Cybersecurity Management I - Strategic - C727 PreAssessment Test
A company uses a document management system to classify documents created by employees. Ownership of the document management system belongs to the chief information officer (CIO). The department managers classify documents that were created by employees in their department as business-critical and sensitive. The information security officer (ISO) maintains the system security plan for the documents created and used by the corresponding department, and the system administrator (SA) ensures that the system is deployed based on the security requirements. Who is the owner of the data in this company?
The department managers
Which description suggests that a process has reached the highest level of maturity possible under capability maturity model integration?
The process is optimized, with a focus on continuous improvement.
A company plans to implement a new authentication system for customers accessing the company website. When customers log on, the website indicates that it sent a text message that includes a code to the customer's mobile phone. To complete the log-on process, the customer is required to enter the appropriate code within five minutes. Which authentication mechanism is this system based on?
Time-based one-time password
What is the purpose of threat modeling tools?
To consider the range of compromise concerns and focus on the end result of an attack
Which group of security controls is necessary to protect accounts against stolen credentials?
Two-factor authentication
Which integrity measure should be applied to enforce nonrepudiation of emails sent from internal users?
Use digital signatures on emails
Which type of attack exclusively uses the telephone system or VoIP to perform the attack?
Vishing
A company conducts a quantitative risk analysis. The exposure factor (EF) is 25% and the single loss expectancy (SLE) is $100,000.What is the asset value?
$400,000
A company has a data center estimated to be worth $10 million located in an area known for earthquakes. Based on the design of the building, if an earthquake strikes the data center it will cause a 50% loss. What is the single loss expectancy (SLE) of an earthquake striking the data center?
$5 million
A server with critical data is valued at $8,000 and the exposure factor to a hack is 10%.What is the single loss expectancy (SLE)?
$800
2) A company develops project management software. The design requires the project manager to control access to the project files.Which access control model should this project manager use?
2) Discretionary
3) A word-processing program uses document labels to determine which users can access files. For example, only members of the legal department can access files labeled legal.Which access control model is applied?
3) Mandatory
4) Which environment type allows a user to gain access to objects using classification labels in a compartmentalized environment?
4) Mandatory access control
6) Which framework is focused solely on process and process maturity and has five levels of maturity?
6) CMMI
A company receives numerous complaints from employees about the high number of usernames and passwords each employee must maintain. Which solution would allow employees to store usernames and passwords
A credential management system
An employee manages a perimeter network in a retail company that sells health supplements. The company wants to establish an online presence. Which preventive control should this employee recommend for the perimeter network?
A firewall device
What is a risk management framework?
A guideline or recipe for how risk is to be assessed, resolved, and monitored
An information security manager has been asked to develop security policies and to deploy security solutions for an organization. Which security principles must be considered in addition to CIA triad principles?
AAA
An attacker uses multiple websites to collect public information and pieces together a profile to be used for identity impersonation.Which type of attack is this?
Access aggregation
A company has an online log-on page for employees to access limited data while working remotely. The log-on is a username and password. Which access control would help prevent an attack on the log-on page given an attacker has unlimited time?
Account lockout
Which security control is appropriate to protect database applications and associated data from creeping privileges?
Account review
Which security concept includes the process of reviewing the activities of an identity?
Accountability
A company needs to improve the security of systems on the corporate network using multiple layers of access control to achieve the strongest level of security possible.Which access control methods should be implemented?
Administrative, technical, and physical
Which host-based control should be implemented to ensure that infected web file downloads are isolated?
Anti-malware
Which security control should be employed to remedy access aggregation attacks?
Applying need-to-know principle
State law requires that offices retain medical records for six years.What should the personnel in a medical office do with unneeded patient records before those six years have passed?
Archive
An organization plans to design and implement a new IT architecture. The architecture should be flexible, and the access-control management system should use several different characteristics of users, the network, and devices on the network. Which access-control model can be used to implement the new architecture?
Attribute-based
Which security concept includes comparing a user's fingerprint against authorized fingerprints stored in a database?
Authentication
A company hires a consulting group to perform a security audit on its network. The audit finds that the email servers are vulnerable to SMTP relay attacks. The company decides to migrate email services to a cloud-based provider and decommission the email servers.Which strategic risk response is applied?
Avoidance
What is an example of an administrative access control?
Background checks
In an organization, the information security management department (ISMD) standardized data classification levels, identifying safeguards and controls for every level. The ISMD started to ask business units (BUs) to classify data. Why is the ISMD asking BUs to classify data before implementing the controls and safeguards?
Because BUs are data owners
A company implements an information security management system (ISMS). The company uses the system to implement security controls and publish security policies. After an assessment, the company discovers that ISMS processes are unpredictable and changing in reaction to events. Which framework should this company implement to improve ISMS processes?
Capability Maturity Model Integration (CMMI)
Which security principle uses countermeasures such as encryption and data classification?
Confidentiality
Which framework achieves the needs of stakeholders and the goals of an enterprise?
Control objectives for information and related technology (CoBIT)
Which group of security controls provides storage space for users to keep usernames and passwords stored when a single sign-on is not available?
Credential management system
A firm supplies workers' compensation claims (which include supporting personal data) to an outsourced claims investigator. The claims investigator is responsible for packaging the claim data supplied by the firm into a claim file, validating the supplied data, obtaining additional data where warranted, and then recommending a final claim disposition to the firm. Which role is this claims provider fulfilling under the General Data Protection Regulation (GDPR)?
Data processor
A company has created a honeypot on the network with fake data.Which type of access control is this honeypot?
Detective
A company discovers that employees are accessing restricted areas. To discourage employees, the security manager posts restricted access signs. What is this security manager's risk response?
Deterrence
The vice president of a company distributes corporate policies by emailing employees links to the files. An IT professional needs to implement a solution that allows only the vice president to manage who can edit corporate policies.Which access control model should this professional implement?
Discretionary
A company stores sensitive data on backup tapes. The data must be secured from unauthorized access.How should the backup tapes be secured to minimize unauthorized access?
Encrypt data, and then store it in a safe location
Which security control can be applied to prevent eavesdropping attacks?
Encryption
An organization stores hashed passwords using Secure Hash Algorithm 256 (SHA-256). The organization has concerns about data breaches that result from rainbow table attacks. Which security control should this organization implement?
Enforcing salting before storing the data
What is a characteristic of discretionary access controls?
Every object has an owner.
Which identity management solution allows multiple organizations to share identities based on a common method?
Federated identity management (FIM)
Which type of security documentation offers recommendations and suggestions on creating a strong password?
Guidelines
An organization deploys multifactored authentication. One of the required factors is a username and password.What is the purpose of this username?
Identification
A company is headquartered in a region that has frequent internet connectivity issues due to inclement weather. The company's primary reporting servers are located in this office and are critical to the sales team in the field for accurate product pricing. Employees require 24/7 access to the most up-to-date information, as the data frequently changes. Which solution will ensure a higher availability of these servers outside this company?
Implement a secondary internet connectivity solution at headquarters, which fails over when the primary connection is unavailable
Which security control should prevent unauthorized access from spoofing attacks?
Implement multifactor authentication
A company is concerned about unauthorized alteration of data in a customer database. Which security principle is implicated?
Integrity
On an employee's first day of work, she notices a large number of file shares available, most of which do not pertain to her position. The employee went to her manager about the level of access. The employee's manager said she has the same level of access as her predecessor.Which principle does this level of access violate?
Least privilege
Which security control should be employed as part of a comprehensive process to address the physical theft of virtual servers?
Limiting physical access to the hosting servers
Which type of access control do smart cards for employees represent?
Logical
A company wants to enforce strict penalties on a former employee who uploaded sensitive company technical schematics onto a personal website. Which type of document will this company use to enforce penalties?
Nondisclosure agreement
Which identity technology is an open request for comments (RFC) standard that provides access delegation of online websites?
Open Authentication (OAuth) 2.0
All of an organization's offices have cable laptop locks to secure a laptop when the user walks away.Which access control type are these locks?
Physical
Which data classification would cause serious damage to the mission of an organization, is less damaging than its highest classification, and is the label used by most organizations for the classification of PII and PHI data?
Private
Which security concept controls access to the network?
Provide individuals access after they supply a username and password
The document policy of an organization is that there is no negative impact if documents are released outside the organization. What is the data classification of the documents?
Public
A company wants to provide authentication, authorization, and accounting (AAA) protocols for employees who use virtual private networks (VPNs). Which protocol provides this company with AAA?
RADIUS
A private company identifies a risk with a high-value asset. A threat has been reported to be attacking only government entities. The company's board of directors has concluded that the threat will likely never materialize for private companies, and that nothing should be done about it. What is the risk response?
Rejection
An employee using a public key infrastructure (PKI) receives an unsigned email from a coworker. Which category of the STRIDE threat model is applicable to this scenario?
Repudiation
Which process identifies factors that could damage or disclose data, evaluates those factors considering data value and countermeasure cost, and implements cost-effective solutions?
Risk management
A company wants only members of its database administrator team to have administrative access to all SQL server databases.Which access control model should this company apply?
Role-based
A company secures its network by closing specific ports on its firewalls.Which access control method is being applied?
Rule-based
What is the correct order of the steps in the risk assessment life cycle?
Security categorization Security control selection Security control implementation Security control assessment Information system authorization Security control monitoring
Research department members encrypt their Office 365 files by using keys residing in an on-premises key store. Due to a failure of on-premises network connectivity, the files cannot be decrypted. What should be done to maintain the availability of these files without compromising their confidentiality and integrity?
Set up redundant internet connectivity
Which type of an attack involves an attacker looking at a victim's computer screen to capture sensitive information?
Shoulder surfing
Which type of attack is passive and noninvasive and intended to observe the operation of a device?
Side channel
The management team of an organization creates a document stating employees who access the company's enterprise resource planning (ERP) system must use a certain browser and are required to have antivirus installed on their machines. Which type of document is this?
Standard
Which type of controls involves the use of software or hardware mechanisms and may include authentication methods, the use of encryption, firewalls, or intrusion detection systems?
Technical