Chapter 1: Security and Risk Management (Domain 1)

¡Supera tus tareas y exámenes ahora con Quizwiz!

Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.) A. (ISC)2 Code of Ethics B. Organizational code of ethics C. Federal code of ethics D. RFC 1087

A, B. All (ISC)2 certified professionals are required to comply with the (ISC)2 Code of Ethics. All employees of an organization are required to comply with the organization's code of ethics. The federal code of ethics (or, more formally, the Code of Ethics for Government Service) would not apply to a nonprofit organization, as it only applies to federal employees. RFC 1087 does provide a code of ethics for the internet, but it is not binding on any individual.

You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.) A. Physical B. Detective C. Deterrent D. Preventive

A, C, D. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

Which of the following would normally be considered a supply chain risk? (Select all that apply.) A. Adversary tampering with hardware prior while being shipped to the end customer B. Adversary hacking into a web server run by the organization in an IaaS environment C. Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts D. Adversary conducting a denial-of-service attack using a botnet

A, C. Supply chain risks occur when the adversary is interfering with the delivery of goods or services from a supplier to the customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an IaaS environment is not a supply chain risk because the web server is already under the control of the customer. Using a botnet to conduct a denial-of-service attack does not involve any supply chain elements.

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using? A. Cold site B. Warm site C. Hot site D. Mobile site

A. A cold site includes the basic capabilities required for data center operations: space, power, HVAC, and communications, but it does not include any of the hardware required to restore operations. Warm sites, hot sites, and mobile sites would all include hardware.

John's network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated? A. Availability B. Integrity C. Confidentiality D. Denial

A. A smurf attack is an example of a denial-of-service attack, which jeopardizes the availability of a targeted network. Smurf attacks do not target integrity or confidentiality. While this is a denial of service attack, denial is not the correct answer because you are asked which principle is violated, not what type of attack took place. Denial of service attacks target resource availability.

Frances is reviewing her organization's business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation? A. Statement of accounts Statement of importance Statement of priorities Statement of organizational responsibility

A. Business continuity plan documentation normally includes the continuity planning goals, a statement of importance, statement of priorities, statement of organizational responsibility, statement of urgency and timing, risk assessment and risk acceptance and mitigation documentation, a vital records program, emergency response guidelines, and documentation for maintaining and testing the plan.

Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site's privacy policy and would like to ensure that it complies with the provisions of the Children's Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA? A. 13 B. 15 C. 17 D. 18

A. COPPA requires that websites obtain advance parental consent for the collection of personal information from children under the age of 13.

After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called? A, A KPI B. A metric C. An awareness control D. A return on investment rate

A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is not a return investment calculation in this problem, and the measure is not a control.

Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions? A.USPTO B. Library of Congress C. NSA D. NIST

A. First, you must realize that a trademark is the correct intellectual property protection mechanism for a logo. Therefore, Gina should contact the United States Patent and Trademark Office (USPTO), which bears responsibility for the registration of trademarks. The Library of Congress administers the copyright program. The National Security Agency (NSA) and the National Institute for Standards and Technology (NIST) play no role in intellectual property protection.

Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add? A. Hashing B. ACLs C. Read-only attributes D. Firewalls

A. Hashing allows you to computationally verify that a file has not been modified between hash evaluations. ACLs and read-only attributes are useful controls that may help you prevent unauthorized modification, but they cannot verify that files were not modified. Firewalls are network security controls and do not verify file integrity.

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing? A. Integrity B. Availability C. Confidentiality D. Denial

A. Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information. There is no evidence of an attack against availability or confidentiality. Denial is an objective of attackers, rather than of security professionals and is not relevant in this scenario that targets integrity.

Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt? A. Confidentiality B. Integrity C. Availability D. Denial

A. Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws? A. Student identification number B. Social Security number C. Driver's license number D. Credit card number

A. Most state data breach notification laws are modeled after California's data breach notification law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). California's breach notification law also protects some items not commonly found in other state laws, including medical records and health insurance information. These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.

Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation? A. Patent B. Trade secret C. Copyright D. Trademark

A. Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model? A. Repudiation B. Information disclosure C. Tampering D. Elevation of privilege

A. Repudiation threats allow an attacker to deny having performed an action or activity without the other party being able to prove differently. There is no evidence that the attacker engaged in information disclosure, tampering, or elevation of privilege.

Which one of the following issues is not normally addressed in a service-level agreement (SLA)? A. Confidentiality of customer information B. Failover time C. Uptime D. Maximum consecutive downtime

A. SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

What important function do senior managers normally fill on a business continuity planning team? A. Arbitrating disputes about criticality B. Evaluating the legal environment C. Training staff D. Designing failure controls

A. Senior managers play several business continuity planning roles. These include setting priorities, obtaining resources, and arbitrating disputes among team members.

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contracts C. His post-purchase build process D. The original equipment manufacturer (OEM)

A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HIPAA D. GISRA

A. The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HIPAA D. FERPA

A. The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.

Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing's data center? A. $25,000 B. $50,000 C. $250,000 D. $500,000

A. The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. Data custodian B. Data owner C. User D. Auditor

A. The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.

Which one of the following components should be included in an organization's emergency response guidelines? A. List of individuals who should be notified of an emergency incident B. Long-term business continuity protocols C. Activation procedures for the organization's cold sites D. Contact information for ordering equipment

A. The emergency response guidelines should include the immediate steps an organization should follow in response to an emergency situation. These include immediate response procedures, a list of individuals who should be notified of the emergency, and secondary response procedures for first responders. They do not include long-term actions such as activating business continuity protocols, ordering equipment, or activating DR sites.

The following graphic shows the NIST risk management framework with step 4 missing. What is the missing step? A. Assess security controls. B. Determine control gaps. C. Remediate control gaps. D. Evaluate user activity.

A. The fourth step of the NIST risk management framework is assessing security controls. This is an important component of the process. The organization has already categorized the system, selected appropriate controls, and implemented those controls. Before authorizing the use of the system, they must assess the effectiveness of those controls to ensure that they meet security requirements.

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred? (Ransomware image) A. Availability B. Confidentiality C. Disclosure D. Distributed

A. The message displayed is an example of ransomware, which encrypts the contents of a user's computer to prevent legitimate use. This is an example of an availability attack. There is no indication that the data was disclosed to others, so there is no confidentiality/disclosure risk. There is also no indication that other systems were involved in a distributed attack.

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV

A. The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.

Rick recently engaged critical employees in each of his organization's business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship? Security champion Security expert Gamification Peer review

A. This is an example of a security champion program that uses individuals employed in other roles in a business unit to share security messaging. The individuals in these roles are not necessarily security experts and do not have a peer review role.

Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software? A. Trademark B. Copyright C. Patent D. Trade secret

A. Trademarks protect words and images that represent a product or service and would not protect computer software.

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan

B. A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business. HIPAA regulates three types of entities—healthcare providers, health information clearinghouses, and health insurance plans—as well as the business associates of any of those covered entities.

Chas recently completed the development of his organization's business continuity plan. Who is the ideal person to approve an organization's business continuity plan? A. Chief information officer B. Chief executive officer C. Chief information security officer D. Chief operating officer

B. Although the CEO will not normally serve on a BCP team, it is best to obtain top-level management approval for your plan to increase the likelihood of successful adoption.

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing? A. Policy B. Baseline C. Guideline D. Procedure

B. Baselines provide the minimum level of security that every system throughout the organization must meet. This type of information would not appear in a policy, guideline, or procedure.

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception

B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? A. ITIL B. ISO 27002 C. CMM D. PMBOK Guide

B. ISO 27002 is an international standard focused on information security and titled "Information technology—Security techniques—Code of practice for information security management." The Information Technology Infrastructure Library (ITIL) does contain security management practices, but it is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK) Guide focuses on project management.

Greg's company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action? A. The breach laws in the state where they are headquartered. B. The breach laws of states they do business in. C. Only federal breach laws. D. Breach laws only cover government agencies, not private businesses.

B. In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg's company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state's residents.

After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending? A. Accept B. Transfer C. Reduce D. Reject

B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence? A. Quantitative B. Qualitative C. Annualized loss expectancy D. Reduction

B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations

B. RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

The (ISC)2 Code of Ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code? A. Protect society, the common good, the necessary public trust and confidence, and the infrastructure. B. Disclose breaches of privacy, trust, and ethics. C. Provide diligent and competent service to the principles. D. Advance and protect the profession.

B. The (ISC)2 Code of Ethics also includes "Act honorably, honestly, justly, responsibly, and legally" but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt's clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH Act

B. The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.

Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices? A. FERPA B. GLBA C. HIPAA D. HITECH

B. The Gramm-Leach-Bliley Act (GLBA) places strict privacy regulations on financial institutions, including providing written notice of privacy practices to customers.

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions? A. HIPAA B. PCI DSS C. SOX D. GLBA

B. The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Gramm Leach Bliley Act (GLBA) regulates the handling of personal financial information.

Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA? A. Banks B. Defense contractors C. School districts D. Hospitals

B. The U.S. Federal Information Security Management Act (FISMA) applies to federal government agencies and contractors. Of the entities listed, a defense contractor is the most likely to have government contracts subject to FISMA.

Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center? A. 0.0025 B. 0.005 C. 0.01 D. 0.015

B. The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornados once every 200 years, or 0.005 times per year.

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors? A. Compliance with all laws and regulations B. Handling information in the same manner the organization would C. Elimination of all identified security risks D. Compliance with the vendor's own policies

B. The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's own standards. Compliance with laws and regulations should be included in that requirement and are a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor's policy may be weaker than the organization's own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

Which one of the following individuals would be the most effective organizational owner for an information security program? A. CISSP-certified analyst B. Chief information officer (CIO) C. Manager of network security D. President and CEO

B. The owner of information security programs may be different from the individuals responsible for implementing the controls. This person should be as senior an individual as possible who is able to focus on the management of the security program. The president and CEO would not be an appropriate choice because an executive at this level is unlikely to have the time necessary to focus on security. Of the remaining choices, the CIO is the most senior position who would be the strongest advocate at the executive level.

Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk? A. Inherent risk B. Residual risk C. Control risk D. Mitigated risk

B. The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.

Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: "Advance and protect the profession." Who may bring ethics charges against Henry for this violation? A. Anyone may bring charges. B. Any certified or licensed professional may bring charges. C. Only Henry's employer may bring charges. D. Only the affected employee may bring charges.

B. This is a question about who has standing to bring an ethics complaint. The group of individuals who has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may only be brought by a principal with an employer/contractor relationship with the accused.

Users in the two offices would like to access each other's file servers over the internet. What control would provide confidentiality for those communications? A. Digital signatures B. Virtual private network C. Virtual LAN D. Digital content management

B. Virtual private networks (VPNs) provide secure communications channels over otherwise insecure networks (such as the internet) using encryption. If you establish a VPN connection between the two offices, users in one office could securely access content located on the other office's server over the internet. Digital signatures are used to provide nonrepudiation, not confidentiality. Virtual LANs (VLANs) provide network segmentation on local networks but do not cross the internet. Digital content management solutions are designed to manage web content, not access shared files located on a file server.

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? A. Mandatory vacation B. Separation of duties C. Defense in depth D. Job rotation

B. When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner. Mandatory vacations and job rotations are designed to detect fraud, not prevent it. Defense in depth is not the relevant principle here because the answer is seeking an initial control. We may choose to add additional controls at a later date, but the primary objective here would be to implement separation of duties.

Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan's company's rights? A. Trade secret B. Copyright C. Trademark D. Patent

B. Written works, such as website content, are normally protected by copyright law. Trade secret status would not be appropriate here because the content is online and available outside the company. Patents protect inventions, and trademarks protect words and symbols used to represent a brand, neither of which is relevant in this scenario.

Laura has been asked to perform an SCA. What type of organization is she most likely in? A. Higher education B. Banking C. Government D. Healthcare

C. A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.

When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. Identify vulnerabilities in each asset. B. Determine the risks facing the asset. C. Develop a value for each asset. D. Identify threats facing each asset.

C. After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.

Alyssa is responsible for her organization's security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk? A. Gamification B. Computer-based training C. Content reviews D. Live training

C. Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization's needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.

In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe? A. Regression testing B. Code review C. Change management D. Fuzz testing

C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn't bring back old flaws, while fuzz testing feeds unexpected input to code. Code review reviews the source code itself and may be involved in the change management process but isn't what is described here.

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce? A. Availability B. Denial C. Confidentiality D. Integrity

C. Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

What principle of information security states that an organization should implement overlapping security controls whenever possible? A. Least privilege B. Separation of duties C. Defense in depth D. Security through obscurity

C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure. Least privilege ensures that an individual only has the minimum set of permissions necessary to carry out their assigned job functions and does not require overlapping controls. Separation of duties requires that one person not have permission to perform two separate actions that, when combined, carry out a sensitive function. Security through obscurity attempts to hide the details of security controls to add security to them. Neither separation of duties nor security through obscurity involve overlapping controls.

Chris' organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted? A. Confidentiality B. Integrity C. Availability D. Denial

C. Denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks try to disrupt the availability of information systems and networks by flooding a victim with traffic or otherwise disrupting service.

Who should receive initial business continuity plan training in an organization? A. Senior executives B. Those with specific business continuity roles C. Everyone in the organization D. First responders

C. Everyone in the organization should receive basic training on the nature and scope of the business continuity program. Those with specific roles, such as first responders and senior executives, should also receive detailed, role-specific training.

James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation? A. Purchase cost B. Depreciated cost C. Replacement cost D. Opportunity cost

C. If the organization's primary concern is the cost of rebuilding the data center, James should use the replacement cost method to determine the current market price for equivalent servers.

Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using? A. Vulnerability assessment B. Fuzzing C. Reduction analysis D. Data modeling

C. In reduction analysis, the security professional breaks the system down into five core elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.

John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover? A. Spoofing B. Repudiation C. Information disclosure D. Elevation of privilege

C. Information disclosure attacks rely upon the revelation of private, confidential, or controlled information. Programming comments embedded in HTML code are an example of this type of attack.

Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement? A. NCA B. SLA C. NDA D. RTO

C. Nondisclosure agreements (NDAs) typically require either mutual or one-way confidentiality in a business relationship. Service-level agreements specify service uptime and other performance measures. Noncompete agreements (NCAs) limit the future employment possibilities of employees. Recovery time objectives (RTOs) are used in business continuity planning.

Roger's organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter? A. FBI B. Local law enforcement C. Bank D. PCI SSC

C. PCI DSS is a standard promulgated by the Payment Card Industry Security Standards Council (PCI SSC), but is enforced through contractual relationships between merchants and their banks. Therefore, the bank would be the appropriate entity to initiate an investigation under PCI DSS. Local and federal law enforcement agencies (such as the FBI) could decide to pursue a criminal investigation if the circumstances warrant, but they do not have the authority to enforce PCI DSS requirements.

You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers? A. Server clustering B. Load balancing C. RAID D. Scheduled backups

C. RAID uses additional hard drives to protect the server against the failure of a single device. Load balancing and server clustering do add robustness but require the addition of a server. Scheduled backups protect against data loss but do not provide immediate access to data in the event of a hard drive failure.

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C. Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk avoidance alters business activities to make a risk irrelevant. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat? A. Unpatched web application B. Web defacement C. Malicious hacker D. Operating system

C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.

Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law? A. United States Code B. Supreme Court rulings C. Code of Federal Regulations D. Compendium of Laws

C. The Code of Federal Regulations (CFR) contains the text of all administrative laws promulgated by federal agencies. The United States Code contains criminal and civil law. Supreme Court rulings contain interpretations of law and are not laws themselves. The Compendium of Laws does not exist.

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party's copyright. What law governs the actions that Francine must take? A. Copyright Act B. Lanham Act C. Digital Millennium Copyright Act D. Gramm Leach Bliley Act

C. The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.

Wanda is working with one of her organization's European Union business partners to facilitate the exchange of customer information. Wanda's organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance? A.Binding corporate rules B. Privacy Shield C. Standard contractual clauses D. Safe harbor

C. The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid.

Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use? A. CMM B. SW-CMM C. RMM D. COBIT

C. The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Jeff could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. Due diligence B. Separation of duties C. Due care D. Least privilege

C. The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center? A. 10 percent B. 25 percent C. 50 percent D. 75 percent

C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5million in damage divided by the $10million facility value, or 50 percent.

Brenda's organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition? A. Consolidation of security functions B. Integration of security tools C. Protection of intellectual property D. Documentation of security policies

C. The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.

Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule

C. The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in the United States in 1991.

FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability

C. The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.

Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet? A. Beyond the shadow of a doubt B. Preponderance of the evidence C. Beyond a reasonable doubt D. Majority of the evidence

C. There are two steps to answering this question. First, you must realize that for the case to lead to imprisonment, it must be the result of a criminal investigation. Next, you must know that the standard of proof for a criminal investigation is normally the beyond a reasonable doubt standard.

Which one of the following stakeholders is not typically included on a business continuity planning team? A. Core business function leaders B. Information technology staff C. CEO D. Support departments

C. While senior management should be represented on the BCP team, it would be highly unusual for the CEO to fill this role personally.

Which of the following is not typically included in a prehire screening process? A. A drug test B. A background check C. Social media review D. Fitness evaluation

D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.

Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? A. Informing other employees of the termination B. Retrieving the employee's photo ID C. Calculating the final paycheck D. Revoking electronic access rights

D. Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services? A. Risk mitigation B. Risk acceptance C. Risk transference D. Risk avoidance

D. HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk mitigation takes measures to reduce the likelihood and/or impact of a risk. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.

Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue? A. Risk avoidance B. Risk mitigation C. Risk transference D. Risk acceptance

D. In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model? A. Spoofing B. Repudiation C. Tampering D. Elevation of privilege

D. In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure? A. Impact B. RPO C. MTO D. Likelihood

D. Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack. Adding a firewall will not address the impact of a risk, the recovery point objective (RPO) or the maximum tolerable outage (MTO).

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce? A. Denial B. Confidentiality C. Integrity D. Availability

D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? A. Separation of duties B. Least privilege C. Defense in depth D. Mandatory vacation

D. Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. The purpose of these required vacation periods is to disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve? A. Authentication B. Authorization C. Integrity D. Nonrepudiation

D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Craig is selecting the site for a new data center and must choose a location somewhere within the United States. He obtained the earthquake risk map shown here from the United States Geological Survey. Which of the following would be the safest location to build his facility if he were primarily concerned with earthquake risk? A. New York B. North Carolina C. Indiana D. Florida

D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.

Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process? A. An exit interview B. Recovery of property C. Account termination D. Signing an NCA

D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process. During the exit interview, the team may choose to review employment agreements and policies that remain in force, such as a noncompete or nondisclosure agreement.

Renee is designing the long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing? A. Operational B. Tactical C. Summary D. Strategic

D. Strategic plans have a long-term planning horizon of up to five years in most cases. They are designed to strategically align the security function with the business' objectives. Operational and tactical plans have shorter horizons of a year or less.

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges? A. Copyright law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act

D. The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation.

You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal? A. SOC 1 B. FISMA C. PCI DSS D. SOC 2

D. The Service Organizations Control audit program includes business continuity controls in a SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.

Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area? A. 100 B. 1 C. 0.1 D. 0.01

D. The annualized rate of occurrence (ARO) is the frequency at which you should expect a risk to materialize each year. In a 100-year flood plain, risk analysts expect a flood to occur once every 100 years, or 0.01 times per year.

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations? A. Memory chips B. Office productivity applications C. Hard drives D. Encryption software

D. The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are unlikely to be covered by these regulations.

Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning? A. Structured analysis of the organization B. Review of the legal and regulatory landscape C. Creation of a BCP team D. Documentation of the plan

D. The project scope and planning phase includes four actions: a structured analysis of the organization, the creation of a BCP team, an assessment of available resources, and an analysis of the legal and regulatory landscape.

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment D. Combination of quantitative and qualitative risk assessment

D. Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo? A. Copyright B. Patent C. Trade secret D. Trademark

D. Trademark protection extends to words and symbols used to represent an organization, product, or service in the marketplace. Copyrights are used to protect creative works. Patents and trade secrets are used to protect inventions and similar intellectual property.

Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation? A. Preponderance of the evidence B. Beyond a reasonable doubt C. Beyond the shadow of a doubt D. There is no standard

D. Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.

You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a disaster recovery plan. C. Repeat the business impact assessment. D. Document your decision-making process.

D. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated? A. Integrity B. Denial C. Availability D. Confidentiality

D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

Match the following numbered laws or industry standards to their lettered description: Laws and industry standards GLBA PCI DSS HIPAA SOX Descriptions A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis B. A U.S. law that requires internal controls assessments, including IT transaction flows for publicly traded companies C. An industry standard that covers organizations that handle credit cards D. A U.S. law that provides data privacy and security requirements for medical information

The laws or industry standards match to the descriptions as follows: GLBA: A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis PCI DSS: C. An industry standard that covers organizations that handle credit cards HIPAA: D. A U.S. law that provides data privacy and security requirements for medical information SOX: B. A U.S. law that requires internal controls assessments including IT transaction flows for publicly traded companies


Conjuntos de estudio relacionados

Chapter 4 Quiz - Intro to Psychology

View Set

PSY104 Midterm 1 (Ch 1, 2, 11, 3, 4)

View Set

308 Ch. 29: Heart Disease Management

View Set

(PrepU) Chapter 39: Management of Patients with Oral and Esophageal Disorders

View Set

PreCalc_Trig- 1.02 Quiz: Sequence and Series

View Set

Macroeconomics Exam 3 Chapter 20

View Set