on behalf of another entity.
D. A technical specialist responsible for implementing security controls to protect data.
✅
Correct Answer: A. The individual or entity that makes decisions about what data is collected and how it is processed.
🔹 Explanation:
A data controller decides why data is collected, what data is collected, and how it will be used. This role is primarily used in EU-based regulations, such as GDPR.
🔸 Why other choices are incorrect:
B. Data owner – A data owner has higher authority over security and compliance.
C. Data processor – A processor carries out data operations but does not make decisions about collection or purpose.
D. Data custodian – A custodian secures data but does not control its processing rules.
Which of the following best describes the role of a government entity in cybersecurity governance?
A. It is responsible for overseeing a specific department within an organization.
B. It determines how an organization implements security policies at the operational level.
C. It is a group of shareholders that define an organization's security priorities.
D. It creates and enforces security policies and compliance regulations.
✅
Correct Answer: D. It creates and enforces security policies and compliance regulations.
🔹 Explanation:
Government entities, such as the Cybersecurity and Infrastructure Security Agency (CISA), are responsible for developing, enforcing, and monitoring cybersecurity policies and regulations to ensure compliance and national security.
🔸 Why other choices are incorrect:
A. Oversees a department – This describes a committee, not a government entity.
B. Determines operational security – This describes a decentralized governance model, not government oversight.
C. Group of shareholders – Shareholders appoint a board of directors, but they do not enforce security regulations.
A hurricane severely damages an organization's primary data center. Which policy will guide the organization in restoring services as quickly as possible?
A. Business Continuity (BC) Plan
B. Disaster Recovery (DR) Plan
C. Incident Response (IR) Plan
D. Change Management Policy
✅
Correct Answer: B. Disaster Recovery (DR) Plan
🔹 Explanation: A Disaster Recovery (DR) Plan focuses on recovering IT services after a major disaster (e.g., hurricanes, fires, floods).
🔸 Why other choices are incorrect:
A. BC Plan – Ensures operations continue during disruptions, but DR focuses on recovery after disasters.
C. IR Plan – Manages cybersecurity incidents, not natural disasters.
D. Change Management Policy – Governs system changes, not disaster recovery.
Which of the following best describes a security standard in an organization?
A. A high-level policy outlining security objectives
B. A detailed set of required security controls and configurations
C. A flexible guide with recommended best practices
D. A step-by-step guide for performing a specific security task
✅
Correct Answer: B. A detailed set of required security controls and configurations
🔹 Explanation: A standard is a mandatory set of security requirements that organizations must follow to ensure compliance. It serves as a baseline for security controls and may include minimum configurations and best practices.
🔸 Why other choices are incorrect:
A. High-level policy – Describes policies, which define security objectives but are not as detailed or technical.
C. Flexible guide – Describes guidelines, which are not mandatory like standards.
D. Step-by-step guide – Describes procedures, which outline how to execute tasks but are more specific than standards.
A U.S.-based healthcare provider is expanding its telemedicine services to patients in the European Union (EU). The IT security team is responsible for ensuring compliance with all applicable security regulations for protecting patient data.
Which of the following two regulations must the organization comply with? (Select TWO.)
A. Federal Information Security Modernization Act (FISMA)
B. General Data Protection Regulation (GDPR)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. International Organization for Standardization (ISO 27001)
E. California Consumer Privacy Act (CCPA)
✅
Correct Answers: B. GDPR and C. HIPAA
🔹 Explanation:
HIPAA applies to U.S. healthcare providers, ensuring the security and privacy of patient records.
GDPR applies because the company is handling data from EU residents.
🔸 Why other choices are incorrect:
A. FISMA – Applies only to U.S. federal agencies, not private healthcare providers.
D. ISO 27001 – A voluntary global security standard, not a legally required regulation.
E. CCPA – A California-specific law that does not apply to EU residents.
A financial institution conducts a risk assessment every quarter to evaluate potential threats to its network and ensure its risk response strategies remain appropriate.
Which type of risk assessment is the organization using?
A. One-time
B. Ad hoc
C. Recurring
D. Continuous
✅
Correct Answer: C. Recurring
🔹 Explanation:
A recurring risk assessment is conducted at preset intervals (such as quarterly) to monitor changes in risk over time and ensure appropriate risk management strategies are in place.
🔸 Why other choices are incorrect:
A. One-time – One-time assessments are performed only once and do not recur.
B. Ad hoc – Ad hoc assessments are performed only in response to specific incidents, not on a set schedule.
D. Continuous – Continuous assessments run nonstop and are often automated, rather than scheduled quarterly.
A company wants to perform a data-driven risk assessment to calculate the potential financial losses associated with a cyberattack. They use statistical models, probability values, and cost estimations to determine how much money they could lose if an incident occurs.
Which type of risk assessment is the company performing?
A. Qualitative
B. Quantitative
C. Impact Analysis
D. Likelihood Estimation
✅
Correct Answer: B. Quantitative
🔹 Explanation:
A quantitative risk assessment uses mathematical models, probability values, and financial data to produce replicable numerical results for risk evaluation.
🔸 Why other choices are incorrect:
A. Qualitative – Uses subjective ratings (e.g., low, medium, high) instead of numerical calculations.
C. Impact Analysis – Focuses on the effects of a risk, but does not include numerical calculations.
D. Likelihood Estimation – Determines how likely a risk will occur but does not assign financial values.
A startup technology company is willing to take on high-risk ventures to expand its market share quickly. The company understands the potential consequences but is willing to proceed with aggressive business strategies.
Which risk appetite best describes the company's approach?
A. Conservative
B. Neutral
C. Expansionary
D. Risk-averse
✅
Correct Answer: C. Expansionary
🔹 Explanation:
An expansionary risk appetite means the organization is willing to accept higher risks for the potential of greater rewards, such as rapid market expansion or aggressive investments.
🔸 Why other choices are incorrect:
A. Conservative – A conservative approach would prioritize protecting assets and avoiding risks.
B. Neutral – A neutral risk appetite balances risk-taking with protection, not aggressively pursuing high-risk strategies.
D. Risk-averse – This describes a company that avoids risk, which is the opposite of an expansionary approach.
Which of the following best describes risk tolerance in an organization?
A. The ability of an organization to continue operating despite risks exceeding its defined risk appetite
B. The process of identifying and analyzing potential risks before they impact business operations
C. The document that tracks all potential risks and their mitigation strategies
D. The threshold at which a risk becomes too high and requires immediate action
✅
Correct Answer: A. The ability of an organization to continue operating despite risks exceeding its defined risk appetite.
🔹 Explanation:
Risk tolerance is an organization's ability to endure risks beyond its predefined appetite while maintaining operations.
🔸 Why other choices are incorrect:
B. Identifying and analyzing risks – Describes Risk Analysis, not tolerance.
C. Document tracking risks – Describes a Risk Register, not tolerance.
D. Threshold where risk is too high – Describes Risk Threshold, not tolerance.
A well-established corporation with a dominant market position prioritizes protecting its assets and avoiding unnecessary risks. The company focuses on long-term stability over rapid expansion.
Which risk appetite best describes the company's approach?
A. Expansionary
B. Neutral
C. Conservative
D. High-risk
✅
Correct Answer: C. Conservative
🔹 Explanation:
A conservative risk appetite means the organization avoids unnecessary risks and prioritizes protecting existing assets and stability.
🔸 Why other choices are incorrect:
A. Expansionary – Expansionary risk appetite seeks high risk for high rewards, which this company does not do.
B. Neutral – Neutral risk appetite balances risk-taking and stability, while this company strictly avoids risk.
D. High-risk – Not a formal risk appetite classification, but closest to expansionary.
Which of the following is included in an Incident Response (IR) Plan?
A. Steps for responding to security incidents and lessons learned
B. Procedures for testing software before deployment
C. Guidelines for employees on acceptable use of IT resources
D. A roadmap for maintaining business operations during an outage
✅
Correct Answer: A. Steps for responding to security incidents and lessons learned
🔹 Explanation: An IR Plan outlines detection, response, and recovery steps when a security incident occurs. It also includes post-incident analysis (lessons learned).
🔸 Why other choices are incorrect:
B. Software testing procedures – Covered under SDLC Policy.
C. AUP – Defines acceptable IT resource usage, not incident response.
D. Business Continuity (BC) Plan – Focuses on keeping the business running, not incident handling.
Which of the following best describes global security considerations in a cybersecurity program?
A. They are legally binding regulations that organizations must follow.
B. They apply only to businesses operating in multiple countries.
C. They provide recommended best practices but are not mandatory.
D. They override national and regional security regulations.
✅
Correct Answer: C. They provide recommended best practices but are not mandatory.
🔹 Explanation:
Global security frameworks, such as ISO 27001, provide widely accepted cybersecurity best practices, but they are not legally required since no international governing body enforces them.
🔸 Why other choices are incorrect:
A. Legally binding regulations – Global frameworks are recommendations, not mandatory laws.
B. Apply to multinational businesses only – They can be followed by any organization, not just international ones.
D. Override national laws – National and regional laws take precedence over global frameworks.
Which of the following elements would most likely be included in an access control standard?
A. Acceptable use of IT resources
B. Steps for revoking access after an employee leaves the company
C. Minimum password requirements and account lifecycle policies
D. Encryption algorithms for securing data at rest
✅
Correct Answer: C. Minimum password requirements and account lifecycle policies
🔹 Explanation: An access control standard outlines minimum security requirements for accounts and authentication, including password policies, onboarding/offboarding procedures, and shared account restrictions.
🔸 Why other choices are incorrect:
A. Acceptable use of IT resources – Describes Acceptable Use Policies (AUPs), not access control standards.
B. Revoking access after employee departure – Part of offboarding procedures, but access control standards cover broader account lifecycle policies.
D. Encryption algorithms – Falls under encryption standards, not access control standards.
An organization is expanding and needs to establish a governance structure to oversee its cybersecurity program. The governance model must ensure that security policies are enforced uniformly across all departments and that lower-level teams have limited control over how policies are implemented.
Which type of governance model best fits these requirements?
A. Centralized governance
B. Decentralized governance
C. Committee-based governance
D. Industry-specific governance
✅
Correct Answer: A. Centralized governance
🔹 Explanation:
A centralized governance model ensures that security policies, standards, and procedures are enforced consistently across all departments. Lower-level teams must comply with policies rather than deciding how to implement them independently.
🔸 Why other choices are incorrect:
B. Decentralized governance – Gives lower levels control over implementation, which is not required in this case.
C. Committee-based governance – Committees oversee specific functions, but do not enforce security across an organization.
D. Industry-specific governance – Industry standards (e.g., HIPAA) define security controls but do not dictate internal governance structure.
A company purchases cybersecurity insurance to cover the financial impact of a potential data breach. This ensures that if an attack occurs, the insurance provider will handle the costs associated with recovery.
Which risk management strategy is the company using?
A. Mitigation
B. Acceptance
C. Transfer
D. Avoidance
✅
Correct Answer: C. Transfer
🔹 Explanation:
Risk transfer (transference) shifts the financial or operational burden of a risk to a third party, such as an insurance provider. This is commonly done through cyber insurance, outsourcing, or third-party agreements.
🔸 Why other choices are incorrect:
A. Mitigation – Reduces the risk impact but does not shift responsibility to another party.
B. Acceptance – Means choosing to do nothing about the risk, rather than transferring it.
D. Avoidance – Involves eliminating the risk entirely, not transferring liability.
Which of the following best describes risk mitigation?
A. Reducing the potential for and impact of a risk
B. Completely eliminating the risk from the organization
C. Documenting risk information and presenting it to stakeholders
D. Transferring risk responsibility to a third party
✅
Correct Answer: A. Reducing the potential for and impact of a risk
🔹 Explanation:
Risk mitigation is the strategy that reduces a risk's likelihood or impact through security measures, such as firewalls, monitoring, encryption, or multi-factor authentication (MFA).
🔸 Why other choices are incorrect:
B. Completely eliminating the risk – Describes risk avoidance, not mitigation.
C. Documenting risk and presenting it – Describes risk reporting, not mitigation.
D. Transferring responsibility to another party – Describes risk transfer, not mitigation.
A large corporation needs to define clear roles for managing and securing employee data. The head of Human Resources (HR) has the highest level of responsibility for ensuring the confidentiality, integrity, and availability of employee records.
Which role does the head of HR most likely hold?
A. Data owner
B. Data processor
C. Data controller
D. Data custodian
✅
Correct Answer: A. Data owner
🔹 Explanation:
A data owner is the highest-level entity responsible for ensuring proper security measures and compliance for a specific data set. Since HR handles employee records, the head of HR is the data owner in this case.
🔸 Why other choices are incorrect:
B. Data processor – A processor handles data on behalf of an owner/controller but does not control the data itself.
C. Data controller – A controller defines processing rules, but the head of HR has broader ownership responsibilities.
D. Data custodian – A custodian focuses on data security controls but does not own the data.
Which of the following best describes the impact of a risk?
A. The probability that a risk will occur within a specific time frame
B. The estimated financial or operational effect of a risk occurring
C. The number of times a risk is expected to occur annually
D. The overall risk score assigned to a potential threat
✅
Correct Answer: B. The estimated financial or operational effect of a risk occurring.
🔹 Explanation:
Impact refers to the effect a risk would have on an organization if it were to occur, including financial, operational, and reputational impacts.
🔸 Why other choices are incorrect:
A. Probability of risk occurrence – Describes Likelihood, not impact.
C. Number of occurrences per year – This is Annualized Rate of Occurrence (ARO).
D. Risk score assigned to a threat – This is Risk Severity, not impact.
A company requires that all sensitive information be protected both while stored and during transmission using industry-approved cryptographic methods. Which type of security standard would most likely define these requirements?
A. Access control standard
B. Physical security standard
C. Encryption standard
D. Password standard
✅
Correct Answer: C. Encryption Standard
🔹 Explanation: An encryption standard defines the minimum encryption algorithms, key lengths, and protocols required to secure data at rest and in transit.
🔸 Why other choices are incorrect:
A. Access control standard – Governs account security and authentication, not encryption methods.
B. Physical security standard – Covers physical asset protection, not data encryption.
D. Password standard – Focuses on password complexity and reuse policies, not encryption mechanisms.
Which policy defines how an organization submits, approves, and implements changes while considering security risks?
A. Software Development Lifecycle (SDLC) Policy
B. Incident Response (IR) Plan
C. Information Security Policy (ISP)
D. Change Management Policy
✅
Correct Answer: D. Change Management Policy
🔹 Explanation: A Change Management Policy ensures that changes to systems and processes are properly submitted, reviewed, approved, and implemented while considering both security risks and operational impact.
🔸 Why other choices are incorrect:
A. SDLC Policy – Covers software development security, not organizational change management.
B. Incident Response (IR) Plan – Focuses on handling security incidents, not managing routine changes.
C. ISP – Provides broad security guidelines, not a structured change approval process.
Question 2 (PBQ-Like Multi-Select)
Match each data role with its correct description.
Roles:
1-Data Owner
2-Data Controller
3-Data Processor
4-Data Custodian
5-Data Steward
Descriptions:
A. Makes decisions about what data is collected, why it is collected, and how it is processed.
B. Responsible for ensuring the safekeeping and protection of data, focusing on security controls and technical aspects.
C. Processes data on behalf of another entity based on pre-defined instructions.
D. The highest authority responsible for the data and accountable for its use and protection.
E. Manages the content and usage of collected data rather than its security.
✅ Correct Answer:
1 → D (Data Owner = The highest authority responsible for data security and compliance)
2 → A (Data Controller = Decides what data is collected and how it is processed)
3 → C (Data Processor = Handles data processing based on controller/owner requirements)
4 → B (Data Custodian = Focuses on securing and storing data)
5 → E (Data Steward = Ensures data accuracy, integrity, and compliance with regulations)
An organization chooses not to apply security patches to a non-critical system because the cost of patching exceeds the potential risk impact.
Which risk management strategy is the organization using?
A. Accept
B. Mitigate
C. Avoid
D. Transfer
✅
Correct Answer: A. Accept
🔹 Explanation:
Risk acceptance means the organization acknowledges the risk but decides to take no action because the cost of mitigation outweighs the impact.
🔸 Why other choices are incorrect:
B. Mitigate – Would involve applying security patches or implementing compensating controls.
C. Avoid – Would mean removing the system entirely, which is not happening here.
D. Transfer – Would mean outsourcing responsibility, such as purchasing insurance.
An IT security team formally documents and approves the continued use of a legacy system that falls outside the company’s risk tolerance due to business requirements. This decision requires executive approval and a defined expiration date.
Which risk management approach is being used?
A. Exception
B. Exemption
C. Mitigation
D. Transfer
✅
Correct Answer: B. Exemption
🔹 Explanation:
A risk exemption is a formal acceptance of risk that exceeds an organization’s normal risk appetite or tolerance. It requires executive approval and documentation, often with an expiration date or review period.
🔸 Why other choices are incorrect:
A. Exception – Allows temporary non-compliance with security policies but is usually granted on a case-by-case basis without formal expiration.
C. Mitigation – Would involve reducing the risk, not approving its acceptance.
D. Transfer – Would involve outsourcing risk responsibility, which is not happening here.
A company estimates that a cyberattack could cause $50,000 in damages per occurrence. The company also determines that this attack has a 20% chance of happening each year.
Which of the following values represents the Annualized Loss Expectancy (ALE)?
A. $10,000
B. $25,000
C. $50,000
D. $100,000
✅
Correct Answer: A. $10,000
🔹 Explanation:
ALE is calculated using the formula: ALE = ARO × SLE
where:
ARO = 0.2 (since 20% = 0.2 occurrences per year)
SLE = $50,000
ALE = 0.2 × $50,000 = $10,000
A company processes customer credit card payments through a third-party service provider. The third party does not own or control the data but processes transactions based on the company’s requirements.
Which role best describes the third-party service provider?
A. Data owner
B. Data controller
C. Data processor
D. Data custodian
✅
Correct Answer: C. Data processor
🔹 Explanation:
A data processor is responsible for handling data on behalf of the data owner or controller based on predefined instructions. In this case, the third-party service processes transactions but does not decide what data is collected or why.
🔸 Why other choices are incorrect:
A. Data owner – The company that collects and owns the credit card data is the data owner, not the processor.
B. Data controller – The controller decides what data is collected and how it’s processed, but this role belongs to the company, not the third-party processor.
D. Data custodian – A custodian focuses on securing and storing data, not actively processing transactions.
Which policy focuses on securing software through its entire lifecycle, including testing, execution, and maintenance?
A. Change Management Policy
B. Incident Response (IR) Plan
C. Acceptable Use Policy (AUP)
D. Software Development Lifecycle (SDLC) Policy
✅
Correct Answer: D. Software Development Lifecycle (SDLC) Policy
🔹 Explanation: An SDLC Policy ensures that software is developed, tested, deployed, and maintained securely throughout its entire lifecycle to minimize vulnerabilities.
🔸 Why other choices are incorrect:
A. Change Management Policy – Governs system modifications, but does not focus on software security.
B. Incident Response (IR) Plan – Handles security incidents, but does not govern software development security.
C. AUP – Defines acceptable IT usage, not software lifecycle security.
An organization is implementing security measures such as access controls, visitor management, and surveillance systems to protect its facilities and critical assets. Which type of standard would most likely define these requirements?
A. Encryption standard
B. Physical security standard
C. Playbook
D. Change management procedure
✅
Correct Answer: B. Physical Security Standard
🔹 Explanation: A physical security standard defines minimum security requirements for protecting an organization’s premises, assets, and personnel. This can include access control measures, security monitoring, and visitor entry protocols.
🔸 Why other choices are incorrect:
A. Encryption standard – Focuses on data encryption, not securing physical premises.
C. Playbook – Provides step-by-step response actions for incidents, not general security standards.
D. Change management procedure – Governs how system and process changes are implemented, not physical security measures.
Which of the following best describes a procedure in cybersecurity?
A. A document outlining security goals and intent
B. A set of flexible recommendations for security best practices
C. A mandatory, step-by-step guide for performing specific tasks
D. A set of guidelines for handling security incidents
✅
Correct Answer: C. A mandatory, step-by-step guide for performing specific tasks
🔹 Explanation: A procedure provides a detailed, step-by-step process that must be followed to ensure consistency and compliance in security tasks.
🔸 Why other choices are incorrect:
A. Security goals and intent – Describes policies, which define broad security objectives.
B. Flexible recommendations – Describes guidelines, which are not mandatory like procedures.
D. Guidelines for handling security incidents – Describes playbooks, which focus on incident response scenarios.
Match each risk assessment type with its correct description.
Risk Assessments:
1-Ad hoc
2-Recurring
3-One-time
4-Continuous
Descriptions:
A. Performed at regular intervals to monitor ongoing risks and ensure risk responses remain appropriate.
B. Conducted in response to a specific event or occurrence, often expedited.
C. Used to provide a high-level snapshot of an organization’s current risk state at a single point in time.
D. Runs automatically and continuously to detect emerging threats and alert the organization.
✅ Correct Answer:
1 → B (Ad hoc = In response to a specific event, expedited assessment)
2 → A (Recurring = Performed at regular intervals to monitor risk over time)
3 → C (One-time = A broad, high-level risk assessment at a specific point in time)
4 → D (Continuous = Ongoing, automated risk monitoring and alerting)
Match each risk analysis concept with its correct description.
Risk Analysis Concepts:
1-Exposure Factor (EF)
2-Single Loss Expectancy (SLE)
3-Annualized Rate of Occurrence (ARO)
4-Annualized Loss Expectancy (ALE)
5-Likelihood
Descriptions:
A. The estimated percentage of damage an asset will suffer when a specific risk occurs.
B. The expected monetary loss per occurrence of a risk.
C. The number of times a risk is expected to occur in a year.
D. The total monetary loss an organization expects to incur from a risk per year.
E. The probability that a risk will occur, commonly expressed as a percentage.
✅ Correct Answer:
1 → A (Exposure Factor = Percentage of damage an asset incurs per risk occurrence)
2 → B (SLE = Monetary loss per incident)
3 → C (ARO = Expected risk occurrences per year)
4 → D (ALE = Total yearly monetary loss expectation)
5 → E (Likelihood = Probability of risk occurrence, expressed as a percentage)
Which of the following best describes risk reporting?
A. The process of documenting and communicating risk information to stakeholders
B. The strategy of reducing risk through security controls
C. The maximum risk level an organization is willing to accept
D. The ability of an organization to withstand risks beyond its predefined limits
✅
Correct Answer: A. The process of documenting and communicating risk information to stakeholders
🔹 Explanation:
Risk reporting ensures that risk-related data is collected, maintained, and presented to decision-makers to inform security strategies.
🔸 Why other choices are incorrect:
B. Reducing risk through security controls – Describes risk mitigation, not reporting.
C. Maximum risk level an organization is willing to accept – Describes risk threshold, not reporting.
D. Ability to withstand risks beyond limits – Describes risk tolerance, not reporting.
An organization experiences a server outage and must restore operations within four hours to avoid significant business disruptions. This time constraint defines how long the company can tolerate system downtime before recovery.
Which BIA metric is being measured?
A. Recovery Time Objective (RTO)
B. Recovery Point Objective (RPO)
C. Mean Time to Repair (MTTR)
D. Mean Time Between Failures (MTBF)
✅
Correct Answer: A. Recovery Time Objective (RTO)
🔹 Explanation:
Recovery Time Objective (RTO) defines the maximum allowable downtime before operations must be restored. In this scenario, the company must recover within four hours, which is the RTO.
🔸 Why other choices are incorrect:
B. RPO – Defines acceptable data loss, not downtime.
C. MTTR – Measures average repair time, not maximum downtime tolerance.
D. MTBF – Measures average time between failures, not system recovery time.
A company is evaluating a potential cloud service provider to ensure it meets agreed-upon security requirements before signing a contract. The company plans to review penetration test results, audit reports, and independent security certifications.
Which process is the company conducting?
A. Supply Chain Analysis
B. Right-to-Audit Clause Enforcement
C. Vendor Assessment
D. Independent Assessment
✅
Correct Answer: C. Vendor Assessment
🔹 Explanation:
A vendor assessment ensures that a third-party provider meets security and compliance requirements. This can involve penetration testing, audits, independent assessments, and supply chain reviews.
🔸 Why other choices are incorrect:
A. Supply Chain Analysis – Focuses on supply chain security, not vendor compliance verification.
B. Right-to-Audit Clause Enforcement – A contractual right to audit, but the company hasn’t signed a contract yet.
D. Independent Assessment – Conducted by a third party, but the company is performing its own assessment.
Two government agencies agree to share cybersecurity intelligence and outline their roles and responsibilities in a legally binding document.
Which type of agreement is being used?
A. Memorandum of Agreement (MOA)
B. Memorandum of Understanding (MOU)
C. Master Service Agreement (MSA)
D. Service-Level Agreement (SLA)
✅
Correct Answer: A. Memorandum of Agreement (MOA)
🔹 Explanation:
A Memorandum of Agreement (MOA) is a legally binding document that defines the relationship and responsibilities of two or more parties, such as government agencies or organizations.
🔸 Why other choices are incorrect:
B. MOU – An informal, non-binding agreement, which would not be legally enforceable.
C. MSA – Used for long-term vendor-client relationships, not interagency cooperation.
D. SLA – Defines service performance guarantees, not organizational relationships.
A company is in the process of selecting a cloud service provider. To ensure security and compliance, the company evaluates the vendor’s financial stability, reputation, security protocols, and regulatory compliance before signing a contract.
Which process is the company performing?
A. Vendor Assessment
B. Due Diligence
C. Conflict of Interest Review
D. Supply Chain Analysis
✅
Correct Answer: B. Due Diligence
🔹 Explanation:
Due diligence is the process of thoroughly evaluating a vendor before selection, including assessing financial stability, security measures, and regulatory compliance.
🔸 Why other choices are incorrect:
A. Vendor Assessment – Typically verifies security compliance after the vendor is selected.
C. Conflict of Interest Review – Focuses on vendor-client conflicts, not general vendor evaluation.
D. Supply Chain Analysis – Examines security risks in the supply chain, not vendor selection.
A healthcare provider fails to secure patient records in accordance with HIPAA regulations. As a result, the government imposes a $2 million penalty for the violation.
Which consequence of non-compliance is being applied?
A. Contractual Impacts
B. Sanctions
C. Fines
D. Reputational Damage
✅
Correct Answer: C. Fines
🔹 Explanation:
Fines are monetary penalties imposed for non-compliance with regulations, such as HIPAA, GDPR, or PCI DSS.
🔸 Why other choices are incorrect:
A. Contractual Impacts – Would apply if a business contract was terminated due to the violation.
B. Sanctions – Include business restrictions or criminal charges, but fines alone do not count as sanctions.
D. Reputational Damage – The company’s public image may suffer, but the primary consequence is a financial penalty.
A healthcare organization in the United States is required to comply with a national law that protects patient health information. Which of the following regulations applies to this scenario?
A. GDPR
B. HIPAA
C. CCPA
D. ISO 27001
✅
Correct Answer: B. HIPAA
Explanation:
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. national law that protects patient health information.
Why not the others?
A. GDPR: This is a European Union regulation, not specific to the U.S.
C. CCPA: This is a California state law focused on consumer privacy, not healthcare data.
D. ISO 27001: This is an international standard for information security management, not a law.
A financial institution hires a third-party auditing firm to evaluate its adherence to PCI-DSS standards. The auditors review the institution’s systems, processes, and documentation, and provide a formal report detailing compliance gaps and recommendations.
Which compliance monitoring method is being used?
A. External Compliance Monitoring
B. Internal Compliance Monitoring
C. Automation
D. Attestation and Acknowledgment
✅
Correct Answer: A. External Compliance Monitoring
Explanation: The use of a third-party auditing firm to assess compliance with regulatory standards is an example of external compliance monitoring.
A company is conducting an ongoing review of a vendor’s security policies, contractual performance, and compliance with business agreements.
Which process is the company performing?
A. Vendor Monitoring
B. Vendor Selection
C. Supply Chain Analysis
D. Right-to-Audit Clause Enforcement
✅
Correct Answer: A. Vendor Monitoring
🔹 Explanation:
Vendor monitoring is the continuous evaluation of a vendor’s compliance, performance, and security posture throughout the entire vendor-client relationship.
🔸 Why other choices are incorrect:
B. Vendor Selection – Occurs before choosing a vendor, not for ongoing monitoring.
C. Supply Chain Analysis – Focuses on supply chain security, not vendor contract compliance.
D. Right-to-Audit Clause Enforcement – Allows audits, but vendor monitoring is broader, including performance and compliance tracking.
A company performs nightly backups at 12:00 AM. If a system failure occurs at 11:00 PM, the organization can only restore data from the previous night’s backup.
Which BIA metric is affected by this limitation?
A. Recovery Time Objective (RTO)
B. Recovery Point Objective (RPO)
C. Mean Time to Repair (MTTR)
D. Mean Time Between Failures (MTBF)
✅
Correct Answer: B. Recovery Point Objective (RPO)
🔹 Explanation:
Recovery Point Objective (RPO) defines how much data loss is acceptable in a system failure. Since the last backup was at 12:00 AM, the organization risks losing up to 23 hours of data, which is the RPO value.
🔸 Why other choices are incorrect:
A. RTO – Defines maximum downtime, not data loss.
C. MTTR – Measures repair time, not data recovery limits.
D. MTBF – Tracks system reliability, not backup frequency.
A financial institution requires all third-party vendors to provide their internal audit results upon request. This requirement helps ensure vendors are following proper risk management and security controls.
Which process is being used?
A. Vendor Penetration Testing
B. Supply Chain Analysis
C. Right-to-Audit Clause
D. Evidence of Internal Audits
✅
Correct Answer: D. Evidence of Internal Audits
🔹 Explanation:
Evidence of internal audits allows an organization to review a vendor’s internal security documentation and controls to verify risk management practices.
🔸 Why other choices are incorrect:
A. Vendor Penetration Testing – Penetration testing involves simulated attacks, not reviewing audit documentation.
B. Supply Chain Analysis – Focuses on supply chain security, not vendor risk management practices.
C. Right-to-Audit Clause – Allows clients to perform audits, but this scenario is about reviewing vendor audit reports, not conducting an audit.
A security firm is considering hiring a cybersecurity consulting company to assess its network security. However, during the vendor selection process, the firm discovers that the consulting company also provides services to one of its direct competitors.
Which risk is present in this situation?
A. Due Diligence Failure
B. Vendor Mismanagement
C. Conflict of Interest
D. Supply Chain Risk
✅
Correct Answer: C. Conflict of Interest
🔹 Explanation:
A conflict of interest occurs when a vendor serves multiple clients with competing interests, which may lead to security risks or biased decision-making.
🔸 Why other choices are incorrect:
A. Due Diligence Failure – The company did identify the issue during vendor evaluation, so due diligence was conducted correctly.
B. Vendor Mismanagement – No evidence suggests the vendor is mismanaging resources or security.
D. Supply Chain Risk – This involves product and distribution security, not competing client interests.
A cybersecurity team is evaluating a vendor’s security posture by sending a detailed survey about data protection policies, regulatory compliance, and security practices.
Which vendor monitoring method is being used?
A. Compliance Monitoring
B. Rules of Engagement
C. Questionnaires
D. Financial Monitoring
✅
Correct Answer: C. Questionnaires
🔹 Explanation:
Questionnaires are used to gather vendor insights regarding security practices, data handling, and compliance. They are a common tool in vendor assessments and monitoring.
🔸 Why other choices are incorrect:
A. Compliance Monitoring – Ensures the vendor follows security policies, but this question refers to collecting vendor-provided information.
B. Rules of Engagement – Defines system access and vendor interactions, not security surveys.
D. Financial Monitoring – Reviews financial stability, not security posture.
A healthcare organization is audited by a regulatory body and found to be non-compliant with HIPAA requirements due to inadequate data protection measures. As a result, the organization is prohibited from processing patient data until corrective actions are implemented.
Which consequence of non-compliance is being applied?
A. Contractual Impacts
B. Sanctions
C. Loss of License
D. Fines
Explanation:
The correct answer is B. Sanctions, as the organization is being prohibited from processing patient data (a form of restriction or penalty) until compliance is restored.
Why not the others?
A. Contractual Impacts: This would involve breaches of agreements with third parties, not regulatory penalties.
C. Loss of License: This would involve the revocation of a business license, which is not mentioned here.
D. Fines: This would involve monetary penalties, which are not described in the scenario.
A company prepares compliance documentation that details how its security policies align with industry regulations. The report is intended for internal executives and board members to assess the organization’s compliance posture and identify gaps.
Which type of compliance reporting is being performed?
A. Internal Compliance Reporting
B. External Compliance Reporting
C. Regulatory Compliance Audit
D. Risk Management Review
✅
Correct Answer: A. Internal Compliance Reporting
🔹 Explanation:
Internal compliance reporting is used to inform high-level internal stakeholders, such as executives or board members, about compliance gaps, security posture, and areas for improvement.
🔸 Why other choices are incorrect:
B. External Compliance Reporting – Intended for government agencies or business partners, not internal executives.
C. Regulatory Compliance Audit – Involves formal assessments by auditors, not internal reporting.
D. Risk Management Review – Evaluates risk exposure, not compliance status.
Which of the following best describes Mean Time to Repair (MTTR)?
A. The average time required to repair and restore a failed system
B. The maximum time an organization can tolerate system downtime
C. The estimated data loss an organization can afford during an outage
D. The expected time between system failures, measuring reliability
✅
Correct Answer: A. The average time required to repair and restore a failed system
🔹 Explanation:
MTTR (Mean Time to Repair) is the average time it takes to restore a failed system to normal operations, including troubleshooting, fixing, and verifying repairs.
🔸 Why other choices are incorrect:
B. RTO – Defines maximum tolerable downtime, not actual repair time.
C. RPO – Refers to acceptable data loss, not repair time.
D. MTBF – Measures time between failures, not repair duration.
Which of the following best describes an independent assessment in third-party risk management?
A. A security evaluation conducted by a third party unaffiliated with both the vendor and the client
B. A mandatory security review performed internally by a vendor’s IT security team
C. A penetration test conducted by the client to assess vendor security vulnerabilities
D. A process that tracks a productβs movement through the supply chain to identify security risks
✅
Correct Answer: A. A security evaluation conducted by a third party unaffiliated with both the vendor and the client
🔹 Explanation:
An independent assessment is performed by an external entity that is not associated with the client or the vendor, ensuring an unbiased security evaluation.
🔸 Why other choices are incorrect:
B. Internal security review by vendor – This describes internal audits, not independent assessments.
C. Penetration test by client – Penetration testing is different from independent third-party security reviews.
D. Supply chain tracking – Describes supply chain analysis, not independent assessments.
Which of the following best describes Rules of Engagement in vendor monitoring?
A. A survey used to assess a vendor’s compliance with security and operational requirements
B. A set of predefined conditions detailing how vendor testing, access, and monitoring may occur
C. A contract that outlines the minimum level of service a vendor must provide
D. An agreement between business partners outlining roles, responsibilities, and expectations
✅
Correct Answer: B. A set of predefined conditions detailing how vendor testing, access, and monitoring may occur
🔹 Explanation:
Rules of Engagement establish what systems a vendor can access, what actions they can perform, and when testing or monitoring is permitted.
🔸 Why other choices are incorrect:
A. Security questionnaires – Used for vendor assessments but do not set access or testing boundaries.
C. SLA (Service-Level Agreement) – Defines service expectations, not testing permissions.
D. BPA (Business Partners Agreement) – Governs partnerships, not vendor security access rules.
A vendor agreement states that the vendor must maintain at least 99.5% uptime. The client regularly tracks server availability and response times to ensure the vendor meets this requirement.
Which type of vendor monitoring is being performed?
A. Compliance Monitoring
B. Financial Monitoring
C. Rules of Engagement
D. Performance Monitoring
✅
Correct Answer: D. Performance Monitoring
🔹 Explanation:
Performance Monitoring tracks a vendor’s ability to meet service obligations, such as uptime, response times, and issue resolution, ensuring adherence to the agreement.
🔸 Why other choices are incorrect:
A. Compliance Monitoring – Focuses on regulatory and security compliance, not service-level agreements.
B. Financial Monitoring – Evaluates vendor financial health, not operational uptime.
C. Rules of Engagement – Establishes testing conditions and vendor access, but does not track performance metrics.
A cybersecurity team compiles detailed compliance documentation to be shared with external auditors and government regulators.
Which type of compliance reporting is being performed?
A. Internal Compliance Reporting
B. Security Control Validation
C. Risk Assessment Review
D. External Compliance Reporting
✅
Correct Answer: D. External Compliance Reporting
🔹 Explanation:
External compliance reporting provides formal documentation to government regulators, auditors, or external business partners to prove compliance with security laws and standards.
🔸 Why other choices are incorrect:
A. Internal Compliance Reporting – Intended for executives and board members, not external auditors.
B. Security Control Validation – Focuses on testing security controls, not compliance reporting.
C. Risk Assessment Review – Assesses risk exposure, not regulatory compliance documentation.
A cloud service provider is found to be non-compliant with data residency laws in a specific country. As a result, the government revokes the provider’s authorization to operate within that country until the issue is resolved.
Which consequence of non-compliance is being applied?
A. Contractual Impacts
B. Sanctions
C. Loss of License
D. Fines
Explanation:
The correct answer is C. Loss of License, as the provider’s authorization to operate (a form of license) is revoked by the government.
Why not the others?
A. Contractual Impacts: This would involve breaches of agreements with clients or partners, not regulatory penalties.
B. Sanctions: This would involve restrictions or penalties imposed by a regulatory body, but not necessarily the revocation of a license.
D. Fines: This would involve monetary penalties, which are not described in the scenario.
A company has implemented a process where employees are required to review and sign off on the organization’s security policies annually. Additionally, the company uses automated tools to track policy adherence and generates reports for management review.
Which compliance monitoring method is being used?
A. External Compliance Monitoring
B. Internal Compliance Monitoring
C. Automation
D. Attestation and Acknowledgment
Explanation:
The correct answer is D. Attestation and Acknowledgment, as employees are required to review and sign off on policies, which is a key aspect of this method.
Why not the others?
A. External Compliance Monitoring: This involves third-party audits or assessments, which are not mentioned in the scenario.
B. Internal Compliance Monitoring: While the company is monitoring compliance internally, the focus here is on employee attestation and acknowledgment, which is a specific method.
C. Automation: Although automated tools are used, the primary method being described is employee attestation.
Under which regulation does an individual have the right to request the deletion of their personal data when it is no longer needed for the purpose it was collected?
A. HIPAA
B. GDPR
C. CCPA
D. Privacy Act of 1974
✅
Correct Answer: B. GDPR
Explanation:
The General Data Protection Regulation (GDPR) includes the “Right to Be Forgotten,” allowing individuals to request data deletion under specific conditions.
Why not the others?
A. HIPAA: This focuses on healthcare data privacy and does not include a right to be forgotten.
C. CCPA: This provides rights to access and delete data but is not as comprehensive as GDPR.
D. Privacy Act of 1974: This U.S. law governs federal agency use of personal data but does not include a right to be forgotten.
A company collects customer data and decides how it will be used for marketing purposes. A third-party vendor processes the data on behalf of the company. Which role does the company play in this scenario?
A. Data Subject
B. Data Processor
C. Data Controller
D. Data Owner
Correct Answer: C. Data Controller
Explanation:
The data controller decides the purpose and methods of data processing.
Why not the others?
A. Data Subject: This is the individual (e.g., customer) whose data is being processed.
B. Data Processor: This is the third-party vendor that processes the data on behalf of the controller.
D. Data Owner: This refers to the entity responsible for protecting the data, often a high-level employee, not the organization as a whole.
A company is conducting a data inventory to identify the types of sensitive information it holds. Which of the following is an example of PII?
A. Employee salary data
B. Company financial reports
C. Publicly available marketing materials
D. Encrypted customer passwords
Correct Answer: A. Employee salary data
Explanation:
Personally Identifiable Information (PII) refers to data that can identify an individual, such as salary data linked to an employee.
Why not the others?
B. Company financial reports: This is corporate data, not tied to an individual.
C. Publicly available marketing materials: This is not sensitive or personal data.
D. Encrypted customer passwords: While sensitive, passwords alone are not PII unless linked to an individual.
A manufacturing company wants to evaluate the reliability of its equipment by measuring the average time between failures of a production server.
Which metric should be used?
A. Recovery Time Objective (RTO)
B. Recovery Point Objective (RPO)
C. Mean Time to Repair (MTTR)
D. Mean Time Between Failures (MTBF)
Correct Answer: D. Mean Time Between Failures (MTBF)
Explanation:
MTBF (Mean Time Between Failures) measures how long a system operates before it fails again, making it a key indicator of system reliability.
Why other choices are incorrect:
A. RTO: Refers to maximum downtime tolerance, not system reliability.
B. RPO: Measures acceptable data loss, unrelated to system failures.
C. MTTR: Measures repair duration, not time between failures.
A cybersecurity team is evaluating potential security risks within a manufacturing company's supply chain. The team is analyzing third-party suppliers, distribution centers, and logistics providers to ensure security measures are in place.
Which process is being conducted?
A. Vendor Assessment
B. Independent Assessment
C. Supply Chain Analysis
D. Right-to-Audit Clause Enforcement
Correct Answer: C. Supply Chain Analysis
Explanation:
Supply Chain Analysis examines security risks within the supply chain, including third-party vendors, logistics, and distribution.
Why other choices are incorrect:
A. Vendor Assessment: Evaluates a specific vendor, not the entire supply chain.
B. Independent Assessment: Conducted by external auditors, but the organization is performing this analysis itself.
D. Right-to-Audit Clause Enforcement: This involves auditing a vendor, not analyzing supply chain security.
Which of the following organizations develops international standards for data privacy and cybersecurity, such as ISO 27001?
A. NIST
B. ISO
C. GDPR
D. CCPA
Correct Answer: B. ISO
Explanation:
The International Organization for Standardization (ISO) develops global standards like ISO 27001 for information security management.
Why not the others?
A. NIST: This is a U.S.-based organization that develops frameworks like NIST SP 800-53, not global standards.
C. GDPR: This is a European Union regulation, not an organization.
D. CCPA: This is a California state law, not related to global standards.
Which of the following best describes the purpose of compliance reporting?
A. To document how an organization meets applicable security standards and regulations
B. To evaluate and mitigate potential security risks within an organization
C. To provide real-time alerts for cybersecurity threats and vulnerabilities
D. To enforce penalties against organizations that fail compliance audits
Correct Answer: A. To document how an organization meets applicable security standards and regulations
Explanation:
Compliance reporting ensures that an organization documents and communicates how it meets regulatory and security standards for internal or external review.
Why other choices are incorrect:
B. Evaluating security risks: Describes risk management, not compliance reporting.
C. Providing real-time alerts: Describes security monitoring, not reporting compliance.
D. Enforcing penalties: Regulatory agencies enforce penalties, but compliance reporting itself does not.
A company deploys a software tool that continuously scans its systems for deviations from security policies, such as unauthorized software installations or misconfigured settings. The tool automatically generates alerts and remediation tickets for the IT team.
Which compliance monitoring method is being used?
A. External Compliance Monitoring
B. Internal Compliance Monitoring
C. Automation
D. Attestation and Acknowledgment
Correct Answer: C. Automation
Explanation: The use of a software tool to continuously scan, detect, and alert on policy deviations is a clear example of automation in compliance monitoring.
A customer requests access to their personal data that a company has collected. Under which regulation is this right explicitly granted?
A. HIPAA
B. GDPR
C. CCPA
D. All of the above
Correct Answer: D. All of the above
Explanation:
GDPR, CCPA, and HIPAA all grant individuals the right to access their personal data, though the specifics vary by regulation.
The head of the Human Resources department is assigned responsibility for protecting employee data. Which data privacy concept does this represent?
A. Data Controller
B. Data Processor
C. Data Ownership
D. Data Subject
Correct Answer: C. Data Ownership
Explanation:
Data Ownership refers to assigning responsibility for protecting specific types of data to a high-level individual or role.
Why not the others?
A. Data Controller: This refers to the entity that decides how data is processed, not necessarily who owns it.
B. Data Processor: This is the entity that processes data on behalf of the controller.
D. Data Subject: This is the individual whose data is being processed.
A company must retain financial records for seven years to comply with legal requirements. Which data privacy concept does this represent?
A. Data Inventory
B. Data Retention
C. Data Ownership
D. Right to Be Forgotten
Correct Answer: B. Data Retention
Explanation:
Data Retention refers to how long data must be stored before it can be securely destroyed.
Why not the others?
A. Data Inventory: This refers to identifying what data is held, not how long it is retained.
C. Data Ownership: This refers to who is responsible for the data, not retention periods.
D. Right to Be Forgotten: This allows individuals to request data deletion, not retention.
A company fails to comply with a data privacy regulation and faces significant fines. Which of the following best describes this consequence?
A. Contractual Impact
B. Sanction
C. Loss of License
D. Data Breach
Correct Answer: B. Sanction
Explanation:
Sanctions are penalties imposed by regulatory bodies for non-compliance with data privacy laws.
Why not the others?
A. Contractual Impact: This refers to breaches of agreements with third parties, not regulatory fines.
C. Loss of License: This would involve the revocation of a business license, which is not mentioned here.
D. Data Breach: This refers to unauthorized access to data, not the consequence of non-compliance.
An organization hires a third-party firm to review its data protection policies and issue a formal report confirming compliance with GDPR. Which of the following best describes this process?
A. Internal Audit
B. Attestation
C. Self-Assessment
D. Penetration Testing
Correct Answer: B. Attestation
Explanation:
Attestation is a formal review by a third party to confirm compliance with standards or regulations.
Why not the others?
A. Internal Audit: This is conducted by the organization itself, not a third party.
C. Self-Assessment: This is an internal evaluation, not a formal third-party review.
D. Penetration Testing: This is a technical assessment to identify vulnerabilities, not a compliance review.
A company has a dedicated team that conducts quarterly reviews of its security policies, performs internal audits, and ensures that all departments are adhering to regulatory requirements. The findings are reported to senior management for corrective action.
Which compliance monitoring method is being used?
A. External Compliance Monitoring
B. Internal Compliance Monitoring
C. Automation
D. Attestation and Acknowledgment
Correct Answer: B. Internal Compliance Monitoring
Explanation: The company is using its own team to review, audit, and enforce compliance internally, which is the definition of internal compliance monitoring.
A penetration tester attempts to bypass a company's security access controls by picking locks and compromising surveillance equipment. Which type of penetration testing is being performed?
A. Offensive Penetration Testing
B. Physical Penetration Testing
C. Defensive Penetration Testing
D. Integrated Penetration Testing
Correct Answer: B. Physical Penetration Testing
Explanation:
Physical Penetration Testing involves attempting to infiltrate the physical environment of a network or organization, such as bypassing locks or surveillance.
Why not the others?
A. Offensive Penetration Testing: This focuses on logical network infiltration, not physical security.
C. Defensive Penetration Testing: This tests the organization's response to attacks, not physical infiltration.
D. Integrated Penetration Testing: This combines offensive and defensive techniques, not specifically physical testing.
A company sends fake phishing emails to employees to test their ability to recognize and report phishing attempts. Employees who fall for the fake emails are directed to a training video. Which security awareness practice is being implemented?
A. Phishing Campaign
B. Phishing Simulation
C. Anomalous Behavior Recognition
D. Risky Behavior Training
Correct Answer: B. Phishing Simulation
Explanation:
A Phishing Simulation involves sending fake phishing messages to employees to test their awareness and provide training if they fall for the attempt.
Why not the others?
A. Phishing Campaign: This is a broader training program that may include posters, rewards, and awareness materials, not just simulations.
C. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not phishing attempts.
D. Risky Behavior Training: This addresses risky actions by employees, not phishing awareness.
An employee receives a suspicious email and forwards it to the IT department for analysis. Which security awareness practice is being demonstrated?
A. Phishing Simulation
B. Recognizing Phishing Attempts
C. Responding to Reported Suspicious Messages
D. Anomalous Behavior Recognition
Correct Answer: C. Responding to Reported Suspicious Messages
Explanation:
Responding to Reported Suspicious Messages involves training employees to properly report suspicious emails to a designated location for analysis.
Why not the others?
A. Phishing Simulation: This involves sending fake phishing emails to test employees, not reporting suspicious messages.
B. Recognizing Phishing Attempts: This involves identifying phishing emails, not reporting them.
D. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not reporting suspicious emails.
An organization provides employees with a written resource that outlines security procedures and protocols. Which of the following best describes this resource?
A. Situational Awareness Training
B. Policy Handbook
C. Social Engineering Training
D. Operational Security Training
Correct Answer: B. Policy Handbook
Explanation:
A Policy Handbook is a written resource that provides employees with security procedures and protocols.
Why not the others?
A. Situational Awareness Training: This involves educating employees about current threats, not providing written procedures.
C. Social Engineering Training: This focuses on recognizing and mitigating social engineering attacks, not providing written procedures.
D. Operational Security Training: This involves educating employees on protecting data during normal operations, not providing written procedures.
An organization conducts an assessment before starting its security awareness training program to establish a baseline for future evaluations. Which type of assessment is being performed?
A. Recurring Assessment
B. Initial Assessment
C. Development Assessment
D. Execution Assessment
Correct Answer: B. Initial Assessment
Explanation:
An Initial Assessment is conducted before starting a security awareness program to establish a baseline for comparison.
Why not the others?
A. Recurring Assessment: This is conducted periodically to evaluate the program's effectiveness, not to establish a baseline.
C. Development Assessment: This refers to creating the program, not evaluating it.
D. Execution Assessment: This focuses on how well the program is implemented, not establishing a baseline.
An organization uses a variety of training methods, such as videos, quizzes, and interactive workshops, to ensure its security awareness program is engaging and effective. Which of the following best describes this approach?
A. Initial Assessment
B. Recurring Assessment
C. Program Development
D. Program Execution
A red team uses tools like Kali Linux and Metasploit to simulate an attack on a company's network. Which type of penetration testing is being performed?
A. Physical Penetration Testing
B. Offensive Penetration Testing
C. Defensive Penetration Testing
D. Integrated Penetration Testing
Correct Answer: B. Offensive Penetration Testing
Explanation:
Offensive Penetration Testing involves using tools and simulated attacks to infiltrate a network and identify vulnerabilities.
Why not the others?
A. Physical Penetration Testing: This focuses on physical security, not logical network attacks.
C. Defensive Penetration Testing: This tests the organization's response to attacks, not the attack itself.
D. Integrated Penetration Testing: This combines offensive and defensive techniques, not just offensive testing.
A company's internal audit team reviews its access control policies to ensure they align with industry best practices. Which of the following best describes this activity?
A. External Audit
B. Regulatory Examination
C. Internal Audit
D. Independent Third-Party Audit
Correct Answer: C. Internal Audit
Explanation:
Internal Audits are conducted by the organization's own staff to evaluate policies, procedures, and controls.
Why not the others?
A. External Audit: This is conducted by a third party, not the organization's internal team.
B. Regulatory Examination: This is a focused review initiated by a regulatory body, not an internal team.
D. Independent Third-Party Audit: This is conducted by an external entity, not internally.
A company uses posters, emails, and rewards to educate employees about phishing techniques and encourage them to report suspicious messages. Which security awareness practice is being implemented?
A. Phishing Simulation
B. Phishing Campaign
C. Anomalous Behavior Recognition
D. Unintentional Behavior Training
Correct Answer: B. Phishing Campaign
Explanation:
A Phishing Campaign is a comprehensive training program that uses various methods (e.g., posters, rewards) to raise awareness about phishing techniques.
Why not the others?
A. Phishing Simulation: This involves sending fake phishing emails to test employees, not a broader awareness program.
C. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not phishing awareness.
D. Unintentional Behavior Training: This addresses unintentional actions by employees, not phishing awareness.
An organization educates employees about current threats and how to recognize their indicators. Which type of training is being implemented?
A. Policy Handbook
B. Situational Awareness Training
C. Insider Threat Training
D. Password Management Training
Correct Answer: B. Situational Awareness Training
Explanation:
Situational Awareness Training informs employees about current threats and how to recognize them.
Why not the others?
A. Policy Handbook: This provides written procedures, not education about current threats.
C. Insider Threat Training: This focuses on identifying threats from within the organization, not current external threats.
D. Password Management Training: This focuses on creating and protecting passwords, not recognizing threats.
An organization conducts periodic evaluations of its security awareness training program to identify areas for improvement. Which type of assessment is being performed?
A. Initial Assessment
B. Recurring Assessment
C. Development Assessment
D. Execution Assessment
Correct Answer: B. Recurring Assessment
Explanation:
A Recurring Assessment is conducted periodically to evaluate the effectiveness of the program and identify areas for improvement.
Why not the others?
A. Initial Assessment: This is conducted before the program starts, not periodically.
C. Development Assessment: This refers to creating the program, not evaluating it.
D. Execution Assessment: This focuses on how well the program is implemented, not its effectiveness.
An organization ensures its security awareness training program is conducted on a set schedule, provides an inclusive learning environment, and offers feedback to participants. Which of the following best describes this approach?
A. Initial Assessment
B. Recurring Assessment
C. Program Development
D. Program Execution
Correct Answer: D. Program Execution
Explanation:
Program Execution focuses on implementing the program effectively, including sticking to a schedule, creating an inclusive environment, and providing feedback.
Why not the others?
A. Initial Assessment: This establishes a baseline before the program starts, not implementing it.
B. Recurring Assessment: This evaluates the program's effectiveness, not its implementation.
C. Program Development: This involves creating the program, not implementing it.
A penetration tester is provided with full details about the target system, including network diagrams and system configurations, before conducting the test. Which type of environment is this?
A. Black Box
B. Gray Box
C. White Box
D. Active Reconnaissance
Correct Answer: C. Known Environment (White Box)
Explanation:
A Known Environment (White Box) provides the tester with full information about the target system before testing begins.
Why not the others?
A. Unknown Environment (Black Box): The tester is given no information about the target system.
B. Partially Known Environment (Gray Box): The tester is given partial information about the target system.
D. Active Reconnaissance: This refers to collecting information by interacting with the target system, not the type of environment.
A government agency conducts a focused review of an organization's employee cybersecurity training program to ensure compliance with industry regulations. Which of the following best describes this activity?
A. Internal Audit
B. Regulatory Examination
C. Independent Third-Party Audit
D. Self-Assessment
Correct Answer: B. Regulatory Examination
Explanation:
A Regulatory Examination is a focused review initiated by a regulatory body to ensure compliance with specific requirements.
Why not the others?
A. Internal Audit: This is conducted by the organization itself, not a regulatory body.
C. Independent Third-Party Audit: This is broader and not necessarily focused on a specific regulatory requirement.
D. Self-Assessment: This is an internal activity, not a regulatory review.
A penetration tester gathers information about a target organization by reviewing its social media profiles and news articles. Which type of reconnaissance is being performed?
A. Active Reconnaissance
B. Passive Reconnaissance
C. Offensive Penetration Testing
D. Defensive Penetration Testing
Correct Answer: B. Passive Reconnaissance
Explanation:
Passive Reconnaissance involves collecting information from external sources, such as social media or news reports, without interacting with the target system.
Why not the others?
A. Active Reconnaissance: This involves interacting with the target system directly, such as using packet capture tools.
C. Offensive Penetration Testing: This involves simulating attacks, not just gathering information.
D. Defensive Penetration Testing: This tests the organization's response to attacks, not information gathering.
An employee receives an email claiming their bank account will be locked unless they click a link to verify their personal information. Which of the following best describes this scenario?
A. Phishing Simulation
B. Phishing Attempt
C. Anomalous Behavior
D. Risky Behavior
Correct Answer: B. Phishing Attempt
Explanation:
A Phishing Attempt involves a fraudulent message designed to trick the recipient into revealing sensitive information or taking harmful actions.
Why not the others?
A. Phishing Simulation: This is a training tool used by organizations, not an actual phishing attempt.
C. Anomalous Behavior: This refers to unusual actions by individuals, not phishing emails.
D. Risky Behavior: This refers to actions that may pose a threat to the organization, not phishing emails.
An organization collects employee feedback and conducts knowledge assessments to evaluate the effectiveness of its security awareness training program. Which of the following best describes this activity?
A. Initial Assessment
B. Recurring Assessment
C. Program Development
D. Program Execution
Correct Answer: B. Recurring Assessment
Explanation:
A Recurring Assessment involves collecting feedback and conducting knowledge assessments to evaluate the program's effectiveness over time.
Why not the others?
A. Initial Assessment: This establishes a baseline before the program starts, not evaluating its effectiveness.
C. Program Development: This involves creating the program, not evaluating it.
D. Program Execution: This focuses on implementing the program, not evaluating its effectiveness.
An organization trains employees to identify anomalous behavior from contractors and other internal personnel. Which type of training is being implemented?
A. Situational Awareness Training
B. Insider Threat Training
C. Social Engineering Training
D. Operational Security Training
Correct Answer: B. Insider Threat Training
Explanation:
Insider Threat Training focuses on identifying threats from within the organization, such as employees or contractors.
Why not the others?
A. Situational Awareness Training: This focuses on recognizing external threats, not internal ones.
C. Social Engineering Training: This focuses on recognizing social engineering attacks, not insider threats.
D. Operational Security Training: This focuses on protecting data during normal operations, not identifying insider threats.
A penetration testing team combines offensive techniques to simulate attacks and defensive techniques to evaluate the organization's response. Which type of penetration testing is being performed?
A. Physical Penetration Testing
B. Offensive Penetration Testing
C. Defensive Penetration Testing
D. Integrated Penetration Testing
Correct Answer: D. Integrated Penetration Testing
Explanation:
Integrated Penetration Testing combines both offensive and defensive techniques to provide a comprehensive evaluation of the organization's security posture.
Why not the others?
A. Physical Penetration Testing: This focuses on physical security, not combining offensive and defensive techniques.
B. Offensive Penetration Testing: This involves only simulating attacks, not evaluating defenses.
C. Defensive Penetration Testing: This involves only testing the organization's response, not simulating attacks.
A financial institution is required by a government regulator to undergo an audit of its cybersecurity practices. Which of the following best describes this type of audit?
A. Internal Audit
B. Self-Assessment
C. Independent Third-Party Audit
D. Regulatory Examination
Correct Answer: C. Independent Third-Party Audit
Explanation:
An Independent Third-Party Audit is conducted by an external entity, often at the request of a regulator or customer.
Why not the others?
A. Internal Audit: This is conducted by the organization itself, not a third party.
B. Self-Assessment: This is an internal activity, not an external audit.
D. Regulatory Examination: While related, this term typically refers to a narrower, more focused review initiated by a regulator.
An organization educates employees on creating strong passwords and protecting them from unauthorized access. Which type of training is being implemented?
A. Policy Handbook
B. Situational Awareness Training
C. Password Management Training
D. Removable Media Training
Correct Answer: C. Password Management Training
Explanation:
Password Management Training focuses on creating strong passwords and protecting them.
Why not the others?
A. Policy Handbook: This provides written procedures, not specific training on passwords.
B. Situational Awareness Training: This focuses on recognizing threats, not password management.
D. Removable Media Training: This focuses on the risks of removable media, not password management.
An employee who typically works Monday to Friday is seen in the office on a Saturday. Which type of anomalous behavior is this?
A. Risky Behavior
B. Unexpected Behavior
C. Unintentional Behavior
D. Phishing Attempt
Correct Answer: B. Unexpected Behavior
Explanation:
Unexpected Behavior refers to actions that are unusual or out of the ordinary, such as an employee being in the office on an atypical day.
Why not the others?
A. Risky Behavior: This refers to actions that may pose a threat, such as writing down passwords.
C. Unintentional Behavior: This refers to actions with unintended consequences, such as placing a call on speakerphone.
D. Phishing Attempt: This refers to fraudulent messages, not employee behavior.
A penetration tester uses a packet capture program to gather information about the target system by interacting with it directly. Which type of reconnaissance is being performed?
A. Passive Reconnaissance
B. Active Reconnaissance
C. White Box
D. Gray Box
Correct Answer: B. Active Reconnaissance
Explanation:
Active Reconnaissance involves interacting with the target system directly, such as using packet capture tools.
Why not the others?
A. Passive Reconnaissance: This involves collecting information from external sources, not interacting with the target system.
C. White Box (Known Environment): This refers to a known environment, not a reconnaissance technique.
D. Gray Box (Partially Known Environment): This refers to a partially known environment, not a reconnaissance technique.
An organization hires a cybersecurity firm to perform a simulated attack on its network to identify vulnerabilities. Which of the following best describes this activity?
A. Internal Audit
B. Penetration Testing
C. Regulatory Examination
D. Attestation
Correct Answer: B. Penetration Testing
Explanation:
Penetration Testing is a technical assessment that simulates attacks to identify vulnerabilities.
Why not the others?
A. Internal Audit: This is a broader review of policies and procedures, not a technical test.
C. Regulatory Examination: This is a compliance-focused review, not a technical assessment.
D. Attestation: This is a formal compliance review, not a vulnerability test.