CompTIA Security+ 01 - Risk Management
Framework sources can come from which of the following?
Regulatory bodies, industry standards, national standards, non-regulatory bodies
Which term defines how people get access to data and other resources?
Access control policy is correct. Access control policies dictate whether you can access resources. Password policies govern password quality and update frequency, while the remaining options explain what you can do with accessible resources.
What is the CIA triad of security?
Confidentiality, integrity, and availability is correct. The CIA triad involves keeping data secret (confidentiality), securing data and systems from unauthorized changes (integrity), and ensuring systems and data are accessible when needed (availability).
What describes the set of overarching rules that defines how an organization and its employees conduct themselves?
Governance is correct. Governance is an overarching set of conduct rules that includes laws and regulations, best practices, and common sense.
Manufacturer and vendor guides can provide:
basic setup information and some security control options that are configurable for the device. To get additional network configuration details, other security control options, and recent security information, you will need to visit websites, blogs, and user groups.
When calculating asset value, you need to be worried about:
the cost to replace the item itself, the cost of labor to replace it, and the revenue lost while the asset is out of commission.
Which of the following threat actors is motivated by intent to make a public social statement?
A hacktivist is motivated by intent to make a public social statement, whereas a script kiddie is motivated by the act of successfully coding an event or the experience of hacking. Organized crime seeks access for profit, or the ability to manipulate data for profit. A nation state engages in espionage to gain information or to manipulate other states or governments politically.
Which one of the following is a category of security control?
a. Malware installation
b. Installing locks
c. Training users
d. Administrative (managerial)
Administrative (managerial) is correct. The other choices are just actions that fall under the various broad security control categories.
Which type of agreement is needed when two private-sector people or organizations wish to work together?
a. Service Level Agreement (SLA)
b. Business Partners Agreement (BPA)
c. Interconnection Security Agreement (ISA)
d. Memorandum
Business partners agreement (BPA) is correct. A service level agreement (SLA) is used by both government and the private sector. An interconnection security agreement (ISA) is used in the public sector (government). A memorandum is a notice.
A self-directed combination of administrative, physical, and technical controls is an example of:
Defense in depth is correct. A self-directed security plan that includes administrative, physical, and technical controls is referred to as defense in depth. Vendor diversity, IT governance, and AAA are all forms of controls used in a defense in depth plan, but by themselves they do not represent the defense in depth concept. Each of these controls should be used in a good security plan.
Which personnel management control allows for cross-training?
Job rotation is correct. Mandatory vacation helps prevent collusion and fraud. Separation of duties ensures no one person performs sensitive functions. The system owner is a data management role, not a control.
What is the process of having an outside or third party assess an organization's security vulnerabilities?
Penetration (pen) testing is correct. Nessus is a self-diagnosing tool and the other options are types of threat.
When defining users' roles, which users have the legal responsibility and liability for the data?
The owner is legally responsible for the data, has complete control of the data element, and decides access rules. A privacy officer, as custodian, has technical control over the information asset but is not legally responsible for the data. System administrators are also custodians of the data; their primary job is to manage physical access to the data and to the equipment on which the data resides. Users and privileged users receive rights (read, write, etc.) to data based on the owner's determination.
What is the purpose of a privacy threshold assessment (PTA)?
A process that a company uses to analyze how personal information is protected within an IT system. This process reviews how the information is collected, manipulated, transferred, or transmitted. It is not only related to HIPAA information, although HIPAA governance will be involved for any medical information requiring compliance with those regulations. It is not used directly to determine how to mitigate loss, although some of the outcomes of this analysis would likely be considered in a loss prevention assessment.