SEC+ Objectives Practice Q&A: CH5 - Governance, Risk, and Compliance

23. C. Antivirus software is used to protect computer systems from malware and is not a physical security control. Physical controls are security measures put in place to reduce the risk of harm coming to a physical property. This includes protection of personnel, hardware, software, networks, and data from physical actions and events that could cause damage or loss.

23. Which of the following is not a physical security control? A. Motion detector B. Fence C. Antivirus software D. Closed-circuit television (CCTV)

12. A. The single loss expectancy (SLE) is the product of the value ($16,000) and the exposure factor (.35), or $5,600.

12. You have an asset that is valued at $16,000, the exposure factor of a risk affecting that asset is 35 percent, and the annualized rate of occurrence is 75 percent. What is the SLE? A. $5,600 B. $5,000 C. $4,200 D. $3,000

53. D. The General Data Protection Regulation (GDPR) does not include a right to anonymity, although organizations must be able to provide security safeguards that may include anonymization where appropriate.

53. Which of the following rights is not included in the GDPR? A. The right to access B. The right to be forgotten C. The right to data portability D. The right to anonymity

100. B. Olivia should establish a service level agreement (SLA) with her provider to ensure that they meet the expected level of service. If they don't, financial or other penalties are typically included. Olivia should ensure that those penalties are meaningful to her vendor to make sure they are motivated to meet the SLA. An MOU is a memorandum of understanding and explains the relationship between two organizations; an MSA is a master services agreement, which establishes a business relationship under which additional work orders or other documentation describe the actual work that is done; and a BPA is a business partnership agreement, which is used when companies wish to partner on efforts and may outline division of profits or responsibilities in the partnership.

100. Olivia's cloud service provider claims to provide "five nines of uptime" and Olivia's company wants to take advantage of that service because their website loses thousands of dollars every hour that it is down. What business agreement can Oliva put in place to help ensure that the reliability that the vendor advertises is maintained? A. An MOU B. An SLA C. An MSA D. A BPA

106. D. Although humans can create fires or floods, industrial accidents are the only item on the list that are exclusively person-made disasters.

106. Gurvinder is assessing risks from disasters to his company's facility and wants to properly categorize them in his planning. Which of the following is not a type of natural disaster? A. Fire B. Flood C. Tornado D. Industrial accidents

111. C. Locks are physical controls. An example of a managerial control would be a policy or practice, a technical control can include things like firewalls or antivirus, and corrective controls are put in place to ensure that a problem or gap in another control is fixed.

111. What type of control is a lock? A. Managerial B. Technical C. Physical D. Corrective

127. D. Privacy notices are frequently provided as part of license or contractual terms, as well as in website usage agreements.

127. Where are privacy notices frequently found? A. The terms of an agreement for customers B. A click-through license agreement C. A website usage agreement D. All of the above

3. D. Least privilege is the most fundamental concept in establishing accounts. Each user should have just enough privileges to do their job. This concept also applies to service accounts. Although each of the other options is something you would consider, they are not as critical as the principle of least privilege.

3. You are responsible for setting up new accounts for your company network. What is the most important thing to keep in mind when setting up new accounts? A. Password length B. Password complexity C. Account age D. Least privileges

35. B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss, and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).

35. How do you calculate the annual loss expectancy (ALE) that may occur due to a threat? A. Exposure factor (EF) / single loss expectancy (SLE) B. Single loss expectancy (SLE) × annual rate of occurrence (ARO) C. Asset value (AV) × exposure factor (EF) D. Single loss expectancy (SLE) / exposure factor (EF)

56. A. Risks that the organization itself creates are internal risks. External risks are those created by factors outside the organization's control. Qualitative and quantitative are both types of risk assessment, rather than categorizations of risk.

56. Alyssa has been asked to categorize the risk of outdated software in her organization. What type of risk categorization should she use? A. Internal B. Quantitative C. Qualitative D. External

70. D. The diagram shows a fully redundant internal network with pairs of firewalls, routers, and core switches, but with a single connection to the Internet. This means that Megan should consider how her organization would connect to the outside world if that link was severed or disrupted. There is no indication whether this is a wired or wireless link, and the image does not show a redundant link.

70. Megan is reviewing her organization's datacenter network diagram as shown in the following image. What should she note for point A on the diagram? A. A wireless link B. A redundant connection C. A wired link D. A single point of failure

82. D. The General Data Protection Regulation, or GDPR, requires a data protection officer (DPO). They oversee the organization's data protection strategy and implementation, and make sure that the organization complies with the GDPR.

82. What law or regulation requires a DPO in organizations? A. FISMA B. COPPA C. PCI-DSS D. GDPR

83. D. Although recovering from a breach can be costly, the loss of data like intellectual property in circumstances like these is the most critical issue. The institution is likely to suffer reputational harm and may not be trusted to conduct research like this in the future, leading to an even greater cost to the university's ability to do new research with the government.

83. The university that Susan works for conducts top secret research for the U.S. Department of Defense as part of a partnership with its engineering school. A recently discovered breach points to the school being compromised for over a year by an advanced persistent threat actor. What consequence of the breach should Susan be most concerned about? A. Cost to restore operations B. Fines C. Identity theft D. IP theft

88. B. This is an example of a personnel credential policy since it applies to the staff who are employed by his organization. Policies like this help to ensure that accounts are not shared or reused. There is no mention of specific devices, service accounts, or administrative accounts.

88. Dan has written a policy that prohibits employees from sharing their passwords with their coworkers, family members, or others. What type of credential policy has he created? A. Device credential policy B. Personnel credential policy C. A service account policy D. An administrative account policy

92. D. The most common means of transferring breach risk is to purchase cybersecurity insurance. Accepting breaches is rarely considered a valid risk process, blaming breaches on competitors does not actually transfer risk, and selling data to another organization is not a risk handling process but may be a business process.

92. Zarmeena wants to transfer the risk for breaches to another organization. Which of the following options should she use to transfer the risk? A. Explain to her management that breaches will occur. B. Blame future breaches on competitors. C. Sell her organization's data to another organization. D. Purchase cybersecurity insurance.

94. C. The cost of a breach is an example of the impact of a breach. Probability is how likely the risk is to occur, and risk severity is calculated by multiplying probability and impact.

94. The financial cost of a breach is an example of what component of risk calculations? A. Probability B. Risk severity C. Impact D. All of the above

96. D. SOC 2 engagement assesses the security and privacy controls that are in place, and a Type 2 report provides information on the auditor's assessment of the effectiveness of the controls that are in place. An SOC 1 report assesses the controls that impact the accuracy of financial reporting. Type 1 reports a review auditor's opinion of the description provided by management about the suitability of the controls as designed. They do not look at the actual operating effectiveness of the controls.

96. Joanna wants to request an audit report from a vendor she is considering and plans to review the auditor's opinions on the effectiveness of the security and privacy controls the vendor has in place. What type of Standard for Attestation Engagements (SSAE) should she request? A. SSAE-18 SOC 1, Type 2 B. SSAE-18 SOC 2, Type 1 C. SSAE-18 SOC 1, Type 1 D. SSAE-18 SOC 2, Type 2

104. C. Third-party credential policies address how contractors and consultants credentials are handled. This may require sponsorship by an internal staff member, additional controls regarding password resets or changes, and shorter lifespans, among other controls and requirements.

104. What type of credential policy is typically created to handle contractors and consultants? A. A personnel policy B. A service account policy C. A third-party policy D. A root account policy

105. B. Annual rate of occurrence (ARO) is expressed as the number of times an event will occur in a year. Wayne has estimated that the risk event that is being assessed will happen three times a year.

105. Wayne has estimated the ARO for a risk in his organization to be 3. How often does Wayne think the event will happen? A. Once every 3 months B. Three times a year C. Once every three years D. Once a year for three years

107. C. Information on a website made available to customers is typically classified as public information because it is easily available and intentionally exposed to them. Confidential, sensitive, or critical information is unlikely to be exposed to customers without a specific data handling agreement and additional security layers.

107. Madhuri is classifying all of her organization's data and wants to properly classify the information on the main organizational website that is available to anyone who visits the site. What data classification should she use from the following list? A. Sensitive B. Confidential C. Public D. Critical

108. D. Data processors are service providers that process data for data controllers. A data controller or data owner is the organization or individual who collects and controls data. A data steward carries out the intent of the data controller and is delegated responsibility for the data. Data custodians are those who are entrusted with the data to store, manage, or secure the data.

108. Elle works for a credit card company that handles credit card transactions for businesses around the world. What data privacy role does her company play? A. A data controller B. A data steward C. A data custodian D. A data processor

109. D. Data masking partially redacts sensitive data by replacing some or all information in a sensitive data field with blanks or other replacement characters. Tokenization replaces sensitive data with unique identifiers using a lookup table. Hashing performs a one-way function on a value to get a unique hash, and encryption protects data using an algorithm that can be reversed to restore the original data while allowing for confidentiality and integrity validation.

109. The website that Brian is using shows part of his Social Security number, not all of it, and replacing the rest of the digits with asterisks, allowing him to verify the last four digits. What technique is in use on the website? A. Tokenization B. Hashing C. Encryption D. Data masking

110. C. The Cloud Security Alliance's reference architecture includes information about tools in a vendor-neutral manner. CIS provides vendor specific benchmarks for AWS, Azure, and Oracle's cloud offerings. The International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) do not offer this type of resource.

110. Mike wants to look for a common set of tools for security and risk management for his infrastructure as a service (IaaS) environment. Which of the following organizations provides a vendor-neutral reference architecture that he can use to validate his design? A. The Center for Internet Security (CIS) B. ISO C. The Cloud Security Alliance D. NIST

112. C. Control risk is a term used in public accounting. It is the risk that arises from a potential lack of internal controls within an organization that may cause a material misstatement in the organization's financial reports. In this case, the lack of controls that would validate the financial system's data and function is a control risk.

112. Isaac has discovered that his organization's financial accounting software is misconfigured, causing incorrect data to be reported on an ongoing basis. What type of risk is this? A. Inherent risk B. Residual risk C. Control risk D. Transparent risk

113. C. Although fires, oil spills, and wars are all potential examples of person-made disasters, hurricanes remain solely a natural disaster. Some disasters could be either a person-made or natural disaster. For example, fires can be caused by humans or by nature, as can floods, and even chemical spills when an earthquake occurs.

113. Which of the following is not a potential type of person-made disaster? A. Fires B. Oil spills C. Hurricanes D. War

114. C. Confidential information is classified by the U.S. government as information that requires some protection and that if disclosed without authorization, would cause identifiable harm to national security. Top Secret information requires the highest degree of protection and would cause exceptionally grave harm if exposed without authorization. Secret information requires a substantial degree of protection and would cause serious damage if exposed. Business Sensitive is not a U.S. government classification but is a term commonly used in businesses.

114. Susan works for the U.S. government and has identified information in her organization that requires some protection. If the information were disclosed without authorization, it would cause identifiable harm to national security. How should she classify the data? A. Top Secret B. Secret C. Confidential D. Business Sensitive

115. C. Phone numbers uniquely identify individuals, making them an example of personally identifiable information, or PII. PHI is protected health information, financial information includes financial records of all types, and government information is information that belongs to the government or may be classified by the government and entrusted to an organization.

115. Ed serves as his organization's data steward and wants to classify each data element that is used in their business. How should he classify cell phone numbers? A. As PHI B. As financial information C. As PII D. As government information

116. B. Tokenization is an ideal option for this scenario. Tokenization replaces a sensitive value with an alternate value that can be looked up in a table when the value needs to be referenced back to its original form. Encryption does not meet this need, data masking only hides part of the value, and data washing is not a commonly used term for techniques of this nature.

116. Marcus wants to ensure that attackers can't identify his customers if they were to gain a copy of his organization's web application database. He wants to protect their Social Security numbers (SSNs) with an alternate value that he can reference elsewhere when he needs to look up a customer by their SSN. What technique should he use to accomplish this? A. Encryption B. Tokenization C. Data masking D. Data washing

117. C. Privacy notices are often included on websites to meet the requirements of laws or regulations like the General Data Protection Regulation (GDPR) or state privacy laws.

117. Which of the following is the most common reason to include a privacy notice on a website? A. To warn attackers about security measures B. To avoid lawsuits C. Due to regulations or laws D. None of the above

118. C. Nicole is a data controller, sometimes called a data owner. She determines the reasons for processing personal information and how it is processed. A data steward carries out the intents of the data controller, data custodians are charged with safeguarding information, and data consumer is not a common data privacy role.

118. Nicole determines how her organization processes data that it collects about its customers and also decides how and why personal information should be processed. What role does Nicole play in her organization? A. Data steward B. Data custodian C. Data controller D. Data consumer

119. B. This is an internal disaster—one in which internal issues have led to a problem. An external disaster would be caused by forces outside the organization like a natural disaster, malicious activity, or other outside forces. An RTO, or recovery time objective, is not a type of disaster, and an MRO disaster was made up for this question.

119. The virtual machine cluster that Pat is in charge of has suffered a major failure in its primary controller. The entire organization is offline, and customers cannot get to the organization's website which is its primary business. What type of disaster has Pat's organization experienced? A. An MRO disaster B. An internal disaster C. An RTO disaster D. An external disaster

120. C. Minimizing the amount of data that is collected is the first step in ensuring that organizations can handle the volume and types of data that they work with. After that, classifying it and then determining how long you retain it are also important parts of the data life cycle.

120. What important step should be taken early in the information life cycle to ensure that organizations can handle the data they collect? A. Data retention B. Data classification C. Data minimization D. Data exfiltration

121. D. Kirk has mitigated the risk to his organization by increasing the resources targeted by the DoS attack in an attempt to ensure that the attack will not be successful. Acceptance would involve simply letting the attacks occur knowing they are likely to stop, avoidance might involve finding a way to ensure the attacks cannot occur, and transfer could leverage a third-party mirror or anti-DoS hosting service.

121. Kirk's organization has been experiencing large-scale denial-of-service (DoS) attacks against their primary website. Kirk contracts with his Internet service provider to increase the organization's bandwidth and expands the server pool for the website to handle significantly more traffic than any of the previous DoS attacks. What type of risk management strategy has he employed? A. Acceptance B. Avoidance C. Transfer D. Mitigation

122. A. A multiparty risk involves multiple organizations. Since there are multiple customers and organizations involved, this is an example of multiparty risk. An internal risk originates inside an organization—instead, this is an external risk. A legacy system risk is created by a system or process that is no longer supported or updated. An intellectual property (IP) theft risk occurs when proprietary information or trade secrets might be exposed or lost.

122. The co-location facility that Joanna contracts to host her organization's servers is in a flood plain in a hurricane zone. What type of risk best describes the risk that Joanna and other customers face? A. A multiparty risk B. An internal risk C. A legacy risk D. An IP theft risk

123. B. EOL, or end of life, occurs when a service or system is no longer supported, available, or does not function. Natasha needs to plan to transition smoothly away from the service, either to a replacement service or to stop using the service itself. An MOU is a memorandum of understanding, and an NDA is a nondisclosure agreement, neither of which is directly relevant here. A last will and testament is not used for a service EOL.

123. The cloud service that Natasha's organization has used for the past five years will no longer be available. What phase of the vendor relationship should Natasha plan for with this service? A. Preparing a service MOU B. An EOL transition process C. Creating an NDA D. A last will and testament

124. C. The Center for Internet Security (CIS) provides a wide range of OS, application, server, and other benchmarks. Microsoft provides benchmarks for their own operating systems but does not provide Linux benchmarks. The National Institute of Standards and Technology (NIST) does not provide benchmarks, but the National Security Agency (NSA) does.

124. Gary wants to use a secure configuration benchmark for his organization for Linux. Which of the following organizations would provide a useful, commonly adopted benchmark that he could use? A. Microsoft B. NIST C. CIS D. All of the above

125. C. Offboarding processes are conducted to ensure that accounts and access is removed and that materials, computers, and data are all recovered from the staff member when a member of an organization leaves. Exit interviews are an HR process, job rotation helps to prevent an individual from conducting fraudulent activities over time, and governance helps to manage and maintain data by establishing high level control over the processes, procedures, and classification of the data an organization uses.

125. After Angela left her last organization, she discovered that she still had access to her shared drives and could log in to her email account. What critical process was likely forgotten when she left? A. An exit interview B. Job rotation C. Offboarding D. Governance

126. D. Public, private, sensitive, confidential, critical, and proprietary are all commonly used data classification labels for business. Secret, however, is more commonly used in government classification schemes.

126. Frank knows that businesses can use any classification labels they want, but he also knows that there are a number of common labels in use. Which of the following is not a common data classification label for businesses? A. Public B. Sensitive C. Private D. Secret

17. D. In most cases, operating a facility in a state is sufficient reason to need to comply with state laws. Jim should check with a lawyer, but he should plan on needing to comply with Illinois, Indiana, and Ohio law, as well as federal laws.

17. Jim's company operates facilities in Illinois, Indiana, and Ohio, but the headquarters is in Illinois. Which state laws does Jim need to review and handle as part of his security program? A. All U.S. state laws B. Illinois C. Only U.S. federal laws D. State laws in Illinois, Indiana, and Ohio

29. A. Preventive controls stop an action from happening—in this scenario, preventing an unauthorized user from gaining access to the network when the user steps away. A corrective control is designed to correct a situation, a deterrent control is used to deter a security breach, and a detective control is designed to uncover a violation.

29. James is a security administrator and is attempting to block unauthorized access to the desktop computers within the company's network. He has configured the computers' operating systems to lock after 5 minutes of no activity. What type of security control has James implemented? A. Preventive B. Corrective C. Deterrent D. Detective

52. B. Separation of duty can be classified as an operational control that attempts to minimize fraud by ensuring that an individual cannot exploit a process and conceal the errors or issues that they are creating. It is not a physical control or a technical control, and nothing in the question indicates that this is compensating for gaps left by another control.

52. What type of control is separation of duty? A. Physical B. Operational C. Technical D. Compensating

45. A. Data owners assign labels such as top secret to data. Custodians assign security controls to data. A privacy officer ensures that companies comply with privacy laws and regulations. System administrators are responsible for the overall functioning of IT systems.

45. You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels? A. Owner B. Custodian C. Privacy officer D. System administrator

6. C. The PCI-DSS, or Payment Card Industry Data Security Standard, is a security standard that is mandated by credit card vendors. The Payment Card Industry Security Standards Council is responsible for updates and changes to the standard. GDPR, or the General Data Protection Regulation, is a standard for data privacy and security in the European Union (EU). COPPA is the Children's Online Privacy Protection Act, a U.S. federal law. CIS is the Center for Internet Security and is not a law or a regulation.

6. What standard is used for credit card security? A. GDPR B. COPPA C. PCI-DSS D. CIS

72. A. An intrusion detection system (IDS) can detect attacks, and is a detective control. Since it is a technical system rather than a physical control or an administrative policy or procedure, Henry can correctly categorize it as a technical, detective control.

72. Henry has implemented an intrusion detection system. What category and control type could he list for an IDS? A. Technical, Detective B. Administrative, Preventative C. Technical, Corrective D. Administrative, Detective

10. D. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.

10. Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved? A. SLA B. BPA C. ISA D. MOU

11. A. Escalation is necessary in cases where the current breach goes beyond the scope of the organization or investigators or is required by law. In this case, Sally believes a crime has been committed and has escalated the case to law enforcement. Other escalations might be to federal or state law enforcement, or to other more capable internal or external investigators. Tokenizing data uses a deidentified replacement data item, public notification notifies the population or customers at large, and outsourcing investigations may be done if specialized skills are needed.

11. As part of the response to a credit card breach, Sally discovers evidence that individuals in her organization were actively working to steal credit card information and personally identifiable information (PII). She calls the police to engage them for the investigation. What has she done? A. Escalated the investigation B. Public notification C. Outsourced the investigation D. Tokenized the data

13. C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation. An IDS (intrusion detection system) is a detective control because it detects security breaches. An audit log is a detective control because it detects security breaches. A router is a preventive control because it prevents security breaches with access control lists (ACLs).

13. During a meeting, you present management with a list of access controls used on your network. Which of the following controls is an example of a corrective control? A. IDS B. Audit logs C. Antivirus software D. Router

14. A. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a "no trespassing" sign are deterrent controls. The other options are examples of detective controls. A detective control is designed to uncover a violation, although some detective controls may serve as a deterrent—for example, when a camera is visible, they are not primarily deterrent controls.

14. You are the new security administrator and have discovered your company lacks deterrent controls. Which of the following would you install that satisfies your needs? A. Lighting B. Motion sensor C. Hidden video cameras D. Antivirus scanner

60. D. There is no civilian classification level for government data. Data may be unclassified, or sensitive but unclassified. Top Secret, Secret, and Confidential are all commonly used classifications.

60. Eric works for the U.S. government and needs to classify data. Which of the following is not a common classification type for U.S. government data? A. Top Secret B. Secret C. Confidential D. Civilian

103. A. The single loss expectancy (SLE) describes what a single risk event is likely to cost. It is calculated using the asset value (AV) times the exposure factor (EF), which is an estimated percentage of the cost that will occur in damage if the loss occurs. MTTR is the mean time to restore, ARO is the annual rate of occurrence, and RTO is the recovery time objective. These are not part of the SLE equation.

103. How is SLE calculated? A. AV * EF B. RTO * AV C. MTTR * EF D. AV * ARO

101. D. The most accurate risk descriptor for this is software compliance. Although this is an internal risk, software compliance fully describes the issue. Intellectual property (IP) theft risk occurs when an organization's intellectual property is stolen, not when license violations for third parties occurs. This is not a legacy system, or at least it was not described that way in the question.

101. After reviewing systems on his network, Brian has discovered that dozens of them are running copies of a CAD software package that the company has not paid for. What risk type should he identify this as? A. Internal B. Legacy systems C. IP theft D. Software compliance

102. D. Inherent risk is the risk that an organization faces before controls are put in place. Without risk assessment and controls in place, Gary must first deal with the inherent risks the organization has as it exists today. Residual risk is the risk that is left after controls are put in place. The theft of intellectual property (IP) like algorithms, formulas, and processes are IP risks, and multiparty risk is risk that impacts more than one group, company, or person.

102. Gary is beginning his risk assessment for the organization and has not yet begun to implement controls. What risk does his organization face? A. Residual risk B. IP theft risk C. Multiparty risk D. Inherent risk

1. A. Caroline should select ISO 27002. ISO 27002 is an international standard for implementing and maintaining information security systems. ISO 27017 is an international standard for cloud security; NIST 800-12 is a general security standard and it is a U.S. standard, not an international one; and NIST 800-14 is a standard for policy development, and it is also a U.S. standard, not an international one.

1. Caroline has been asked to find an international standard to guide her company's choices in implementing information security management systems. Which of the following would be the best choice for her? A. ISO 27002 B. ISO 27017 C. NIST 800-12 D. NIST 800-14

48. B. ALE (annual loss expectancy) = SLE (single loss expectancy) × ARO (annualized rate of occurrence). SLE equals $750,000 (2,500 records × $300), and ARO equals 5%, so $750,000 times 5% equals $37,500.

48. A security analyst is analyzing the cost the company could incur if the customer database was breached. The database contains 2,500 records with personally identifiable information (PII). Studies show the cost per record would be $300. The likelihood that the database would be breached in the next year is only 5 percent. Which of the following would be the ALE for a security breach? A. $15,000 B. $37,500 C. $150,000 D. $750,000

41. C. A single point of failure (SPOF) is a single weakness that can bring an entire system down and prevent it from working. Cloud computing allows the delivery of hosted service over the Internet. Load balancing spreads traffic or other load between multiple systems or servers. Virtualization uses a system to host virtual machines that share the underlying resources such as RAM, hard drive, and CPU.

41. All of your organization's traffic flows through a single connection to the Internet. Which of the following terms best describes this scenario? A. Cloud computing B. Load balancing C. Single point of failure D. Virtualization

67. D. An individual is most likely to face identity theft issues if their personally identifiable information (PII) is stolen or breached.

67. What type of impact is an individual most likely to experience if a data breach that includes PII occurs? A. IP theft B. Reputation damage C. Fines D. Identity theft

85. B. A SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. An MOU (memorandum of understanding) is a legal document that describes a mutual agreement between parties. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners.

85. Your company is considering moving its mail server to a hosting company. This will help reduce hardware and server administrator costs at the local site. Which of the following documents would formally state the reliability and recourse if the reliability is not met? A. MOU B. SLA C. ISA D. BPA

86. A. Customer data can include any information that a customer uploads, shares, or otherwise places in or creates via a service. Customers may have contractual security guarantees in the terms of service, and notification or other clauses may also impact what Rick needs to do if the data is breached. PII is personally identifiable information like name, address, or other details that can identify a person. Financial information may include bills, account balances, and similar details. Health information covers a broad range of data about an individual's medical and health status or history.

86. Rick's organization provides a website that allows users to create an account and then upload their art to share with other users. He is concerned about a breach and wants to properly classify the data for their handling process. What data type is most appropriate for Rick to label the data his organization collects and stores? A. Customer data B. PII C. Financial information D. Health information

93. B. Service accounts are not typically allowed to use interactive logins, and thus prohibiting interactive logins is a common security policy for them. Limited login hours or locations are more commonly used for employee accounts when they should not be accessing resources after hours or from nonwork locations. Frequent password expiration for service accounts is actually likely to cause a service outage, and many service accounts have complex passwords and are set with longer password expiration timeframes or are set to never expire.

93. Which of the following is a common security policy for service accounts? A. Limiting login hours B. Prohibiting interactive logins C. Limiting login locations D. Implementing frequent password expiration

15. D. Testing and training are preventive administrative controls. Administrative controls dictate how security policies should be executed to accomplish the company's security goals. A detective technical control uncovers a violation through technology. A preventive technical control attempts to stop a violation through technology. Detective administrative controls uncover a violation through policies, procedures, and guidelines.

15. Your company's security policy includes system testing and security awareness training guidelines. Which of the following control types is this? A. Detective technical control B. Preventive technical control C. Detective administrative control D. Preventive administrative control

16. A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

16. You are a security administrator for your company and you identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan in case the security risk occurs. Which of the following type of risk response technique are you demonstrating? A. Accept B. Transfer C. Avoid D. Mitigate

18. A. Onboarding is the process of adding an employee to a company's identity and access management system. Offboarding is the process of removing an employee from the company's identity and access management system. Adverse action is an official personnel action that is taken for disciplinary reasons. Job rotation gives individuals the ability to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture.

18. You are an IT administrator for a company and you are adding new employees to an organization's identity and access management system. Which of the following best describes the process you are performing? A. Onboarding B. Offboarding C. Adverse action D. Job rotation

19. A. A clean desk policy ensures that sensitive information and documents are not left on desks after hours and requires employees to place those files into a less exposed or secure location. Background checks, continuing education, and job rotation do not protect confidential information left on desks from being exposed.

19. Mark is an office manager at a local bank branch. He wants to ensure that customer information isn't compromised when the deskside employees are away from their desks for the day. What security concept would Mark use to mitigate this concern? A. Clean desk B. Background checks C. Continuing education D. Job rotation

2. B. If a system is infected with malware, the malware will operate with the privileges of the current user. If you use Non-administrative accounts, with least privileges, then the malware won't be able to access administrative functionality without a privilege escalation capability.

2. Adam is concerned about malware infecting machines on his network. One of his concerns is that malware would be able to access sensitive system functionality that requires administrative access. What technique would best address this issue? A. Implementing host-based antimalware B. Using a nonadministrative account for normal activities C. Implementing full-disk encryption (FDE) D. Making certain the operating systems are patched

20. A. As users register for an account, they enter letters and numbers they are given on the web page before they can register. This is an example of a deterrent control since it prevents bots from registering and proves this is a real person. Detective controls detect intrusion as it happens and uncovers a violation. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. Degaussing is a method of removing data from a magnetic storage media by changing the magnetic field.

20. You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to? A. Deterrent B. Detective C. Compensating D. Degaussing

21. D. A parking policy generally outlines parking provisions for employees and visitors. This includes the criteria and procedures for allocating parking spaces for employees and is not a part of organizational security policy. Instead, it is an operational or business policy. An acceptable use policy describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. Social media policy defines how employees should use social media networks and applications such as Facebook, Twitter, LinkedIn, and others. It can adversely affect a company's reputation. Password policies define the complexity of creating passwords. It should also define weak passwords and how users should protect password safety.

21. Which of the following is not a common security policy type? A. Acceptable use policy B. Social media policy C. Password policy D. Parking policy

22. C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company's competitive edge. High is a generic label assigned to data internally that represents the amount of risk being exposed outside the company. The top-secret label is often used in governmental systems where data and access may be granted or denied based on assigned categories. Low is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.

22. As the IT security officer for your organization, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets? A. High B. Top secret C. Proprietary D. Low

54. D. The NIST RMF's process is. 1. Prepare 2. Categorize system 3. Select controls 4. Implement controls 5. Assess controls 6. Authorize system 7. Monitor controls

54. Nick is following the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and has completed the prepare and categorize steps. Which step in the risk management framework is next? A. Assessing controls B. Implementing controls C. Monitoring controls D. Selecting controls

24. A. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what impact the event will have. Qualitative risk assessment is the process of ranking which risk poses the most danger such as low, medium, and high. A business impact analysis (BIA) is used to evaluate the possible effect a business can suffer should an interruption to critical system operations occur. This interruption could be as a result of an accident, emergency, or disaster. Threat assessment is the process of identifying and categorizing different threats such as environmental and person-made. It also attempts to identify the potential impact from the threats.

24. Your security manager wants to decide which risks to mitigate based on cost. What is this an example of? A. Quantitative risk assessment B. Qualitative risk assessment C. Business impact analysis D. Threat assessment

25. D. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands. An NDA is a legal contract between the company and third-party vendor to not disclose information per the agreement. Encrypted data that is sent can still be decrypted by the third-party vendor if they have the appropriate certificate or the key but does not restrict access to the data. Violating an NDA would constitute unauthorized data sharing, and a violation of privileged user role-based awareness training has nothing to do with sharing proprietary information.

25. Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme wants to include a third-party vendor to help resolve the technical issues. Which of the following must Acme consider before sending data to the third party? A. This data should be encrypted before it is sent to the third-party vendor. B. This may constitute unauthorized data sharing. C. This may violate the privileged user role-based awareness training. D. This may violate a nondisclosure agreement.

26. A. Detective controls like CCTV detect intrusion as it happens and can help uncover violations. Policies are administrative controls. Firewalls and intrusion prevention system (IPS) devices are technical controls. Technical controls are applied through technology and may be also be deterrent, preventive, detective, or compensating.

26. Which of the following is considered a detective control? A. Closed-circuit television (CCTV) B. An acceptable use policy C. Firewall D. IPS

27. C. Sharing of profits and losses and the addition or removal of a partner, as well as the responsibilities of each partner, are typically included in a BPA (business partner agreement). Expectations between parties such as a company and an Internet service provider are typically found in a service level agreement (SLA). Expectations include the level of performance given during the contractual service. An SLA will provide a clear means of determining whether a specific function or service has been provided according to the agreed-on level of performance. Security requirements associated with interconnecting IT systems are typically found in an interconnection security agreement, or ICA.

27. Which of the following is typically included in a BPA? A. Clear statements detailing the expectation between a customer and a service provider B. The agreement that a specific function or service will be delivered at the agreed-on level of performance C. Sharing of profits and losses and the addition or removal of a partner D. Security requirements associated with interconnecting IT Systems

28. D. A backup generator is a compensating control—an alternate control that replaces the original control when it cannot be used due to limitations of the environment. A firewall is considered a preventive control, a security guard is considered a physical control, and an IDS (intrusion detection system) is considered a detective control.

28. You are the network administrator of your company, and the manager of a retail site located across town has complained about the loss of power to their building several times this year. The branch manager is asking for a compensating control to overcome the power outage. What compensating control would you recommend? A. Firewall B. Security guard C. IDS D. Backup generator

30. C. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture. Separation of duties is the concept of having more than one person required to complete a task, allowing problems to be noted by others involved. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities while the person who normally performs them is out of the office. Onboarding is the process of adding an employee to a company's identity and access management system or other infrastructure.

30. An accounting employee changes roles with another accounting employee every 4 months. What is this an example of? A. Separation of duties B. Mandatory vacation C. Job rotation D. Onboarding

31. B. Data minimization is the process of ensuring that only data that is required for business functions is collected and maintained. Tony should ensure that his organization is minimizing the data collected. Data masking redacts data but does not decrease how much is collected. Tokenization replaces sensitive values with a unique identifier that can be looked up in a lookup table. Anonymization removes the ability to identify individuals from data but is quite difficult.

31. Tony's company wants to limit their risk due to customer data. What practice should they put in place to ensure that they have only the data needed for their business purposes? A. Data masking B. Data minimization C. Tokenization D. Anonymization

32. A. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat. A risk register is a document that tracks an organization's risks and information about the risks like who owns it, if it is being remediated, and similar details. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

32. Your company website is hosted by an Internet service provider. Which of the following risk response techniques is in use? A. Risk avoidance B. Risk register C. Risk acceptance D. Risk mitigation

33. D. Systems should be restored within four hours with a minimum loss of one day's worth of data. The RTO (recovery time objective) is the amount of time within which a process or service must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. The recovery point objective, or RPO, specifies the amount of time that can pass before the amount of data lost may exceed the organization's maximum tolerance for data loss.

33. A security administrator is reviewing the company's continuity plan, and it specifies an RTO of four hours and an RPO of one day. Which of the following is the plan describing? A. Systems should be restored within one day and should remain operational for at least four hours. B. Systems should be restored within four hours and no later than one day after the incident. C. Systems should be restored within one day and lose, at most, four hours' worth of data. D. Systems should be restored within four hours with a loss of one day's worth of data at most.

34. A. A data retention policy defines how long an organization will keep data. Removing sensitive documents not in use is a clean desk policy. A formal process for managing configuration changes is change management, and a memorandum of understanding consists of legal documents that describe mutual agreement between two parties.

34. Which of the following statements is true regarding a data retention policy? A. Regulations require financial transactions to be stored for seven years. B. Employees must remove and lock up all sensitive and confidential documents when not in use. C. It describes a formal process of managing configuration changes made to a network. D. It is a legal document that describes a mutual agreement between parties.

36. B. The Center for Internet Security (CIS) benchmarks provide recommendations for how to secure an operating system, application, or other covered technology. Michelle will find Windows 10-specific security configuration guidelines and techniques.

36. Michelle has been asked to use the CIS benchmark for Windows 10 as part of her system security process. What information will she be using? A. Information on how secure Windows 10 is in its default state B. A set of recommended security configurations to secure Windows 10 C. Performance benchmark tools for Windows 10 systems, including network speed and firewall throughput D. Vulnerability scan data for Windows 10 systems provided by various manufacturers

37. A. Preventive controls like data backups are proactive and are used to avoid a security breach or an interruption of critical services before they can happen. Security cameras, smoke detectors, and door alarms are examples of detective control. Detective controls detect intrusion as it happens and uncovers a violation.

37. Which of the following is the best example of a preventive control? A. Data backups B. Security camera C. Door alarm D. Smoke detectors

38. C. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether.

38. You are a security administrator for your company and you identify a security risk that you do not have in-house skills to address. You decide to acquire contract resources. The contractor will be responsible for handling and managing this security risk. Which of the following type of risk response techniques are you demonstrating? A. Accept B. Mitigate C. Transfer D. Avoid

39. D. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen. Administrative controls are defined through policies, procedures, and guidelines. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. A deterrent control is used to deter a security breach.

39. Each salesperson who travels has a cable lock to lock down their laptop when they step away from the device. To which of the following controls does this apply? A. Administrative B. Compensating C. Deterrent D. Preventive

4. C. Change management is the process of documenting all changes made to a company's network and computers. Avoiding making changes at the same time makes tracking any problems that can occur much simpler. Due diligence is the process of investigation and verification of the accuracy of a particular act. Acceptable use policies state what actions and practices are allowed in an organization while using technology. Due care is the effort made by a reasonable party to avoid harm to another. It is the level of judgment, care, determination, and activity a person would reasonably expect to do under certain conditions.

4. Which of the following principles stipulates that multiple changes to a computer system should not be made at the same time? A. Due diligence B. Acceptable use C. Change management D. Due care

40. C. Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. An RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups. ALE (annual loss expectancy) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

40. You are a server administrator for your company's private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives? A. MTTR B. RPO C. MTBF D. ALE

42. A. Quantitative risk analysis requires complex calculations and is more time-consuming because it requires detailed financial data and calculations. Quantitative risk assessment is often subjective and requires expertise on systems and infrastructure, and both types of assessment can provide clear answers on risk-based questions.

42. Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis? A. Quantitative risk analysis requires detailed financial data. B. Quantitative risk analysis is sometimes subjective. C. Quantitative risk analysis requires expertise on systems and infrastructure. D. Quantitative risk provides clear answers to risk-based questions.

43. D. A custodian configures data protection based on security policies. The local community bank is the data owner, not Leigh Ann. Leigh Ann is a network administrator, not a user, and power user is not a standard security role in the industry.

43. Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn't properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming? A. Power user B. Data owner C. User D. Custodian

44. B. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether. Risk transfer is the act of moving the risk to other organizations like insurance providers or hosting companies who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk.

44. Categorizing residual risk is most important to which of the following risk response techniques? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transfer

46. C. Employees can leak a company's confidential information. Exposing a company's information could put the company's security position at risk because attackers can use this information as part of attacks against the company. Gaining access to a computer's MAC address is not relevant to social media network risk. Gaining access to a computer's IP address is not relevant to social media network risk. Employees can easily express their concerns about a company in general. This is not relevant to social media network risk as long as the employee doesn't reveal any confidential information.

46. Which of the following is the most pressing security concern related to social media networks? A. Other users can view your MAC address. B. Other users can view your IP address. C. Employees can leak a company's confidential information. D. Employees can express their opinion about their company.

47. C. Separation of duties is the concept of having more than one person required to complete a task. A background check is a process that is performed when a potential employee is considered for hire. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee's attack is easier when multiple employees understand the company's security posture. Collusion is an agreement between two or more parties to defraud a person of their rights or to obtain something that is prohibited by law.

47. What concept is being used when user accounts are created by one employee and user permissions are configured by another employee? A. Background checks B. Job rotation C. Separation of duties D. Collusion

49. C. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning's maximum acceptable threshold. MTBF (mean time between failures) is the rating on a device or component that predicts the expected time between failures. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. ARO (annual rate of occurrence) is the ratio of an estimated possibility that a threat will take place within a one-year time frame.

49. Which of the following concepts defines a company goal for system restoration and acceptable data loss? A. MTBF B. MTTR C. RPO D. ARO

5. A. An acceptable use policy (AUP) is a document stating what a user may or may not have access to on a company's network or the Internet. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Job rotation is a policy that describes the practice of moving employees between different tasks. Job rotation can help detect fraud because employees cannot perform the same actions for long periods of time.

5. You are a security engineer and discovered an employee using the company's computer systems to operate their small business. The employee installed their personal software on the company's computer and is using the computer hardware, such as the USB port. What policy would you recommend the company implement to prevent any risk of the company's data and network being compromised? A. Acceptable use policy B. Clean desk policy C. Mandatory vacation policy D. Job rotation policy

50. D. A data retention policy states how data should be stored based on various types, such as storage location, amount of time the data should be retained, and the type of storage medium that should be used. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. An AUP, or acceptable use policy, describes the limits and guidelines for users to make use of an organization's physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. A security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change.

50. Your company hires a third-party auditor to analyze the company's data backup and long-term archiving policy. Which type of organization document should you provide to the auditor? A. Clean desk policy B. Acceptable use policy C. Security policy D. Data retention policy

51. C. Onboarding is the process of adding an employee to company's identity and access management system. Offboarding is the process of removing an employee from the company's identity and access management system. A system owner is an individual who is in charge of managing one or more systems and can include patching and updating operating systems. An executive user was made up for this question.

51. You are a network administrator and have been given the duty of creating user accounts for new employees the company has hired. These employees are added to the identity and access management system and assigned mobile devices. What process are you performing? A. Offboarding B. System owner C. Onboarding D. Executive user

55. B. Security program administrators often use different types of training to ensure that trainees who react and respond differently to training are given training that helps them. There may be other valid reasons, but this is the most common reason for training diversity.

55. Why are diversity of training techniques an important concept for security program administrators? A. It allows for multiple funding sources. B. Each person responds to training differently. C. It avoids a single point of failure in training compliance. D. It is required for compliance with PCI-DSS.

57. B. Risk registers are documents used by organizations to track and manage risks and include information including the owner or responsible party, details about the risk, and other useful information. Statement on Standards for Attestation Engagements (SSAEs) are audit reports, Payment Card Industry Data Security Standard (PCI-DSS) is a security standard used for credit card operations, and risk table is not a common industry term.

57. What term is used to describe a listing of all of an organization's risks, including information about the risk's rating, how it is being remediated, remediation status, and who owns or is assigned responsibility for the risk? A. An SSAE B. A risk register C. A risk table D. A DSS

58. C. The mean time to repair (MTTR) for a system or devices is the average time that it will take to repair it if it fails. The MTTR is used as part of business continuity planning to determine if a system needs additional redundancy or other options put in place if a failure and repair would exceed the maximum tolerable outage. It is calculated by dividing the total maintenance time by the total number of repairs. MTBF is the mean time between failures, MTTF the mean time to fail, and MITM is an on-path attack, a term that has been increasingly replaced with on-path.

58. Which of the following terms is used to measure how maintainable a system or device is? A. MTBF B. MTTF C. MTTR D. MITM

59. D. Common results of breaches like this include identity theft using the personal information of the customers, financial loss to the company due to breach costs and lawsuits, and reputational loss. Since the incident response process is over, Olivia's company should have remediated the underlying issues that led to the breach, hopefully preventing further downtime and thus availability loss.

59. The company that Olivia works for has recently experienced a data breach that exposed customer data, including their home addresses, shopping habits, email addresses, and contact information. Olivia's company is an industry leader in their space but has strong competitors as well. Which of the following impacts is not likely to occur now that the organization has completed their incident response process? A. Identity theft B. Financial loss C. Reputation loss D. Availability loss

61. B. The source code for a product is not typically used as a location for privacy terms and conditions. Instead, they are in the contract, user license or related legal terms, or in a formal privacy notice.

61. Which of the following is not a common location for privacy practices to be recorded or codified? A. A formal privacy notice B. The source code for a product C. The terms of the organization's agreement with customers D. None of the above

62. B. Pseudonymization can allow reidentification of the data subject if additional data is available. Properly done anonymization cannot be reversed. Anonymization techniques will group information so that individuals cannot be identified from data and use other techniques to prevent additional information, leading to de-anonymization of individuals.

62. What key difference separates pseudonymization and anonymization? A. Anonymization uses encryption. B. Pseudonymization requires additional data to reidentify the data subject. C. Anonymization can be reversed using a hash. D. Pseudonymization uses randomized tokens.

63. A. A data governance policy clearly states who owns the information collected and used by an organization. Information security policies provide the high-level authority and guidance for security programs and efforts. Acceptable use policies (AUPs) define what information resources can be used for and how. Data retention policies establish what information an organization will collect and how long it will be kept before destruction.

63. What policy clearly states the ownership of information created or used by an organization? A. A data governance policy B. An information security policy C. An acceptable use policy D. A data retention policy

64. C. Helen has created a functional recovery plan focused on a specific technical and business function. A disaster recovery plan (DRP) has a broader perspective and might include multiple functional recovery plans. RPOs, or recovery point objectives, and MTBF, or mean time between failures, are not types of plans typically built by organizations.

64. Helen's organization provides telephone support for their entire customer base as a critical business function. She has created a plan that will ensure that her organization's Voice over IP (VoIP) phones will be restored in the event of a disaster. What type of plan has she created? A. A disaster recovery plan B. An RPO plan C. A functional recovery plan D. An MTBF plan

65. B. Health information may be covered by state, local, or federal law, and Greg's organization should ensure that they understand any applicable laws before storing, processing, or handling health information.

65. Greg has data that is classified as health information that his organization uses as part of their company's HR data. Which of the following statements is true for his company's security policy? A. The health information must be encrypted. B. Greg should review relevant law to ensure the health information is handled properly. C. Companies are prohibited from storing health information and must outsource to third parties. D. All of the above

66. C. Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information.

66. What type of information does a control risk apply to? A. Health information B. Personally identifiable information (PII) C. Financial information D. Intellectual property

68. C. It is common practice to prohibit interactive logins to a GUI or shell for service accounts. Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).

68. Isaac has been asked to write his organization's security policies. What policy is commonly put in place for service accounts? A. They must be issued only to system administrators. B. They must use multifactor authentication. C. They cannot use interactive logins. D. All of the above

69. C. Asset management policies typically include all stages of an asset's life cycle, and asset tags like those described are used to track assets in many organizations. Change management, incident response, and acceptable use policies do not require asset tagging.

69. Nina is tasked with putting radio frequency identification (RFID) tags on every new piece of equipment that enters her datacenter that costs more than $500. What type of organizational policy is most likely to include this type of requirement? A. A change management policy B. An incident response policy C. An asset management policy D. An acceptable use policy

7. A. Companies will use mandatory vacation policies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands. Continuing education is the process of training adult learners in a broad list of postsecondary learning activities and programs. Companies will use continuing education in training their employees on the new threats and also reiterating current policies and their importance.

7. You are a security manager for your company and need to reduce the risk of employees working in collusion to embezzle funds. Which of the following policies would you implement? A. Mandatory vacations B. Clean desk C. NDA D. Continuing education

71. D. Emma should categorize this as a supply chain risk. When organizations cannot get the systems, equipment, and supplies they need to operate, it can have significant impact on their ability to conduct business. That could create financial risk, but financial risk is not the direct risk here. There is no indication that the vendor will not support the systems, nor is there any information about whether there is an integration issue in the description.

71. Emma is reviewing third-party risks to her organization, and Nate, her organization's procurement officer, notes that purchases of some laptops from the company's hardware vendor have been delayed due to lack of availability of SSDs (solid state drives) and specific CPUs for specific configurations. What type of risk should Emma describe this as? A. Financial risk B. A lack of vendor support C. System integration D. Supply chain

73. C. The Federal Trade Commission (FTC) does not provide security configuration guides or benchmarks for operating systems or devices. The Center for Internet Security (CIS), Microsoft (and other vendors), and the National Security Agency (NSA) all provide configuration benchmarks.

73. Amanda administers Windows 10 workstations for her company and wants to use a secure configuration guide from a trusted source. Which of the following is not a common source for Windows 10 security benchmarks? A. CIS B. Microsoft C. The FTC D. The NSA

74. C. Legacy systems that no longer receive support are a significant concern because they cannot be patched if security vulnerabilities are discovered. Windows 2008 reached its end of life in January 2020. It ran on both 32-bit and 64-bit platforms, and you can still install modern web servers on it.

74. Katie has discovered a Windows 2008 web server running in her environment. What security concern should she list for this system? A. Windows 2008 only runs on 32-bit platforms. B. Windows 2008 cannot run modern web server software. C. Windows 2008 has reached its end of life and cannot bepatched. D. All of the above

75. B. Patching is a form of avoidance because it works to remove a risk from the environment. Acceptance of flaws that need patching would involve leaving the software unpatched; mitigation strategies might include firewalls, intrusion prevention systems (IPSs), or web application firewall (WAF) devices; and transference options include third-party hosting or services.

75. Patching systems immediately after patches are released is an example of what risk management strategy? A. Acceptance B. Avoidance C. Mitigation D. Transference

76. B. Risk heat maps or a risk matrix can allow an organization to quickly look at risks and compare them based on their probability and impact or other rating elements. Qualitative and quantitative risk assessments are types of assessment, not means of presenting risk information in an easy-to-understand format, and risk plots are not a common term used in the field.

76. Charles wants to display information from his organization's risk register in an easy-to-understand and -rank format. What common tool is used to help management quickly understand relative rankings of risk? A. Risk plots B. A heat map C. A qualitative risk assessment D. A quantitative risk assessment

77. A. The fines that can result from violation or infringement of regulations like the General Data Protection Regulation can have a significant impact on an organization, or could even potentially put it out of business. Due to this, organizations will track compliance with regulations as part of their risk posture.

77. What key element of regulations, like the European Union's (EU's) GDPR, drive organizations to include them in their overall assessment of risk posture? A. Potential fines B. Their annual loss expectancy (ALE) C. Their recovery time objective (RTO) D. The likelihood of occurrence

78. D. Disaster recovery requires forethought and preparation, response to issues to minimize impact during a disaster, and response activities after a disaster. Thus, a complete disaster recovery plan should include actions that may or will occur before, during, and after a disaster, and not just the recovery process after the fact.

78. What phases of handling a disaster are covered by a disaster recovery plan? A. What to do before the disaster B. What to do during the disaster C. What to do after the disaster D. All of the above

79. B. Although data breaches could result in termination of a card processing agreement, the fact that her organization is noncompliant is most likely to result in a fine. PCI-DSS, or Payment Card Industry Data Security Standard, is a vendor standard, not a law, and criminal charges would not typically be filed in a situation like this.

79. Naomi's organization has recently experienced a breach of credit card information. After investigation, it is discovered that her organization was inadvertently not fully compliant with PCIDSS and is not currently fully compliant. Which of the following penalties is her organization most likely to incur? A. Criminal charges B. Fines C. Termination of the credit card processing agreement D. All of the above

8. B. Locking cabinets and drawers is the best solution because they allow individuals to lock their drawers and ensure that access to a single key does not allow broad access to documents like a department door lock or proximity cards for the space. Onboarding is the process of adding an employee to a company's identity and access management system and would not help with securing documents, but it might teach the process of doing so.

8. After your company implemented a clean desk policy, you have been asked to secure physical documents every night. Which of the following would be the best solution? A. Department door lock B. Locking cabinets and drawers at each desk C. Proximity cards D. Onboarding

80. C. The Cloud Security Alliance's Cloud Control Matrix maps existing standards to common control descriptions allowing control requirements to be compared and validated across many standards and regulations. The CSA reference architecture is a set of standard designs, and ISO 27001 and ISO 27002 are standards for managing information security.

80. Alaina wants to map a common set of controls for cloud services between standards like COBIT (Control Objectives for Information and Related Technology), FedRAMP (Federal Risk and Authorization Management Program), HIPAA (the Health Insurance Portability and Accountability Act of 1996), and others. What can she use to speed up that process? A. The CSA's reference architecture B. ISO 27001 C. The CSA's cloud control matrix D. ISO 27002

81. B. Gamification makes training into a game to get more involvement and interest. Scoring points and receiving rewards, either in-game or virtually, can have a significant positive impact on the response to training. Capture-the-flag events focus on techniques like finding hidden information or otherwise obtaining "flags" as part of a contest. Phishing campaigns send fake phishing emails to staff to identify individuals who may fall for them. Role-based training focuses on training specifically for the role or job that an individual has or will have.

81. Gary has created an application that new staff in his organization are asked to use as part of their training. The application shows them examples of phishing emails and asks the staff members to identify the emails that are suspicious and why. Correct answers receive points, and incorrect answers subtract points. What type of user training technique is this? A. Capture the flag B. Gamification C. Phishing campaigns D. Role-based training

84. B. Mission-essential functions are defined as those functions that an organization must run throughout a disaster or that must be resumed as quickly as possible after one if they cannot be sustained. They are the core functions of the organization and are key to its success and ongoing existence. A single point of failure (SPOF) is a point where a device, system, or resource can fail and cause an entire function or organization to no longer work. Recovery time objectives (RTOs) are the time allotted to return to normal functionality. Core recovery functions were made up for this question.

84. What term is used to describe the functions that need to be continued throughout or resumed as quickly as possible after a disaster? A. Single points of failure B. Mission-essential functions C. Recovery time objectives D. Core recovery functions

87. C. Theft of proprietary information like a formula or code is an example of intellectual property (IP) theft. IP theft can be harder to quantify the cost of a loss in many cases but can have significant impact to an organization that relies on the IP for their business. External risk is risk created by factors outside the organization, internal risk is created by the organization itself or its decisions, and licensing risk exists through software and other contracts.

87. Jack is conducting a risk assessment, and a staff member notes that the company has specialized, internal AI algorithms that are part of the company's main product. What risk should Jack identify as most likely to impact those algorithms? A. External B. Internal C. IP theft D. Licensing

89. C. The likelihood of occurrence, or probability, is multiplied by the impact to determine a risk's severity.

89. Risk severity is calculated using the equation shown here. What information should be substituted for X? Risk severity = X * Impact A. Inherent risk B. MTTR (mean time to repair) C. Likelihood of occurrence D. RTO (recovery time objective)

9. D. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have. Change management is the process of managing configuration changes made to a network. Vulnerability assessment attempts to identify, quantify, and rank the weaknesses in a system. Qualitative risk assessment is the process of ranking which risk poses the most danger using ratings like low, medium, and high.

9. Which of the following techniques attempts to predict the likelihood a threat will occur and assigns monetary values should a loss occur? A. Change management B. Vulnerability assessment C. Qualitative risk assessment D. Quantitative risk assessment

90. D. Organizations can determine how they want to determine asset value, but consistency is important in many cases. Thus, the original cost, the replacement cost, or a depreciated cost may be used.

90. How is asset value determined? A. The original cost of the item B. The depreciated cost of the item C. The cost to replace the item D. Any of the above based on organizational preference

91. A. A business impact analysis (BIA) helps to identify critical systems by determining which systems will create the largest impact if they are not available. MTBF is the mean time between failures, an RTO is a recovery time objective, and an ICD was made up for this question.

91. What process is used to help identify critical systems? A. A BIA B. An MTBF C. An RTO D. An ICD

95. B. Sean is conducting a site risk assessment that will help him understand and communicate the risks that the site itself has. If the location is in a FEMA-identified flood plain, or if there are concerns about tornadoes or other natural disasters, those need to be taken into account as the organization makes its decisions about the location. A BIA identifies mission-critical functions and the systems that support them. Crime prevention through environmental design is a design concept that uses the design of facilities to reduce the likelihood of criminal actions through use of lighting and other controls. Business continuity planning focuses on how to keep an organization operating despite disruptions.

95. As part of his organization's effort to identify a new headquarters location, Sean reviews the Federal Emergency Management Agency (FEMA) flood maps for the potential location he is reviewing. What process related to disaster recovery planning includes actions like this? A. Business impact analysis (BIA) B. Site risk assessment C. Crime prevention through environmental design D. Business continuity planning

97. B. Ensuring that leadership throughout an organization is aware of the risks the organization faces and that they are regularly updating and providing feedback on those risks helps increase risk awareness. Inherent risk is risk that exists before controls are in place, and residual risk is risk that remains after controls are in place. Risk appetite is the risk that an organization is willing to take as part of doing business.

97. Jason has created a risk register for his organization and regularly updates it with input from managers and senior leadership throughout the organization. What purpose does this serve? A. It decreases inherent risk. B. It increases risk awareness. C. It decreases residual risk. D. It increases risk appetite.

98. C. State laws often include breach notification thresholds and requirements that organizations must follow. Laura should ensure that she is both aware of the breach laws for her state and any other states or countries her company operates in, and that her incident response plans have appropriate processes in place if a breach occurs. Organizations that process data like SSNs are unlikely to delete them even if a breach occurs, reclassifying data would not help unless the data was improperly classified before the breach, and data minimization plans are used to limit how much data an organization has, not to respond to a breach directly.

98. Laura is aware that her state has laws that guide her organization in the event of a breach of personally identifiable information, including Social Security numbers (SSNs). If she has a breach that involves SSNs, what action is she likely to have to take based on state law? A. Destroy all Social Security numbers. B. Reclassify all impacted data. C. Provide public notification of the breach. D. Provide a data minimization plan.

99. C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches. A job rotation policy is the practice of moving employees between different tasks to promote experience and variety. Separation of ties has more than one person required to complete a task. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.

99. Which of the following does not minimize security breaches committed by internal employees? A. Job rotation B. Separation of duties C. Nondisclosure agreements signed by employees D. Mandatory vacations