Compliance and Risk Management Final Exam Review
How can you determine the importance of a system? -By when the system was last updated -By why the system functions -By what the organization does -By how the system is used
By how the system is used
HIPAA covers any organization that handles the storage, use, and transmission of data and applies to which of the following? -Medical facilities -Insurance companies -Any company with a health plan if employees handle health data -All the above
All the above
Wen is evaluating Core Business Functions. Which of the following should he consider? -Access to the Internet -Web server availability -Database availability -All the above
All the above
Ideally, when should you perform threat modeling? -After writing an application or deploying a system -Before writing an application, but after deploying a system -After writing an application, but before deploying a system -Before writing an application or deploying a system
Before writing an application or deploying a system
Which of the following is not one of the three primary objectives of controls? -Detect -Eliminate -Recover -Prevent
Eliminate
Exploit assessments differ from vulnerability, threat, and risk assessments for which of the following reasons? -Exploit analysis will provide you a gap analysis that would be useful to develop a remediation plan -It is a point-in-time assessment -It will check compliance with rules and guidelines -Assessments will identify vulnerabilities across networks, servers, workstations, and people
Exploit analysis will provide you a gap analysis that would be useful to develop a remediation plan
Based upon a 2019 General Accounting Office audit, all federal government agencies have successfully implemented risk management policies. -True -False
False
Critical success factors (CSFs) include functions considered critical to an organization. -True -False
False
Every control must meet all three primary objectives of controls: prevent, detect, and recover. -True -False
False
Telecommuters are not key to a business continuity plan (BCP) because they work from remote locations. Therefore, any disruptions would not affect them. -True -False
False
The seven steps of a business impact analysis (BIA) are the same as the seven steps of contingency planning. -True -False
False
Which of the following is not a common category of control implementation? -Functional -Physical -Procedural -Technical
Functional
What are the differences between a threat assessment and a vulnerability assessment? -There are no differences between the two -The goal of a vulnerability assessment is to identify potential weaknesses in controls, whereas a threat assessment is focused on threats -A vulnerability assessment is a point-in-time assessment, whereas a threat assessment is a continuous assessment -A vulnerability assessment is focused on assessing plans, whereas a threat assessment is focused on network architecture
Goal of a vulnerability assessment is to identify potential weaknesses in controls whereas threat assessment is focused on threats
A business impact analysis (BIA) identifies: -vulnerability -Identifies systems critical for business survival -risk to an IT infrastructure -threat to the IT infrastructure
Identifies systems critical for business survival.
Identifying mission-critical business functions can be difficult. Therefore, the best way to identify these Critical Business Functions is to: -Identify vital functions and map them to critical success factors -Identify a single critical success factor with a successful business and then map it to critical business factors -Map the critical business factors to those vital functions -None of the above
Identify a single critical success factor with a successful business and then map it to critical business factors.
A Business Impact Analysis allows you to identify which of the following (select all that apply)? -Identify outage impacts -Identify Critical Business Functions -Identify Maximum Acceptable Outage -Solutions and strategies to prevent impacts in the future
Identify outage impacts; Identify Critical Business Functions; Identify Maximum Acceptable Outage; Solutions and strategies to prevent impacts in the future
What are the first two steps in the business impact analysis (BIA) process? -Identify the environment and identify critical resources -Identify the environment and identify stakeholders -Identify stakeholders and identify critical resources -Identify recovery priorities and identify stakeholders
Identify the environment and identify stakeholders
The User Domain refers to which of the following? -Includes PCs, so risk includes theft and updates -Includes personal data, so the significant risk is loss of confidentiality -Includes the connection to the Internet, so the risk is providing protection against external threats via firewalls -Includes VPNs via tunneling protocols with strict access control protocols
Includes personal data so significant risk is loss of confidentiality.
In which of the seven IT domains do exploit assessments focus on lack of configuration control and on capturing internal network traffic to look for encrypted traffic? -Workstation domain -User domain -LAN domain -LAN to WAN domain
LAN domain
According to NIST 800-39, what is not a valid consideration in setting up a risk management construct within an organization? -Framing -Assess -Respond -Legal Compliance
Legal Compliance
Which key planning principle guides the development of a business continuity plan (BCP)? -Budget for recovery operations -Length of time expected before returning to normal operations -Scope of the business impact analysis (BIA) -Level of effort required to interview all stakeholders
Length of time expected before returning to normal operations
After developing a business impact analysis (BIA) for her organization, Maria was asked by her manager to update the BIA recommendations with a higher recovery time objective (RTO). What is the most likely reason management would argue for a higher RTO? -Higher RTOs expose critical business functions (CBFs) to higher risk -Lower RTOs are technically infeasible -Lower RTOs are more expensive -Higher RTOs increase customer confidence
Lower RTOs are more expensive.
Your team is developing a business impact analysis (BIA). You have identified the critical business functions (CBFs) and associated processes. What should you do next? -Prioritize IT asset recovery options. -Map processes to IT systems. -Identify stakeholders. -Evaluate the recovery cost of each proposed option.
Map processes to IT systems.
Some controls are identified based on the function they perform. What are the broad classes of controls based on function? -Preventative, recovery, corrective -Preventative, detective, corrective -In-place, planned, in-progress -Maintenance, continuity, disaster
Preventative, detective, corrective
__________ provide the detailed steps needed to carry out ___________. -Policies, procedures -Access controls, a disaster recovery plan -Procedures, policies -Policies, incident response
Procedures, policies
You are reviewing historical data in an attempt to identify potential threats to your business. What would not be helpful to you in this process? -Reading news articles about thefts that occurred last year in a different part of the U.S. -Understanding the limitations of your network and IT architecture -Searching the Internet for stories about incidents that commonly occur in businesses like yours -Identifying past user errors to ensure training is upgraded to address these shortfalls
Reading news articles about thefts that occurred last year in a different part of the U.S.
Which of the following is not true? -Once you have assessed risks and proposed countermeasures, you then implement those solutions using a risk mitigation plan -Risk assessments map countermeasures to threats, vulnerabilities, and the assets being protected -A risk assessment is used to identify, estimate, and prioritize risk to the operations of an organization -Risk = Threat x Vulnerability
Risk assessments map countermeasures to threats, vulnerabilities, and the assets being protected
Susan works for a U.S. investment firm that is required to be registered with the Securities and Exchange Commission. Susan is responsible for implementing access controls on the organization's database servers. Which one of the following laws must her organization comply with? -Health Insurance Portability and Accountability Act (HIPAA) -Family Educational Rights and Privacy Act (FERPA) -General Data Protection Regulation (GDPR) -Sarbanes-Oxley Act (SOX)
Sarbanes-Oxley Act (SOX)
A failover cluster is often used to protect critical system functions and data by eliminating __________. -Single Point of Failure -Nodes -Redundancy -Operational Availability
Single Point of Failure
Which factor most directly affects the scope of a business impact analysis (BIA)? -Degree of organizational automation -Reliance of revenue stream on IT resources -Geographical diversity of the organization -Size of the organization
Size of the organization
An access control such as a firewall or intrusion prevention system cannot protect against which of the following? -Malicious network traffic -Social engineering -Denial of service (DoS) attack -Unknown malware attacks
Social engineering
What does the principle of least privilege have in common with the principle of need to know? -They both attempt to prevent threats from external attackers. -They both specify that users be granted access only to what they need to perform their jobs. -They are both terms for the same principle. -They both lack the ability to address threats from internal attackers.
They both specify that users be granted access only to what they need to perform their jobs.
What is the primary benefit of a business continuity plan (BCP)? -To reduce the cost of recovery -To better prepare the organization to respond to an interruption -To reduce the probability of an interruption -To inform the organization as to the expected cost of annual interruptions
To better prepare the organization to respond to an interruption
What is the purpose of a business continuity plan (BCP)? -To ensure that mission-critical elements of an organization continue to operate during and after a disruption -To ensure that mission-critical elements of an organization are properly restored after a disruption -To prevent loss of mission-critical activities of organization employees in case of a disruption -To identify mission-critical elements of an organization in case of a disruption
To ensure that mission-critical elements of an organization continue to operate during and after a disruption
What is the purpose of a risk mitigation plan? -To bolster a risk assessment -To implement countermeasures -To eliminate threats -To ensure compliance
To implement countermeasures
What is the purpose of nonrepudiation techniques? -To ensure the proper function of controls -To grant permission to perform a vulnerability test -To prevent people from denying they took actions -To mitigate threats to a system
To prevent people from denying they took actions
A DoS attack is meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or by sending it information that triggers a crash. -True -False
True
A mission-critical system is any system that must continue to run to ensure a business continues to function. -True -False
True
According to NIST 800-39, the purpose of the risk framing component is to produce a risk management strategy. -True -False
True
According to NIST 800-39, the three tiers of the risk management framework are Tier 1 - Organizational, Tier 2 - Mission/Business Process, and Tier 3 - Information Systems. -True -False
True
Based upon a 2019 General Accounting Office audit, federal agencies noted that decentralized or federated organizations create difficulty in implementing standardized IT and effective cybersecurity programs. -True -False
True
A Business Impact Analysis can identify the maximum acceptable outage, which is the maximum amount of time a system or service can be down before the mission is affected. -True -False
True
Conducting a threat assessment before a risk assessment helps an organization better understand the context in which its cybersecurity risks exist and helps focus risk assessment efforts on the most relevant and likely threats. -True -False
True
Criticality is usually documented in the business impact analysis (BIA) but is repeated in the business continuity plan (BCP) for the sake of clarity. -True -False
True
Determining which systems require 99.999 percent access and availability can be done by identifying the value of the service provided. -True -False
True
Even though the business impact analysis (BIA) identifies priorities, it is common to reaffirm them in a business continuity plan (BCP). -True -False
True
If you encounter a firewall with 500 rules, you should consider using output analysis rather than process analysis. -True -False
True
Protecting software assets can be accomplished by minimizing the different types of software to create standardization, making it easy to push patches and manage software versions. -True -False
True
Scope creep can occur if the scope of a business continuity plan (BCP) is not defined. -True -False
True
A service level agreement (SLA) identifies an expected level of performance and is often used as a binding contract. -True -False
True
Social engineering hacks are the primary risk of the User Domain. -True -False
True
Starting with clear objectives is a best practice for performing a business impact analysis (BIA). -True -False
True
The primary LAN-to-WAN Domain risk is firewall shortfalls (rules, configuration, exploits). -True -False
True
The two primary terms related to Business Impact Analysis are maximum acceptable outage (MAO), critical business functions (CBF), and critical success factors (CSF). -True -False
True
What is the primary hazard of attempting to recover without a business impact analysis (BIA)? -Duplication of effort due to a lack of communication -Excessive recovery time as a result of a linear recovery path -Wasted effort due to a lack of direction as to which resources are most critical -Budget overruns as a result of no formal spending authorization
Wasted effort due to a lack of direction as to which resources are most critical
When completing a Business Impact Analysis, which of the following is not a valid question to ask? -What is the Maximum Acceptable Outage of the service? -How will an outage affect employees? -What are the seven domains of the typical IT infrastructure? -How does this service affect the organization's survivability?
What are the Seven domains of the typical IT infrastructure?
When an emergency is declared, the ____________ contact(s) appropriate teams or team leads. -business continuity plan (BCP) program manager -stakeholders -business continuity plan (BCP) coordinator -department heads
business continuity plan (BCP) coordinator
Background checks, software testing, and awareness training are all categories of: -rules of behavior -procedural controls -corrective controls -technical controls
procedural controls
The actual methods used to protect against data loss are __________ controls, but the program that identifies which data to protect is a ___________ control. -mechanical, procedural -procedural, technical -manual, technical -technical, procedural
technical, procedural
Gap analysis reports for security are often used when dealing with: -legal compliance. -incident response teams. -business process compliance. -data warehousing.
legal compliance.
Controls are meant to _________ risk, which means to reduce or neutralize threats or vulnerabilities to an acceptable level. -transfer -assess -avoid -mitigate
mitigate
Regarding business continuity, what is the first phase of activity if a disruption occurs? -Planning phase -The reconstitution phase -The recovery phase -Notification and activation phase
notification and activation phase
Symmetric encryption involves the use of two keys to encrypt and decrypt information. -True -False
False
Which of the following would you use to create a threat model (select all that apply)? -Evaluate MITRE ATT&CK Framework -Construct an Attack Graph -Review NIST Standards -Create a Risk Cube
Evaluate MITRE ATT&CK Framework; Construct an Attack Graph
How are system logs different from audit trails? -System logs record events generated by the operating system or applications, whereas an audit trail records events to track user activity -An audit trail is often used to diagnose issues and maintain system health -System logs are used to ensure users are following policies and regulations -None of the above
System logs record events generated by the operating system or applications, whereas an audit trail records events to track user activity
What characteristic is common to risk assessments and threat assessments? -They are both ongoing processes -They are both automated processes -They are both performed for a specific time -They are both manual processes
They are both performed for a specific time
NIST 800-53B defines "Baseline Controls" and NIST 800-53A defines Control Assessment Instructions. Which of the following are valid control assessment approaches? -Red Teaming -Audit checks -Penetration Testing -All the above
All of the above
What are benefits to implementing automation? -Value to customer -Value to company -Protecting data -All the above
All of the above
What are the reasons to implement security controls? -Compliance -Protect -Fiduciary -All of the above
All of the above
What would be good sources of data for a vulnerability assessment? -Previous firewall logs -Previous audit logs -Review Intrusion Detection System logs -All of the above
All of the above
Which of the following are considered Technical Controls? -Firewall -Encryption -Operating System Hardening -All of the above
All of the above
How are business continuity plans (BCPs) and disaster recovery plans (DRPs) related? -A DRP is a part of the larger BCP. -A BCP is part of the larger DRP. -The two plans are distinct and are not related. -A BCP is only useful when creating a business impact analysis (BIA), while the DRP is an operational plan.
A DRP is a part of the larger BCP.
According to NIST 800-39, which of the following are outcomes of governance related to organization-wide risk management? -Strategic alignment of risk management decisions with missions and business functions consistent with organizational goals and objectives -Effective and efficient allocation of risk management resources -Delivered value by optimizing risk management investments in support of organizational objectives -All the above
All of the Above
What are common questions you should ask to create a threat model? -What systems need to be protected? -What are the potential adversaries? -How might a potential adversary conduct an attack? -All of the above
All of the Above
What are the activities in the second step of control assessment planning? -Develop objectives for the security assessment -Develop the roadmap of the assessment -Develop assessment procedures -All the above
All of the Above
The National Institute of Standards and Technology (NIST) publishes SP 800-53. This document describes a variety of IT security controls, such as access control, incident response, and configuration management. Controls are grouped into families. Which NIST control family helps an organization recover from failures and disasters? -Configuration Management (CM) -Contingency Planning (CP) -Identification and Authentication (IA) -Physical and Environmental Protection (PE)
Contingency Planning (CP)
Which of the following is a valid action in selecting the necessary controls? -Criticality Analysis -Threat Assessment -Vulnerability Assessment -Cost Benefit Analysis
Cost Benefit Analysis
Which of the following is not a correct step to scope the Risk Management Strategy for an Organization? -Critical Business Operations -Customer Service Delivery -Seven Domains of IT -Cost Benefit Analysis
Cost Benefit Analysis
When an emergency is declared, the ____________ contact(s) appropriate teams or team leads. -business continuity plan (BCP) program manager -stakeholders -business continuity plan (BCP) coordinator -department heads
Critical contractor
What is the difference between data mining and data warehousing? -Data mining extracts useful patterns and insights whereas data warehousing organizes large amounts of data. -Data warehousing extracts useful patterns and insights whereas data mining organizes large amounts of data. -Data warehousing and data mining are synonymous terms. -None of the above
Data mining extracts useful patterns and insights whereas data warehousing organizes large amounts of data.