Chapter 4
Which of the following is not true of gap analysis?
A gap analysis can be performed only through a formal investigation
Which of the following is an example of an authorization control?
Access Control List
Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?
Business Continuity Plan (BCP)
What compliance regulation is similar to the European Union (EU) General Data Protection Regulation (GDPR) of 2016 and focuses on individual privacy and rights of data owners?
California Consumer Privacy Act (CCPA) of 2018
Rodrigo is a security professional. He is creating a policy that gives his organization control over mobile devices used by employees while giving them some options as to the type of device they will use. Which approach to mobile devices is Rodrigo focusing on in the policy?
Choose Your Own Device (CYOD)
What is the first priority when responding to a disaster recovery effort?
Ensuring that everyone is safe
Which regulation requires schools to receive written permission from a parent or an eligible student before releasing any information contained in a student's education record?
FERPA
Aditya recently assumed an information security role for a financial institution located in the United States. He is tasked with assessing the institution's risk profile and cybersecurity maturity level. What compliance regulation applies specifically to Aditya's institution?
FFIEC
Which of the following is an example of a direct cost that might result from a business disruption?
Facility Repair
True or False? An uninterruptible power supply (UPS) is an example of a reactive component of a disaster recovery plan (DRP).
False
True or False? Authorization controls include biometric devices.
False
True or False? In most organizations, focusing on smaller issues rather than planning for the most wide-reaching disaster results in a more comprehensive disaster recovery plan.
False
True or False? Regarding data-center alternatives for disaster recovery, a mobile site is the least expensive option but at the cost of the longest switchover time.
False
True or False? The business continuity plan (BCP) identifies the resources for which a business impact analysis (BIA) is necessary.
False
True or False? The term "risk methodology" refers to a list of identified risks that results from the risk identification process.
False
What compliance regulation focuses on management and evaluation of the security of unclassified and national security systems?
Government Information Security Reform Act (Security Reform Act) of 2000
Dawn is selecting an alternative processing facility for her organization's primary data center. She needs a facility with the least switchover time, even if it's the most expensive option. What is the most appropriate option in this situation?
Hot Site
Which of the following is an example of a reactive disaster recovery plan?
Moving to a warm site
What is not a commonly used endpoint security technique?
Network Firewall (it's not an endpoint at all)
What level of technology infrastructure should you expect to find in a cold site alternative data center facility?
No technology infrastructure
A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?
PCI DSS
Hajar is developing a business impact assessment for her organization. She is working with business units to determine the target state of recovered data that allows the organization to continue normal processing after a major interruption. Which of the following is Hajar determining?
Recovery Point Objective
Which is the typical risk equation?
Risk = Threat X Vulnerability
As a follow-up to her annual testing, Isabella would like to conduct quarterly disaster recovery tests. These tests should include role-playing and introduce as much realism as possible without affecting live operations. What type of test should Isabella conduct?
Simulation Test
What is the main purpose of risk identification in an organization?
To make the organization's personnel aware of existing risk
True or False? A business continuity plan (BCP) directs all activities required to ensure that an organization's critical business functions continue when an interruption occurs that affects the organization's viability.
True
True or False? A disaster recovery plan (DRP) is part of a business continuity plan (BCP) and is necessary to ensure the restoration of resources required by the BCP to an available state.
True
True or False? A threat analysis identifies and documents threats to critical resources, which means considering the types of disasters that are possible and what kind of damage they can cause.
True
True or False? Authentication controls include passwords and personal identification numbers (PINs).
True
Isabella is in charge of the disaster recovery plan (DRP) team. She needs to ensure that data center operations will transfer smoothly to an alternate site in the event of a major interruption. She plans to run a complete test that will interrupt the primary data center and transfer processing capability to a hot site. What option is described in this scenario?
Full-interruption Test
True or False? The Gramm-Leach-Bliley Act (GLBA) addresses information security concerns in the financial industry.
Gramm-Leach-Bliley Act (GLBA)
True or False? OCTAVE is an approach to risk-based strategic assessment and planning.
True
True or False? Remote wiping is a device security control that allows an organization to remotely erase data or email in the event of loss or theft of the device.
True
True or False? Screen locks are a form of endpoint device security control.
True
True or False? Storage segmentation is a mobile device control that physically separates personal data from business data.
True
True or False? The recovery time objective (RTO) expresses the maximum allowable time in which to recover the function after a major interruption.
True
True or False? The term "risk management" describes the process of identifying, assessing, prioritizing, and addressing risks.
True
True or False? The tools for conducting a risk analysis can include the documents that define, categorize, and rank risks.
True
True or False? Changes to external requirements, such as legislation, regulation, or industry standards, that require control changes can result in a security gap for an organization.
True
True or False? Mobile device management (MDM) includes a software application that allows organizations to monitor, control, data wipe, or data delete business data from a personally owned device.
True