SEC+ 601 Chapter 17: Risk Management and Privacy

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized rate of occurrence (ARO)? A. 0.05 B. 0.20 C. 2.00 D. 5.00

A. 0.05 Aziz's threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

Helen's organization maintains medical records on behalf of its customers, who are individual physicians. What term best describes the role of Helen's organization? A. Data processor B. Data controller C. Data owner D. Data steward

A. Data processor In this case, the physicians maintain the data ownership role. They have chosen to outsource data processing to Helen's organization, making that organization a data processor.

Under the European Union's GDPR, what term is assigned to the individual who leads an organization's privacy efforts? A. Data protection officer B. Data controller C. Data steward D. Data processor

A. Data protection officer Under the GDPR, the data protection officer (DPO) is an individual assigned direct responsibility for carrying out an organization's privacy program.

Please refer to the following scenario: Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. In the end, Grace found that the insurance policy was too expensive and opted not to purchase it. She is taking no additional action. What risk management strategy is being used in this situation? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A. Risk acceptance When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.

Which one of the following data protection techniques is reversible when conducted properly? A. Tokenization B. Masking C. Hashing D. Shredding

A. Tokenization Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can't be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the annualized loss expectancy (ALE)? A. $5,000 B. $25,000 C. $100,000 D. $500,000

B. $25,000 We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

What term is given to an individual or organization who determines the reasons for processing personal information? A. Data steward B. Data controller C. Data processor D. Data custodian

B. Data controller Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law, and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.

Tina works for a hospital system and manages the system's patient records. What category of personal information best describes the information that is likely to be found in those records? A. PCI B. PHI C. PFI D. PII

B. PHI This is a tricky question, as it is possible that all of these categories of information may be found in patient records. However, they are most likely to contain protected health information (PHI). PHI could also be described as a subcategory of personally identifiable information (PII), but PHI is a better description. It is also possible that the records might contain payment card information (PCI) or personal financial information (PFI), but that is less likely than PHI.

Please refer to the following scenario: Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace is considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

B. Risk avoidance Changing business processes or activities to eliminate a risk is an example of risk avoidance.

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. $500,000 The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the single loss expectancy (SLE)? A. $5,000 B. $100,000 C. $500,000 D. $600,000

C. $500,000 We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100%) to get an SLE of $500,000.

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated? A. Data minimization B. Data retention C. Purpose limitation D. Data sovereignty

C. Purpose limitation Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

Gene recently conducted an assessment and determined that his organization can be without its main transaction database for a maximum of two hours before unacceptable damage occurs to the business. What metric has Gene identified? A. MTBF B. MTTR C. RTO D. RPO

C. RTO The Recovery Time Objective (RTO) is the amount of time that the organization can tolerate a system being down before it is repaired. That is the metric that Gene has identified in this scenario.

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk? A. Reduced the magnitude B. Eliminated the vulnerability C. Reduced the probability D. Eliminated the threat

C. Reduced the probability Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done? A. Removed the threat B. Reduced the threat C. Removed the vulnerability D. Reduced the vulnerability

C. Removed the vulnerability By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

Please refer to the following scenario: Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

C. Risk mitigation Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

Which one of the following U.S. government classification levels requires the highest degree of security control? A. Secret B. Confidential C. Top Secret D. Unclassified

C. Top Secret Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

Please refer to the following scenario: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the exposure factor (EF)? A. 5% B. 20% C. 50% D. 100%

D. 100% The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

Brian recently conducted a risk mitigation exercise and has determined the level of risk that remains after implementing a series of controls. What term best describes this risk? A. Inherent risk B. Control risk C. Risk appetite D. Residual risk

D. Residual risk The residual risk is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.

Please refer to the following scenario: Grace recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk. Grace's company decided to install the web application firewall and continue doing business. They are still worried about other risks to the information that were not addressed by the firewall and are considering purchasing an insurance policy to cover those risks. What strategy does this use? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D. Risk transference Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.