Security+ 501 Chapter 5 Risk Management
12. Which of the following plans best identifies critical systems and components to ensure the assets are protected? A. DRP B. BCP C. IT contingency plan D. Succession plan
B. A business continuity plan is a policy that describes and approves the company's overall business continuity strategy. This also includes identifying critical systems to protect.
143. Your IT team has created a disaster recovery plan to be used in case a SQL database server fails. What type of control is this? A. Detective B. Corrective C. Preventive D. Deterrent
B. A corrective control is designed to correct a situation after it has occurred.
40. Which of the following might you find in a DRP? A. Single point of failure B. Prioritized list of critical computer systems C. Exposure factor D. Asset value
B. A disaster recovery plan (DRP) is a plan that helps a company recover from an incident with minimal loss of time and money. It prioritizes critical computer systems.
130. Which of the following require careful handling and special policies for data retention and distribution? (Choose two.) A. Personal electronic devices B. MOU C. PII D. NDA
A and C. Personally identifiable information (PII) is personal information that can be used to identify an individual. PII must be carefully handled and distributed to prevent ID theft and fraud. Personal electronic devices, in a BYOD environment, should be protected and secured because these devices can be used for personal and business purposes.
144. Which of the following is not a step in the incident response process? A. Snapshot B. Preparation C. Recovery D. Containment
A. A snapshot is the state of a system at a particular point in time. It's also known as a system image and is not a step in the incident response process.
8. Which of the following is not a step of the incident response process? A. Snapshot B. Preparation C. Recovery D. Containment
A. A snapshot is the state of a system at a particular point in time. It's also known as a system image and is not a step in the incident response process.
95. In the initial stages of a forensics investigation, Zack, a security administrator, was given the hard drive of the compromised workstation by the incident manager. Which of the following data acquisition procedures would Zack need to perform in order to begin the analysis? (Choose two.) A. Take hashes B. Take screenshots C. Capture the system image D. Start the order of volatility
A and C. Taking hashes of the hard drive will preserve the evidence. If the hash has not changed, the data hasn't changed. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.
99. What should human resources personnel be trained in regarding security policies? A. Guidelines and enforcement B. Order of volatility C. Penetration assessment D. Vulnerability assessment
A. A standard operating procedure (SOP) is a document that details the processes that a company will have in place to ensure that routine operations are delivered consistently every time. Guidelines and enforcement are items that are included in a SOP.
43. Zack is a security administrator who has been given permission to run a vulnerability scan on the company's wireless network infrastructure. The results show TCP ports 21 and 23 open on most hosts. What port numbers do these refer to? (Choose two.) A. FTP B. SMTP C. Telnet D. DNS
A and C. FTP (File Transfer Protocol) uses port 21 and Telnet uses port 23. These protocols are considered weak and are not recommended for use because they transmit data, including credentials, in cleartext and are susceptible to eavesdropping.
52. You maintain a network of 150 computers and must determine which hosts are secure and which are not. Which of the following tools would best meet your need? A. Vulnerability scanner B. Protocol analyzer C. Port scanner D. Password cracker
A. A vulnerability scanner attempts to identify weaknesses in a system.
65. You are the network director and are creating the following year's budget. You submit forensic dollar amounts for the cyber incident response team. Which of the following would you not submit? (Choose two.) A. ALE amounts B. SLE amounts C. Training expenses D. Man-hour expenses
A and B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).
35. You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to? A. Deterrent B. Detective C. Compensating D. Degaussing
A. As users register for an account, they enter letters and numbers they are given on the web page before they can register. This is an example of a deterrent control as it prevents bots from registering and proves this is a real person.
4. You are a security engineer and discovered an employee using the company's computer systems to operate their small business. The employee installed their personal software on the company's computer and is using the computer hardware, such as the USB port. What policy would you recommend the company implement to prevent any risk of the company's data and network being compromised? A. Acceptable use policy B. Clean desk policy C. Mandatory vacation policy D. Job rotation policy
A. An acceptable use policy is a document stating what a user may or may not have access to on a company's network or the Internet.
129. Which of the following are examples of alternate business practices? (Choose two.) A. The business's point-of-sale terminal goes down, and employees use pen and paper to take orders and a calculator to determine customers' bills. B. The network system crashes due to an update, and employees are told to take time off until the company's network system is restored. C. Power is lost at a company's site and the manager posts a closed sign until power is restored. D. A bank location has lost power, and the employees are sent to another location to resume business.
A and D. An alternate business practice is a temporary substitute for normal business activities. Having employees write down customers' orders is a substitute for the point-of-sale system. Having employees work from another bank location means that the employees can continue using the computer system and phones to assist customers.
82. Recently, company data that was sent over the Internet was intercepted and read by hackers. This damaged the company's reputation with its customers. You have been asked to implement a policy that will protect against these attacks. Which of the following options would you choose to help protect data that is sent over the Internet? (Choose two.) A. Confidentiality B. Safety C. Availability D. Integrity
A and D. Confidentiality ensures that only authorized users can access sensitive and protected data. Integrity ensures that the data hasn't been altered and is protected from unauthorized modification.
86. Which of the following is an example of a preventive control? (Choose two.) A. Data backups B. Security camera C. Door alarm D. Cable locks
A and D. Preventive controls are proactive and are used to avoid a security breach or an interruption of critical services before they can happen.
108. Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis? (Choose two.) A. Quantitative risk analysis requires complex calculations. B. Quantitative risk analysis is sometimes subjective. C. Quantitative risk analysis is generally scenario-based. D. Quantitative risk analysis is more time-consuming than qualitative risk analysis.
A and D. Quantitative risk analysis requires complex calculations and is more time-consuming than qualitative risk analysis.
84. Which of the following impact scenarios would include severe weather events? (Choose two.) A. Life B. Reputation C. Salary D. Property
A and D. The correct answer is life and property. Both of these impact scenarios include examples of severe weather events.
103. Which of the following pieces of information would be summarized in the lessons learned phase of the incident response process? (Choose three.) A. When the problem was first detected and by whom B. How the problem was contained and eradicated C. The work that was performed during the recovery D. Preparing a company's team to be ready to handle an incident at a moment's notice
A, B, and C. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
148. Which of the following defines a standard operating procedure (SOP)? (Choose three.) A. Standard B. Privacy C. Procedure D. Guideline
A, C, and D. The correct answer is standard, procedure, and guideline. A standard defines how to measure the level of adherence to the policy. A procedure contains the step-by-step instructions for implementing components of the policy. A guideline is a suggestion, recommendation, or best practice for how to meet the policy standard.
22. You are the new security administrator and have discovered your company lacks deterrent controls. Which of the following would you install that satisfies your needs? (Choose two.) A. Lighting B. Motion sensor C. No trespassing signs D. Antivirus scanner
A and C. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a "no trespassing" sign are deterrent controls.
56. Which of the following are examples of custodian security roles? (Choose two.) A. Human resources employee B. Sales executive C. CEO D. Server backup operator
A and D. Custodians maintain access to data as well as its integrity.
34. Mark is an office manager at a local bank branch. He wants to ensure customer information isn't compromised when the deskside employees are away from their desks for the day. What security concept would Mark use to mitigate this concern? A. Clean desk B. Background checks C. Continuing education D. Job rotation
A. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
89. Which of the following would help build informed decisions regarding a specific DRP? A. Business impact analysis B. ROI analysis C. RTO D. Life impact
A. A business impact analysis (BIA) helps identify the risks that would affect business operations, such as financial impact. This will help a company recover from a disaster.
149. Computer equipment was suspected to be involved in a computer crime and was seized. The computer equipment was left unattended in a corridor for 10 minutes while officers restrained a potential suspect. The seized equipment is no longer admissible as evidence because of which of the following violations? A. Chain of custody B. Order of volatility C. Preparation D. Eradication
A. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
10. You are a security manager for your company and need to reduce the risk of employees working in collusion to embezzle funds. Which of the following policies would you implement? A. Mandatory vacations B. Clean desk C. NDA D. Continuing education
A. Companies use mandatory vacation policies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.
133. You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels? A. Owner B. Custodian C. Privacy officer D. System administrator
A. Data owners assign labels such as top secret to data.
47. Which of the following are considered detective controls? A. Closed-circuit television (CCTV) B. Guard C. Firewall D. IPS
A. Detective controls detect an intrusion as it happens and uncover a violation.
120. Which of the following methods is not recommended for removing data from a storage media that is used to store confidential information? A. Formatting B. Shredding C. Wiping D. Degaussing
A. Formatting is not a recommended method. Formatting removes the pointer to the location of the data on the storage media but does not ensure the data is removed.
44. Which of the following backup concepts is the quickest backup but slowest restore? A. Incremental B. Differential C. Full D. Snapshots
A. Incremental backups are the quickest backup method but the slowest method to restore. Incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. To restore from incremental backups, you will need the full backup and every incremental backup in order.
32. You are an IT administrator for a company and you are adding new employees to an organization's identity and access management system. Which of the following best describes the process you are performing? A. Onboarding B. Offboarding C. Adverse action D. Job rotation
A. Onboarding is the process of adding an employee to a company's identity and access management system.
58. James is a security administrator and is attempting to block unauthorized access to the desktop computers within the company's network. He has configured the computers' operating systems to lock after 5 minutes of no activity. What type of security control has James implemented? A. Preventive B. Corrective C. Deterrent D. Detective
A. Preventive controls stop an action from happening—in this scenario, preventing an unauthorized user from gaining access to the network when the user steps away.
11. You are a security administrator, and your manager has asked you about protecting the privacy of personally identifiable information (PII) that is collected. Which of the following would be the best option to fulfill the request? A. PIA B. BIA C. RTO D. SPF
A. A privacy impact assessment (PIA) is a measurement of how a company can keep private information safe while the company is in possession of PII.
41. Your security manager wants to decide which risks to mitigate based on cost. What is this an example of? A. Quantitative risk assessment B. Qualitative risk assessment C. Business impact analysis D. Threat assessment
A. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and to the impact the event will have.
85. Which of the following outlines a business goal for system restoration and allowable data loss? A. RPO B. Single point of failure C. MTTR D. MTBF
A. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses the business continuity plan's maximum acceptable threshold.
98. A warrant has been issued to investigate a file server that is suspected to be part of an organized crime to steal credit card information. You are instructed to follow the order of volatility. Which data would you collect first? A. RAM B. USB flash drive C. Hard disk D. Swap files
A. Random access memory (RAM) data is lost when the device is powered off. Therefore, RAM must be properly collected first.
25. You are a security administrator for your company and you identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan in case the security risk occurs. Which of the following type of risk response technique are you demonstrating? A. Accept B. Transfer C. Avoid D. Mitigate
A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has limited impact that a corrective control is not warranted.
77. Your company website is hosted by an Internet service provider. Which of the following risk response techniques is in use? A. Risk avoidance B. Risk register C. Risk acceptance D. Risk mitigation
A. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat.
67. Which option is an example of a workstation not hardened? A. Risk B. Threat C. Exposure D. Mitigate
A. Risk is defined as the likelihood of occurrence of a threat and the corresponding loss potential. Risk is the probability that a threat actor exploits a vulnerability. The purpose of system hardening is to remove as many security risks as possible. Hardening is typically performed by disabling all nonessential software programs and utilities on the workstation.
26. Which of the following best visually shows the state of a computer at the time it was collected by law enforcement? A. Screenshots B. Identification C. Tabletop exercise D. Generate hash values
A. Taking screenshots gives an investigator a useful way to collect information on a computer screen. Screenshots can be acquired in many ways and allow the investigator to reproduce what happened on the screen.
91. Which of the following secures access to company data in agreement with management policies? A. Technical controls B. Administrative controls C. HTTPS D. Integrity
A. Technical controls are applied through technology and may be deterrent, preventive, detective, or compensating. They include hardware or software solutions using access control in accordance with established security policies.
123. Your company has hired a new administrative assistant to a commercial lender named Leigh Ann. She will be using a web browser on a company computer at the office to access internal documents on a public cloud provider over the Internet. Which type of document should Leigh Ann read and sign? A. Internet acceptable use policy B. Audit policy C. Password policy D. Privacy policy
A. The correct answer is an Internet acceptable use policy. Leigh Ann will be using the company's equipment to access the Internet, so she should read and sign this policy.
62. You are a member of your company's security response team and have discovered an incident within your network. You are instructed to remove and restore the affected system. You restore the system with the original disk image and then install patches and disable any unnecessary services to harden the system against any future attacks. Which incident response process have you completed? A. Eradication B. Preparation C. Containment D. Recovery
A. The eradication process involves removing and restoring affected systems by reimaging the system's hard drive and installing patches.
3. Why are penetration tests often not advised? A. It can be disruptive for the business activities. B. It is able to measure and authenticate the efficiency of a company's defensive mechanisms. C. It's able to find both known and unknown hardware or software weaknesses. D. It permits the exploration of real risks and gives a precise depiction of a company's IT infrastructure security posture at any given time.
A. The main reason to avoid penetration tests is answer A. It's advised to perform vulnerability tests often rather than penetration tests. Pentests can cause disruption to businesses. This is the main focus of the question.
20. You have an asset that is valued at $16,000, the exposure factor of a risk affecting that asset is 35%, and the annualized rate of occurrence is 75%. What is the SLE? A. $5,600 B. $5,000 C. $4,200 D. $3,000
A. The single loss expectancy (SLE) is the product of the asset value ($16,000) and the exposure factor (.35), or $5,600. The annualized rate of occurrence is not used for SLE; it is only needed to compute the ALE.
80. Which of the following statements is true regarding a data retention policy? A. Regulations require financial transactions to be stored for 7 years. B. Employees must remove and lock up all sensitive and confidential documents when not in use. C. It describes a formal process of managing configuration changes made to a network. D. It is a legal document that describes a mutual agreement between parties.
A. This statement refers to the data retention policy.
111. Which of the following should a comprehensive data policy include? A. Wiping, disposing, storage, retention B. Disposing, patching, storage, retention C. Storage, retention, virtualization D. Onboarding, storage, disposing
A. Wiping a drive can remove sensitive data. Disposal of hard drives can be done with shredding. Storage includes types of devices and configurations for data safety. Retention can be required for legal and compliance reasons.
109. Which of the following are disadvantages of using a cold site? (Choose two.) A. Expense B. Recovery time C. Testing availability D. Administration time
B and C. Cold sites require a large amount of time to bring online after a disaster. They are not as readily available for testing as other alternatives.
100. Which of the following is not a basic concept of computer forensics? A. Preserve evidence B. Determine if the suspect is guilty based on the findings C. Track man-hours and expenses D. Interview all witnesses
B. Whether the suspect is guilty is determined by the legal system and is not part of the basic concepts of computer forensics.
59. Which of the following terms best describes sensitive medical information? A. AES B. PHI C. PII D. TLS
B. PHI (protected health information) is any data that refers to health status, delivery of health care, or payment for health care that is gathered by a health care provider and can be linked to an individual according to U.S. law.
128. Which of the following are considered administrative controls? (Choose two.) A. Firewall rules B. Personnel hiring policy C. Separation of duties D. Intrusion prevention system
B and C. A personnel hiring policy and separation of duties are administrative controls. Administrative controls are defined through policies, procedures, and guidelines.
118. Your company has lost power and the salespeople cannot take orders because the computers and phone systems are unavailable. Which of the following would be the best options to an alternate business practice? (Choose two.) A. Tell the salespeople to go home for the day until the power is restored. B. Tell the salespeople to use their cell phones until the power is restored. C. Have the salespeople use paper and pen to take orders until the power is restored. D. Have the salespeople instruct customers to fax their orders until the power is restored.
B and C. An alternate business practice is a temporary substitute for normal business activities. When the power is out, the salespeople can use their cell phones to continue to sell and write the orders on a sheet of paper. Once the power is restored, the salespeople can enter the orders into the system without compromising business activities.
61. Which of the following are considered inappropriate places to store backup tapes? (Choose two.) A. Near a workstation B. Near a speaker C. Near a CRT monitor D. Near an LCD screen
B and C. Backup tapes should not be stored near magnetic sources such as CRT monitors and speakers. These devices can cause the tapes to be degaussed.
121. A SQL database server is scheduled for full backups on Sundays at 2:00 a.m. and incremental backups each weeknight at 11:00 p.m. Write verification is enabled, and backup tapes are stored off-site at a bank safety deposit box. Which of the following should be completed to ensure integrity and confidentiality of the backups? (Choose two.) A. Use SSL to encrypt the backup data. B. Encrypt the backup data before it is stored off-site. C. Ensure that an employee other than the backup operator analyzes each day's backup logs. D. Ensure that the employee performing the backup is a member of the administrators' group.
B and C. Encrypting the backup data before it is stored off-site ensures confidentiality. To avoid data tampering and ensure data integrity, a different employee should review the backup logs.
73. Which of the following types of testing can help identify risks? (Choose two.) A. Quantitative B. Penetration testing C. Vulnerability testing D. Qualitative
B and C. Penetration and vulnerability testing can help identify risk. Before a tester performs these tests, they should receive written authorization.
81. You are attending a meeting with your manager and he wants to validate the cost of a warm site versus a cold site. Which of the following reasons best justify the cost of a warm site? (Choose two.) A. Small amount of income loss during long downtime B. Large amount of income loss during short downtime C. Business contracts enduring no more than 72 hours of downtime D. Business contracts enduring no more than 8 hours of downtime
B and D. Companies can lose a large amount of income in a short period of downtime. Companies can also have business contracts that state the maximum amount of downtime that may occur if a disaster happens. These reasons can be used to justify the cost of a warm site, because a warm site relies on backups to recover from a disaster.
19. Your company is considering moving its mail server to a hosting company. This will help reduce hardware and server administrator costs at the local site. Which of the following documents would formally state the reliability and recourse if the reliability is not met? A. MOU B. SLA C. ISA D. BPA
B. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area.
96. Which of the following best describes a Computer Incident Response Team (CIRT)? A. Personnel who participate in exercises to practice incident response procedures B. Personnel who promptly and correctly handle incidents so they can be quickly contained, investigated, and recovered from C. A team to identify planning flaws before an actual incident occurs D. Team members using a walk-through checklist to ensure understanding of roles in a DRP
B. A Computer Incident Response Team (CIRT) includes personnel who promptly and correctly handle incidents so that they can be quickly contained, investigated, and recovered from.
135. You are a network administrator looking to test patches quickly and often before pushing them out to the production workstations. Which of the following would be the best way to do this? A. Create a full disk image to restore the system after each patch installation. B. Create a virtual machine and utilize snapshots. C. Create an incremental backup of an unpatched workstation. D. Create a differential backup of an unpatched workstation.
B. A snapshot is the state of a system at a particular point in time. Snapshots offer considerably easier and faster backups than any traditional backup system can.
140. A security analyst is analyzing the cost the company could incur if the customer database was breached. The database contains 2,500 records with PII. Studies show the cost per record would be $300. The likelihood that the database would be breached in the next year is only 5%. Which of the following would be the ALE for a security breach? A. $15,000 B. $37,500 C. $150,000 D. $750,000
B. ALE (annual loss expectancy) = SLE (single loss expectancy) × ARO (annualized rate of occurrence). SLE equals $750,000 (2,500 records × $300), and ARO equals 5%, so $750,000 times 5% equals $37,500.
83. How do you calculate the annual loss expectancy (ALE) that may occur due to a threat? A. Exposure Factor (EF) / Single Loss Expectancy (SLE) B. Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO) C. Asset Value (AV) × Exposure Factor (EF) D. Single Loss Expectancy (SLE) / Exposure Factor (EF)
B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).
30. You are the head of the IT department of a school and are looking for a way to promote safe and responsible use of the Internet for students. With the help of the teachers, you develop a document for students to sign that describes methods of accessing the Internet on the school's network. Which of the following best describes this document? A. Service level agreement B. Acceptable use policy C. Incident response plan D. Chain of custody
B. An acceptable use policy describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.
115. The chief security officer (CSO) has seen four security breaches during the past 2 years. Each breach cost the company $30,000, and a third-party vendor has offered to repair the security weakness in the system for $250,000. The breached system is set to be replaced in 5 years. Which of the following risk response techniques should the CSO use? A. Accept the risk. B. Transfer the risk. C. Avoid the risk. D. Mitigate the risk.
B. Breaches have cost the company $60,000 per year (two $30,000 breaches per year), and over the course of 5 years the total will be $300,000. Transferring the risk will help save money for the company because the third-party vendor's solution will cost $250,000.
117. You are a network administrator and have purchased two devices that will work as failovers for each other. Which of the following does this best demonstrate? A. Integrity B. Availability C. Authentication D. Confidentiality
B. Failover is the continuous ability to automatically and flawlessly switch to a highly reliable backup. This can be activated in a redundant manner or in a standby operating mode should the primary server fail. The main purpose of failover is to provide availability of data or service to a user.
127. Zackary has been assigned the task of performing a penetration test on a server and was given limited information about the inner workings of the server. Which of the following tests will he be performing? A. White box B. Gray box C. Black box D. Clear box
B. Gray-box testing uncovers application vulnerabilities within the internal structure, devices, and components of a software application. During gray-box testing, limited information regarding the internal devices and structure is given to the testing team.
68. Which of the following elements should not be included in the preparation phase of the incident response process? A. Policy B. Lesson learned documentation C. Response plan/strategy D. Communication
B. Lessons learned documentation is produced in the lessons learned phase of the incident response process, not during preparation.
72. During which step of the incident response process does root cause analysis occur? A. Preparation B. Lessons learned C. Containment D. Recovery
B. The lessons learned process is the most critical phase because it is the phase in which you complete any documentation that may be beneficial in future incidents. Documentation should include information such as when the problem was first detected and by whom, how the problem was contained and eradicated, the work that was performed during the recovery, and areas that may need improvement.
13. After your company implemented a clean desk policy, you have been asked to secure physical documents every night. Which of the following would be the best solution? A. Department door lock B. Locking cabinets and drawers C. Proximity card D. Onboarding
B. Locking cabinets and drawers is the best solution because the employee would be the only one with a key.
110. Which of the following policies should be implemented to minimize data loss or theft? A. Password policy B. PII handling C. Chain of custody D. Detective control
B. Personally identifiable information (PII) is personal information that can be used to identify an individual. Protecting PII is important because if an attacker gains PII, they can use it for financial gain at the expense of the individual.
38. Users are currently accessing their personal email through company computers, so you and your IT team have created a security policy for email use. What is the next step after creating and approving the email use policy? A. Encrypt all user email messages. B. Provide security user awareness training. C. Provide every employee with their own device to access their personal email. D. Forward all personal emails to their company email account.
B. Provide security user awareness training to all employees regarding the risk of using personal email through company computers. The ability to access personal email is a security risk because the company is unable to filter emails through the company's Exchange server.
132. Categorizing residual risk is most important to which of the following risk response techniques? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transfer
B. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has such limited impact that a corrective control is not warranted.
17. Your competitors are offering a new service that is predicted to sell strongly. After much careful research, your company has decided not to launch a competing service due to the uncertainty of the market and the enormous investment required. Which of the following best describes the company's decision? A. Risk transfer B. Risk avoidance C. Risk acceptance D. Risk mitigation
B. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat.
145. Which of the following threats is mitigated by shredding paper documents? A. Shoulder surfing B. Physical C. Adware D. Spyware
B. Shredding documents can prevent physical threats such as theft of the documents or obtaining information from the documents.
27. You are asked to protect the company's data should a complete disaster occur. Which action would be the best option for this request? A. Back up all data to tape, and store those tapes at an alternate location within the city. B. Back up all data to tape, and store those tapes at an alternate location in another city. C. Back up all data to disk, and store the disk in a safe in the company's basement. D. Back up all data to disk, and store the disk in a safe at the network administrator's home.
B. Storing backup data at an alternate site in another city will help protect the data if there were a complete disaster at the primary location. Storing backups outside of the original location is known as off-site backups. Also, the distance associated with an off-site backup can be a logistics challenge.
7. Katelyn is a network technician for a manufacturing company. She is testing a network forensic capturing software and plugs her laptop into an Ethernet switch port and begins capturing network traffic. Later she begins to analyze the data and notices some broadcast and multicast packets, as well as her own laptop's network traffic. Which of the following statements best describes why Katelyn was unable to capture all network traffic on the switch? A. Each port on the switch is an isolated broadcast domain. B. Each port on the switch is an isolated collision domain. C. Promiscuous mode must be enabled on the NIC. D. Promiscuous mode must be disabled on the NIC.
B. Switches forward data only to the devices that need to receive it, so when capturing network traffic the computer will see only broadcast and multicast packets along with traffic sent to and received by the connected computer.
9. Which of the following is another term for technical controls? A. Access controls B. Logical controls C. Detective controls D. Preventive controls
B. Technical controls restrict access to data and operating system components and are implemented through security applications, network devices, and encryption techniques. Logical controls use authentication mechanisms.
104. You receive a phone call from an employee reporting that their workstation is acting strangely. You gather information from the intrusion detection system and notice unusual network traffic from the workstation, and you determine the event may be an incident. You report the event to your manager, who then begins to collect evidence and prepare for the next steps. Which phase of the incident response process is this? A. Preparation B. Identification C. Containment D. Eradication
B. The identification phase deals with the discovery and determination of whether a deviation from normal operations within a company is an incident. This phase requires a person to collect events from various sources and report the incident as soon as possible.
2. Which of the following principles stipulates that multiple changes to a computer system should not be made at the same time? A. Due diligence B. Acceptable use C. Change management D. Due care
C. Change management is the process of documenting all changes made to a company's network and computers. Avoiding simultaneous changes makes tracking any problems that occur much simpler.
122. You are planning to perform a security audit and would like to see what type of network traffic is transmitting within your company's network. Which of the following tools would you use? A. Port scanner B. Vulnerability scanner C. Protocol analyzer D. Network intrusion detection system
C. A protocol analyzer used with a promiscuous mode NIC can capture all network traffic.
101. The Chief Information Officer (CIO) wants to set up a redundant server location so that the production server images can be moved within 36 hours and the servers can be restored quickly, should a catastrophic failure occur at the primary location. Which of the following can be implemented? A. Hot site B. Cold site C. Warm site D. Load balancing
C. A warm site is harder to test because it contains only the equipment and no employees or company data.
106. Which of the following statements best defines change management? A. Responding to, containing, analyzing, and recovering from a computer-related incident B. Means used to define which access permissions subjects have for a specific object C. Procedures followed when configuration changes are made to a network D. Categorizing threats and vulnerabilities and their potential impacts to a network
C. Change management ensures that proper procedures are followed when configuration changes are made to a network.
150. Which of the following should be performed when conducting a qualitative risk analysis? (Choose two.) A. ARO B. SLE C. Asset estimation D. Rating potential threats
C and D. The correct answers are asset estimation and rating potential threats. Qualitative risk analysis measures the probability of risks that will hinder normal business operations and rates them relative to one another. Assets that are protected from risks must have an assigned value to determine whether the cost of risk mitigation is justified.
125. Which of the following policies would you implement to help prevent the company's users from revealing their login credentials for others to view? A. Job rotation B. Data owner C. Clean desk D. Separation of duties
C. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use.
50. Your team powered off the SQL database server for over 7 hours to perform a test. Which of the following is the most likely reason for this? A. Business impact analysis B. Succession plan C. Continuity of operations plan D. Service level agreement
C. A continuity of operations plan focuses on restoring critical business functions after an outage to an alternate site. The plan will determine if a company can continue its operations during the outage.
71. Which of the following statements best describes a differential backup? A. Only the changed portions of files are backed up. B. All files are copied to storage media. C. Files that have changed since the last full backup are backed up. D. Only files that have changed since the last full or incremental backup are backed up.
C. A differential backup copies files that have changed since the last full backup.
6. Which recovery site is the easiest to test? A. Warm site B. Cold site C. Hot site D. Medium site
C. A hot site contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple.
78. A call center leases a new space across town, complete with a functioning computer network that mirrors the current live site. A high-speed network link continuously synchronizes data between the two sites. Which of the following describes the site at the new leased location? A. Cold site B. Warm site C. Hot site D. Differential site
C. A hot site, also known as an alternate processing site, contains all of the alternate computer and telecommunication equipment needed in a disaster. Testing this environment is simple.
141. Your team must perform a test of a specific system to be sure the system operates at the alternate site. The results of the test must be compared with the company's live environment. Which test is your team performing? A. Cutover test B. Walk-through C. Parallel test D. Simulation
C. A parallel test can test certain systems to confirm their operation at alternate sites. Compare the results of the test to the results of the original system to confirm that the alternate site operates as close to normal as possible.
1. You are a manager of a bank and you suspect one of your tellers has stolen money from their station. After talking with your supervisor, you place the employee on leave with pay, suspend their computer account, and obtain their proximity card and keys to the building. Which of the following policies did you follow? A. Mandatory vacations B. Exit interviews C. Adverse actions D. Onboarding
C. Adverse actions are administrative actions that are taken against employees. These actions include letters of reprimand, leave with or without pay, or termination. Along with these actions, the policy should include steps such as disabling user accounts and revoking privileges, such as access to facilities, to prevent data from being compromised. When an employee has been placed under administrative action, the company shouldn't have to worry about vindictive actions they might take against the company.
31. You are the security administrator and have discovered a malware incident. Which of the following responses should you do first? A. Recovery B. Eradication C. Containment D. Identification
C. After identifying the malware incident, the next step you would perform based on the incident response process is to contain the malware to further study the incident and prevent it from spreading across the network.
131. Matt is the head of IT security for a university department. He recently read articles about security breaches that involved malware on USB removable devices and is concerned about future incidents within the university. Matt reviews the past incident responses to determine how these occurrences may be prevented and how to improve the past responses. What type of document should Matt prepare? A. MOU B. SLA C. After-action report D. Nondisclosure agreement
C. An after-action report examines a response to an incident or exercise and identifies its strengths that will be maintained and built on. Also, it helps recognize potential areas of improvement.
21. During a meeting, you present management with a list of access controls used on your network. Which of the following controls is an example of a corrective control? A. IDS B. Audit logs C. Antivirus software D. Router
C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation.
39. Which of the following is not a physical security control? A. Motion detector B. Fence C. Antivirus software D. CCTV
C. Antivirus software is used to protect computer systems from malware and is not a physical security control.
116. Which of the following would not be a guideline for performing a BIA? A. Identify impact scenarios that put your business operations at risk. B. Identify mission-essential functions and the critical systems within each function. C. Approve and execute changes in order to ensure maximum security and availability of IT services. D. Calculate RPO, RTO, MTTR, and MTBF.
C. Approving and executing changes to ensure maximum security and availability of a company's IT services is considered change management. A business impact analysis (BIA) identifies a company's risk and determines the effect on ongoing, mission-critical operations and processes.
66. Computer evidence of a crime is preserved by making an exact copy of the hard disk. Which of the following does this demonstrate? A. Chain of custody B. Order of volatility C. Capture system image D. Taking screenshots
C. Capturing the system image involves making an exact image of the drive so that it can be referenced later in the investigation.
45. Which of the following operations should you undertake to avoid mishandling of tapes, removable drives, CDs, and DVDs? A. Degaussing B. Acceptable use C. Data labeling D. Wiping
C. A data labeling policy includes how data is labeled, such as confidential, private, or public. It should also include how the data is handled and disposed of for all classifications of data. Before data can be disposed of, you will need to destroy it with a data sanitization tool.
134. Which of the following is the most pressing security concern related to social media networks? A. Other users can view your MAC address. B. Other users can view your IP address. C. Employees can leak a company's confidential information. D. Employees can express their opinion about their company.
C. Employees can leak a company's confidential information. Exposing a company's information could put the company's security position at risk because hackers can use this information to gain unauthorized access to the company.
15. Which of the following is an example of PHI? A. Passport number B. Criminal record C. Fingerprints D. Name of school attended
C. Fingerprints are considered PHI (Protected Health Information), according to HIPAA rules.
28. Which of the following would not be a purpose of a privacy threshold analysis? A. Identify programs and systems that are privacy-sensitive. B. Demonstrate the inclusion of privacy considerations during the review of a program or system. C. Identify systems that are considered a single point of failure. D. Demonstrate compliance with privacy laws and regulations.
C. Identifying systems that are considered a single point of failure is not a purpose of PTA.
60. An accounting employee changes roles with another accounting employee every 4 months. What is this an example of? A. Separation of duties B. Mandatory vacation C. Job rotation D. Onboarding
C. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture.
92. You are a server administrator for your company's private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives? A. MTTR B. RPO C. MTBF D. ALE
C. Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is.
69. Which of the following does not minimize security breaches committed by internal employees? A. Job rotation B. Separation of duties C. Nondisclosure agreements signed by employees D. Mandatory vacations
C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches.
147. You are a network administrator and have been given the duty of creating user accounts for new employees the company has hired. These employees are added to the identity and access management system and assigned mobile devices. What process are you performing? A. Offboarding B. System owner C. Onboarding D. Executive user
C. Onboarding is the process of adding an employee to a company's identity and access management system.
37. As the IT security officer, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets? A. High B. Top secret C. Proprietary D. Low
C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company's competitive edge.
29. You have purchased new laptops for your salespeople. You plan to dispose of the hard drives of the former laptops as part of a company computer sale. Which of the following methods would you use to properly dispose of the hard drives? A. Destruction B. Shredding C. Purging D. Formatting
C. Purging removes all the data from a hard drive, and the data cannot be rebuilt.
97. Which of the following decreases the success of brute-force attacks? A. Password complexity B. Password hints C. Account lockout threshold D. Enforce password history
C. The account lockout threshold setting defines the number of failed sign-in attempts that will cause a user account to be locked. This policy best mitigates brute-force password attacks.
142. Which of the following concepts defines a company goal for system restoration and acceptable data loss? A. MTBF B. MTTR C. RPO D. ARO
C. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning's maximum acceptable threshold.
53. You have been instructed to introduce an affected system back into the company's environment and be sure that it will not lead to another incident. You test, monitor, and validate that the system is not being compromised by any other means. Which of the incident response processes have you completed? A. Lessons learned B. Preparation C. Recovery D. Containment
C. The recovery process brings affected systems back into the company's production environment carefully to avoid leading to another incident.
87. You are a security administrator for your company and you identify a security risk that you do not have in-house skills to address. You decide to acquire contract resources. The contractor will be responsible for handling and managing this security risk. Which of the following types of risk response techniques are you demonstrating? A. Accept B. Mitigate C. Transfer D. Avoid
C. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration, or of acquiring insurance to cover the costs emerging from a risk.
75. You are a network administrator and have been asked to send a large file that contains PII to an accounting firm. Which of the following protocols would it be best to use? A. Telnet B. FTP C. SFTP D. SMTP
C. SFTP (secure FTP) encrypts data that is transmitted over the network.
70. You find one of your employees posting negative comments about the company on Facebook and Twitter. You also discover the employee is sending negative comments from their personal email on the company's computer. You are asked to implement a policy to help the company avoid any negative reputation in the marketplace. Which of the following would be the best option to fulfill the request? A. Account policy enforcement B. Change management C. Security policy D. Risk assessment
C. A security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change.
137. What concept is being used when user accounts are created by one employee and user permissions are configured by another employee? A. Background checks B. Job rotation C. Separation of duties D. Collusion
C. Separation of duties is the concept of having more than one person required to complete a task.
49. Which of the following is typically included in a BPA? A. Clear statements detailing the expectation between a customer and a service provider B. The agreement that a specific function or service will be delivered at the agreed-upon level of performance C. Sharing of profits and losses and the addition or removal of a partner D. Security requirements associated with interconnecting IT systems
C. Sharing of profits and losses and the addition or removal of a partner are typically included in a BPA (business partner agreement). Also included are the responsibilities of each partner.
74. What can a company do to prevent sensitive data from being retrieved by dumpster diving? A. Degaussing B. Capture system image C. Shredding D. Wiping
C. Shredding is the process of reducing the size of objects so the information is no longer usable. Other practices include burning, pulping, and pulverizing.
93. You are replacing a number of devices with a mobile appliance that combines several functions. Which of the following describes the new implementation? A. Cloud computing B. Load balancing C. Single point of failure D. Virtualization
C. A single point of failure is a single weakness that can bring an entire system down and prevent it from working.
88. You are an IT manager and discovered your department had a break-in, and the company's computers were physically damaged. What type of impact best describes this situation? A. Life B. Reputation C. Property D. Safety
C. The correct answer is property. Physical damage to a building and the company's computer equipment can be caused by intentional man-made attacks.
107. During which step of the incident response process does identification of incidents that can be prevented or mitigated occur? A. Containment B. Eradication C. Preparation D. Lessons learned
C. The preparation phase of the incident response process prepares a company's team to be ready to handle an incident at a moment's notice. During this step, a company may identify incidents that can be prevented or mitigated.
136. You have instructed your junior network administrator to test the integrity of the company's backed-up data. Which of the following is the best way to test the integrity of a backup? A. Review written procedures. B. Use software to recover deleted files. C. Restore part of the backup. D. Conduct another backup.
C. To test the integrity of backed-up data, restore part of the backup.
64. You are attending a risk analysis meeting and are asked to define internal threats. Which of the following is not considered an internal threat? A. Employees accessing external websites through the company's hosts B. Embezzlement C. Threat actors compromising a network through a firewall D. Users connecting a personal USB thumb drive to a workstation
C. Unauthorized access of a network through a firewall by a threat actor is considered an external threat.
113. You plan to provide a word processing program to the employees in your company. You decide not to install the program on each employee's workstation but rather have a cloud service provider host the application. Which of the following risk response techniques best describes the situation? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transfer
D. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk.
76. Zackary is a network backup engineer and performs a full backup each Sunday evening and an incremental backup Monday through Friday evenings. One of the company's network servers crashes on Thursday afternoon. How many backups will Zack need to do to restore the server? A. Two B. Three C. Four D. Five
C. Zackary will need four backups to restore the server if it crashes on Thursday afternoon. The four backups are Sunday evening full backup, Monday evening incremental backup, Tuesday evening incremental backup, and Wednesday evening incremental backup. Incremental backups require the full backup and all the incremental backups in order.
18. Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved? A. SLA B. BPA C. ISA D. MOU
D. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money.
57. You are the network administrator of your company, and the manager of a retail site located across town has complained about the loss of power to their building several times this year. The branch manager is asking for a compensating control to overcome the power outage. What compensating control would you recommend? A. Firewall B. Security guard C. IDS D. Backup generator
D. A backup generator is a compensating control—an alternate control that replaces the original control when it cannot be used due to limitations of the environment.
119. Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn't properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming? A. Power user B. Data owner C. User D. Custodian
D. A custodian configures data protection based on security policies.
146. Your company hires a third-party auditor to analyze the company's data backup and long-term archiving policy. Which type of organization document should you provide to the auditor? A. Clean desk policy B. Acceptable use policy C. Security policy D. Data retention policy
D. A data retention policy states how data should be stored based on its type; this includes the storage location, the amount of time the data should be retained, and the type of storage medium that should be used.
42. Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme Corporation wants to include a third-party vendor to help resolve the technical issues. Which of the following must Acme Corporation consider before sending data to the third party? A. This data should be encrypted before it is sent to the third-party vendor. B. This may constitute unauthorized data sharing. C. This may violate the privileged user role-based awareness training. D. This may violate a nondisclosure agreement.
D. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands.
94. Which of the following can help mitigate adware intrusions? A. Antivirus B. Antispam C. Spyware D. Pop-up blocker
D. A pop-up blocker program can help prevent pop-ups from displaying in a user's web browser. Pop-ups can contain adware or spyware.
90. Each salesperson who travels has a cable lock to lock down their laptop when they step away from the device. Which of the following controls does this represent? A. Administrative B. Compensating C. Deterrent D. Preventive
D. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen.
46. Which of the following can be classified as a single point of failure? A. Failover B. A cluster C. Load balancing D. A configuration
D. A single point of failure is a weakness in the design or configuration of a system in which one fault or malfunction will cause the whole system to halt operating.
63. You are a security administrator and have decided to implement a unified threat management (UTM) appliance within your network. This appliance will provide antimalware, spam filtering, and content inspection along with other protections. Which of the following statements best describes the potential problem with this plan? A. The protections can only be performed one at a time. B. This is a complex plan because you will manage several complex platforms. C. This could create the potential for a single point of failure. D. You work with a single vendor and its support department.
D. A unified threat management (UTM) appliance is a single console that a security administrator can monitor and manage easily. This could create a single point of failure.
124. During a conversation with another colleague, you suggest there is a single point of failure in the single load balancer in place for the company's SQL server. You suggest implementing two load balancers in place with only one in service at a given time. What type of load balancing configuration have you described? A. Active-active B. Active directory C. Round robin D. Active-passive
D. Active-passive is a configuration that involves two load balancers. Traffic is sent to the primary node, and the secondary node will be in listening mode. When too much traffic is sent to the main server, the second server will handle some of the requests. This will prevent a single point of failure.
48. Your CIO wants to move the company's large sets of sensitive data to a SaaS cloud provider to limit the storage and infrastructure costs. Both the cloud provider and the company are required to have a clear understanding of the security controls that will be applied to protect the sensitive data. What type of agreement would the SaaS cloud provider and your company initiate? A. MOU B. BPA C. SLA D. ISA
D. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.
114. Which of the following statements is true about incremental backup? A. It backs up all files. B. It backs up all files in a compressed format. C. It backs up all new files and any files that have changed since the last full backup without resetting the archive bit. D. It backs up all new files and any files that have changed since the last full or incremental backup and resets the archive bit.
D. An incremental backup backs up all new files and any files that have changed since the last full backup or incremental backup. Incremental backups clear the archive bit.
33. Your company is partnering with another company and requires systems to be shared. Which of the following agreements would outline how the shared systems should be interfaced? A. BPA B. MOU C. SLA D. ISA
D. An interconnection security agreement (ISA) is an agreement that specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between at least two companies.
126. Which of the following are part of the chain of custody? A. Delegating evidence collection to your manager B. Capturing the system image to another hard drive C. Capturing memory contents before capturing hard disk contents D. Preserving, protecting, and documenting evidence
D. Chain of custody offers assurances that evidence has been preserved, protected, and handled correctly after it has been collected. Documents show who handled the evidence and when they handled it.
54. You discover that an investigator made a few mistakes during a recent forensic investigation. You want to ensure the investigator follows the appropriate process for the collection, analysis, and preservation of evidence. Which of the following terms should you use for this process? A. Incident handling B. Legal hold C. Order of volatility D. Chain of custody
D. Chain of custody refers to the chronological documentation showing the custody, control, transfer, analysis, and disposition of physical or electronic evidence.
102. Choose the correct order of volatility when collecting digital evidence. A. Hard disk drive, DVD-R, RAM, swap file B. Swap file, RAM, DVD-R, hard disk drive C. RAM, DVD-R, swap file, hard disk drive D. RAM, swap file, hard disk drive, DVD-R
D. Digital evidence for forensic review must first be collected from the most volatile (non-permanent) locations, such as RAM and swap files. A swap file is a location on a hard disk drive used as the virtual memory extension of a computer's RAM. A hard disk drive is the next less volatile location, followed by DVD-R. Some digital evidence can be gathered by using live boot media.
105. Your manager has asked you to recommend a way to transmit PII via email and maintain its confidentiality. Which of the following options is the best solution? A. Hash the information before sending. B. Protect the information with a digital signature. C. Protect the information by using RAID. D. Encrypt the information before sending.
D. Encrypting PII ensures confidentiality.
5. What should be done to back up tapes that are stored off-site? A. Generate a file hash for each backup file. B. Scan the backup data for viruses. C. Perform a chain of custody on the backup tape. D. Encrypt the backup data.
D. Encrypting the backup data before storing it off-site ensures data confidentiality.
24. Which step of the incident response process occurs after containment? A. Preparation B. Recovery C. Identification D. Eradication
D. Eradication is the next step after containment.
138. Your company is requesting the installation of a fence around the property and cipher locks on all front entrances. Which of the following concepts is your company concerned about? A. Confidentiality B. Integrity C. Availability D. Safety
D. Safety is a common goal of security that includes providing protection for personnel and other assets.
139. Which of the following is an example of a vulnerability assessment tool? A. Ophcrack B. John the Ripper C. L0phtCrack D. Nessus
D. Nessus is considered a vulnerability scanner. It attempts to identify weaknesses in a system.
36. Which of the following is not a common security policy type? A. Acceptable use policy B. Social media policy C. Password policy D. Parking policy
D. A parking policy generally outlines parking provisions for employees and visitors. This includes the criteria and procedures for allocating parking spaces to employees.
16. Which of the following techniques attempts to predict the likelihood a threat will occur and assigns monetary values should a loss occur? A. Change management B. Vulnerability assessment C. Qualitative risk assessment D. Quantitative risk assessment
D. Quantitative risk assessment is the process of assigning numerical values to the probability that an event will occur and to the impact the event will have.
112. You have discovered a recent intrusion within the company's network and have decided to execute incident response procedures. The incident response team has identified audit logs that hold information about the recent security breach. Prior to the incident, a security consulting firm recommended that your company install an NTP server within the network. Which of the following is a setback the incident response team will likely encounter during the assessment? A. Order of volatility B. Chain of custody C. Eradication D. Record time offset
D. Record time offset is used to validate the date and time stamps of digital forensic evidence.
51. Which of the following role-based positions should receive training on how to manage a particular system? A. Users B. Privileged users C. Executive users D. System owners
D. System owner is a type of employee who would receive role-based training on how best to manage a particular system.
79. A security administrator is reviewing the company's continuity plan, and it specifies an RTO of 4 hours and an RPO of 1 day. Which of the following is the plan describing? A. Systems should be restored within 1 day and should remain operational for at least 4 hours. B. Systems should be restored within 4 hours and no later than 1 day after the incident. C. Systems should be restored within 1 day and lose, at most, 4 hours' worth of data. D. Systems should be restored within 4 hours with a loss of 1 day's worth of data at most.
D. Systems should be restored within four hours with a loss of at most one day's worth of data. RTO is the amount of time within which a process must be restored after a disaster to meet business continuity requirements. It defines how much time it takes to recover after notification of a process disruption. RPO specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses the business continuity plan's maximum acceptable threshold.
23. Your company's security policy includes system testing and security awareness training guidelines. Which of the following control types is this? A. Detective technical control B. Preventive technical control C. Detective administrative control D. Preventive administrative control
D. Testing and training are preventive administrative controls. Administrative controls dictate how security policies should be executed to accomplish the company's security goals.
55. You receive a call from the help desk manager stating that there has been an increase in calls from users reporting their computers are infected with malware. Which of the following incident response steps should be completed first? A. Containment B. Eradication C. Lessons learned D. Identification
D. The first step of the incident response process should be identification. The malware needs to be identified, as well as the affected computers.
14. Your manager has instructed the team to test certain systems based on the business continuity plan to ensure they are operating properly. The manager wants to ensure there are no overlaps in the plan before implementing the test. Which continuity of operation planning concept is your manager referring to? A. After-action report B. Failover C. Eradication D. Tabletop exercise
D. The tabletop exercise is considered a cost-effective and efficient way to identify areas of overlap in a plan before implementing a test.