C727 OA Study Guide
Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario?
$10 million
Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the annualized loss expectancy?
$100,000
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determined that there is a 5% chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10% is attributed to the land itself. What is the annualized loss expectancy?
$135,000
You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determined that there is a 5% chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10% is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches?
$2,700,000
You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10% likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50% of the building. What is the annualized loss expectancy (ALE)?
$750,000
The Children's Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent?
13
Ruth recently obtained a utility patent covering a new invention that she created. How long will she retain legal protection for her invention?
20 years from the application date
Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20%. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed?
20%
Leonard and Sheldon recently coauthored a paper describing a new superfluid vacuum theory. How long will the copyright on their paper last?
70 years after the death of the last author
Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just need to know how much we should expect these risks to cost us each year." What measure could Renee provide to best answer this question?
ALE
During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated?
ALE before safeguard - ALE after implementing safeguard - annual cost of safeguard
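The SLE, ALE, and safeguard-value formulas behind the tornado, avalanche, and hurricane questions above and the safeguard valuation rule just stated, worked in Python as an added example (this code is not part of the original study guide). The three scenarios reuse the dollar figures from the questions; the hurricane-shutters safeguard, its $200,000 annual cost, and its reduced exposure factor are constructed for illustration.

```python
"""Quantitative risk arithmetic: SLE = AV * EF, ALE = SLE * ARO,
safeguard value = ALE(before) - ALE(after) - annual cost of safeguard.
Added worked example; the scenarios use the figures from the study guide
questions, and the safeguard scenario is constructed."""
from typing import Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is expected events per year: 'once every 100 years'
    is 0.01, and a threat that hits monthly is 12. Past quiet years do not
    change it (see the Darren question above)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard to the company. Positive means the control removes
    more expected annual loss than it costs; negative means it is not
    cost-effective and acceptance (or a different control) should be considered."""
    return round(ale_before - ale_after - annual_cost, 2)


def tornado() -> Tuple[float, float]:
    # $10M facility, total loss, once every 100 years -> SLE $10M, ALE $100k
    sle = single_loss_expectancy(10_000_000, 1.0)
    return sle, annualized_loss_expectancy(sle, 1 / 100)


def avalanche() -> Tuple[float, float]:
    # $3M facility, but only the building (90%) is destroyed; the land keeps
    # its value, so EF is 0.9 rather than 1.0 -> SLE $2.7M, ALE $135k
    sle = single_loss_expectancy(3_000_000, 0.90)
    return sle, annualized_loss_expectancy(sle, 0.05)


def hurricane() -> Tuple[float, float]:
    # $15M headquarters, average storm destroys 50%, 10% chance per year
    sle = single_loss_expectancy(15_000_000, 0.50)
    return sle, annualized_loss_expectancy(sle, 0.10)


def evaluate_hurricane_shutters(annual_cost: float = 200_000, new_ef: float = 0.20) -> dict:
    """Constructed safeguard (not from the study guide): shutters assumed to cut
    the hurricane exposure factor from 50% to 20% for an assumed $200k per year."""
    _, ale_before = hurricane()
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(15_000_000, new_ef), 0.10)
    value = safeguard_value(ale_before, ale_after, annual_cost)
    return {"ale_before": ale_before, "ale_after": ale_after,
            "value": value, "cost_effective": value > 0}


if __name__ == "__main__":
    for name, fn in (("tornado", tornado), ("avalanche", avalanche), ("hurricane", hurricane)):
        sle, ale = fn()
        print(f"{name:10s} SLE=${sle:,.0f}  ALE=${ale:,.0f}")
    print(evaluate_hurricane_shutters())
```

The avalanche case is the one people get wrong: the exposure factor applies to the portion of the asset the threat can actually destroy, so the land's 10% is excluded before the ARO is applied. The shutters evaluation shows the rule from the safeguard-value question in use: at $200,000 per year the control is worth keeping, but raise its annual cost to $500,000 and the same formula turns negative, which is the signal to accept the risk or look for a cheaper control.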
During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation?
Acceptance
What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures?
Administrative law
Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing?
Alternative systems
Users log on with a username when accessing the company network from home. Management wants to implement a second factor of authentication for these users. They want a secure solution, but they also want to limit costs. Which of the following best meets these requirements?
Authenticator app
The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on a senior official's decision to authorize a system or a set of common controls, based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable?
Authorize
James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated?
Availability
Brianna is working with a US software firm that uses encryption in its products and plans to export their product outside of the United States. What federal government agency has the authority to regulate the export of encryption software?
BIS
Which of the following provides authentication based on a physical characteristic of a subject?
Biometrics
Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance?
Business continuity manager
James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake?
Business organization analysis
An organization is planning to use a cloud provider to store some data. Management wants to ensure that all data-based security policies implemented in the organization's internal network can also be implemented in the cloud. Which of the following will support this goal?
CASB
Security governance requires a clear understanding of the objectives of the organization as well as the core concepts of security. Which of the following contains the primary goals and objectives of security?
CIA Triad
What US state was the first to pass a comprehensive privacy law modeled after the requirements of the European Union's General Data Protection Regulation?
California
A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You're hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability?
Collection limitation
Congress passed CALEA in 1994, requiring what type of organization to cooperate with law enforcement investigations?
Communications carriers
Matt recently authored an innovative algorithm for solving a math problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property (IP) protection. Which type of protection is best suited to his needs?
Copyright
Due to recent organizational restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step?
Create a job description
STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?
Information disclosure (the I in STRIDE; D is denial of service)
While performing a risk analysis, you identify a threat of fire and vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk?
Damage to equipment
Which of the following provides the best protection against the loss of confidentiality for sensitive data?
Data classifications
You are tasked with updating your organization's data policy and you need to identify the responsibilities of different roles. Which data role is responsible for implementing the protections defined by the security policy?
Data custodian
Management is concerned that users may be inadvertently transmitting sensitive data outside the organization. They want to implement a method to detect and prevent this from happening. Which of the following can detect outgoing, sensitive data based on specific data patterns and is the best choice to meet these requirements?
Data loss prevention systems
A database file includes personally identifiable information (PII) on several individuals, including Karen C. Park. Which of the following is the best identifier for the record on Karen C. Park?
Data subject
An executive is reviewing governance and compliance issues and ensuring the security or data policy addresses them. Which of the following security controls is most likely driven by a legal requirement?
Data retention
Your organization is courting a new business partner. During the negotiations, the other party defines several requirements of your organization's security that must be met prior to the signing of the service level agreement (SLA) and business partners agreement (BPA). One of the requirements is that your organization demonstrate its level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework be adopted organization-wide. Which of the five possible levels of the RMM is being required of your organization?
Defined
Administrators have been using tapes to back up servers in your organization. However, the organization is converting to a different backup system, storing backups on disk drives. What is the final stage in the lifecycle of tapes used as backup media?
Destruction
Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance?
Disaster recovery plan
The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review?
Due diligence
In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following is true?
Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the security effort.
Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?
Existing security policy
Wendy recently accepted a position as a senior cybersecurity administrator at a US government agency and is concerned about the legal requirements affecting her new position. Which law governs information security operations at federal agencies?
FISMA
Sally has a user account and has previously logged on using a biometric system. Today the biometric system did not recognize her, so she wasn't able to log on. What does this describe?
False rejection
What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities?
Fourth Amendment
Greg recently accepted a position as the cybersecurity compliance officer with a privately held bank. What law most directly impacts the manner in which his organization handles personal information?
GLBA
The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that they were crafted four years ago. They suggest that the material be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended?
Gamification
Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?
Hardware
Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which is not considered a violation of confidentiality?
Hardware destruction caused by arson
You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest?
Humans
Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure?
ITIL
A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue?
Inherent risk
Ryan is reviewing the terms of a proposed vendor agreement between the financial institution where he works and a cloud service provider. Which one of the following items would represent the least concern to Ryan?
Is the vendor compliant with HIPAA?
What does the CER for a biometric device indicate?
It indicates the point where the false rejection rate equals the false acceptance rate
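To make the CER concrete, the following added example (not part of the original study guide) computes FAR and FRR from two constructed lists of biometric match scores, one from genuine users and one from impostors, sweeps the decision threshold, and reports the crossover point. A higher score means a closer match; the score lists and function names are this example's own.

```python
"""Crossover error rate (CER) of a biometric matcher, from constructed score data.
Added worked example; the scores are made up for illustration."""

# Constructed match scores in [0, 1]; a higher score means the sample looks
# more like the enrolled template. Some impostors overlap with weak genuine
# matches, which is what forces a trade-off between FAR and FRR.
GENUINE_SCORES = [0.50, 0.60, 0.70, 0.80, 0.90]
IMPOSTOR_SCORES = [0.20, 0.30, 0.40, 0.50, 0.60]


def false_acceptance_rate(impostor_scores, threshold):
    """FAR (Type II error): fraction of impostor attempts that score at or
    above the threshold and are therefore wrongly accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR (Type I error): fraction of genuine attempts that score below the
    threshold and are wrongly rejected (the false-rejection case earlier on
    this page)."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_rates_by_threshold(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) rows, lowest threshold first."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, false_acceptance_rate(impostor_scores, t),
             false_rejection_rate(genuine_scores, t)) for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """CER: the operating point where FAR and FRR are equal (or closest, on
    discrete data). A lower CER means a more accurate device."""
    rows = error_rates_by_threshold(genuine_scores, impostor_scores)
    t, a, r = min(rows, key=lambda row: abs(row[1] - row[2]))
    return {"threshold": t, "far": a, "frr": r, "cer": (a + r) / 2}


if __name__ == "__main__":
    for t, a, r in error_rates_by_threshold(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={a:.2f}  FRR={r:.2f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

On this data the curves cross at a threshold of 0.6 with FAR = FRR = 20%, so the CER is 0.2. Raising the threshold to 0.7 drives FAR to zero but rejects 40% of genuine users, which is the point of the CER: it is the single number used to compare devices, not necessarily the threshold you deploy. A system protecting a data center is usually tuned to the right of the crossover (lower FAR, higher FRR), and a convenience-oriented one to the left.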
Which of the following best identifies the benefit of a passphrase?
It is easy to remember
Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different business units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine?
MTD
Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use?
Monetary
Which of the following is a true statement in regard to vendor, consultant, and contractor controls?
Multiparty risks exist when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved
Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment?
Negative Publicity
_____ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics.
Onboarding
Based on advice from the National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?
Only if the current password is compromised
A technician is about to remove disk drives from several computers. His supervisor told him to ensure that the disk drives do not hold any sensitive data. Which of the following methods will meet the supervisor's requirements?
Overwriting the disks multiple times
You are updating your organization's data policy, and you want to identify the responsibilities of various roles. Which one of the following data roles is responsible for classifying data?
Owner
It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?
PASTA
Justin is a cybersecurity consultant working with a retailer on the design of their new point of sale (POS) system. What compliance obligation relates to the processing of credit card information that might take place through this system?
PCI DSS
Security administrators have learned that users are switching between two passwords. When the system prompts them to change their password, they use the second password. When the system prompts them to change their password again, they use the first password. What can prevent users from rotating between two passwords?
Password history
Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans?
People
Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase?
Personnel
Which of the following best expresses the primary goal when controlling access to assets?
Preserve confidentiality, integrity, and availability of systems and data
Tom is an adviser to a federal government agency that collects personal information from constituents. He would like to facilitate a research relationship between that agency and several universities that would involve the sharing of personal information. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances?
Privacy Act
A development team is working on a new project. During the early stages of systems development, the team considers vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?
Proactive approach
Your organization's security policy mandates the use of symmetric encryption for sensitive data stored on servers. Which one of the following guidelines is it implementing?
Protecting data at rest
In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team?
Provisions and processes
Developers created an app that routinely processes sensitive data. The data is encrypted and stored in a database. When the app processes the data, it retrieves it from the database, decrypts it for use, and stores it in memory. Which of the following methods can protect the data in memory after the application uses it?
Purge memory buffers
Your organization is donating several computers to a local school. Some of these computers include solid state drives (SSDs). Which of the following choices is the most reliable method of destroying data on these SSDs?
Purging
During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach and determining the number of times a threat could cause harm to the company each year. What is being performed?
Quantitative risk assessment
Administrators regularly back up all the email servers within your company, and they routinely purge onsite emails older than six months to comply with the organization's security policy. They keep a copy of the backups onsite and send a copy to one of the company warehouses for long-term storage. Later, they discover that someone leaked sensitive emails sent between executives over three years ago. Of the following choices, what policy was ignored and allowed this data breach?
Record retention
After repeated rounds of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides that this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to the ex-employee?
Review the nondisclosure agreement
Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in the documentation?
Risk mitigation controls put in place to address acceptable risks
An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called?
Scoping
Often a ____ is a member of a group who decides or is assigned to take charge of leading the adoption and integration of security concepts into the group's work activities. ___ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.
Security champion(s)
Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance?
Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.
You are performing an annual review of your company's data policy, and you come across some confusing statements related to security labeling. Which of the following could you insert to describe security labeling accurately?
Security labeling identifies the classification of data.
A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it?
Security professional
Renee's organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate?
Standard contractual clauses
You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create?
Strategic plan
Kevin is assessing his organization's obligations under state data breach notification laws. Which one of the following pieces of information would generally not be covered by a data-breach notification law when it appears in conjunction with a person's name?
Student identification number
Your organization issues devices to employees. These devices generate one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
Synchronous token
The IT department is updating the budget for the following year, and they want to include enough money for a hardware refresh for some older systems. Unfortunately, there is a limited budget. Which of the following should be a top priority?
Systems with an end-of-support (EOS) date that occurs in the following year
An organization is planning to deploy an e-commerce site hosted on a web farm. IT administrators have identified a list of security controls they say will provide the best protection for this project. Management is now reviewing the list and removing any security controls that do not align with the organization's mission. What is this called?
Tailoring
You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases?
The annual costs of safeguards should not exceed the expected annual cost of asset value loss
Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns?
The exercise is crucial to ensuring that the org is prepared for emergencies
Which of the following is true related to a subject?
The subject is always the entity that receives information about or data from an object
Frances learned that a user in her organization recently signed up for a cloud service without the knowledge of her supervisor and is storing corporate information in that service. Which one of the following statements is correct?
The user most likely agreed to a click-through license agreement binding the organization
An organization is considering creating a cloud-based federation using a third-party service to share federated identities. After it is completed, what will people use as their login ID?
Their normal account
Roger is the CISO at a healthcare organization covered under HIPAA. He would like to enter into a partnership with a vendor who will manage some of the organization's data. As part of the relationship, the vendor will have access to protected health information (PHI). Under what circumstances is the arrangement permissible under HIPAA?
This is permissible if the service provider enters into a business associate agreement
Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property (IP) protection best suits their needs?
Trade secret
What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?
Training
Administrators regularly back up data on all the servers within your organization. They annotate an archive copy with the server it came from and the date it was created and transfer it to an unstaffed storage warehouse. Later, they discover that someone leaked sensitive emails sent between executives on the internet. Security personnel discovered that some archive tapes are missing, and these tapes probably included the leaked emails. Of the following choices, what would have prevented this loss without sacrificing security?
Use a secure off site storage facility
Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?
Void the ATO of the vendor
Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status?
™