Security and Risk


What changes plaintext data to ciphered data?

Encryption

What is NOT a common category of control implementation?

Functional

What is a whitelist?

A list of approved email addresses or domains

Functional descriptions of systems are often used for documenting __________.

critical business functions (CBFs)

What should you do if you discover that a security gap has not been closed?

Address the gap.

Which of the following statements is NOT true of cost-benefit analysis?

A control always eliminates the loss.

All of the following terms have the same meaning, EXCEPT:

Internal network zone

What is NOT an example of an intangible value?

Software application

What is the primary difference between a functional exercise and a full-scale exercise?

A full-scale exercise is more realistic than a functional exercise.

Email addresses or domains ______________ are automatically marked as spam.

on a blacklist

Which term is defined as "elements necessary to perform the mission of an organization"?

CSF

What business continuity plan (BCP) team is responsible for declaring the severity of an incident?

DAT

What are overlapping countermeasures?

Different countermeasures that attempt to mitigate the same risk

Which term describes entities who have a direct interest in, or are affected by, a business impact analysis (BIA)?

Stakeholders

_________ is the process of creating a list of threats.

Threat identification

Kevin is a disgruntled employee who was recently laid off from a major technology company. He wants to launch an attack on the company. Where might Kevin learn about vulnerabilities that he can exploit?

A blog

Which type of alternate location is the hardest to test for disaster readiness?

Cold site

Which of the following is NOT true of data and information assets?

Data classified at different levels, such as public and private, receives the same levels of protection.

Which of the following is NOT true of threats?

No action can reduce the potential for a threat to occur.

Alice is a security professional. While writing a risk assessment report, she is defining what the current email system does. She is using statements such as "Accepting email from external email servers and routing to internal clients" and "Scanning all email attachments and removing malware." Which of the following is she most likely defining?

The mission of the system

What is the function of job rotation?

To prevent or reduce fraudulent activity

What is the purpose of a plan of action and milestones (POAM)?

Tracks risk response actions

Functionality testing is primarily used with ____________.

software development

What are the first two steps in the business impact analysis (BIA) process?

Identify the environment and identify stakeholders

_____________ is the likelihood that a threat will exploit a vulnerability.

Probability

How are business continuity plans (BCPs) and disaster recovery plans (DRPs) related?

A DRP is a part of the larger BCP.

You are a stakeholder who has just designated a business function as critical. What must you do now?

Dedicate resources to protect the function.

Why should an organization regularly review and update its disaster recovery plan (DRP)?

To ensure the plan reflects changes to IT systems

When the Federal Trade Commission (FTC) was created in 1914, what was its primary goal?

To prevent unfair methods of competition

Which of the following can determine that a business function is critical?

Any stakeholder

What is NOT one of the three primary types of business liability insurance?

Cybersecurity

Which of the following is NOT true of big data?

Data in a warehouse is frequently modified.

What is critical data?

Data that supports critical business functions (CBFs)

Lin is writing a risk management report. Of the major categories of reporting requirements, which one becomes the actual risk response plan?

Documenting and tracking implementation of accepted recommendations

ABC Wholesale Pet Supply sells pet supplies to retailers. Every transaction results in a duplicate hardcopy paper shipping document and invoice. The person picking up the order signs the documents and takes one copy. Two other copies stay at the warehouse. How would using multiple hardcopies of each transaction affect ABC's recovery point objective (RPO)?

Duplicate hardcopies of transactions increase complexity and decrease tolerable data loss.

What is NOT one of the three primary objectives of controls?

Eliminate

What is NOT a risk management step?

Eliminating all risks

Which of the following mainly applies to any organization that handles health information?

HIPAA

Wren is defining the scope for his organization's disaster recovery plan (DRP). What items should he consider?

Hardware, software, data, and connectivity

Which of the following best describes the purpose of the Health Insurance Portability and Accountability Act (HIPAA)?

It helps to protect health information.

In a risk assessment, what refers to how responsibilities are assigned?

Management structure

Which of the following is often the weakest link in IT security?

People

What are the four major categories of risk management reporting requirements?

Present recommendations; document management response to recommendations; document and track implementation of accepted recommendations; and create a plan of action and milestones (POAM)

You are reviewing historical data in an attempt to identify potential threats to your business. What would NOT be helpful to you in this process?

Reading news articles about thefts that occurred last year in a different part of the U.S.

What causes a disaster recovery plan (DRP) to be activated?

Realizing criteria specified in the DRP

What is NOT a common classification of data?

Risk

Maria runs a bank. She wants to update the physical security at each bank branch and update the technological security of the bank's private financial data. What is the best way to determine whether physical security or technological security has a higher priority of protection?

Risk assessment

__________ is the biggest problem you can face if you do not identify the scope of your risk management project.

Scope creep

Which factor most directly affects the scope of a business impact analysis (BIA)?

Size of the organization

An access control such as a firewall or intrusion prevention system cannot protect against which of the following?

Social engineer

What is a major type of vulnerability for the User Domain?

Social engineering

The following statements regarding compliance laws are true, EXCEPT:

The Federal Information Security Management Act (FISMA) requires covered organizations to share student records with students or their parents.

What is the relationship between Enron and the Sarbanes-Oxley Act (SOX)?

The bankruptcy and scandal surrounding Enron was one of the major scandals that inspired the creation of SOX.

What is the safeguard value in a quantitative risk assessment?

The cost of a control

What characteristic is common to risk assessments and threat assessments?

They are both performed for a specific time.

What are critical resources?

Those that are required to support critical business functions (CBFs)

Which tool is most commonly used to prioritize mitigation efforts?

Threat likelihood/impact matrix

Why is process analysis performed?

To determine if vulnerabilities exist in the process

What is NOT a best practice when performing a business impact analysis (BIA)?

Using the same data collection methods

A ___________ plan can help ensure that mission-critical systems continue to function after a disaster.

business continuity

A(n) ____________ assessment attempts to identify vulnerabilities that can be exploited.

exploit

The term "big data" is most closely associated with _____________.

large databases

Gap analysis reports for security are often used when dealing with ___________.

legal compliance

To _________ risk means to reduce or neutralize threats or vulnerabilities to an acceptable level.

mitigate

Qualitative risk assessments determine the level of risk based on the __________ and _________ of risk.

probability, impact

Background checks, software testing, and awareness training are all categories of ____________.

procedural controls

In a SQL injection attack, an attacker can _________________.

read sections of a database or a whole database without authorization

The Remote Access Domain of a typical IT infrastructure allows __________ to access the ________ network.

remote users, private

Purchasing insurance is the primary way for an organization to ______ or _______ risk.

share, transfer

Piggybacking is also known as _____________.

tailgating

System logs and audit trails are a type of __________ control.

technical

The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control.

technical, procedural

When your bank or credit card company sends you a notification of changes in how it collects or shares data, it is sending that notification in compliance with ________________.

the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA)

Regarding risk assessments, _____________ define(s) what a system does.

the mission of the system

By identifying critical business functions (CBFs) first, you use a ________ approach.

top-down

A business continuity plan (BCP) is an example of a ___________.

security plan

How does a countermeasure's cost most directly impact the decision to implement it?

A countermeasure's cost should not exceed the impact if the risk to be mitigated is realized.

Alice has completed a cost-benefit analysis (CBA) of recommended countermeasures. For a specific risk, four countermeasures have been recommended. How can Alice use the CBA to choose the countermeasure to recommend?

Choose the countermeasure with the highest countermeasure value.

What is the Delphi Method?

A way to complete a qualitative risk assessment

Jiang has been working on a risk management plan for his government agency. What information should he include in the report to management when he presents his risk management recommendations?

Findings, recommendation cost and time frame, and cost-benefit analysis (CBA)

A teenager learning about computers and programming for the first time writes a simple program meant to disrupt the function of his sister's computer. While she's with friends at the mall, the teenager enters his sister's IP address, launches the program, and waits to see what will happen. The teenager is an example of a ___________.

script kiddie

Jonathan is a security professional. He is part of a small group of people launching a startup company that will handle patient medical information. Jonathan is attempting to determine threats the company may face, criteria that will allow each threat to succeed, and the potential result. Which of the following would be most useful to Jonathan?

Affinity diagram

How can you determine the importance of a system?

By how the system is used

A __________ is a computer joined to a botnet.

zombie

Regarding business continuity, what is the first phase of activity if a disruption occurs?

The notification and activation phase

What is the minimum number of nodes required by a failover cluster?

2

Which of the following is most likely to describe how to perform test restores?

A backup plan

Isabella is preparing to write a disaster recovery plan (DRP). What must she have before she proceeds with writing?

A clear idea of her primary concerns

Choose the most accurate statement with respect to creating a risk management plan.

A risk management plan can help ensure your business is in compliance with important regulations.

Alice is a risk management specialist. She wants to communicate a risk and the resulting impact to her superiors. Which of the following should she use?

A risk statement

What is NOT something to consider when determining the value of an asset?

Departmental ownership

When should you establish objectives for a risk management plan?

During the planning phase of a project

What is an important element of following up on a risk mitigation plan?

Ensuring that security gaps are closed

All of the following are reasons why configuration management is an important risk management process, EXCEPT:

It reduces unintended outages.

Kyle works for the IT department. He is working in the asset management system. He is assigning the relevant IT infrastructure domain to each asset. Which is the best domain to assign to elements used to connect systems and servers together, such as hubs, switches, and routers?

LAN domain

Some controls are identified based on the function they perform. What are the broad classes of controls based on function?

Preventative, detective, corrective

What is the primary determination as to whether an incident is included in a business continuity plan (BCP)?

Probability of occurrence and impact

What is the most important consideration of a disaster recovery plan (DRP)?

Protecting personnel

What are the two primary methods used to create a risk assessment?

Quantitative and qualitative

What is one source of risk reduction?

Reducing the impact of the loss

What is the practice of identifying, assessing, controlling, and mitigating risks?

Risk management

You receive an email from someone named Bob in the IT department who needs to access your login information for a scheduled internal vulnerability assessment. You know an assessment is taking place because your manager notified your group last week. Normally, you wouldn't give your password or other login information to anybody, but doing so seems appropriate in this situation. Which of the following could be taking place?

Social engineering attack

Which of the following refer(s) to when users or customers need a system or service?

System access and availability

Which business continuity plan (BCP) test type brings all participants together in a conference room or similar environment to walk through BCP scenarios?

Tabletop exercise

What is the primary reason for testing a disaster recovery plan (DRP)?

To ensure it performs as expected

Lower recovery time objectives (RTOs) are _______ but _______.

achievable, costly

A ___________ plan can help you identify steps needed to restore a failed system.

disaster recovery

A redundant backup site is _______________.

hosted by a third-party vendor

All of the following are steps involved in creating an affinity diagram, EXCEPT ______________.

identifying a project's scope

A ______ to an asset occurs only when an attacker can exploit a vulnerability.

loss

Critical business functions (CBFs) support _________.

mission-critical operations

An exploit assessment is also known as a(n) ___________.

penetration test

POAM stands for _____.

plan of action and milestones

A(n) _____ is the likelihood that something unexpected is going to occur.

risk

A(n) ___________________ is performed to identify and evaluate risks.

risk assessment

Primary considerations for assessing threats based on historical data in your local area are _______ and ________.

weather conditions, natural disasters

What is NOT true of a qualitative risk assessment?

It provides a cost-benefit analysis (CBA).

What is NOT true of a quantitative risk assessment?

It uses relative terms such as high, medium, and low.

Which of the following allows one person to act for another for legal issues and is sometimes used if someone becomes mentally incapacitated?

Power of attorney

Rodrigo is a network security specialist. He wants to perform real-time analysis of security data gathered from networked systems. Which of the following is the best solution for Rodrigo to implement?

Security information and event management (SIEM)

Which of the following is NOT true of state attorneys general (AGs)?

They are appointed by the Department of Homeland Security.

Jiang has been working on a risk management plan for his government agency. He collected data on risks and recommendations, included that information in a report, and submitted it to management. What is the purpose of the report?

To help management decide which recommendations to use

Health Insurance Portability and Accountability Act (HIPAA) fines for mistakes can be as high as __________ a year.

25,000

Carl is a security specialist. He is updating the organization's hardware inventory in the asset management system. Which of the following would be least helpful to record?

A competitor's product

The Family Educational Rights and Privacy Act (FERPA) applies to all of the following, EXCEPT:

A medical center that hired recent nursing graduates

What is CIPA?

A law designed to limit offensive content from school and library computers

You are creating objectives for your risk management plan. What do you NOT include at this stage?

A plan of action and milestones (POAM)

Who is responsible for activating the business continuity plan (BCP)?

BCP coordinator

What is NOT one of the three primary bureaus of the Federal Trade Commission (FTC)?

Bureau of the Census

How do you start a risk assessment?

By defining what you will assess

The National Institute of Standards and Technology (NIST) publishes SP 800-53. This document describes a variety of IT security controls, such as access control, incident response, and configuration management. Controls are grouped into families. Which NIST control family helps an organization recover from failures and disasters?

Contingency Planning (CP)

Which of the following is a business continuity plan (BCP) phase that focuses on returning to normal operations?

Reconstitution phase

_____________ value is the cost to purchase a new asset in place of an existing asset.

Replacement

What is the primary reason to avoid risk?

The impact of the risk outweighs the benefit of the asset.

What is the primary benefit of a business continuity plan (BCP)?

To better prepare the organization to respond to an interruption

When does a threat/vulnerability pair occur?

When a threat exploits a vulnerability

The following are true of risk assessment critical area identification, EXCEPT:

When critical areas are identified, areas that are least critical to the business should be the first priority.

At what point in the risk mitigation process should you identify and analyze threats and vulnerabilities to your organization?

After you identify assets

Who is the most common person to authorize business continuity plan (BCP) activation in the order of succession if the chief executive officer (CEO) is unavailable?

Chief information officer (CIO)

Which of the following is a type of control that is implemented with a written document?

Procedural

A business impact analysis (BIA) is an important part of a _____________, and it can also be part of a __________.

business continuity plan, disaster recovery plan

Tonya is performing a quantitative risk assessment for a piece of software. The single loss expectancy (SLE) is $500, and the associated annual rate of occurrence (ARO) is 3. What is the annual loss expectancy (ALE)?

$1,500

What is a publicly traded company?

Any company that has stock that outside investors can buy or sell

What are the six principles of Payment Card Industry Data Security Standard (PCI DSS)?

Build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy

You plan to perform a vulnerability assessment on your company's servers. You know that your assessment may simulate the effects of a denial of service (DoS) attack for a brief period of time. What is the most important task to complete before you perform the assessment?

Obtain written permission from the proper authority.

The following are examples of hardware assets, EXCEPT:

Operating system

__________ provide the detailed steps needed to carry out ___________.

Procedures, policies

The formulas used in a quantitative risk assessment typically look at a single year. The calculations can become quite complex if other costs are included. Which of the following is NOT usually included in the calculations?

The cost to maintain a control

What is the overall goal of business continuity plan (BCP) exercises?

To demonstrate how the BCP will work

What is the purpose of nonrepudiation techniques?

To prevent people from denying they took actions

Why is system testing performed?

To test individual systems for vulnerabilities

What process generally causes a plan of action and milestones (POAM) to expand?

Transforming the risk assessment into a risk mitigation plan

When performing threat assessments, it's important to ensure you understand the system or application you are evaluating. To understand a given system or application, you need to understand all of the following EXCEPT:

Where a system is manufactured

Disaster recovery procedures begin after ___________ and ___________.

activating the disaster recovery plan (DRP), assessing the damage

You book a hotel online, and the registration process is clear and streamlined. This is an example of a(n) ______________ process that has _______________.

automated, high value to customers

When an emergency is declared, the ____________ contact(s) appropriate teams or team leads.

business continuity plan (BCP) coordinator

Bob is the project manager for his company's security countermeasure implementation project. Michael informs Bob that task #12 (implementing a failover cluster) will not finish on time. Because task #12 is on the project's _______________, Bob knows that the project will not complete on time and sets up a meeting to inform the stakeholders.

critical path

When compliance is mandated by law, companies often participate in _______, which provide third-party verification that requirements are being met.

external audits

According to the World Intellectual Property Organization (WIPO), the two categories of intellectual property (IP) are _______________ and _______________.

industrial property, copyright

The primary risks associated with the User Domain of a typical IT infrastructure are related to _____________.

social engineering

A business continuity plan (BCP) program manager within a large organization _________.

usually manages multiple BCP projects

A(n) _________ provides secure access to a private network over a public network such as the Internet.

virtual private network (VPN)

A __________ consists of multiple servers using ______________.

web farm, network load balancing

What is NOT an example of unintentional threat?

A script kiddie writes and runs malware to "see what it can do."

Which of the following is best described as attackers who focus on a specific target, have high levels of expertise, have almost unlimited resources, and are often sponsored by nation-states or terrorist groups?

Advanced persistent threats (APTs)

In a quantitative risk assessment, what describes the loss that will happen to the asset as a result of a threat?

Exposure factor (EF)

Which formula is used to determine the cost-benefit of a control, such as antivirus software?

Loss before control implementation − Loss after control implementation − Cost of control

Which of the following is NOT a vulnerability that might affect the website of an online company?

Loss of internet connectivity

Which of the following is a division of the U.S. Department of Commerce and publishes the Risk Management Framework (RMF) 800 special publications series?

National Institute of Standards and Technology (NIST)

____________ assessments are objective, while ___________ assessments are subjective.

Quantitative, qualitative

A new company does not have a lot of revenue for the first year. Installing antivirus software for all the company's computers would be very costly, so the owners decide to forgo purchasing antivirus software for the first year of the business. In what domain of a typical IT infrastructure is a vulnerability created?

Workstation Domain

Which of the following is NOT a direct cost?

Costs to regain market share

You have created a risk assessment and management has approved it. What do you do next?

Create a risk mitigation plan.

You are a top-level executive at your own company. You are worried that your employees may steal confidential data by downloading data onto thumb drives. What is the best way to prevent this from happening?

Create and enforce a written company policy against the use of thumb drives and install a technical control on the computers to prevent the use of thumb drives.

What is NOT one of the three commonly used business continuity plan (BCP) teams?

Critical contractor

Hajar is a security professional for a government contractor. Her company recently hired three new employees for a special project, all of whom have a security clearance for Secret data. Rather than granting the employees access to all files and folders in the data repository, she is granting them access only to the data they need for the project. What principle is Hajar following?

Principle of need to know

What are the seven components of Control Objectives for Information and Related Technology (COBIT)?

Principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies

Bill is a security professional. He is in a meeting with co-workers and describes a system that will make web sessions more secure. He says when a user connects to the web server and starts a secure session, the server sends a certificate to the user. The certificate includes a public key. The user can encrypt data with the public key and send it to the server. Because the server holds the private key, it can decrypt the data. Because no other entity has the private key, no one else can decrypt the data. What is Bill describing?

Public key infrastructure (PKI)

What is NOT a valuable area of consideration when defining the scope of a risk management project?

The maximum acceptable outage (MAO) for servers

In a business continuity plan (BCP), if a system houses data, the data must be protected according to _______.

its level of classification

Total risk = _______________

threat × vulnerability × asset value

A disaster recovery plan (DRP) simulation ___________.

goes through the steps and procedures in a controlled manner

Another term for data range and reasonableness checks is ______________.

input validation

Bonding is a type of ________ that covers against losses by theft, fraud, or dishonesty.

insurance

Having supplies on hand for continued production _______________.

may conflict with other organizational planning principles

When a fiduciary does not exercise due diligence, it can be considered __________.

negligence

All of the following would be specified in a password policy, EXCEPT _____________.

password management

Which term is best defined as a weakness?

Vulnerability

Complete the equation for the relationship between risk, vulnerabilities, and threats: Risk = _________.

Vulnerability × Threat

What is the primary hazard of attempting to recover without a business impact analysis (BIA)?

Wasted effort due to a lack of direction as to which resources are most critical

What does the scope section of a disaster recovery plan (DRP) define?

What is and is not covered in the plan

A warm site is _________________.

a compromise between a hot site and a cold site

A business impact analysis (BIA) identifies an impact that can result from a ____________.

disruption in a business

A __________ grants the authority to perform an action on a system. A __________ grants access to a resource.

right, permission

Which of the following is most likely to be warez?

A file on your computer of a new TV episode you downloaded for free

What is NOT a true statement about AES?

AES is the primary asymmetric encryption protocol used today.

____________ is the process of determining fair market value of an asset.

Asset valuation

According to the Sarbanes-Oxley Act (SOX), who in an organization must verify and attest to the accuracy of financial data as a matter of legal compliance?

High-level officers

What is the primary purpose of identifying critical resources in the business impact analysis (BIA) process?

Identify all IT assets that support critical business functions (CBFs).

What are the steps of a business continuity plan (BCP)?

Identify scope, identify key business areas, identify critical functions, identify dependencies between key business areas and critical functions, determine acceptable downtime, and create a plan to maintain operations

The following are major components of risk assessments, EXCEPT:

Identifying insurance options

Which approach to firewall rules starts off by blocking all traffic and then adding rules to allow approved traffic?

Implicit deny

After developing a business impact analysis (BIA) for her organization, Maria was asked by her manager to update the BIA recommendations with a higher recovery time objective (RTO). What is the most likely reason management would argue for a higher RTO?

Lower RTOs are more expensive.

Which term is sometimes referred to as the maximum tolerable period of disruption (MTPD)?

Maximum acceptable outage (MAO)

Threat ___________ is a process used to identify possible threats on a system.

Modeling

___________ prevents individuals from denying they took an action.

Nonrepudiation

What is the primary tool used to ensure countermeasures are implemented?

Plan of action and milestones (POAM)

Isabella is a risk management specialist for her organization. She is training Arturo, a new hire, on aspects of risk management. Arturo asks her what factors he should consider when assigning a value to an asset. Which of the following does Isabella tell him is the least useful?

Qualitative risk assessment

________ help(s) prevent a hard drive from being a single point of failure. __________ help(s) prevent a server from being a single point of failure. _________ help(s) prevent a person from being a single point of failure.

RAID, Failover clusters, Cross-training

What communication elements are important to the success of a disaster recovery plan (DRP)?

Recall, users, customers, and a communication plan

Susan works for a U.S. investment firm that is required to be registered with the Securities and Exchange Commission. Susan is responsible for implementing access controls on the organization's database servers. Which one of the following laws must her organization comply with?

Sarbanes-Oxley Act (SOX)

What is the purpose of a business continuity plan (BCP)?

To ensure that mission-critical elements of an organization continue to operate during and after a disruption

Scaling _______ means that you increase resources to a server, and scaling _______ means that you add additional servers.

up, out

Which of the following is a law that ensures that federal agencies protect their systems and data, comply with all elements of the law, and integrate security in all processes?

Federal Information Security Modernization Act (FISMA)

What is a security policy?

A high-level overview of security goals

The following are true of risk assessment scope identification, EXCEPT:

The system or network administrator ultimately decides what is included in the scope of a risk assessment.

What can you control about threat/vulnerability pairs?

The vulnerability only

What is the purpose of a mandatory vacation?

embezzlement

It is common to focus the scope of a risk assessment on system ownership, because doing so ____________.

makes it easier to implement recommendations

A _____________ policy governs how patches are understood, tested, and rolled out to systems and clients.

patch management

Another term for risk mitigation is _______.

risk reduction

Hardening a server refers to ____________.

the combination of all the steps that it takes to protect a vulnerable system and make it more secure than the default installation

The Health Insurance Portability and Accountability Act (HIPAA) requires that organizations that handle health information follow standards for the ________________ of that data.

storage, use, and transmission

_________ are acts that are hostile to an organization.

Intentional threats

When should you perform a risk assessment?

Periodically after a control has been implemented

Oscar works for a health insurance company. He is creating a Health Insurance Portability and Accountability Act (HIPAA) compliance plan. In the section on monitoring, what should Oscar specify to be continuously monitored for changes?

Regulations and risks

What is the primary reason security professionals automate some processes?

To reduce human error

Identify the true statement.

Exploited vulnerabilities result in losses.

After risk management recommendations have been presented to management, the managers can ___________, ___________, or _____________ the recommendations.

accept, defer, modify

Stakeholders should have ownership of a project, which is also referred to as project ________.

buy-in

A(n) _____________ is a process used to determine how to manage risk.

cost-benefit analysis (CBA)

___________ is the negative result if the risk occurs.

impact

Companies use risk assessment strategies to differentiate ___________ from _________.

severe risks, minor risks

In a cost-benefit analysis (CBA), if the benefits of a control outweigh the costs of implementing that control, then the control can be implemented to reduce risk. However, if the cost outweighs the benefit, then ______________.

the risk can be accepted

What are the elements of the security triad?

Confidentiality, integrity, and availability

Which of the following is NOT an indirect cost?

Cost to re-create or recover data

What key element is necessary for a disaster recovery plan (DRP) to succeed in a time of crisis?

Management support

Your team is developing a business impact analysis (BIA). You have identified the critical business functions (CBFs) and associated processes. What should you do next?

Map processes to IT systems.

The recovery time objective (RTO) is derived from what value from the business impact analysis (BIA)?

Maximum acceptable outage (MAO)

Which term is defined as the minimum level of services that are acceptable to an organization to meet its operational business needs?

Minimum business continuity objective (MBCO)

MAO is sometimes referred to as ____________.

MTPOD

Tonya has been asked to research compliance and then provide a report to upper management. Management wants to know what the organization must do to comply with a regulation that protects the privacy of citizens in the European Union. Which of the following will Tonya research?

General Data Protection Regulation (GDPR)

Devaki is the office manager for a small medical practice in California. Part of her duties is to ensure the practice is in compliance with any relevant regulations or standards. Self-pay patients pay for services via cash, check, or payment card. Which of the following does Devaki need to ensure compliance with?

HIPAA and PCI DSS

Wen is performing a cost-benefit analysis (CBA). He needs to determine whether the organization should move workloads from the in-house data center to the cloud. The projected benefit is $50,000. The cost of the control is $1,500. What is the control value?

48,500

What is NOT commonly included in a cost-benefit analysis (CBA)?

A business continuity plan

What is a service level agreement (SLA)?

A document that identifies an expected level of performance

What is a transaction in a database?

A group of statements that either succeed or fail as a whole

Which of the following is a physical control that is most likely to be used with a proximity card?

A locked door

What is the primary purpose of a disaster recovery plan (DRP)?

To restore critical business processes or systems to operation

Ideally, when should you perform threat modeling?

Before writing an application or deploying a system

Alice is an aspiring hacker. She wants to get information on computer and network vulnerabilities and ways to exploit applications. Which of the following is the best source?

Dark web

Carl is a risk specialist. He has determined the laws and regulations with which his organization must comply. What must he do next?

Determine the impact of these laws and regulations on the organization.

Aditya is assessing the value of IT systems. His company sells sporting goods online. One factor of his evaluation is the required availability of each system. Some systems must be available 24/7, while others must be available during regular business hours Monday through Friday. Which of the following would have the highest availability requirements?

E-commerce website server

What step of a business continuity plan (BCP) comes after providing training?

Testing and exercising plans

__________ damage for the sake of doing damage, and they often choose targets of opportunity.

Vandals

In which of the following domains does the IT infrastructure link to a wide area network (WAN) and the Internet?

LAN-to-WAN Domain

Tonya is part of central IT at a public university. Her group has been tasked with creating a service catalog that will list and describe which services central IT provides to the campus community. The group has been asked to follow Information Technology Infrastructure Library (ITIL) practices. Because the group has only begun, which phase are they most likely at in the ITIL life cycle?

Service Strategy phase

What is the difference between fault tolerance and disaster recovery?

Fault tolerance mitigates component failures, and disaster recovery restores operations after a major loss.

___________ increases the availability of systems even when an isolated outage occurs, while ___________ provides the procedures to recover systems after a major failure.

Fault tolerance, disaster recovery

In a risk management plan, how should you complete the step of describing the procedures and schedules for accomplishment?

For any threat or vulnerability, recommend a solution that attempts to mitigate associated risks; justify your recommendation; list the tasks necessary for addressing the vulnerability; and provide management with an estimate of how long it will take to complete the recommendation.

Which of the following is NOT true of the WAN Domain of a typical IT infrastructure?

Internal-facing servers are configured in the demilitarized zone between two firewalls.

Which key planning principle guides the development of a business continuity plan (BCP)?

Length of time expected before returning to normal operations

What might occur if you do NOT include the scope when defining the risk assessment?

Missed deadlines

Why might you need to verify risk elements if a substantial amount of time has passed since you performed a risk assessment?

To make sure that the threats or vulnerabilities you want to mitigate still exist

What is the primary purpose of personnel policies, such as separation of duties?

To prevent fraud

A technician in a large corporation fixes a printer that was not receiving an IP address automatically by manually assigning it an address. The address was assigned to a server that was offline and being upgraded. When the server was brought online, it was no longer accessible. How could this problem have been avoided?

Through change management

Why should the people on the risk assessment team be different from the people responsible for correcting deficiencies?

To avoid conflicts of interest

Why are audits performed?

To check compliance with rules and guidelines

What is the purpose of a risk mitigation plan?

To implement countermeasures

What is an indirect objective of a business impact analysis (BIA)?

To justify funding

Which of the following is a significant part of control evaluation to determine which controls to implement?

Cost-benefit analysis (CBA)

A hacker wants to launch an attack on an organization. The hacker uses a tool to capture data sent over the network in cleartext, hoping to gather information that will help make the attack successful. What tool is the hacker using?

A packet analyzer

Carl is a security professional preparing to perform a risk assessment on database servers. He is reviewing the findings of a previous risk assessment. He is trying to determine which controls should be in place but were not implemented. Which of the following is typically found in a risk assessment report and would address Carl's needs?

Current status of accepted recommendations

A threat is any activity that represents a possible danger, which includes any circumstances or events with the potential to cause an adverse impact on the following, EXCEPT:

Assessments

What is NOT a way that you can measure the value of a system when determining if the system requires five nines?

Confidentiality

After being fired, an employee becomes disgruntled. The managers never disabled his login information, and his best friend still works at the company. The disgruntled employee gives his friend his login information for the company's private network and convinces the friend to delete important files from the company's database. You are confused when you review the audit logs and see that the disgruntled employee has been logging in from within the office every day for the past week. What has been lost in this scenario?

Nonrepudiation

Isabelle is a project manager. Her company is regulated and subject to regular audits for compliance. One regulation the company needs to comply with is Health Insurance Portability and Accountability Act (HIPAA). Isabelle needs a tool for tracking the company's progress in meeting HIPAA compliance. The tool should also enable her to assign responsibility for tasks, and it should provide management an easy way to check the status of the project. Which of the following would be most useful in this situation?

Plan of action and milestones (POAM)

Isabella works as a risk specialist for her company. She wants to determine which risks should be managed and which should not by applying a test to each risk. Risks that don't meet the test are accepted. What type of test does she apply?

Reasonableness test

Hajar is a security specialist. Her organization has about 500 systems that must be tracked for inventory purposes. She is preparing an email to her manager that describes the benefits of including specific details about software in the inventory, as well as the use of an automated asset management system. Which of the following is NOT one of those benefits?

The frequency of operating system upgrades will be reduced.

What does the principle of least privilege have in common with the principle of need to know?

They both specify that users be granted access only to what they need to perform their jobs.
