Domain 5, Quiz 2 Flashcards

1
Q

Which of the following is a potential consequence of failing to meet security compliance regulations?

a. Enhanced operational efficiency
b. Reputational damage
c. Increase in customer trust
d. Increase in stock prices

A

Reputational damage

Failing to comply with security standards can harm an organization’s public image and trustworthiness.

2
Q

The right for an individual to have their personal data erased by an entity that is storing it, especially online, is referred to as:

a. Data retention
b. Data accountability
c. Right to be forgotten
d. Data integrity

A

Right to be forgotten

A principle that gives individuals the power to request their personal information be removed.

3
Q

What primarily differentiates a data controller from a data processor?

a. Data processors have the final say in data retention policies.
b. Data controllers are solely responsible for data breaches.
c. Data processors create the data while controllers analyze it.
d. A data controller determines the purpose and means of processing, while a processor processes data on behalf of the controller.

A

A data controller determines the purpose and means of processing, while a processor processes data on behalf of the controller.

The controller is responsible for why and how personal data is processed, and the processor does the actual processing.

4
Q

An organization is looking for an assessment where a third party verifies its adherence to certain regulations. Which of the following best describes this?

a. Penetration testing
b. Self-assessment
c. Independent third-party audit
d. Internal compliance

A

Independent third-party audit

Involves an external entity evaluating the organization’s compliance.

5
Q

During a penetration test, an attacker has no prior knowledge of the network infrastructure. Which type of testing environment does this represent?

a. Unknown environment
b. Integrated environment
c. Partially known environment
d. Known environment

A

Unknown environment

The attacker has no prior information about the infrastructure.

6
Q

What kind of reconnaissance involves using openly available sources without directly interacting with the target system?

a. Defensive
b. Passive
c. Active
d. Integrated

A

Passive

Uses open sources and does not interact directly with the target.

7
Q

A company regularly sends out simulated phishing emails to test employee awareness. What is this practice called?

a. Campaigns
b. Attestation
c. User guidance
d. Phishing prevention

A

Campaigns

Organized efforts to test and increase security awareness among employees.

8
Q

What is the primary goal of security awareness training for employees?

a. To ensure they are aware of the company’s security policy.
b. To enable them to recognize and respond appropriately to security threats.
c. To ensure they know the IT department’s contact information.
d. To inform them of the latest industry news.

A

To enable them to recognize and respond appropriately to security threats.

Security awareness training aims to equip employees with the knowledge and skills to detect and deal with security threats.

9
Q

Which of the following best explains the role of a regulatory external audit for a company?

a. To verify the company’s adherence to industry-specific laws and regulations.
b. To evaluate the company’s internal communication effectiveness.
c. To ensure the company’s marketing strategy aligns with industry trends.
d. To check if the company’s financial statements are accurate.

A

To verify the company’s adherence to industry-specific laws and regulations.

Regulatory audits ensure compliance with specific industry laws and standards.

10
Q

In the context of privacy, who is responsible for determining the purpose, conditions, and means of processing personal data?

a. Controller
b. Data subject
c. Processor
d. Data inventory manager

A

Controller

Decides the purpose and means of processing personal data.

11
Q

If an organization conducts a test by hiring ethical hackers to simulate an attack on its premises to identify vulnerabilities in its physical security measures, it is conducting which type of penetration test?

a. Active reconnaissance
b. Physical
c. Defensive
d. Offensive

A

Physical

Refers to testing vulnerabilities in physical security measures.

12
Q

When an employee is trained to be cautious about sharing office details over casual conversations outside work, this training is primarily against which type of threat?

a. Insider threats
b. Password attacks
c. Phishing
d. Social engineering

A

Social engineering

Involves manipulating individuals into divulging confidential information.

13
Q

An employee was given a USB stick at a conference, which they want to use at work. Before using it, what is the best security measure they should take?

a. Copy the USB contents to the cloud.
b. Have the IT department scan it for malware.
c. Format the USB stick.
d. Use it on a personal computer first.

A

Have the IT department scan it for malware.

Ensures the device is safe before potential threats can harm the company’s network.

14
Q

For which reason might an organization want its employees to undergo regular training on recognizing a phishing attempt?

a. To replace the need for email filtering systems.
b. To shift all responsibility for phishing attacks to employees.
c. To reduce the need for advanced firewall systems.
d. To minimize the risk of successful phishing attacks.

A

To minimize the risk of successful phishing attacks.

Well-trained employees can be the first line of defense against phishing attempts.

15
Q

An organization requires all employees to acknowledge they have read and understood the security policy every year. What best describes this practice?

a. Regulatory audit
b. Attestation
c. Data inventory
d. Due diligence/care

A

Attestation

Refers to a formal declaration or verification, in this case, that employees have understood the security policy.
