Chapter 1: Security and Risk Management (Domain 1)
Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HIPAA D. GISRA
A. FISMA The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.
Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation? A. GLBA B. SOX C. HIPAA D. FERPA
A. GLBA The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions. The Sarbanes Oxley (SOX) Act regulates the financial reporting activities of publicly traded companies. The Health Insurance Portability and Accountability Act (HIPAA) regulates the handling of protected health information (PHI). The Family Educational Rights and Privacy Act (FERPA) regulates the handling of student educational records.
Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation? A. Patent B. Trade secret C. Copyright D. Trademark
A. Patent Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case. Copyrights are used to protect creative works, while trademarks are used to protect names, logos, and symbols.
You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.) A. Physical B. Detective C. Deterrent D. Preventive
A. Physical C. Deterrent D. Preventive A, C, D. A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws? A. Student identification number B. Social Security number C. Driver's license number D. Credit card number
A. Student identification number Most state data breach notification laws are modeled after California's data breach notification law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). California's breach notification law also protects some items not commonly found in other state laws, including medical records and health insurance information. These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.
Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: "Advance and protect the profession." Who may bring ethics charges against Henry for this violation? A. Anyone may bring charges. B. Any certified or licensed professional may bring charges. C. Only Henry's employer may bring charges. D. Only the affected employee may bring charges.
B. Any certified or licensed professional may bring charges. This is a question about who has standing to bring an ethics complaint. The group of individuals who has standing differs based upon the violated canon. In this case, we are examining Canon IV, which permits any certified or licensed professional who subscribes to a code of ethics to bring charges. Charges of violations of Canons I or II may be brought by anyone. Charges of violations of Canon III may only be brought by a principal with an employer/ contractor relationship with the accused.
Which one of the following actions might be taken as part of a business continuity plan? A. Restoring from backup tapes B. Implementing RAID C. Relocating to a cold site D. Restarting business operations
B. Implementing RAID RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.
Gavin is creating a report to management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk? A. Inherent risk B. Residual risk C. Control risk D. Mitigated risk
B. Residual risk The residual risk is the level of risk that remains after controls have been applied to mitigate risks. Inherent risk is the original risk that existed prior to the controls. Control risk is new risk introduced by the addition of controls to the environment. Mitigated risk is the risk that has been addressed by existing controls.
After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending? A. Accept B. Transfer C. Reduce D. Reject
B. Transfer Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!
Alyssa is responsible for her organization's security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk? A. Gamification B. Computer-based training C. Content reviews D. Live training
C. Content reviews Alyssa should use periodic content reviews to continually verify that the content in her program meets the organization's needs and is up-to-date based upon the evolving risk landscape. She may do this using a combination of computer-based training, live training, and gamification, but those techniques do not necessarily verify that the content is updated.
When developing a business impact analysis, the team should first create a list of assets. What should happen next? A. Identify vulnerabilities in each asset. B. Determine the risks facing the asset. C. Develop a value for each asset. D. Identify threats facing each asset.
C. Develop a value for each asset. After developing a list of assets, the business impact analysis team should assign values to each asset. The other activities listed here occur only after the assets are assigned values.
Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party's copyright. What law governs the actions that Francine must take? A. Copyright Act B. Lanham Act C. Digital Millennium Copyright Act D. Gramm Leach Bliley Act
C. Digital Millennium Copyright Act The Digital Millennium Copyright Act (DMCA) sets forth the requirements for online service providers when handling copyright complaints received from third parties. The Copyright Act creates the mechanics for issuing and enforcing copyrights but does not cover the actions of online service providers. The Lanham Act regulates the issuance of trademarks to protect intellectual property. The Gramm-Leach-Bliley Act regulates the handling of personal financial information.
Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances? A. Due diligence B. Separation of duties C. Due care D. Least privilege
C. Due care The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.
Laura has been asked to perform an SCA. What type of organization is she most likely in? A. Higher education B. Banking C. Government D. Healthcare
C. Government A security controls assessment (SCA) most often refers to a formal U.S. government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
Brenda's organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition? A. Consolidation of security functions B. Integration of security tools C. Protection of intellectual property D. Documentation of security policies
C. Protection of intellectual property The protection of intellectual property is a greater concern during a divestiture, where a subsidiary is being spun off into a separate organization, than an acquisition, where one firm has purchased another. Acquisition concerns include consolidating security functions and policies as well as integrating security tools.
Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters? A. Due diligence rule B. Personal liability rule C. Prudent man rule D. Due process rule
C. Prudent man rule The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied them to information security matters in the United States in 1991
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference
C. Risk mitigation Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation. Risk acceptance involves making a conscious decision to accept a risk as-is with no further action. Risk avoidance alters business activities to make a risk irrelevant. Risk transfer shifts the costs of a risk to another organization, such as an insurance company.
Wanda is working with one of her organization's European Union business partners to facilitate the exchange of customer information. Wanda's organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance? A. Binding corporate rules B. Privacy Shield C. Standard contractual clauses D. Safe harbor
C. Standard contractual clauses The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/U.S. Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid
FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability
C. The right to be forgotten The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use? A. Quantitative risk assessment B. Qualitative risk assessment C. Neither quantitative nor qualitative risk assessment D. Combination of quantitative and qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.
You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next? A. Implement new security controls to reduce the risk level. B. Design a disaster recovery plan. C. Repeat the business impact assessment. D. Document your decision-making process.
D. Document your decision-making process. Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).
Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges? A. Copyright law B. Lanham Act C. Glass-Steagall Act D. Economic Espionage Act
D. Economic Espionage Act The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a U.S. corporation. It gives true teeth to the intellectual property rights of trade secret owners. Copyright law does not apply in this situation because there is no indication that the information was copyrighted. The Lanham Act applies to trademark protection cases. The Glass-Steagall Act was a banking reform act that is not relevant in this situation
Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model? A. Spoofing B. Repudiation C. Tampering D. Elevation of privilege
D. Elevation of privilege In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations? A. Memory chips B. Office productivity applications C. Hard drives D. Encryption software
D. Encryption software The export of encryption software to certain countries is regulated under U.S. export control laws. Memory chips, office productivity applications, and hard drives are unlikely to be covered by these regulations.
Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation? A. Preponderance of the evidence B. Beyond a reasonable doubt C. Beyond the shadow of a doubt D. There is no standard
D. There is no standard Unlike criminal or civil cases, administrative investigations are an internal matter, and there is no set standard of proof that Kelly must apply. However, it would still be wise for her organization to include a standard burden of proof in their own internal procedures to ensure the thoroughness and fairness of investigations.