c727 oa prep


You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement? Mandatory Access Control (MAC) model Discretionary Access Control (DAC) model Role-Based Access Control (RBAC) model Rule-based access control model

Discretionary Access Control (DAC) model

What are some common steps that employers take to notify employees of system monitoring?

Employment contracts are one way that employers notify employees of monitoring. The contract would state that the employee should not expect privacy while using corporate equipment, informing them that all communications are subject to monitoring.

Identify the difference between EOL and EOS.

End of Life is the date/time that a vendor is planning to stop selling a product. The difference between EOL and EOS is that End of Service is the date/time that the vendor will stop supporting the EOL product. EOS is a much later date than EOL.

List some physical and logical access controls used to protect assets.

Physical access controls used to protect assets consist of items that you can touch, such as fences/gates, bollards, HVAC systems, mantraps, etc. Logical access controls used to protect assets consist of authentication and authorization controls. These technical controls help to control access by forcing the user to prove their identity.

Identify common uses of pseudonymization, tokenization, and anonymization.

Pseudonymization: Process used to create a dataset that can be transferred to others. This process adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms. Tokenization: Process used when processing payment card data. Companies do not need to maintain the credit card data as they only need to hold the token which is mapped and maintained by a third party. Anonymization: Process used when removing all privacy data from a dataset. When done correctly, GDPR no longer applies to the data as it is no longer classified as personal data.

What is the difference between quantitative and qualitative assessment?

Quantitative Impact assessment involves the use of numbers and formulas to reach a decision. This assessment expresses results in terms of monetary values. Qualitative Impact assessment uses categories of security concerns and prioritizes them in ways such as high, medium, and low when expressing results.

A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? DAC model An access control list (ACL) Rule-based access control model RBAC model

RBAC model

What are the basic formulas or values used in quantitative risk assessment?

SLE = asset value (AV) * exposure factor (EF). AV = monetary value ($); EF = percentage of loss. ARO = Annual Rate of Occurrence (the number of times it happens in a year). ALE = Annual Loss Expectancy = SLE * ARO.

Describe the difference between scoping and tailoring.

Scoping refers to the process of reviewing a list of security controls and selecting only the items that apply to your information system. Tailoring refers to the process of modifying a list of controls to ensure that they align with the organization's mission. Tailoring includes Scoping.

After a security incident, our legal counsel presents the logs from the time of the attack in court. They constitute which type of evidence? Circumstantial evidence Real evidence Direct evidence Secondary evidence

Secondary Evidence - This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

Identify the PowerShell cmdlet that allows you to run PowerShell commands indirectly.

The PowerShell cmdlet that allows you to run PowerShell commands indirectly is Invoke-Expression.

What are the four main steps of the business continuity planning process?

The four main steps of the business continuity planning process are: Project scope and planning, Business impact analysis, Continuity planning, Approval and implementation.

Name the method that allows the user to log on once and access resources in multiple organizations without authenticating again.

The method that allows the user to log on once and access resources in multiple organizations without authenticating again is called having a Federated Identity. A federated identity allows for single sign-on (SSO) to be extended beyond a single organization. SAML is a common language used to exchange federated identity info between organizations.

Name several types or methods of social engineering.

phishing, vishing, whaling, spear phishing, watering hole, typosquatting, shoulder surfing, dumpster diving, campaigns

James was recently asked by his organization's CIO to lead a core team of four experts through a business continuity planning process for his organization. What is the first step that this core team should undertake? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment

B. Business organization analysis

While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following are possible risks? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. Damage to equipment

_________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A. Reissue B. Onboarding C. Background checks D. Site survey

B. Onboarding

A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this? A. Threat hunting B. Proactive approach C. Qualitative approach D. Adversarial approach

B. Proactive approach

Renee is reporting the results of her organization's BIA to senior leaders. They express frustration at all of the detail, and one of them says, "Look, we just need to know how much we should expect these risks to cost us each year." What measure could Renee provide to best answer this question? A. ARO B. SLE C. ALE D. EF

C. ALE

During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A. Mitigation B. Ignoring C. Acceptance D. Assignment

C. Acceptance

Which of the following statements is true related to the RBAC model? A RBAC model allows users membership in multiple groups. A RBAC model allows users membership in a single group. A RBAC model is nonhierarchical. A RBAC model uses labels.

A RBAC model allows users membership in multiple groups.

Brianna is working with a U.S. software firm that uses encryption in its products and plans to export their product outside of the United States. What federal government agency has the authority to regulate the export of encryption software? A. NSA B. NIST C. BIS D. FTC

C. BIS

You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers, who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million

A. $750,000

Match the term to its definition: 1. Asset 2. Threat 3. Vulnerability 4. Exposure 5. Risk I. The weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. II. Anything used in a business process or task. III. Being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A. 1-II, 2-V, 3-I, 4-III, 5-IV B. 1-I, 2-II, 3-IV, 4-II, 5-V C. 1-II, 2-V, 3-I, 4-IV, 5-III D. 1-IV, 2-V, 3-III, 4-II, 5-I

A. 1-II, 2-V, 3-I, 4-III, 5-IV

Darren is concerned about the risk of a serious power outage affecting his organization's data center. He consults the organization's business impact analysis and determines that the ARO of a power outage is 20 percent. He notes that the assessment took place three years ago and no power outage has occurred. What ARO should he use in this year's assessment, assuming that none of the circumstances underlying the analysis have changed? A. 20 percent B. 50 percent C. 75 percent D. 100 percent

A. 20 percent

During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard

Which of the following are valid definitions for risk? (Choose all that apply.) A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure E. The presence of a vulnerability when a related threat exists

A. An assessment of probability, possibility, or chance C. Risk = threat * vulnerability D. Every instance of exposure

Due to recent organization restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.

A. Create a job description.

Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.) A. Layering B. Classifications C. Zones D. Realms E. Compartments F. Silos G. Segmentations H. Lattice structure I. Protection rings

A. Layering B. Classifications C. Zones D. Realms E. Compartments F. Silos G. Segmentations H. Lattice structure I. Protection rings

In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.) A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. B. Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. C. Due diligence is the continued application of a security structure onto the IT infrastructure of an organization. D. Due care is practicing the individual activities that maintain the security effort. E. Due care is knowing what should be done and planning for it. F. Due diligence is doing the right action at the right time.

A. Due diligence is establishing a plan, policy, and process to protect the interests of an organization. D. Due care is practicing the individual activities that maintain the security effort.

Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.) A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips. C. If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms.

A. Each link in the supply chain should be responsible and accountable to the next link in the chain. B. Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips. D. Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms.

Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on? A. Existing security policy B. Third-party audit C. On-site assessment D. Vulnerability scan results

A. Existing security policy

Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.) A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value D. Maintaining Authenticity and Accountability E. Dynamic Governance System

A. Holistic Approach B. End-to-End Governance System C. Provide Stakeholder Value E. Dynamic Governance System

Which security framework was initially crafted by a government for domestic use but is now an international standard, which is a set of recommended best practices for optimization of IT services to support business growth, transformation, and change; which focuses on understanding how IT and security need to be integrated with and aligned to the objectives of an organization; and which is often used as a starting point for the crafting of a customized IT security solution within an established infrastructure? A. ITIL B. ISO 27000 C. CIS D. CSF

A. ITIL

Annaliese's organization is undergoing a period of increased business activity where they are conducting a large number of mergers and acquisitions. She is concerned about the risks associated with those activities. Which of the following are examples of those risks? (Choose all that apply.) A. Inappropriate information disclosure B. Increased worker compliance C. Data loss D. Downtime E. Additional insight into the motivations of inside attackers F. Failure to achieve sufficient return on investment (ROI)

A. Inappropriate information disclosure C. Data loss D. Downtime F. Failure to achieve sufficient return on investment (ROI)

A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue? A. Inherent risk B. Risk matrix C. Qualitative assessment D. Residual risk

A. Inherent risk

Ryan is assisting with his organization's annual business impact analysis effort. He's been asked to assign quantitative values to assets as part of the priority identification exercise. What unit of measure should he use? A. Monetary B. Utility C. Importance D. Time

A. Monetary

Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10 million C. $100,000 D. 0.10

B. $10 million

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy (SLE) of your shipping facility to avalanches? A. $3 million B. $2,700,000 C. $270,000 D. $135,000

B. $2,700,000

Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions. 1. Policy 2. Standard 3. Procedure 4. Guideline I. A detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution. II. A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. III. A minimum level of security that every system throughout the organization must meet. IV. Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users. V. Defines compulsory requirements for t

B. 1 - II; 2 - V; 3 - I; 4 - IV

A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege

B. Access control matrix

Which of the following best describes an implicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above.

B. All actions that are not expressly allowed are denied.

The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF has seven steps or phases. Which phase of the RMF focuses on determining whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation are reasonable? A. Categorize B. Authorize C. Assess D. Monitor

B. Authorize The RMF phase 6 is Authorize whether system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable (or reasonable). The phases of RMF are (1) Prepare, (2) Categorize, (3) Select, (4) Implement, (5) Assess, (6) Authorize, and (7) Monitor. (A) RMF phase (2) is categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. (C) RMF phase (5) is assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. (D) RMF phase (7) is monitor the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

James recently discovered an attack taking place against his organization that prevented employees from accessing critical records. What element of the CIA Triad was violated? A. Identification B. Availability C. Encryption D. Layering

B. Availability

Company proprietary data are discovered on a public social media posting by the CEO. While investigating, a significant number of similar emails were discovered to have been sent to employees, which included links to malicious sites. Some employees report that they had received similar messages to their personal email accounts as well. What improvements should the company implement to address this issue? (Choose two.) A. Deploy a web application firewall. B. Block access to personal email from the company network. C. Update the company email server. D. Implement multifactor authentication (MFA) on the company email server. E. Perform an access review of all company files. F. Prohibit access to social networks on company equipment.

B. Block access to personal email from the company network. F. Prohibit access to social networks on company equipment.

After repeated events of retraining, a particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO decides this was the last chance and the worker is to be fired. The CSO reminds you that the organization has a formal termination process that should be followed. Which of the following is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee? A. Return the exiting employee's personal belongings. B. Review the nondisclosure agreement. C. Evaluate the exiting employee's performance. D. Cancel the exiting employee's parking permit.

B. Review the nondisclosure agreement.

Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A. CISO(s) B. Security champion(s) C. Security auditor(s) D. Custodian(s)

B. Security champion(s)

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization. What is the security role that has the functional responsibility for security, including writing the security policy and implementing it? A. Senior management B. Security professional C. Custodian D. Auditor

B. Security professional

Security governance requires a clear understanding of the objectives of the organization as the core concepts of security. Which of the following contains the primary goals and objectives of security? A. A network's border perimeter B. The CIA Triad C. AAA services D. Ensuring that subject activities are recorded

B. The CIA Triad

The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.) A. Patch or update versions B. Trust boundaries C. Dataflow paths D. Open vs. closed source code use E. Input points F. Privileged operations G. Details about security stance and approach

B. Trust boundaries C. Dataflow paths E. Input points F. Privileged operations G. Details about security stance and approach

Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding? A. Write up a report and submit it to the CIO. B. Void the ATO of the vendor. C. Require that the vendor review their terms and conditions. D. Have the vendor sign an NDA.

B. Void the ATO of the vendor.

A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager

C. Chief executive officer

During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A. Qualitative risk assessment B. Delphi technique C. Risk avoidance D. Quantitative risk assessment

D. Quantitative risk assessment

Lighter than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the annualized loss expectancy? A. 0.01 B. $10 million C. $100,000 D. 0.10

C. $100,000

Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possible levels of RMM is being required of your organization? A. Preliminary B. Integrated C. Defined D. Optimized

C. Defined The level of RMM named Defined requires that a common or standardized risk framework be adopted organization-wide. This is effectively level 3. The first level of RMM is not listed as an option; it is ad hoc, which is the chaotic starting point. Preliminary is RMM level 2, which demonstrates loose attempts to follow risk management processes but each department may perform risk assessment uniquely. Integrated is RMM level 4, where risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions. Optimized is RMM level 5, where risk management focuses on achieving objectives rather than just reacting to external threats, increasing strategic planning toward business success rather than just avoiding incidents, and reintegrating lessons learned into the risk management process.

Helen is working on her organization's resilience plans, and her manager asks her whether the organization has sufficient technical controls in place to recover operations after a disruption. What type of plan would address the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact analysis C. Disaster recovery plan D. Vulnerability assessment

C. Disaster recovery plan

The board of directors of Clashmore Circuits conducts an annual review of the business continuity planning process to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability. What obligation are they satisfying by this review? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility

C. Due diligence

Confidentiality, integrity, and availability are typically viewed as the primary goals and objectives of a security infrastructure. Which of the following is not considered a violation of confidentiality? A. Stealing passwords using a keystroke logging tool B. Eavesdropping on wireless network communications C. Hardware destruction caused by arson D. Social engineering that tricks a user into providing personal information to a false website

C. Hardware destruction caused by arson

Jake is conducting a business impact analysis for his organization. As part of the process, he asks leaders from different units to provide input on how long the enterprise resource planning (ERP) system could be unavailable without causing irreparable harm to the organization. What measure is he seeking to determine? A. SLE B. EF C. MTD Maximum tolerable downtime D. ARO

C. MTD Maximum tolerable downtime

Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B. Outsourcing can be used as a risk response option known as acceptance or appetite. C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. D. Risk management strategies implemented by one party do not cause additional risks against or from another party.

C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved.

Ricky is conducting the quantitative portion of his organization's business impact analysis. Which one of the following concerns is least suitable for quantitative measurement during this assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage

C. Negative publicity

It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected? A. VAST B. SD3+C C. PASTA D. STRIDE

C. PASTA

In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact analysis C. Provisions and processes D. Resource prioritization

C. Provisions and processes

Chris is completing the risk acceptance documentation for his organization's business continuity plan. Which one of the following items is Chris least likely to include in this documentation? A. Listing of risks deemed acceptable B. Listing of future events that might warrant reconsideration of risk acceptance decisions C. Risk mitigation controls put in place to address acceptable risks D. Rationale for determining that risks were acceptable

C. Risk mitigation controls put in place to address acceptable risks

You have been tasked with crafting a long-term security plan that is fairly stable. It needs to define the organization's security purpose. It also needs to define the security function and align it to the goals, mission, and objectives of the organization. What are you being asked to create? A. Tactical plan B. Operational plan C. Strategic plan D. Rollback plan

C. Strategic plan

You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.

C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss.

Tracy is preparing for her organization's annual business continuity exercise and encounters resistance from some managers who don't see the exercise as important and feel that it is a waste of resources. She has already told the managers that it will only take half a day for their employees to participate. What argument could Tracy make to best address these concerns? A. The exercise is required by policy. B. The exercise is already scheduled and canceling it would be difficult. C. The exercise is crucial to ensuring that the organization is prepared for emergencies. D. The exercise will not be very time-consuming.

C. The exercise is crucial to ensuring that the organization is prepared for emergencies.

What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

C. Training

STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation? A. S B. T C. R D. I E. D F. E

D. I

Brian is developing continuity plan provisions and processes for his organization. What resource should he protect as the highest priority in those plans? A. Physical plant B. Infrastructure C. Financial D. People

D. People

Darcy is leading the BCP effort for her organization and is currently in the project scope and planning phase. What should she expect will be the major resource consumed by the BCP process during this phase? A. Hardware B. Software C. Processing time D. Personnel

D. Personnel

You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the annualized loss expectancy? A. $3 million B. $2,700,000 C. $270,000 D. $135,000

D. $135,000

Matt is supervising the installation of redundant communications links in response to a finding during his organization's BIA. What type of mitigation provision is Matt overseeing? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems

D. Alternative systems

The CSO has expressed concern that after years of security training and awareness programs, the level of minor security violations has actually increased. A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. They claim these efforts will improve security compliance and foster security behavior change. What is the approach that is being recommended? A. Program effectiveness evaluation B. Onboarding C. Compliance enforcement D. Gamification

D. Gamification

Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario? A. Software B. Services C. Data D. Hardware

D. Hardware

You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest? A. Software products B. Internet connections C. Security policies D. Humans

D. Humans

Optimally, security governance is performed by a board of directors, but smaller organizations may simply have the CEO or CISO perform the activities of security governance. Which of the following is true about security governance? A. Security governance ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. B. Security governance is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. C. Security governance is a documented set of best IT security practices that prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

D. Security governance seeks to compare the security processes and infrastructure used within the organization with knowledge and insight obtained from external sources.

Which of the following access control models allows the owner of data to modify permissions? Discretionary Access Control (DAC) Mandatory Access Control (MAC) Rule-based access control Risk-based access control

Discretionary Access Control (DAC)

Laws, regulations, and standards should not be confused. Which of these is NOT a law? HIPAA PCI-DSS Gramm-Leach-Bliley Act Homeland Security Act

Payment Card Industry Data Security Standard (PCI-DSS) - Technically not a law. Created by the payment card industry. The standard applies to cardholder data for both credit and debit cards. Requires merchants and others to meet a minimum set of security requirements. Mandates security policy, devices, control techniques, and monitoring.

Describe the differences between identification, authentication, authorization, and accountability.

Identification occurs when a user claims an identity such as a username to log into a computer. Authentication occurs when the subject provides the correct information to verify the claimed identity is the user's identity such as when a user provides a password connected to the username. Authorization occurs when identity has been authenticated. The account is granted rights and permissions based on the proven identity. Accountability occurs when the user's actions are logged and auditable. This can only happen if the processes for identification and authentication are secure.

What is wrong with taking an informal approach to business continuity planning?

If an informal approach to business continuity planning is taken and an emergency situation occurs, there could be dire consequences. Without a plan of action, there will be no guide in how to respond to an emergency.

Name a tool that is commonly used in pass-the-hash and Kerberos exploitation attacks for privilege escalation.

Mimikatz is an application that allows users to view and save authentication credentials such as Kerberos tickets.

Describe sensitive data.

Sensitive data is any data that is not public or unclassified. This type of data would include PII, PHI, or proprietary data.

Name six different administrative controls used to secure personnel.

Six different administrative controls used to secure personnel would be: Offboarding, Least privilege, mandatory vacations, separation of duties, job rotation, acceptable use policies.

What are some common questions that organizations should ask when considering outsourcing information storage, processing, or transmission?

Some questions that should be asked when considering outsourcing information storage, processing, or transmission are: What types of sensitive information does the vendor store, process, or transmit? What types of security audits are performed by the vendor? What access does the client have to the security audits performed by the vendor? What provisions does the vendor have in place to ensure the protection of confidentiality, integrity, and availability of client data?

What are the four components of a complete organizational security policy and their basic purpose?

The 4 components of a complete organizational security policy are Standards, Guidelines, Policies, and Procedures. Standards are the current definition of hardware and software compliance. Policies are broad security statements with a goal of relaying company expectations. A procedure is a detailed document containing step-by-step instructions on how to complete a task appropriately. A guideline is used when there are no specific procedures for a task.

Discuss and describe the CIA Triad.

The CIA Triad stands for Confidentiality, Integrity, and Availability. The three topics create a guideline for cybersecurity. Confidentiality involves the use of encryption to preserve the privacy of the data. Integrity ensures that the data being received has come from a verified individual and that the data is correct. Availability involves the timely and uninterrupted access to resources and services for customers and employees.

Describe the primary difference between discretionary and nondiscretionary access control models.

The primary difference between discretionary and nondiscretionary access control models is in how they are managed. With a non-discretionary access control model, administrators centrally administer access. With a discretionary access control model, the data owner is allowed to make their changes and manage access.

Identify the processes an organization follows when hiring an employee and when an employee leaves.

The process an organization follows when hiring an employee is called Provisioning and Onboarding. Provisioning helps new employees to get up and running as quickly as possible. Onboarding includes activities that allow new employees to complete the orientation process and get integrated into the organization. Deprovisioning and Offboarding are the processes an organization follows when an employee leaves. Deprovisioning removes individual accounts on file servers, machines, and Active Directory. Offboarding allows the organization to evaluate the value that the individual provided in their previous role.

What are the requirements to hold a person accountable for the actions of their user account?

The requirements for holding someone accountable are identification, authorization, authentication, and auditing. All 4 of these components need to be supported in order to hold someone accountable.

Name the six primary security roles as defined by (ISC)2 for CISSP.

The six primary security job roles are: Auditor, user, data owner, data custodian, IT/Security, and Management.

Describe the three primary authentication factor types.

The three primary authentication factors are something you know (Type 1), something you have (Type 2), and something you are (Type 3). Something you know is something memorized, such as a password. Something you have is something you can hold or touch, such as a smart card. Something you are uses biometrics, such as fingerprints or retina scans.

What are the two primary mechanisms that an organization may use to share information outside the European Union under the terms of GDPR?

The two primary mechanisms that an organization can use to share information outside of the European Union under the terms of GDPR are: Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment.

This can be done with the use of the Delphi technique. The Delphi technique is an anonymous feedback-and-response process used to arrive at a consensus. This gives third parties the opportunity to properly evaluate risks in a qualitative risk assessment. The goal of this technique is to encourage participants to give truthful feedback and responses without the worry of being discriminated against.

List at least three standards used to provide SSO capabilities on the internet.

Three standards used to provide SSO capabilities on the internet are: OpenID, OpenID Connect (OIDC), OAuth, and SAML.

Why is it essential to include legal representatives on your business continuity planning team?

To ensure that the company remains compliant with law, regulations, and contractual agreements, it is essential to include legal representation on the Business Continuity Planning team. This will help to ensure that the company is correctly and legally protecting client data in the event of an emergency.

Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?

To perform a balanced risk assessment, a security professional should use an approach that involves both of the qualitative and quantitative methods. A full assessment cannot be completed without using both methods as some aspects of analysis are subjective.

What are the main types of social engineering principles?

Authority, trust, familiarity, scarcity, intimidation, consensus, and urgency.

What critical components should you include in your business continuity training plan?

Critical components that should be included in the BCP training plan are: different types of training for individuals who have different jobs within the plan, an overview of the plan for everyone, and a backup for each role in the plan.
