Untitled

Questions and Answers

If Beth is restricting access to sensitive data to only authorized personnel, which principle of information security is she primarily enforcing?

  • Confidentiality (correct)
  • Denial
  • Integrity
  • Availability

Which of the following issues is typically not addressed within a standard service-level agreement (SLA)?

  • Maximum consecutive downtime
  • Failover time
  • Uptime
  • Confidentiality of customer information (correct)

Joan is seeking intellectual property protection for her newly developed software. Which of the following legal protections is generally not applicable to software?

  • Patent
  • Trademark (correct)
  • Copyright
  • Trade secret

Juniper Content's offices need secure access to each other's file servers over the internet. Which control would provide confidentiality during these communications?

  • Virtual private network (correct)

To improve data availability on the file servers, you want to implement a solution that allows continued access to files even if a hard drive fails. Which control achieves this redundancy without requiring additional servers?

  • RAID (correct)

For historical records that must never be modified, what integrity control can be implemented to periodically verify that the files have not been altered?

  • Hashing (correct)
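An added example, not part of the quiz page, of the integrity control named in this answer, in Python: a baseline manifest of SHA-256 digests is built once over the archive, the manifest is sealed with an HMAC so that an attacker who can edit the records cannot quietly edit the reference digests as well, and a later run compares the archive against the baseline and reports every file as ok, modified, missing, or unexpected. The record paths, file contents and sealing key are constructed sample data; the function and variable names are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample archive of "historical records": path -> file contents.
# A real deployment would read these from disk or object storage instead.
SAMPLE_RECORDS = {
    "records/2019-ledger.csv": b"date,amount\n2019-01-03,100\n2019-02-14,75\n",
    "records/2020-ledger.csv": b"date,amount\n2020-02-11,250\n",
}
# Hypothetical manifest-sealing key. Keep it off the host that holds the
# records; if the attacker gets both the files and this key, the seal is useless.
SAMPLE_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the given bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Baseline: map every path to the digest of its contents."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def seal_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest.

    A plain list of hashes proves nothing if the attacker can rewrite it along
    with the records; the seal ties the baseline to a key they should not hold.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_archive(manifest: dict[str, str], seal: str, key: bytes,
                   files: dict[str, bytes]) -> dict[str, str]:
    """Return a per-path status: ok, modified, missing, or unexpected.

    Raises ValueError when the seal does not verify, because a tampered
    baseline would make every other result meaningless.
    """
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        raise ValueError("manifest seal mismatch: the baseline itself was altered")
    status: dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in files:
            status[path] = "missing"
        elif hmac.compare_digest(sha256_hex(files[path]), expected):
            status[path] = "ok"
        else:
            status[path] = "modified"
    for path in files:
        if path not in manifest:
            status[path] = "unexpected"  # a file the baseline never recorded
    return status


def tampered_copy(files: dict[str, bytes]) -> dict[str, bytes]:
    """Constructed change set for the demo: one edit, one deletion, one addition."""
    copy = dict(files)
    copy["records/2019-ledger.csv"] = b"date,amount\n2019-01-03,1000\n2019-02-14,75\n"
    del copy["records/2020-ledger.csv"]
    copy["records/2021-ledger.csv"] = b"date,amount\n"
    return copy


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS)
    seal = seal_manifest(manifest, SAMPLE_KEY)
    print("baseline check:", verify_archive(manifest, seal, SAMPLE_KEY, SAMPLE_RECORDS))
    print("after tampering:", verify_archive(manifest, seal, SAMPLE_KEY,
                                             tampered_copy(SAMPLE_RECORDS)))
```

The periodic check is only as trustworthy as the baseline: store the manifest and its seal somewhere the archive's writers cannot reach (a separate system, write-once media, or a signed log), and alert on a seal failure as loudly as on a modified record, since it means someone tried to move the goalposts rather than the files.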

An employee, Bob, consistently sends sensitive company data to his personal email address. Which security control would be most effective in directly preventing this type of data exfiltration?

  • Data loss prevention (DLP) (correct)

A company wants to ensure that all employees are aware of the latest cybersecurity threats and company policies. Which of the following is the MOST effective method for achieving this?

  • Conducting regular security awareness training (correct)

Alyssa manages her organization's security awareness program and worries about technological changes making content obsolete. Which control BEST addresses this risk?

  • Content reviews (correct)

Gavin is preparing a risk assessment report and wants to identify the risk level after implementing security controls. Which term describes this remaining risk?

  • Residual risk (correct)

Francine, a security specialist for a U.S.-based online service provider, receives a copyright infringement claim. Which law governs her required actions?

  • Digital Millennium Copyright Act (DMCA) (correct)

FlyAway Travel, with offices in both the EU and the US, regularly transfers personal information. An EU customer requests account termination. According to GDPR, what action MUST FlyAway Travel take?

  • Erase the customer's personal data and cease processing it. (correct)

An organization is developing a new security policy. Which of the following is the MOST important consideration when creating this policy?

  • Ensuring the policy is aligned with business objectives. (correct)

During a risk assessment, which activity BEST helps to determine the potential financial loss from a specific threat exploiting a vulnerability?

  • Calculating the annualized loss expectancy (ALE). (correct)

A company wants to improve its supply chain risk management (SCRM). Which of the following should be its INITIAL step?

  • Assessing and mapping the current supply chain. (correct)

Which of the following actions is least likely to be part of a typical employee termination process handled by human resources?

  • Signing a non-compete agreement (NCA) (correct)

Why is it essential to establish and promote professional ethics within an organization's security practices?

  • To foster trust and accountability among employees and stakeholders. (correct)

Frances is reviewing her organization's business continuity plan documentation. Which element is least likely to be found within this documentation?

  • Statement of accounts (correct)

An accounting employee at Doolittle Industries embezzled funds by making frequent transfers between accounts to disguise the fraud. Which control would have been most effective in detecting this activity earlier?

  • Mandatory vacation (correct)

Jeff wants to use an industry-standard approach to assess the processes that manage risk. Which maturity model would be the most appropriate?

  • COBIT (correct)

Chris' organization experienced a denial-of-service attack, rendering their e-commerce website unavailable. Which information security goal was most directly impacted?

  • Availability (correct)

Yolanda is creating a document that specifies the minimum security requirements that every system in her organization must meet. What type of document is she preparing?

  • Baseline (correct)

In an organization, who should initially receive comprehensive business continuity plan (BCP) training?

  • Those with specific business continuity roles (correct)

James is performing a risk assessment and needs to assign an asset value to the servers in his data center. The primary concern is the cost to rebuild the data center if it is destroyed. Which asset valuation method is most relevant?

  • Replacement cost (correct)

A U.S. company is planning to export technology to multiple countries. Which technology is most likely to be subject to export control regulations, requiring specific licenses or restrictions?

  • High-grade encryption software used to secure communications and data. (correct)

During a security audit, a system administrator discovers that a regular user account was able to gain unauthorized root access by exploiting a buffer overflow vulnerability in a widely used system utility. According to the STRIDE threat model, which type of threat does this represent?

  • Elevation of privilege (correct)

As part of your organization's business continuity plan, a specific risk has been identified and consciously accepted. After deciding to accept the risk, what is the most important next step?

  • Thoroughly document the decision-making process, rationale, and potential impact of accepting the risk. (correct)

Your organization wants to improve the physical security of its media storage facility. How would you classify a perimeter fence around the facility based on security control categories? (Select all that apply.)

  • Physical (correct)
  • Deterrent (correct)

An organization is having difficulty combining information about tangible and intangible assets due to the acquisition of a competitor for their business continuity plan. Which risk assessment approach would be most effective?

  • Combination of quantitative and qualitative risk assessment (correct)

An employee suspects that a former employee stole trade secrets and brought them to a competitor. Under what law could legal charges be pursued?

  • Economic Espionage Act (correct)

What principle dictates that individuals must act as a reasonable person would under similar circumstances, establishing a broad standard of expected behavior?

  • Due care (correct)

Brenda’s organization recently finished acquiring a competitor firm. What is one of the most likely next steps?

  • Harmonize security policies. (correct)

Chas recently completed the development of his organization's business continuity plan (BCP). Who is the ideal person to approve an organization's business continuity plan?

  • Chief Executive Officer (correct)

Which one of the following actions is NOT normally part of the project scope and planning phase of business continuity planning?

  • Documentation of the plan (correct)

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?

  • Availability (correct)

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?

  • Cold site (correct)

Greg's company recently experienced a significant data breach involving the personal data of many of their customers. The company operates only in the United States and has facilities in several different states. The personal information relates only to residents of the United States. Which breach laws should they review to ensure that they are taking appropriate action?

  • The breach laws of states they do business in or where their customers reside, along with federal breach laws. (correct)

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

  • ISO 27002 (correct)

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt's clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

  • CALEA (correct)

Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. Which U.S. law mandates these notices?

  • GLBA (Gramm-Leach-Bliley Act) (correct)

Alan is performing threat modeling and decomposes a system into core elements using a data flow diagram for user authentication. Which tool is he most likely using?

  • Data modeling (correct)

Shahla is reviewing privacy laws for a new enterprise in South Africa that handles personal information of residents. Which law is most likely to affect this operation?

  • POPIA (correct)

When attempting to evaluate the impact of a failure on customer confidence, which type of business impact assessment tool is the most appropriate?

  • Qualitative (correct)

Ryan, a security risk analyst, is examining a scenario where a hacker uses a SQL injection attack to deface a web server due to a missing patch. In this scenario, what constitutes the threat?

  • Malicious hacker (correct)

At Atwood Landing, a resort community in the midwestern United States, a typical tornado would cause approximately $5 million of damage to a data center that would cost $10 million to rebuild. What is the exposure factor for the effect of a tornado on Atwood Landing's data center?

  • 50% (correct)

At Atwood Landing's data center, meteorologists determined that the facility is likely to experience a tornado once every 200 years. What is the annualized rate of occurrence for a tornado?

  • 0.005 (correct)

Given a $5 million potential damage from a tornado and an annualized rate of occurrence of 0.005 at Atwood Landing's data center, what is the annualized loss expectancy (ALE)?

  • $25,000 (correct)

Which of the following actions demonstrates the principle of least privilege?

  • Providing users with only the minimum necessary access rights required to perform their job functions. (correct)

Flashcards

Security Awareness Program

The process of educating employees about security risks and best practices to reduce human error.

Content Reviews

Reviewing and updating security awareness program content regularly to reflect changes in technology and threats.

Residual Risk

The level of risk remaining after security controls have been implemented.

Inherent Risk

The risk to an organization before any controls are applied.

Digital Millennium Copyright Act (DMCA)

A U.S. law that extends copyright protection to the digital era. Among other things, it shields online service providers from liability for copyright infringement committed by their users, provided the provider follows the notice-and-takedown procedure when a claim is received.

Lanham Act

A U.S. federal law that governs trademarks, brand names, and unfair competition.

Gramm-Leach-Bliley Act (GLBA)

A U.S. federal law that protects consumers' personal financial information held by financial institutions and requires those institutions to send customers privacy notices.

Copyright Act

The U.S. federal law that governs copyright.

Encryption Software

Software that scrambles data so that it cannot be read without the key. Its export from the United States is regulated and may require a specific license.

Elevation of Privilege

The STRIDE threat category in which an attacker gains rights beyond those granted, for example a normal user account obtaining administrative or root access through a vulnerability.

Document Risk Acceptance

Recording the rationale, the decision-makers, and the potential impact when a risk is consciously accepted during business continuity planning.

Physical Controls

Controls that provide a physical barrier or presence, such as fences, locks, and guards.

Deterrent Controls

Controls that discourage potential attackers from acting, such as visible fences, warning signs, and cameras.

Qualitative Risk Assessment

A risk assessment that rates likelihood and impact with descriptive categories (low, medium, high) rather than dollar values. It is the right tool for intangible assets such as reputation; when tangible and intangible assets must be prioritized together, it is combined with quantitative assessment.

Economic Espionage Act

A U.S. law that criminalizes the theft or misappropriation of trade secrets.

Due Care

Acting as a reasonable person would under similar circumstances. Due diligence is the ongoing effort (research, monitoring, upkeep) that maintains due care.

Confidentiality

Protecting information from unauthorized access and disclosure.

Availability

Ensuring systems and data are accessible when needed.

Integrity

Protecting the accuracy and completeness of information.

Service-Level Agreement (SLA)

An agreement that defines the level of service a customer expects from a provider, including metrics around uptime, failover time, and maximum consecutive downtime.

Copyright

A form of intellectual property law that protects original works of authorship, including software code.

Virtual Private Network (VPN)

Creates an encrypted tunnel across an untrusted network such as the internet, providing confidentiality (and normally integrity) for the traffic carried inside it.

RAID

A data storage virtualization technology that combines multiple physical disk drives into one or more logical units for data redundancy, performance improvement, or both.

Hashing

A one-way function that produces a fixed-size digest of a file's contents. Any change to the file changes its digest, so recomputing digests and comparing them with a stored baseline verifies integrity; the stored digests must themselves be protected from tampering.

Exit Interview

A formal discussion conducted with an employee leaving the organization, covering reasons for departure and feedback on the employee's experience.

Business Continuity Plan (BCP)

A document outlining how an organization will continue operating during an unplanned disruption in service.

Separation of Duties

Assigning tasks to different individuals to prevent a single person from controlling all aspects of a process.

Mandatory Vacation

Requiring employees to take leave so that someone else performs their duties; fraud that depends on continuous manipulation (such as repeated transfers to hide embezzlement) becomes visible while they are away.

Maturity Model

A structured approach to evaluating and improving processes.

Security Baseline

A document that establishes the minimum security standard that systems must meet.

Replacement Cost

The cost to rebuild or replace an asset with an equivalent new one; the relevant valuation when the concern is the cost of recovering after destruction.

Business Continuity Plan (BCP) Training

Training to ensure that employees understand their roles and responsibilities in maintaining business operations during disruptions.

BCP Approver

The individual with overall responsibility for the organization's operations and resources, holding ultimate accountability; typically the Chief Executive Officer.

BCP: Documentation vs. Scope and Planning

Documenting the plan is a later phase of business continuity planning. The project scope and planning phase covers analyzing the business organization, selecting the BCP team, assessing resource requirements, and reviewing legal and regulatory requirements.

Cold Site

A facility with HVAC, power, and communication circuits but no hardware. It is the cheapest form of alternate site and the slowest to bring into operation.

Data Breach Legal Review

Review the breach notification laws of every state where the company does business or where affected customers reside, plus applicable federal laws.

ISO 27002

A comprehensive set of information security controls that is accepted globally.

CALEA

Requires telecommunications carriers to cooperate with lawful law enforcement wiretap requests.

Data Flow Diagram (DFD)

A method of visually representing data flow within a system for threat modeling.

Threat Modeling

Analyzing a system to identify threats, the vulnerabilities they could exploit, and the controls that mitigate them.

POPIA

South Africa's Protection of Personal Information Act, which governs the processing of personal information.

Qualitative BIA

A business impact assessment method for non-numerical impacts such as customer perception and reputation.

Threat

Something that can exploit a vulnerability, potentially causing harm.

Exposure Factor (EF)

The percentage of an asset's value that would be lost in a single occurrence of a given threat (single loss expectancy = asset value × EF).

Annualized Rate of Occurrence (ARO)

The expected number of times a threat event will occur in a year (once every 200 years gives an ARO of 0.005).

Annualized Loss Expectancy (ALE)

The expected monetary loss from a risk in a year (ALE = single loss expectancy × ARO).

Study Notes

  • Domain 1 involves Security and Risk Management.

Subdomains

  • Understand, adhere to, and promote professional ethics.
  • Understand and apply security concepts.
  • Evaluate, apply, and sustain security governance principles.
  • Understand legal, regulatory, and compliance issues related to information security in a holistic context.
  • Understand requirements for various investigation types: administrative, criminal, civil, regulatory, and industry standards.
  • Develop, document, and implement security policy, standards, procedures, and guidelines.
  • Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements.
  • Contribute to and enforce personnel security policies and procedures.
  • Understand and apply risk management concepts.
  • Understand and apply threat modeling concepts and methodologies.
  • Apply Supply Chain Risk Management (SCRM) concepts.
  • Establish and maintain a security awareness, education, and training program.

Question 1: Alyssa and Security Awareness Program

  • The question concerns Alyssa, who is in charge of security awareness.
  • She is worried that technology changes could make the content outdated.
  • Content reviews would address this risk.

Question 2: Gavin and Risk Assessment

  • Gavin wants to identify the remaining risk in the organization after applying security controls.
  • Residual risk refers to the risk that remains after controls are implemented.

Question 3: Francine and the Copyright Claim

  • Francine is a security specialist for a U.S.-based online service provider.
  • A user has stored content on the service, and the provider receives a copyright infringement claim.
  • The Digital Millennium Copyright Act (DMCA) and its notice-and-takedown provisions govern the actions Francine must take.

Question 4: FlyAway Travel and GDPR

  • It addresses FlyAway Travel, which has offices in the EU and the US.
  • They regularly transfer data between offices.
  • Under GDPR, individuals have the right to erasure, enabling them to request their data to be deleted.

Question 5: Sally and Risk Response

  • The matter concerns Sally, who recommends purchasing cybersecurity breach insurance.
  • In this case, buying cybersecurity breach insurance is a risk transfer behavior.

Question 6: Personally Identifiable Information (PII)

  • The question asks which element is NOT personally identifiable information (PII) and therefore would not trigger most U.S. state data breach laws.
  • Student ID number is the element that does not trigger breach notification.
  • Social Security numbers, driver's license numbers, and credit card numbers are considered PII and are covered by most state breach laws.

Question 7: License Agreement Negotiation

  • Renee is negotiating a software license that specifies customized terms and a discounted price.
  • An Enterprise license agreement would normally be used to document the results of this negotiation.

Question 8: Henry's Ethics Violation

  • Henry disclosed the contents of the CISSP exam, a breach of Canon IV of the ISC2 Code of Ethics (advance and protect the profession).
  • Under the ISC2 complaint procedures, any member of the public may bring charges for Canons I and II, but Canon IV complaints may be brought only by other certified professionals.

Question 9: Wanda and GDPR Compliance

  • Wanda's organization exchanges customer information with an EU partner and must comply with GDPR.
  • Binding corporate rules are the GDPR-approved mechanism identified for these transfers.

Question 10: Yolanda and Privacy Requirements

  • Pertains to Yolanda, a chief privacy officer for a financial institution.
  • GLBA is most likely to apply to her situation.

Question 11: Tim and Government Research Contracts

  • The question is about Tim's organization that conducts research on a government contract.
  • FISMA (Federal Information Security Management Act) now likely applies to the information systems.

Question 12: Chris and Overseas Travel Compliance

  • Chris is concerned about compliance with export control laws.
  • Encryption software is most likely to trigger these regulations.

Question 13: Bobbi and STRIDE Threat Model

  • Deals with Bobbi, who is investigating a security incident.
  • The attacker exploited a system vulnerability to gain administrative rights.
  • The type of attack that took place under the STRIDE threat model is Elevation of Privilege.

Question 14: Business Continuity Planning

  • The question concerns accepting one of the identified risks.
  • After that decision, you should document the decision-making process, rationale, and potential impact.

Question 15: Control Review

  • Physical
  • Deterrent
  • Preventive

Question 16: Tony and Business Continuity Plan

  • Tony is having difficulty prioritizing resources because he must combine tangible and intangible assets.
  • A combination of quantitative and qualitative risk assessment approaches is most effective.

Question 17: Vincent and Trade Secret Theft

  • Vincent suspects a former employee took trade secrets to a competitor and wants to pursue legal action.
  • Charges can be brought under the Economic Espionage Act.

Question 18: Due Care

  • Concerns the broad principle that applies to everyone and sets an expected standard of behavior.
  • Due care imposes that standard: act as a reasonable person would under similar circumstances.

Question 19: Brenda and Organizational Acquisition

  • Brenda's organization has acquired a competitor; the question asks which task is least likely to be part of the organizational processes addressed during the acquisition.
  • Documentation of security policies is the least likely to be part of those processes.

Question 20: Administrative Investigation and Burden of Proof

  • Concerns an administrative investigation into unauthorized use of computing resources.
  • Preponderance of the evidence is the standard of proof the investigation must meet.

Question 21: Keenan Systems and Technology Licensing

  • Keenan Systems has developed a new manufacturing process and wants to license it to others while preventing unauthorized use.
  • A patent is the intellectual property protection best suited to this situation.

Question 22: Business Continuity Plan Actions

  • Examples of actions that are not normally part of business continuity planning because they belong to disaster recovery:
  • Restoring from backup tapes
  • Relocating to a cold site
  • Restarting business operations

Question 23: Developing a Business Impact Analysis (BIA)

  • The first step is to create a list of the organization's assets.
  • Next, develop a value for each asset.

Question 24: Mike Managing Network Attacks

  • Mike implemented an intrusion prevention system (IPS) to block attacks.
  • Mike is pursuing a risk mitigation strategy.

Question 25: Laura and Security Controls Assessment

  • Laura needs to perform a Security Controls Assessment (SCA).
  • SCAs are a federal requirement, so she is most likely in a government organization.

Question 26: Carl and Federal Investigation Standards

  • A federal agent is investigating a computer crime case.
  • Beyond a reasonable doubt is the standard of proof that must be met in a criminal case.

Question 27: Intellectual Property and Brand Representation

  • Concerns intellectual property protection for the name or logo a company uses to represent itself online.
  • A trademark is the appropriate protection.

Question 28: Mary and Computer Attack Identification

  • Mary is helping a user whose computer screen displays an attacker's message.
  • The attack compromised confidentiality.

Question 29: Organizations Exempt from HIPAA

  • A health and fitness application developer would not automatically be subject to the regulation, because it is not a covered entity.

Question 30: John and Network Security

  • John's systems are experiencing slowness.
  • The information security principle being violated is availability.

Question 31: Renee and Strategic Security Planning

  • Renee is developing a plan that sets the organization's primary long-term security goals.
  • The type of plan she is developing is strategic.

Question 32: Gina and U.S. Agency Roles

  • Gina wants to protect the name of a brand-new product she is launching.
  • The U.S. Patent and Trademark Office (USPTO) is the agency best suited to handle the registration.

Question 33: Security Control for Vendor Accounts

  • New accounting controls are being put in place to prevent a single employee from creating a new vendor account on their own.
  • Segregation (separation) of duties is the control that best prevents this.

Question 34: Organizations Covered by FISMA

  • Asks which type of organization is most likely to be covered by FISMA.
  • Defense contractors are the most likely, because they operate systems on behalf of the federal government.

Question 35: Securing Credit Card Processing Systems

  • Concerns securing the systems that store, process, or transmit credit card information.
  • PCI DSS should guide his actions.

Question 36: Data Protection Responsibilities

  • Concerns which management role is responsible for the day-to-day protection of data.
  • The data custodian is responsible for implementing the security policies set by the data owner.

Question 37: Alan and E-commerce Content Theft

  • Content was stolen from an e-commerce company and republished by another site.
  • Copyright is the intellectual property protection that applies to the stolen content.

Question 38: Florian and New Administrative Law

  • Florian received a notice from a federal agency about a new administrative law.
  • The text of the law can be found in the Code of Federal Regulations (CFR).

Question 39: Mitigating Application Attacks

  • Viewed from the risk perspective, mitigating application attacks (for example, by patching) works on one of the two factors of risk.
  • Lowering the likelihood is the correct answer.

Question 40: Information Security Program Owner

  • Asks which individual would be the most effective owner of the information security program.
  • The President and CEO is the best owner.

Question 41: Senior Management in Business Continuity

  • Concerns the role of senior managers in business continuity planning.
  • An important function they fill is arbitrating disputes about priorities and criticality.

Question 42: Hospital System SaaS Vendor Audit

  • A hospital system wants assurance about the controls of a SaaS vendor.
  • A SOC 2 report provides that assurance.

Question 43: Gary Investigating a Security Incident

  • Gary is analyzing a security incident to classify the threat.
  • The type of threat taking place is denial of service.

Question 44: Beth the Security Administrator

  • Beth is a security administrator at a school and is protecting testing data.
  • The action enforces integrity.

Question 45: Issues NOT in Service Level Agreements (SLAs)

  • Concerns which items belong in a service-level agreement.
  • Confidentiality of customer information is not normally addressed in an SLA.

Question 46: Joan and Intellectual Property Protection

  • Asks which legal protection is not applicable to software.
  • Patent, copyright, and trade secret can protect software; a trademark protects only the name or logo under which it is sold.

Question 47: Users Sharing Files

  • Offices need confidentiality for file sharing over the internet.
  • A virtual private network (VPN) provides it.

Question 48: Availability of Server Data

  • The goal is availability of file server data if a hard drive fails.
  • RAID provides this redundancy without requiring additional servers.

Question 49: File Integrity Control

  • Historical records must never be modified.
  • Hashing the files and periodically comparing the digests verifies that they have not been altered.

Question 50: Human Resources Specialist

  • Asks which action is not typically part of the employee termination process.
  • Signing a non-compete agreement (NCA) is not; that happens at hiring.

Question 51: Business Continuity Plan

  • Frances is reviewing her organization's completed BCP documentation.
  • A statement of accounts is not normally included.

Question 52: Auditors and Fraud

  • An employee at Doolittle Industries disguised embezzlement with frequent transfers between accounts.
  • Mandatory vacation would have detected the fraud earlier, because the transfers cannot be maintained while the employee is away.

Question 53: Jeff and Standard Process Assessment

  • Jeff wants an industry-standard maturity model for assessing risk management processes.
  • The quiz above selects COBIT.

Question 54: Chris and Website Attacks

  • A denial-of-service attack made the e-commerce site inaccessible to customers.
  • Availability is the goal most directly impacted.

Question 55: Yolanda and the Configuration Document

  • Yolanda is writing the minimum security requirements every system must meet.
  • She is preparing a baseline.

Question 56: Who Should Get Business Continuity Training

  • Asks who should initially receive comprehensive BCP training.
  • Those with specific business continuity roles.

Question 57: Data Center Asset Valuation

  • James is assigning asset values to data center servers for a risk assessment.
  • Because the concern is the cost to rebuild, replacement cost is the relevant method.

Question 58: Credit Card Breach

  • Roger is responding to a breach of stored credit card data.
  • PCI DSS governs the investigation requirements he must follow.

Question 59: Cyber Security Champion Program

  • Rick wants peers in the business units to assist the security team.
  • The term for this relationship is security champion.

Question 60: Frank and the CEO's Keylogger

  • Frank discovered a keylogger on the CEO's computer.
  • The principle being violated is confidentiality.

Question 61: Vendor Security Requirements

  • Concerns the requirements an organization imposes on its vendors.
  • Compliance with applicable regulations is the standard set.

Question 62: Risk Management Framework Diagram

  • The question shows a risk management framework with one step missing.
  • The missing step is assessing the controls.

Question 63: HAL and Mitigation Services

  • HAL stopped offering a service because it could be used in attacks.
  • This is risk avoidance.

Question 64: Security Goal for Company Data

  • The company wants to reduce the likelihood that its information is breached.
  • The goal is confidentiality.

Question 65: Emergency Response Component

  • Concerns the emergency response component of the BCP.
  • It lists the actions the organization should take immediately when a disruption occurs.

Question 66: Business Continuity Plan Approval

  • Chas has finished developing the BCP.
  • The Chief Executive Officer (CEO) is the person responsible for approving it.

Question 67: Project Scope and Planning Phase Actions

  • Concerns which actions belong to the project scope and planning phase of BCP.
  • Documentation of the plan is not part of that phase.

Question 68: Gary and Availability

  • Gary's architecture uses multiple small web servers behind a load balancer.
  • The principle he wants to enforce is availability.

Question 69: Becka's Alternate Data Processing Facility

  • The facility has HVAC, power, and communications circuits but no hardware.
  • Becka is using a cold site.

Question 70: Data Breach Laws

  • Greg's company suffered a significant breach of U.S. customer data.
  • It should review the breach laws of the states where it does business or where customers reside, along with federal breach laws.

Question 71: Ben and Information Security Control Frameworks

  • Ben wants a widely accepted control objective framework focused on information security.
  • ISO 27002 best meets his needs.

Question 72: Federal Wiretap

  • Matt, at a telecommunications firm, is approached by a federal agent with a search warrant.
  • CALEA requires communications service providers to cooperate with such requests.

Question 73: Financial Privacy Notifications

  • Gary receives yearly privacy notices from his financial institutions.
  • GLBA mandates these notices.

Question 74: Vendor Nondisclosure Agreement

  • Concerns the typical requirements placed on a vendor.
  • A nondisclosure agreement (NDA) protects information disclosed during the scope of the engagement.

Question 75: ISC2 Code of Ethics

  • Concerns the ISC2 Code of Ethics and the disclosure of breaches.
  • Privacy must not be breached.

Question 76: Business Continuity Planning Stakeholders

  • All stakeholders participate in business continuity planning.
  • The CEO and board are involved to support the departments doing the work.

Question 77: Ben's Messaging System Design

  • Ben wants the recipient to be able to prove that a message came from the original sender.
  • Ben's goal is non-repudiation.

Question 78: Defense in Depth

  • Implementing overlapping controls so that no single control failure exposes the asset.
  • This is the principle of defense in depth.

Question 79: Ethics for Nonprofit Work

  • A security professional is working for a nonprofit.
  • The ISC2 Code of Ethics applies to all professional work, so its ethical obligations still apply.

Question 80: Payment Card Information Stored in a Database

  • Policy requires payment card data stored in the database to be encrypted.
  • The question asks what would best justify an exception to encrypting the contents.

Question 81: Risk Assessment Quadrants

  • Concerns the quadrant in which a risk falls when plotted by likelihood and impact.
  • A risk with high likelihood and high impact requires immediate attention.

Question 82: Termination Plan

  • A smooth termination meeting requires advance planning.
  • Coordination with human resources is best.

Question 83: Rolando and Enterprise Risk Mitigation

  • Rolando works for a large enterprise with substantial risk operations.
  • The company has the ability to mitigate risk.

Question 84: COPPA (Children's Online Privacy Protection Act)

  • Applies to websites that collect information from children.
  • Parental consent is required for children below the cut-off age.
  • The cut-off age is 13.

Question 85: Flood Zones

  • Locating a facility requires determining which flood plain it lies in.
  • A 100-year flood plain corresponds to a 1% annual chance of flooding (an ARO of 0.01); a 500-year flood plain corresponds to 0.2% (0.002).

Question 86: The Security Principle Violated

  • A user on the network is running Wireshark.
  • Using a sniffer for illicit purposes violates confidentiality.

Question 87: Threat Modeling

  • Threat modeling decomposes a system into its core elements.
  • Alan decomposes the system using a data flow diagram.

Question 88: Privacy Laws

  • A new enterprise in South Africa handles residents' personal information.
  • POPIA is the law that affects the operation.

Question 89: Evaluating Customer Confidence

  • Concerns evaluating the impact of a failure on customer confidence.
  • A qualitative business impact assessment tool is most appropriate.

Question 90: Threats to Web Services

  • Ryan examines a SQL injection attack that defaced a web server because of a missing patch.
  • The threat is the malicious hacker; the missing operating system patch is the vulnerability.

Question 91: Exposure Factor for a Tornado

  • A tornado would cause about $5 million of damage to a data center that would cost $10 million to rebuild.
  • The exposure factor is 50%.

Question 92: Annualized Rate of Occurrence for a Tornado

  • Meteorologists expect a tornado at the Atwood Landing data center once every 200 years.
  • The annualized rate of occurrence is 1/200 = 0.005.

Question 93: ALE for Tornadoes

  • Single loss expectancy of $5 million multiplied by an ARO of 0.005.
  • The annualized loss expectancy for Atwood Landing's data center is $25,000.

Question 94: STRIDE and HTML Comments

  • Sensitive details were embedded in HTML comments in the page source, giving an attacker clues.
  • Under STRIDE, this is information disclosure.

Question 95: Third-Party Risk

  • The organization worries about a third party's role in a key component.
  • Efforts should focus on supply chain risk management.

Question 96: Code Review Before Submission

  • Another employee reviews code before it is submitted.
  • The reviewer must approve the change; this is a peer code review control.

Question 97: Charles and Security Program Review

  • Charles measures the completion rate of security awareness training.
  • A completion rate is a key performance indicator (KPI).

Question 98: Pre-employment Screening

  • Typical screening for new hires includes:
  • Drug testing
  • Background checks
  • Social media review
  • A fitness evaluation is not typical.

Question 99: Supply Chain Risks (Select all that apply.)

  • An adversary tampering with hardware or software before it reaches the end user.
  • IaaS environments.
  • SaaS vendors gaining access to organizational data.

Question 100: Matching Laws

  • 1. GLBA: A
  • 2. PCI DSS: C
  • 3. HIPAA: D
  • 4. SOX: B
