Security and Risk
What changes plaintext data to ciphered data?
Encryption
What is NOT a common category of control implementation?
Functional
What is a whitelist?
A list of approved email addresses or domains
Functional descriptions of systems are often used for documenting __________.
critical business functions (CBFs)
What should you do if you discover that a security gap has not been closed?
Address the gap.
Which of the following statements is NOT true of cost-benefit analysis?
A control always eliminates the loss.
All of the following terms have the same meaning, EXCEPT:
Internal network zone
What is NOT an example of an intangible value?
Software application
What is the primary difference between a functional exercise and a full-scale exercise?
A full-scale exercise is more realistic than a functional exercise.
Email addresses or domains ______________ are automatically marked as spam.
on a blacklist
Which term is defined as "elements necessary to perform the mission of an organization"?
CSF
What business continuity plan (BCP) team is responsible for declaring the severity of an incident?
DAT
What are overlapping countermeasures?
Different countermeasures that attempt to mitigate the same risk
Which term describes entities who have a direct interest in, or are affected by, a business impact analysis (BIA)?
Stakeholders
_________ is the process of creating a list of threats.
Threat identification
Kevin is a disgruntled employee who was recently laid off from a major technology company. He wants to launch an attack on the company. Where might Kevin learn about vulnerabilities that he can exploit?
A blog
Which type of alternate location is the hardest to test for disaster readiness?
Cold site
Which of the following is NOT true of data and information assets?
Data classified at different levels, such as public and private, receives the same levels of protection.
Which of the following is NOT true of threats?
No action can reduce the potential for a threat to occur.
Alice is a security professional. While writing a risk assessment report, she is defining what the current email system does. She is using statements such as "Accepting email from external email servers and routing to internal clients" and "Scanning all email attachments and removing malware." Which of the following is she most likely defining?
The mission of the system
What is the function of job rotation?
To prevent or reduce fraudulent activity
What is the purpose of a plan of action and milestones (POAM)?
Tracks risk response actions
Functionality testing is primarily used with ____________.
software development
What are the first two steps in the business impact analysis (BIA) process?
Identify the environment and identify stakeholders
_____________ is the likelihood that a threat will exploit a vulnerability.
Probability
How are business continuity plans (BCPs) and disaster recovery plans (DRPs) related?
A DRP is a part of the larger BCP.
You are a stakeholder who has just designated a business function as critical. What must you do now?
Dedicate resources to protect the function.
Why should an organization regularly review and update its disaster recovery plan (DRP)?
To ensure the plan reflects changes to IT systems
When the Federal Trade Commission (FTC) was created in 1914, what was its primary goal?
To prevent unfair methods of competition
Which of the following can determine that a business function is critical?
Any stakeholder
What is NOT one of the three primary types of business liability insurance?
Cybersecurity
Which of the following is NOT true of big data?
Data in a warehouse is frequently modified.
What is critical data?
Data that supports critical business functions (CBFs)
Lin is writing a risk management report. Of the major categories of reporting requirements, which one becomes the actual risk response plan?
Documenting and tracking implementation of accepted recommendations
ABC Wholesale Pet Supply sells pet supplies to retailers. Every transaction results in a duplicate hardcopy paper shipping document and invoice. The person picking up the order signs the documents and takes one copy. Two other copies stay at the warehouse. How would using multiple hardcopies of each transaction affect ABC's recovery point objective (RPO)?
Duplicate hardcopies of transactions increase complexity and decrease tolerable data loss.
What is NOT one of the three primary objectives of controls?
Eliminate
What is NOT a risk management step?
Eliminating all risks
Which of the following mainly applies to any organization that handles health information?
HIPAA
Wren is defining the scope for his organization's disaster recovery plan (DRP). What items should he consider?
Hardware, software, data, and connectivity
Which of the following best describes the purpose of the Health Insurance Portability and Accountability Act (HIPAA)?
It helps to protect health information.
In a risk assessment, what refers to how responsibilities are assigned?
Management structure
Which of the following is often the weakest link in IT security?
People
What are the four major categories of risk management reporting requirements?
Present recommendations; document management response to recommendations; document and track implementation of accepted recommendations; and create a plan of action and milestones (POAM)
You are reviewing historical data in an attempt to identify potential threats to your business. What would NOT be helpful to you in this process?
Reading news articles about thefts that occurred last year in a different part of the U.S.
What causes a disaster recovery plan (DRP) to be activated?
Realizing criteria specified in the DRP
What is NOT a common classification of data?
Risk
Maria runs a bank. She wants to update the physical security at each bank branch and update the technological security of the bank's private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?
Risk assessment
__________ is the biggest problem you can face if you do not identify the scope of your risk management project.
Scope creep
Which factor most directly affects the scope of a business impact analysis (BIA)?
Size of the organization
An access control such as a firewall or intrusion prevention system cannot protect against which of the following?
Social engineer
What is a major type of vulnerability for the User Domain?
Social engineering
The following statements regarding compliance laws are true, EXCEPT:
The Federal Information Security Management Act (FISMA) requires covered organizations to share student records with students or their parents.
What is the relationship between Enron and the Sarbanes-Oxley Act (SOX)?
The bankruptcy and scandal surrounding Enron was one of the major scandals that inspired the creation of SOX.
What is the safeguard value in a quantitative risk assessment?
The cost of a control
What characteristic is common to risk assessments and threat assessments?
They are both performed for a specific time.
What are critical resources?
Those that are required to support critical business functions (CBFs)
Which tool is most commonly used to prioritize mitigation efforts?
Threat likelihood/impact matrix
Why is process analysis performed?
To determine if vulnerabilities exist in the process
What is NOT a best practice when performing a business impact analysis (BIA)?
Using the same data collection methods
A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.
business continuity
A(n) ____________ assessment attempts to identify vulnerabilities that can be exploited.
exploit
The term "big data" is most closely associated with _____________.
large databases
Gap analysis reports for security are often used when dealing with ___________.
legal compliance
To _________ risk means to reduce or neutralize threats or vulnerabilities to an acceptable level.
mitigate
Qualitative risk assessments determine the level of risk based on the __________ and _________ of risk.
probability, impact
Background checks, software testing, and awareness training are all categories of ____________.
procedural controls
In a SQL injection attack, an attacker can _________________.
read sections of a database or a whole database without authorization
The Remote Access Domain of a typical IT infrastructure allows __________ to access the ________ network.
remote users, private
Purchasing insurance is the primary way for an organization to ______ or _______ risk.
share, transfer
Piggybacking is also known as _____________.
tailgating
System logs and audit trails are a type of __________ control.
technical
The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control.
technical, procedural
When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with ________________.
the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA)
Regarding risk assessments, _____________ define(s) what a system does.
the mission of the system
By identifying critical business functions (CBFs) first, you use a ________ approach.
top-down
A business continuity plan (BCP) is an example of a ___________.
security plan
How does a countermeasure's cost most directly impact the decision to implement it?
A countermeasure's cost should not exceed the impact if the risk to be mitigated is realized.
Alice has completed a cost-benefit analysis (CBA) of recommended countermeasures. For a specific risk, four countermeasures have been recommended. How can Alice use the CBA to choose the countermeasure to recommend?
Choose the countermeasure with the highest countermeasure value.
What is the Delphi Method?
A way to complete a qualitative risk assessment
Jiang has been working on a risk management plan for his government agency. What information should he include in the report to management when he presents his risk management recommendations?
Findings, recommendation cost and time frame, and cost-benefit analysis (CBA)
Jonathan is a security professional. He is part of a small group of people launching a startup company that will handle patient medical information. Jonathan is attempting to determine threats the company may face, criteria that will allow each threat to succeed, and the potential result. Which of the following would be most useful to Jonathan?
Affinity diagram
How can you determine the importance of a system?
By how the system is used
A __________ is a computer joined to a botnet.
zombie
Regarding business continuity, what is the first phase of activity if a disruption occurs?
The notification and activation phase
What is the minimum number of nodes required by a failover cluster?
2
Which of the following is most likely to describe how to perform test restores?
A backup plan
Isabella is preparing to write a disaster recovery plan (DRP). What must she have before she proceeds with writing?
A clear idea of her primary concerns
Choose the most accurate statement with respect to creating a risk management plan.
A risk management plan can help ensure your business is in compliance with important regulations.
What is NOT something to consider when determining the value of an asset?
Departmental ownership
When should you establish objectives for a risk management plan?
During the planning phase of a project
What is an important element of following up on a risk mitigation plan?
Ensuring that security gaps are closed
All of the following are reasons why configuration management is an important risk management process, EXCEPT:
It reduces unintended outages.
Kyle works for the IT department. He is working in the asset management system. He is assigning the relevant IT infrastructure domain to each asset. Which is the best domain to assign to elements used to connect systems and servers together, such as hubs, switches, and routers?
LAN domain
Some controls are identified based on the function they perform. What are the broad classes of controls based on function?
Preventative, detective, corrective
What is the primary determination as to whether an incident is included in a business continuity plan (BCP)?
Probability of occurrence and impact
What is the most important consideration of a disaster recovery plan (DRP)?
Protecting personnel
What are the two primary methods used to create a risk assessment?
Quantitative and qualitative
What is one source of risk reduction?
Reducing the impact of the loss
What is the practice of identifying, assessing, controlling, and mitigating risks?
Risk management
You receive an email from someone named Bob in the IT department who needs to access your login information for a scheduled internal vulnerability assessment. You know an assessment is taking place because your manager notified your group last week. Normally, you wouldn't give your password or other login information to anybody, but doing so seems appropriate in this situation. Which of the following could be taking place?
Social engineering attack
Which of the following refer(s) to when users or customers need a system or service?
System access and availability
Which business continuity plan (BCP) test type brings all participants together in a conference room or similar environment to walk through BCP scenarios?
Tabletop exercise
What is the primary reason for testing a disaster recovery plan (DRP)?
To ensure it performs as expected
Lower recovery time objectives (RTOs) are _______ but _______.
achievable, costly
A ___________ plan can help you identify steps needed to restore a failed system.
disaster recovery
A redundant backup site is _______________.
hosted by a third-party vendor
All of the following are steps involved in creating an affinity diagram, EXCEPT ______________.
identifying a project's scope
A ______ to an asset occurs only when an attacker can exploit a vulnerability.
loss
Critical business functions (CBFs) support _________.
mission-critical operations
An exploit assessment is also known as a(n) ___________.
penetration test
Primary considerations for assessing threats based on historical data in your local area are _______ and ________.
weather conditions, natural disasters
What is NOT true of a qualitative risk assessment?
It provides a cost-benefit analysis (CBA).
What is NOT true of a quantitative risk assessment?
It uses relative terms such as high, medium, and low.
Rodrigo is a network security specialist. He wants to perform real-time analysis of security data gathered from networked systems. Which of the following is the best solution for Rodrigo to implement?
Security information and event management (SIEM)
Health Insurance Portability and Accountability Act (HIPAA) fines for mistakes can be as high as __________ a year.
25,000
Carl is a security specialist. He is updating the organization's hardware inventory in the asset management system. Which of the following would be least helpful to record?
A competitor's product
The Family Educational Rights and Privacy Act (FERPA) applies to all of the following, EXCEPT:
A medical center that hired recent nursing graduates
What is CIPA?
A law designed to limit offensive content from school and library computers
You are creating objectives for your risk management plan. What do you NOT include at this stage?
A plan of action and milestones (POAM)
Who is responsible for activating the business continuity plan (BCP)?
BCP coordinator
What is NOT one of the three primary bureaus of the Federal Trade Commission (FTC)?
Bureau of the Census
How do you start a risk assessment?
By defining what you will assess
The National Institute of Standards and Technology (NIST) publishes SP 800-53. This document describes a variety of IT security controls, such as access control, incident response, and configuration management. Controls are grouped into families. Which NIST control family helps an organization recover from failures and disasters?
Contingency Planning (CP)
Which of the following is a business continuity plan (BCP) phase that focuses on returning to normal operations?
Reconstitution phase
_____________ value is the cost to purchase a new asset in place of an existing asset.
Replacement
What is the primary reason to avoid risk?
The impact of the risk outweighs the benefit of the asset.
What is the primary benefit of a business continuity plan (BCP)?
To better prepare the organization to respond to an interruption
When does a threat/vulnerability pair occur?
When a threat exploits a vulnerability
The following are true of risk assessment critical area identification, EXCEPT:
When critical areas are identified, areas that are least critical to the business should be the first priority.
At what point in the risk mitigation process should you identify and analyze threats and vulnerabilities to your organization?
After you identify assets
Who is the most common person to authorize business continuity plan (BCP) activation in the order of succession if the chief executive officer (CEO) is unavailable?
Chief information officer (CIO)
Which of the following is a type of control that is implemented with a written document?
Procedural
A business impact analysis (BIA) is an important part of a _____________, and it can also be part of a __________.
business continuity plan, disaster recovery plan
Tonya is performing a quantitative risk assessment for a piece of software. The single loss expectancy (SLE) is $500, and the associated annual rate of occurrence (ARO) is 3. What is the annual loss expectancy (ALE)?
$1,500
What is a publicly traded company?
Any company that has stock that outside investors can buy or sell
What are the six principles of Payment Card Industry Data Security Standard (PCI DSS)?
Build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy
You plan to perform a vulnerability assessment on your company's servers. You know that your assessment may simulate the effects of a denial of service (DoS) attack for a brief period of time. What is the most important task to complete before you perform the assessment?
Obtain written permission from the proper authority.
The following are examples of hardware assets, EXCEPT:
Operating system
__________ provide the detailed steps needed to carry out ___________.
Procedures, policies
The formulas used in a quantitative risk assessment typically look at a single year. The calculations can become quite complex if other costs are included. Which of the following is NOT usually included in the calculations?
The cost to maintain a control
What is the overall goal of business continuity plan (BCP) exercises?
To demonstrate how the BCP will work
You book a hotel online, and the registration process is clear and streamlined. This is an example of a(n) ______________ process that has _______________.
automated, high value to customers
When an emergency is declared, the ____________ contact(s) appropriate teams or team leads.
business continuity plan (BCP) coordinator
The primary risks associated with the User Domain of a typical IT infrastructure are related to _____________.
social engineering
A business continuity plan (BCP) program manager within a large organization _________.
usually manages multiple BCP projects
A(n) _________ provides secure access to a private network over a public network such as the Internet.
virtual private network (VPN)
A __________ consists of multiple servers using ______________.
web farm, network load balancing
What is NOT an example of unintentional threat?
A script kiddie writes and runs malware to "see what it can do."
Which of the following is best described as attackers who focus on a specific target, have high levels of expertise, have almost unlimited resources, and are often sponsored by nation-states or terrorist groups?
Advanced persistent threats (APTs)
In a quantitative risk assessment, what describes the loss that will happen to the asset as a result of a threat?
Exposure factor (EF)
Which formula is used to determine the cost-benefit of a control, such as antivirus software?
Loss before control implementation − Loss after control implementation − Cost of control
Which of the following is NOT a vulnerability that might affect the website of an online company?
Loss of internet connectivity
Which of the following is a division of the U.S. Department of Commerce and publishes the Risk Management Framework (RMF) 800 special publications series?
National Institute of Standards and Technology (NIST)
____________ assessments are objective, while ___________ assessments are subjective.
Quantitative, qualitative
A new company does not have a lot of revenue for the first year. Installing antivirus software for all the company's computers would be very costly, so the owners decide to forgo purchasing antivirus software for the first year of the business. In what domain of a typical IT infrastructure is a vulnerability created?
Workstation Domain
Which of the following is NOT a direct cost?
Costs to regain market share
You have created a risk assessment and management has approved it. What do you do next?
Create a risk mitigation plan.
What is NOT one of the three commonly used business continuity plan (BCP) teams?
Critical contractor
Bill is a security professional. He is in a meeting with co-workers and describes a system that will make web sessions more secure. He says when a user connects to the web server and starts a secure session, the server sends a certificate to the user. The certificate includes a public key. The user can encrypt data with the public key and send it to the server. Because the server holds the private key, it can decrypt the data. Because no other entity has the private key, no one else can decrypt the data. What is Bill describing?
Public key infrastructure (PKI)
What is NOT a valuable area of consideration when defining the scope of a risk management project?
The maximum acceptable outage (MAO) for servers
In a business continuity plan (BCP), if a system houses data, the data must be protected according to _______.
its level of classification
A disaster recovery plan (DRP) simulation ___________.
goes through the steps and procedures in a controlled manner
Another term for data range and reasonableness checks is ______________.
input validation
Bonding is a type of ________ that covers against losses by theft, fraud, or dishonesty.
insurance
Having supplies on hand for continued production _______________.
may conflict with other organizational planning principles
When a fiduciary does not exercise due diligence, it can be considered __________.
negligence
All of the following would be specified in a password policy, EXCEPT _____________.
password management
Which term is best defined as a weakness?
Vulnerability
Complete the equation for the relationship between risk, vulnerabilities, and threats: Risk = _________.
Vulnerability × Threat
What is the primary hazard of attempting to recover without a business impact analysis (BIA)?
Wasted effort due to a lack of direction as to which resources are most critical
What does the scope section of a disaster recovery plan (DRP) define?
What is and is not covered in the plan
A warm site is _________________.
a compromise between a hot site and a cold site
A business impact analysis (BIA) identifies an impact that can result from a ____________.
disruption in a business
A __________ grants the authority to perform an action on a system. A __________ grants access to a resource.
right, permission
Which of the following is most likely to be warez?
A file on your computer of a new TV episode you downloaded for free
What is NOT a true statement about AES?
AES is the primary asymmetric encryption protocol used today.
____________ is the process of determining fair market value of an asset.
Asset valuation
According to the Sarbanes-Oxley Act (SOX), who in an organization must verify and attest to the accuracy of financial data as a matter of legal compliance?
High-level officers
After developing a business impact analysis (BIA) for her organization, Maria was asked by her manager to update the BIA recommendations with a higher recovery time objective (RTO). What is the most likely reason management would argue for a higher RTO?
Lower RTOs are more expensive.
Which term is sometimes referred to as the maximum tolerable period of disruption (MTPD)?
Maximum acceptable outage (MAO)
Threat ___________ is a process used to identify possible threats on a system.
Modeling
___________ prevents individuals from denying they took an action.
Nonrepudiation
What is the primary tool used to ensure countermeasures are implemented?
Plan of action and milestones (POAM)
Isabella is a risk management specialist for her organization. She is training Arturo, a new hire, on aspects of risk management. Arturo asks her what factors he should consider when assigning a value to an asset. Which of the following does Isabella tell him is the least useful?
Qualitative risk assessment
What communication elements are important to the success of a disaster recovery plan (DRP)?
Recall, users, customers, and a communication plan
What is the purpose of a business continuity plan (BCP)?
To ensure that mission-critical elements of an organization continue to operate during and after a disruption
Scaling _______ means that you increase resources to a server, and scaling _______ means that you add additional servers.
up, out
The following are true of risk assessment scope identification, EXCEPT:
The system or network administrator ultimately decides what is included in the scope of a risk assessment.
What is the purpose of a mandatory vacation?
embezzlement
A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.
patch management
Another term for risk mitigation is _______.
risk reduction
Hardening a server refers to ____________.
the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation
Alice is a risk management specialist. She wants to communicate a risk and the resulting impact to her superiors. Which of the following should she use?
A risk statement
You are a top-level executive at your own company. You are worried that your employees may steal confidential data by downloading data onto thumb drives. What is the best way to prevent this from happening?
Create and enforce a written company policy against the use of thumb drives and install a technical control on the computers to prevent the use of thumb drives.
Which of the following is a law that ensures that federal agencies protect their systems and data, comply with all elements of the law, and integrate security in all processes?
Federal Information Security Modernization Act (FISMA)
What is a security policy?
A high-level overview of security goals
Which of the following allows one person to act for another for legal issues and sometimes is used if someone becomes mentally incapacitated?
Power of attorney
Hajar is a security professional for a government contractor. Her company recently hired three new employees for a special project, all of whom have a security clearance for Secret data. Rather than granting the employees access to all files and folders in the data repository, she is granting them access only to the data they need for the project. What principle is Hajar following?
Principle of need to know
What can you control about threat/vulnerability pairs?
The vulnerability only
Which of the following is NOT true of state attorneys general (AGs)?
They are appointed by the Department of Homeland Security.
Jiang has been working on a risk management plan for his government agency. He collected data on risks and recommendations, included that information in a report, and submitted it to management. What is the purpose of the report?
To help management decide which recommendations to use
It is common to focus the scope of a risk assessment on system ownership, because doing so ____________.
makes it easier to implement recommendations
A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister's computer. While she's with friends at the mall, the teenager enters his sister's IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________.
script kiddie
The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations that handle health information follow standards for the ________________ of that data.
storage, use, and transmission
Total risk = _______________
threat × vulnerability × asset value
_________ are acts that are hostile to an organization.
Intentional threats
When should you perform a risk assessment?
Periodically after a control has been implemented
Oscar works for a health insurance company. He is creating a Health Insurance Portability and Accountability Act (HIPAA) compliance plan. In the section on monitoring, what should Oscar specify to be continuously monitored for changes?
Regulations and risks
What is the primary reason security professionals automate some processes?
To reduce human error
Identify the true statement.
Exploited vulnerabilities result in losses.
After risk management recommendations have been presented to management, the managers can ___________, ___________, or _____________ the recommendations.
accept, defer, modify
A(n) _____________ is a process used to determine how to manage risk.
cost-benefit analysis (CBA)
What are the elements of the security triad?
Confidentiality, integrity, and availability
Which of the following is NOT an indirect cost?
Cost to re-create or recover data
What key element is necessary for a disaster recovery plan (DRP) to succeed in a time of crisis?
Management support
Your team is developing a business impact analysis (BIA). You have identified the critical business functions (CBFs) and associated processes. What should you do next?
Map processes to IT systems.
The recovery time objective (RTO) is derived from what value from the business impact analysis (BIA)?
Maximum acceptable outage (MAO)
Which term is defined as the minimum level of services that are acceptable to an organization to meet its operational business needs?
Minimum business continuity objective (MBCO)
MAO is sometimes referred to as ____________.
MTPOD
Tonya has been asked to research compliance and then provide a report to upper management. Management wants to know what the organization must do to comply with a regulation that protects the privacy of citizens in the European Union. Which of the following will Tonya research?
General Data Protection Regulation (GDPR)
Devaki is the office manager for a small medical practice in California. Part of her duties is to ensure the practice is in compliance with any relevant regulations or standards. Self-pay patients pay for services via cash, check, or payment card. Which of the following does Devaki need to ensure compliance with?
HIPAA and PCI DSS
Wen is performing a cost-benefit analysis (CBA). He needs to determine whether the organization should move workloads from the in-house data center to the cloud. The projected benefit is $50,000. The cost of the control is $1,500. What is the control value?
48,500
What is NOT commonly included in a cost-benefit analysis (CBA)?
A business continuity plan
What is a service level agreement (SLA)?
A document that identifies an expected level of performance
What is a transaction in a database?
A group of statements that either succeed or fail as a whole
Which of the following is a physical control that is most likely to be used with a proximity card?
A locked door
What is the primary purpose of a disaster recovery plan (DRP)?
To restore critical business processes or systems to operation
Ideally, when should you perform threat modeling?
Before writing an application or deploying a system
Alice is an aspiring hacker. She wants to get information on computer and network vulnerabilities and ways to exploit applications. Which of the following is the best source?
Dark web
Carl is a risk specialist. He has determined the laws and regulations with which his organization must comply. What must he do next?
Determine the impact of these laws and regulations on the organization.
Aditya is assessing the value of IT systems. His company sells sporting goods online. One factor of his evaluation is the required availability of each system. Some systems must be available 24/7, while others must be available during regular business hours Monday through Friday. Which of the following would have the highest availability requirements?
E-commerce website server
What step of a business continuity plan (BCP) comes after providing training?
Testing and exercising plans
What are the seven components of Control Objectives for Information and Related Technology (COBIT)?
Principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
Stakeholders should have ownership of a project, which is also referred to as project ________.
buy-in
___________ is the negative result if the risk occurs.
impact
Companies use risk assessment strategies to differentiate ___________ from _________.
severe risks, minor risks
In a cost-benefit analysis (CBA), if the benefits of a control outweigh the costs of implementing that control, then the control can be implemented to reduce risk. However, if the cost outweighs the benefit, then ______________.
the risk can be accepted
__________ damage for the sake of doing damage, and they often choose targets of opportunity.
Vandals
In which of the following domains does the IT infrastructure link to a wide area network (WAN) and the Internet?
LAN-to-WAN Domain
Tonya is part of central IT at a public university. Her group has been tasked with creating a service catalog that will list and describe which services central IT provides to the campus community. The group has been asked to follow Information Technology Infrastructure Library (ITIL) practices. Because the group has only begun, which phase are they most likely at in the ITIL life cycle?
Service Strategy phase
What is the difference between fault tolerance and disaster recovery?
Fault tolerance mitigates component failures, and disaster recovery restores operations after a major loss.
___________ increases the availability of systems even when an isolated outage occurs, while ___________ provides the procedures to recover systems after a major failure.
Fault tolerance, disaster recovery
Which key planning principle guides the development of a business continuity plan (BCP)?
Length of time expected before returning to normal operations
What is the primary purpose of personnel policies, such as separation of duties?
To prevent fraud
A technician in a large corporation fixes a printer that was not receiving an IP address automatically by manually assigning it an address. The address was assigned to a server that was offline and being upgraded. When the server was brought online, it was no longer accessible. How could this problem have been avoided?
Through change management
Why should the people on the risk assessment team be different from the people responsible for correcting deficiencies?
To avoid conflicts of interest
Why are audits performed?
To check compliance with rules and guidelines
Which of the following is a significant part of control evaluation to determine which controls to implement?
Cost-benefit analysis (CBA)
A hacker wants to launch an attack on an organization. The hacker uses a tool to capture data sent over the network in cleartext, hoping to gather information that will help make the attack successful. What tool is the hacker using?
A packet analyzer
Carl is a security professional preparing to perform a risk assessment on database servers. He is reviewing the findings of a previous risk assessment. He is trying to determine which controls should be in place but were not implemented. Which of the following is typically found in a risk assessment report and would address Carl's needs?
Current status of accepted recommendations
What is NOT a way that you can measure the value of a system when determining if the system requires five nines?
Confidentiality
After being fired, an employee becomes disgruntled. The managers never disabled his login information, and his best friend still works at the company. The disgruntled employee gives his friend his login information for the company's private network and convinces the friend to delete important files from the company's database. You are confused when you review the audit logs and see that the disgruntled employee has been logging in from within the office every day for the past week. What has been lost in this scenario?
Nonrepudiation
Isabella works as a risk specialist for her company. She wants to determine which risks should be managed and which should not by applying a test to each risk. Risks that don't meet the test are accepted. What type of test does she apply?
Reasonableness test
A threat is any activity that represents a possible danger, which includes any circumstances or events with the potential to cause an adverse impact on the following, EXCEPT:
Assessments
In a risk management plan, how should you complete the step of describing the procedures and schedules for accomplishment?
For any threat or vulnerability, recommend a solution that attempts to mitigate associated risks; justify your recommendation; list the tasks necessary for addressing the vulnerability; and provide management with an estimate of how long it will take to complete the recommendation.
What is the primary purpose of identifying critical resources in the business impact analysis (BIA) process?
Identify all IT assets that support critical business functions (CBFs).
What are the steps of a business continuity plan (BCP)?
Identify scope, identify key business areas, identify critical functions, identify dependencies between key business areas and critical functions, determine acceptable downtime, and create a plan to maintain operations
The following are major components of risk assessments, EXCEPT:
Identifying insurance options
Which approach to firewall rules starts off by blocking all traffic and then adding rules to allow approved traffic?
Implicit deny
Which of the following is NOT true of the WAN Domain of a typical IT infrastructure?
Internal-facing servers are configured in the demilitarized zone between two firewalls.
What might occur if you do NOT include the scope when defining the risk assessment?
Missed deadlines
Isabelle is a project manager. Her company is regulated and subject to regular audits for compliance. One regulation the company needs to comply with is the Health Insurance Portability and Accountability Act (HIPAA). Isabelle needs a tool for tracking the company's progress in meeting HIPAA compliance. The tool should also enable her to assign responsibility for tasks, and it should provide management an easy way to check the status of the project. Which of the following would be most useful in this situation?
Plan of action and milestones (POAM)
________ help(s) prevent a hard drive from being a single point of failure. __________ help(s) prevent a server from being a single point of failure. _________ help(s) prevent a person from being a single point of failure.
RAID, Failover clusters, Cross-training
Susan works for a U.S. investment firm that is required to be registered with the Securities and Exchange Commission. Susan is responsible for implementing access controls on the organization's database servers. Which one of the following laws must her organization comply with?
Sarbanes-Oxley Act (SOX)
Hajar is a security specialist. Her organization has about 500 systems that must be tracked for inventory purposes. She is preparing an email to her manager that describes the benefits of including specific details about software in the inventory, as well as the use of an automated asset management system. Which of the following is NOT one of those benefits?
The frequency of operating system upgrades will be reduced.
What does the principle of least privilege have in common with the principle of need to know?
They both specify that users be granted access only to what they need to perform their jobs.
What is the purpose of a risk mitigation plan?
To implement countermeasures
What is an indirect objective of a business impact analysis (BIA)?
To justify funding
Why might you need to verify risk elements if a substantial amount of time has passed since you performed a risk assessment?
To make sure that the threats or vulnerabilities you want to mitigate still exist
What is the purpose of nonrepudiation techniques?
To prevent people from denying they took actions
Why is system testing performed?
To test individual systems for vulnerabilities
What process generally causes a plan of action and milestones (POAM) to expand?
Transforming the risk assessment into a risk mitigation plan
When performing threat assessments, it's important to ensure you understand the system or application you are evaluating. To understand a given system or application, you need to understand all of the following EXCEPT:
Where a system is manufactured
Disaster recovery procedures begin after ___________ and ___________.
activating the disaster recovery plan (DRP), assessing the damage
Bob is the project manager for his company's security countermeasure implementation project. Michael informs Bob that task #12 (implementing a failover cluster) will not finish on time. Because task #12 is on the project's _______________, Bob knows that the project will not complete on time and sets up a meeting to inform the stakeholders.
critical path
When compliance is mandated by law, companies often participate in _______, which provide third-party verification that requirements are being met.
external audits
According to the World Intellectual Property Organization (WIPO), the two categories of intellectual property (IP) are _______________ and _______________.
industrial property, copyright
POAM stands for _____.
plan of action and milestones
A(n) _____ is the likelihood that something unexpected is going to occur.
risk
A(n) ___________________ is performed to identify and evaluate risks.
risk assessment