CSA + Chapter 9


4. Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?

B. Contain

The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

2. Which one of the following statements is not true about compensating controls under PCI DSS?

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

3. What law creates cybersecurity obligations for healthcare providers and others in the health industry?

A. HIPAA

17. Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization's network. What type of control is Tina designing?

A. Logical control

5. What ISO standard applies to information security management controls?

B. 27001

1. Joe is authoring a document that explains to system administrators one way that they might comply with the organization's requirement to encrypt all laptops. What type of document is Joe writing?

B. Guideline

10. Which one of the following would not normally be found in an organization's information security policy?

B. Requirement to use AES-256 encryption

8. What law governs the financial records of publicly traded companies?

B. SOX

The Sarbanes-Oxley (SOX) Act applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.

18. Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?

B. Standard

9. What TOGAF domain provides the organization's approach to storing and managing information assets?

C. Data architecture

7. What SABSA architecture layer corresponds to the designer's view of security architecture?

C. Logical security architecture

COBIT

Control Objectives for Information and Related Technologies: a set of best practices for IT governance developed by ISACA (the Information Systems Audit and Control Association). It uses four domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

11. Darren is helping the Human Resources department create a new policy for background checks on new hires. What type of control is Darren creating?

D. Administrative

19. Which one of the following is not a common use of the NIST Cybersecurity Framework?

D. Create specific technology requirements for an organization.

14. Which one of the following policies would typically answer questions about when an organization should destroy records?

D. Data retention policy

16. Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?

D. Guideline

12. Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?

D. ITIL

The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise.

13. What compliance obligation applies to merchants and service providers who work with credit card information?

D. PCI DSS

6. Which one of the following documents must normally be approved by the CEO or similarly high-level executive?

D. Policy

Policies require approval from the highest level of management, usually the CEO.

20. Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

D. Procedure

15. While studying an organization's risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?

D. Tier 4

The description provided matches the definition of a Tier 4 (Adaptive) organization's risk management practices under the NIST Cybersecurity Framework.
