Compliance and Risk Management Final Exam Review


How can you determine the importance of a system? -By when the system was last updated -By why the system functions -By what the organization does -By how the system is used

By how the system is used

HIPAA covers any organization that handles storage, use and transmission of data and applies to? -Medical facilities -Insurance companies -Any company with a health plan if employees handle health data -All the above

All the above

Wen is evaluating Core Business Functions. Which of the following should he consider? -Access to the internet -Web server availability -Database availability -All the above

All the above

Ideally, when should you perform threat modeling? -After writing an application or deploying a system -Before writing an application, but after deploying a system -After writing an application, but before deploying a system -Before writing an application or deploying a system

Before writing an application or deploying a system

Which of the following is not one of the three primary objectives of controls? -Detect -Eliminate -Recover -Prevent

Eliminate

Exploit assessments are very different from vulnerability, threat and risk assessments for which of the following reasons? -Exploit analysis will provide you a gap analysis that would be useful to develop a remediation plan -It's a point-in-time assessment -It will check compliance with rules and guidelines -Assessments will identify vulnerabilities across networks, servers, workstations, and people.

Exploit analysis will provide you a gap analysis that would be useful to develop a remediation plan

Based upon a 2019 General Accounting Office audit, all federal government agencies have successfully implemented risk management policies. -True -False

False

Critical success factors (CSFs) include functions considered critical to an organization. -True -False

False

Every control must meet all three primary objectives of controls: prevent, detect, and recover. -True -False

False

Telecommuters are not key to a business continuity plan (BCP) because they work from remote locations. Therefore, any disruptions would not affect them. -True -False

False

The seven steps of a business impact analysis (BIA) are the same as the seven steps of contingency planning. -True -False

False

Which of the following is not a common category of control implementation? -Functional -Physical -Procedural -Technical

Functional

What are the differences between a Threat Assessment and a Vulnerability Assessment? -There are no differences between the two -Goal of a vulnerability assessment is to identify potential weaknesses in controls whereas threat assessment is focused on threats -Vulnerability assessment is a point-in-time assessment whereas threat assessment is a continuous assessment -A vulnerability assessment is focused on assessing plans whereas a threat assessment is focused on network architecture

Goal of a vulnerability assessment is to identify potential weaknesses in controls whereas threat assessment is focused on threats

A business impact analysis (BIA) identifies: -vulnerability. -Identifies systems critical for business survival. -risk to an IT infrastructure. -threat to the IT infrastructure.

Identifies systems critical for business survival.

Identifying mission-critical business functions can be difficult. Therefore, the best way to identify these Critical Business Functions is to: -Identify vital functions and map them to critical success factors -Identify a single critical success factor with a successful business and then map it to critical business factors. -Map the critical business factors to those vital functions -None of the above.

Identify a single critical success factor with a successful business and then map it to critical business factors.

A Business Impact Analysis allows you to identify which of the following (multiple)? -Identify outage impacts -Identify Critical Business Functions -Identify Maximum Acceptable Outage -Solutions and strategies to prevent impacts in the future

Identify outage impacts; Identify Critical Business Functions; Identify Maximum Acceptable Outage; Solutions and strategies to prevent impacts in the future

What are the first two steps in the business impact analysis (BIA) process? -Identify the environment and identify critical resources -Identify the environment and identify stakeholders -Identify stakeholders and identify critical resources -Identify recovery priorities and identify stakeholders

Identify the environment and identify stakeholders

User domain refers to which of the following? -Includes PCs so risk includes theft and updates -Includes personal data so significant risk is loss of confidentiality. -Includes connection to internet so risk to provide protection to external threats via firewalls -Include VPN via tunnel protocols with strict access control protocols

Includes personal data so significant risk is loss of confidentiality.

Which of the 7 IT domains will exploit assessments focus on for lack of configuration control and for capturing internal network traffic seeking encrypted traffic? -Workstation domain -User domain -LAN domain -LAN to WAN domain

LAN domain

According to NIST 800-39, what is not a valid consideration in setting up a risk management construct within an organization? -Framing -Assess -Respond -Legal Compliance

Legal Compliance

Which key planning principle guides the development of a business continuity plan (BCP)? -Budget for recovery operations -Length of time expected before returning to normal operations -Scope of the business impact analysis (BIA) -Level of effort required to interview all stakeholders

Length of time expected before returning to normal operations

After developing a business impact analysis (BIA) for her organization, Maria was asked by her manager to update the BIA recommendations with a higher recovery time objective (RTO). What is the most likely reason management would argue for a higher RTO? -Higher RTOs expose critical business functions (CBFs) to higher risk. -Lower RTOs are technically infeasible. -Lower RTOs are more expensive. -Higher RTOs increase customer confidence.

Lower RTOs are more expensive.

Your team is developing a business impact analysis (BIA). You have identified the critical business functions (CBFs) and associated processes. What should you do next? -Prioritize IT asset recovery options. -Map processes to IT systems. -Identify stakeholders. -Evaluate the recovery cost of each proposed option.

Map processes to IT systems.

Some controls are identified based on the function they perform. What are the broad classes of controls based on function? -Preventative, recovery, corrective -Preventative, detective, corrective -In-place, planned, in-progress -Maintenance, continuity, disaster

Preventative, detective, corrective

__________ provide the detailed steps needed to carry out ___________. -Policies, procedures -Access controls, a disaster recovery plan -Procedures, policies -Policies, incident response

Procedures, policies

You are reviewing historical data in an attempt to identify potential threats to your business. What would not be helpful to you in this process? -Reading news articles about thefts that occurred last year in a different part of the U.S. -Understand the limitations of your network and IT architecture -Searching the Internet for stories about incidents that commonly occur in businesses like yours -Identifying past user errors to ensure training is upgraded to address these shortfalls

Reading news articles about thefts that occurred last year in a different part of the U.S.

Which of the following is not true: -Once you have assessed risks and proposed countermeasures, you then implement those solutions using a risk mitigation plan. -Risk assessments map countermeasures to threats, vulnerabilities, and the assets being protected -A risk assessment is used to identify, estimate, and prioritize risk to the operations of an organization -Risk = Threat x Vulnerability

Risk assessments map countermeasures to threats, vulnerabilities, and the assets being protected

Susan works for a U.S. investment firm that is required to be registered with the Securities and Exchange Commission. Susan is responsible for implementing access controls on the organization's database servers. Which one of the following laws must her organization comply with? -Health Insurance Portability and Accountability Act (HIPAA) -Family Educational Rights and Privacy Act (FERPA) -General Data Protection Regulation (GDPR) -Sarbanes-Oxley Act (SOX)

Sarbanes-Oxley Act (SOX)

A failover cluster is often used to protect critical system functions and data by eliminating __________. -Single Point of Failure -Nodes -Redundancy -Operational Availability

Single Point of Failure

Which factor most directly affects the scope of a business impact analysis (BIA)? -Degree of organizational automation -Reliance of revenue stream on IT resources -Geographical diversity of the organization -Size of the organization

Size of the organization

An access control such as a firewall or intrusion prevention system cannot protect against which of the following? -Malicious network traffic -Social engineering -Denial of service (DoS) attack -Unknown malware attacks

Social engineering

What does the principle of least privilege have in common with the principle of need to know? -They both attempt to prevent threats from external attackers. -They both specify that users be granted access only to what they need to perform their jobs. -They are both terms for the same principle. -They both lack the ability to address threats from internal attackers.

They both specify that users be granted access only to what they need to perform their jobs.

What is the primary benefit of a business continuity plan (BCP)? -To reduce the cost of recovery -To better prepare the organization to respond to an interruption -To reduce the probability of an interruption -To inform the organization as to the expected cost of annual interruptions

To better prepare the organization to respond to an interruption

What is the purpose of a business continuity plan (BCP)? -To ensure that mission-critical elements of an organization continue to operate during and after a disruption -To ensure that mission-critical elements of an organization are properly restored after a disruption -To prevent loss of mission-critical activities of organization employees in case of a disruption -To identify mission-critical elements of an organization in case of a disruption

To ensure that mission-critical elements of an organization continue to operate during and after a disruption

What is the purpose of a risk mitigation plan? -To bolster a risk assessment -To implement countermeasures -To eliminate threats -To ensure compliance

To implement countermeasures

What is the purpose of nonrepudiation techniques? -To ensure the proper function of controls -To grant permission to perform a vulnerability test -To prevent people from denying they took actions -To mitigate threats to a system

To prevent people from denying they took actions

A DoS attack is meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. -True -False

True

A mission-critical system is any system that must continue to run to ensure a business continues to function. -True -False

True

According to NIST 800-39, the purpose of the risk framing component is to produce a risk management strategy. -True -False

True

According to NIST 800-39, the 3 risk management framework tiers are Tier 1 - Organizational, Tier 2 - Mission/Business Process and Tier 3 - Information Systems. -True -False

True

Based upon a 2019 General Accounting Office audit, Federal Agencies noted decentralized or federated organizations create difficulty in implementing standardized IT and effective cybersecurity programs. -True -False

True

Business Impact Analysis can identify the maximum acceptable outage, which is the maximum amount of time a system or service can be down before the mission is affected. -True -False

True

Organizations should conduct a threat assessment before a risk assessment to better understand the context in which their cybersecurity risks exist, and to help focus risk assessment efforts on the most relevant and likely threats. -True -False

True

Criticality is usually documented in the business impact analysis (BIA) but is repeated in the business continuity plan (BCP) for the sake of clarity. -True -False

True

Determining which systems require 99.999 percent access and availability can be done by identifying the value of the service provided. -True -False

True

Even though the business impact analysis (BIA) identifies priorities, it is common to reaffirm them in a business continuity plan (BCP). -True -False

True

If you encounter a firewall with 500 rules, you should consider using output analysis versus process analysis. -True -False

True

Protecting software assets can be accomplished by minimizing the different types of software in use to create standardization, making it easy to push patches and manage software versions. -True -False

True

Scope creep can occur if the scope of a business continuity plan (BCP) is not defined. -True -False

True

A Service Level Agreement identifies an expected level of performance and is often used as a binding contract. -True -False

True

Social engineering hacks are the primary risk of the User Domain. -True -False

True

Starting with clear objectives is a best practice for performing a business impact analysis (BIA). -True -False

True

The primary LAN-to-WAN Domain risk is firewall shortfalls (rules, configuration, exploits). -True -False

True

The two primary terms related to Business Impact Analysis are Maximum acceptable outage (MAO), Critical business functions (CBF) and Critical success factors (CSF). -True -False

True

What is the primary hazard of attempting to recover without a business impact analysis (BIA)? -Duplication of effort due to a lack of communication -Excessive recovery time as a result of a linear recovery path -Wasted effort due to a lack of direction as to which resources are most critical -Budget overruns as a result of no formal spending authorization

Wasted effort due to a lack of direction as to which resources are most critical

When completing a Business Impact Analysis, which of the following is not a valid question to ask? -What is the Maximum Acceptable Outage of the service? -How will an outage affect employees? -What are the Seven domains of the typical IT infrastructure? -How does this service affect the organization's survivability?

What are the Seven domains of the typical IT infrastructure?

When an emergency is declared, the ____________ contact(s) appropriate teams or team leads. -business continuity plan (BCP) program manager -stakeholders -business continuity plan (BCP) coordinator -department heads

business continuity plan (BCP) coordinator.

Background checks, software testing, and awareness training are all categories of: -rules of behavior -procedural controls -corrective controls -technical controls.

procedural controls

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control. -mechanical, procedural -procedural, technical -manual, technical -technical, procedural

technical, procedural

Gap analysis reports for security are often used when dealing with: -legal compliance. -incident response teams. -business process compliance. -data warehousing.

legal compliance.

Controls are meant to _________ risk, which means to reduce or neutralize threats or vulnerabilities to an acceptable level. -transfer -assess -avoid -mitigate

mitigate

Regarding business continuity, what is the first phase of activity if a disruption occurs? -Planning phase -The reconstitution phase -The recovery phase -Notification and activation phase

notification and activation phase

Symmetric encryption involves the use of 2 keys to encrypt and decrypt information. -True -False

False

Which of the below would you use to create a threat model (check multiple answers)? -Evaluate MITRE ATT&CK Framework -Construct an Attack Graph -Review NIST Standards -Create a Risk Cube

Evaluate MITRE ATT&CK Framework; Construct an Attack Graph

How are system logs different from audit trails? -System Logs record events generated by the operating system or applications whereas audit trail records events to track user activity -Audit trail is often used to diagnose issues and maintain system health -System logs are used to ensure users are following policies and regulations. -None of the above

System Logs record events generated by the operating system or applications whereas audit trail records events to track user activity

What characteristic is common to risk assessments and threat assessments? -They are both ongoing processes -They are both automated processes -They are both performed for a specific time. -They are both manual processes

They are both performed for a specific time.

NIST 800-53B defines "Baseline Controls" and NIST 800-53A defines Control Assessment Instructions. Which of the following are valid assessment control approaches? -Red Teaming -Audit checks -Penetration Testing -All the above

All of the above

What are benefits to implementing automation? -Value to customer -Value to company -Protecting data -All the above

All of the above

What are the reasons to implement security controls? -Compliance -Protect -Fiduciary -All of the above

All of the above

What would be good sources of data for a vulnerability assessment? -Previous firewall logs -Previous audit logs -Review Intrusion Detection System logs -All of the above

All of the above

Which of the following are considered Technical Controls? -Firewall -Encryption -Operating System Hardening -All of the above

All of the above

How are business continuity plans (BCPs) and disaster recovery plans (DRPs) related? -A DRP is a part of the larger BCP. -A BCP is part of the larger DRP. -The two plans are distinct and are not related. -A BCP is only useful when creating a business impact analysis (BIA), while the DRP is an operational plan.

A DRP is a part of the larger BCP.

According to NIST 800-39, which of the following are outcomes of governance related to organization-wide risk management? -Strategic alignment of risk management decisions with missions and business functions consistent with organizational goals and objectives; -Effective and efficient allocation of risk management resources; -Delivered value by optimizing risk management investments in support of organizational objectives. -All the above

All of the Above

What are common questions you should ask to create a threat model? -What systems need to be protected? -What are the potential adversaries? -How might a potential adversary conduct an attack? -All of the above

All of the Above

What are the activities in the second step of control assessment planning? -Develop objectives for the security assessment -Develop the roadmap of the assessment -Develop assessment procedures -All the above

All of the Above

The National Institute of Standards and Technology (NIST) publishes SP 800-53. This document describes a variety of IT security controls, such as access control, incident response, and configuration management. Controls are grouped into families. Which NIST control family helps an organization recover from failures and disasters? -Configuration Management (CM) -Contingency Planning (CP) -Identification and Authentication (IA) -Physical and Environmental Protection (PE)

Contingency Planning (CP)

Which of the following is a valid action in selecting the necessary controls? -Criticality Analysis -Threat Assessment -Vulnerability Assessment -Cost Benefit Analysis

Cost Benefit Analysis

Which of the following is not a correct step to scope the Risk Management Strategy for an Organization? -Critical Business Operations -Customer Service Delivery -Seven Domains of IT -Cost Benefit Analysis

Cost Benefit Analysis

When an emergency is declared, the ____________ contact(s) appropriate teams or team leads. -business continuity plan (BCP) program manager -stakeholders -business continuity plan (BCP) coordinator -department heads

Critical contractor

What is the difference between data mining and data warehousing? -Data mining extracts useful patterns and insights whereas data warehousing organizes large amounts of data. -Data warehousing extracts useful patterns and insights whereas data mining organizes large amounts of data. -Data warehousing and data mining are synonymous terms. -None of the above

Data mining extracts useful patterns and insights whereas data warehousing organizes large amounts of data.
