Chap 5 - Governance Risk and Compliance Flashcards

(84 cards)

1
Q

ISO 27002

A

ISO/IEC 27002: international code of practice listing information security controls and implementation guidance; the companion to ISO/IEC 27001, which sets the requirements for building and maintaining an information security management system (ISMS)

2
Q

ISO 27017

A

ISO/IEC 27017: international standard for cloud security, giving cloud-specific controls and implementation guidance for cloud service providers and customers on top of ISO 27002 (ISO/IEC 27018 covers protection of PII in public clouds)

3
Q

NIST 800-12

A

NIST SP 800-12 (An Introduction to Information Security): general security handbook from the US National Institute of Standards and Technology introducing security concepts, program elements and control families

4
Q

NIST 800-14

A

NIST SP 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems): US NIST guidance commonly used as a basis for security policy development; since withdrawn by NIST

5
Q

Chap 5-7: You are a security manager for your company and need to reduce the risk of employees working in collusion to embezzle funds. Which of the following policies would you implement?

Mandatory vacations
Clean desk
NDA
Continuing education

A

Mandatory vacations

6
Q

Chap 5-10: Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved?

SLA
BPA
ISA
MOU

A

MOU

7
Q

MOU

A

Memorandum of Understanding: an agreement that records a shared intent between parties; less formal than a contract and usually not legally binding

8
Q

ISA

A

Interconnection Security Agreement - specifies the technical and security requirements of an interconnection between organizations

9
Q

SLE

A

Single Loss Expectancy: the expected loss from a single occurrence of a risk. Calculated as asset value (AV) x exposure factor (EF), where EF is the fraction of the asset's value lost in one incident.

e.g. an asset valued at $10,000 with an exposure factor of 30% would have an SLE of $3,000

10
Q

Chap 5-20: You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to?

Deterrent
Detective
Compensating
Degaussing

A

Deterrent

11
Q

Chap 5-21: As the IT security officer for your organization, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public or internal. Which label should be assigned to company trade secrets?

High
Top Secret
Confidential
Low

A

Confidential

12
Q

BPA

A

Business Partnership Agreement: legal agreement between two or more business partners that defines each partner's responsibilities, the sharing of profits and losses, and how partners are added or removed

13
Q

Chap 5-24: Your security manager wants to decide to mitigate based on cost. What is this an example of?

Quantitative risk assessment
Qualitative risk assessment
Business impact analysis
Threat assessment

A

Quantitative risk assessment

14
Q

Quantitative risk assessment

A

process of assigning numerical values to the probability that an event will occur and to the impact the event will have

More time consuming than a qualitative assessment because it requires detailed financial data (asset values, exposure factors, occurrence rates) and calculations such as SLE and ALE.

15
Q

Qualitative risk assessment

A

process of ranking which risk poses the most danger using relative scales (e.g. low/medium/high likelihood and impact) rather than dollar values; quicker than a quantitative assessment but more subjective

16
Q

Business impact analysis

A

aka BIA; used to evaluate the possible effect on the business should an interruption to a critical system's operation occur, whether the result of an accident, disaster or emergency

17
Q

Chap 5-25: Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme wants to include a third party vendor to help resolve the technical issues. Which of the following must Acme consider before sending data to a third party?

The data should be encrypted before it is sent to the third party vendor
This may constitute unauthorized data sharing
This may violate the privileged user role-based awareness training
This may violate the Non-Disclosure Agreement (NDA)

A

This may violate the Non-Disclosure Agreement (NDA)

18
Q

Chap 5-27: Which of the following is typically included in a BPA?

Clear statements detailing the expectation between a customer and a service provider
The agreement that a specific function or service will be delivered at the agreed on level of performance
Sharing of profits and losses and the addition or removal of a partner
Security requirements associated with interconnected IT systems

A

Sharing of profits and losses and the addition or removal of a partner

19
Q

ISA

A

Interconnection Security Agreement: specifies the technical and security requirements associated with interconnecting IT systems between organizations

20
Q

Data Minimization

A

process of ensuring that only the data required for business functions is collected and maintained

21
Q

Your company website is hosted by an Internet Service Provider. Which of the following risk response techniques is in use?

Risk avoidance
Risk register
Risk acceptance
Risk mitigation

A

Risk avoidance

Note that outsourcing hosting to a provider is normally described as risk transference (sharing), which is not among the choices; a risk register is a tracking document, not a response technique.

22
Q

Risk Response Techniques

A

There are four possible risk response strategies for negative risks (threats):

Avoid – eliminate the threat so the project is not exposed to the risk at all. Example: cancelling the project or the activity that carries the risk.
Transfer – shift the impact of the threat to a third party, together with ownership of the response. Example: buying insurance or outsourcing under contract.
Mitigate – act to reduce the probability of occurrence or the impact of the risk. Example: choosing a more reliable supplier, or adding redundancy.
Accept – acknowledge the risk but take no action unless it occurs. Example: documenting the risk and setting aside contingency funds in case it occurs.

There are also four possible risk response strategies for positive risks (opportunities):

Exploit – remove the uncertainty so the opportunity definitely occurs. Example: assigning the best workers to a project to reduce the time to complete it.
Enhance – increase the probability or the positive impact of the opportunity. Example: adding resources to finish early.
Share – allocate some or all of the ownership of the opportunity to a third party. Example: forming a partnership or joint venture.
Accept – be willing to take advantage of the opportunity if it arises but not actively pursue it. Example: documenting the opportunity and calculating the benefit if it occurs.

23
Q

Data retention policy

A

Policy that defines how long an organization keeps each type of data and when it is destroyed; regulations often require financial transaction records to be retained for a set number of years

24
Q

Chap 5-35: How do you calculate the annual loss expectancy (ALE) that may occur due to a threat?

Exposure factor (EF) / single loss expectancy (SLE)
Single loss expectancy (SLE) x annual rate of occurrence (ARO)
Asset value (AV) x exposure factor (EF)
Single loss expectancy (SLE) / exposure factor (EF)

A

Single loss expectancy (SLE) x annual rate of occurrence (ARO)

25
Q

Annual loss expectancy (ALE)

A

Single loss expectancy (SLE) x annual rate of occurrence (ARO): the expected loss per year from a given risk

26
Q

Chap 5-36: Michelle has been asked to use the CIS Benchmark for Windows 10 as part of her system security process. What information will she be using?

Information on how to secure Windows 10 in its default state
A set of recommended security configurations to secure Windows 10
Performance benchmarking tools for Windows 10 systems, including network speed and firewall throughput
Vulnerability scan data for Windows 10 systems provided by various manufacturers

A

A set of recommended security configurations to secure Windows 10

27
Q

CIS Benchmark

A

Center for Internet Security consensus-developed configuration guidance: recommendations for how to secure an operating system, application, cloud platform or other covered technology

28
Q

MTTR

A

Mean time to recovery (also mean time to repair/restore): average time for a failed device or component to be repaired or replaced

29
Q

MTBF

A

Mean time between failures: a measure of how reliable a hardware component is; the average operating time between one failure and the next

30
Q

Chap 5-42: Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis?

Quantitative risk analysis requires detailed financial information
Quantitative risk analysis is sometimes subjective
Quantitative risk analysis requires expertise on systems and infrastructure
Quantitative risk analysis provides clear answers to risk-based questions

A

Quantitative risk analysis requires detailed financial information

31
Q

Chap 5-43: Leigh Ann is the new network administrator for a local community bank. She studies current file server folder structures and permissions. The previous administrator didn't properly secure customer documents in the folders. Leigh Ann assigns the appropriate file and folder permissions to be sure that only authorized employees can access the data. What security role is Leigh Ann assuming?

Power user
Data owner
User
Custodian

A

Custodian

32
Q

Chap 5-45: You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels?

Owner
Custodian
Privacy officer
System administrator

A

Owner

33
Q

Chap 5-48: A security analyst is analyzing the cost the company could incur if the customer database was breached. The database contains 2,500 records with personally identifiable information (PII). Studies show the cost per record would be $300. The likelihood that the database would be breached in the next year is only 5%. Which of the following would be the ALE for a security breach?

$15,000
$37,500
$150,000
$750,000

A

$37,500

SLE = 2,500 records x $300 = $750,000 (the whole database is exposed, so EF = 100%); ALE = SLE x ARO = $750,000 x 0.05 = $37,500

34
Q

Chap 5-49: Which of the following concepts defines a company goal for system restoration and acceptable data loss?

MTBF
MTTR
RPO
ARO

A

RPO

Recovery point objective: specifies the allowable data loss, expressed as the amount of time that can pass during an interruption before the quantity of data lost exceeds the maximum acceptable threshold set in business continuity planning

35
Q

Chap 5-52: What type of control is separation of duties?

Physical
Operational
Technical
Compensating

A

Operational

36
Q

Chap 5-53: Which of the following rights is not included in the GDPR?

The right to access
The right to be forgotten
The right to portability
The right to anonymity

A

The right to anonymity

37
Q

Chap 5-54: Nick is following the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) and has completed the Prepare and Categorize steps. Which step in the Risk Management Framework is next?

Assessing controls
Implementing controls
Monitoring controls
Selecting controls

A

Selecting controls

38
Q

National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)

A

Seven steps, in order:

Prepare
Categorize system
Select controls
Implement controls
Assess controls
Authorize system
Monitor controls

39
Q

Chap 5-55: Why is diversity of training techniques an important concept for security program administrators?

It allows for multiple funding sources
Each person responds to training differently
It avoids a single point of failure in training compliance
It is required for compliance with PCI DSS

A

Each person responds to training differently

40
Q

Chap 5-56: Alyssa has been asked to categorize the risk of outdated software in her organization. What type of risk categorization should she use?

Internal
Quantitative
Qualitative
External

A

Internal

Internal risks are created inside the company, external risks outside it. Quantitative and qualitative are types of risk assessment, not risk categories

41
Q

Chap 5-57: What term is used to describe a listing of all of an organization's risks, including information about the risk's rating, how it is being remediated, remediation status, and who owns or is assigned responsibility for the risk?

An SSAE
A risk register
A risk table
A DSS

A

A risk register

42
Q

Risk register

A

Document used by organizations to track and manage risks; each entry records the risk details, its rating, the owner or responsible party, the planned remediation and its status

43
Q

SSAE

A

Statement on Standards for Attestation Engagements: the AICPA attestation standard (currently SSAE 18) under which SOC 1, SOC 2 and SOC 3 reports are produced; it is an audit standard, not a risk-tracking document

44
Q

Chap 5-58: Which of the following terms is used to measure how maintainable a system or device is?

MTBF
MTTF
MTTR
MITM

A

MTTR (mean time to restore/repair): the average time it takes to repair something if it fails, calculated by dividing the total maintenance time by the total number of repairs. MTTR is used in business continuity planning to decide whether a system needs additional redundancy or other options put in place if a failure and repair would exceed the maximum tolerable outage

45
Q

Common classification types for US government data

A

Top Secret, Secret, Confidential (from most to least sensitive); information below these levels is Unclassified

46
Q

Chap 5-61: Which of the following is not a common location for privacy practices to be recorded or codified?

A formal privacy notice
The source code for a product
The terms of the organization's agreement with customers
None of the above

A

The source code for a product

47
Q

Chap 5-64: Helen's organization provides telephone support for the entire customer base as a critical business function. She has created a plan that will ensure that her organization's VoIP phone system will be restored in the event of a disaster. What type of plan has she created?

A disaster recovery plan
An RPO plan
A functional recovery plan
An MTBF plan

A

A functional recovery plan

48
Q

Functional recovery plan

A

Recovery plan that focuses on restoring a specific business or technology function, as opposed to a disaster recovery plan covering the organization as a whole

49
Q

Chap 5-66: What type of information does a control risk apply to?

Health information
Personally identifiable information (PII)
Financial information
Intellectual property

A

Financial information

Control risks apply specifically to financial information, where they may impact the integrity or availability of the financial data

50
Q

Chap 5-74: Katie has discovered a Windows Server 2008 web server running in her environment. What security concern should she list for this system?

Windows Server 2008 only runs on 32-bit platforms
Windows Server 2008 cannot run modern web server software
Windows Server 2008 has reached its end of life and cannot be patched
All of the above

A

Windows Server 2008 has reached its end of life and cannot be patched

51
Q

Heat Map (Risk)

A

A risk heat map (risk matrix) plots each risk by its probability and impact (or other rating elements) so an organization can quickly see and compare relative risk rankings

52
Q

Chap 5-76: Charles wants to display information from his organization's risk register in an easy-to-understand, ranked format. What common tool is used to help management quickly understand relative rankings of risk?

Risk plots
A heat map
A qualitative risk assessment
A quantitative risk assessment

A

A heat map

53
Q

Chap 5-78: What phases of handling a disaster are covered by a disaster recovery plan?

What to do before the disaster
What to do during the disaster
What to do after the disaster
All of the above

A

All of the above

54
Q

Chap 5-80: Alaina wants to map a common set of controls for cloud services between standards like COBIT (Control Objectives for Information and Related Technology), FedRAMP (Federal Risk and Authorization Management Program), HIPAA (the Health Insurance Portability and Accountability Act of 1996) and others. What can she use to speed up that process?

The CSA's reference architecture
ISO 27001
The CSA's Cloud Controls Matrix
ISO 27002

A

The CSA's Cloud Controls Matrix (CCM)

55
Q

CSA

A

Cloud Security Alliance: publishes a vendor-neutral cloud security reference architecture (including information about tools) and the Cloud Controls Matrix, which maps its controls to standards such as ISO 27001, COBIT, FedRAMP and HIPAA

56
Q

DPO

A

Data Protection Officer. GDPR requires one for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily

57
Q

Chap 5-86: Rick's organization provides a website that allows users to create an account and then upload their art and share it with others. He is concerned about a breach and wants to properly classify the data for their handling process. What data type is most appropriate for Rick to label the data his organization collects and stores?

Customer data
PII
Financial information
Health information

A

Customer data

58
Q

Chap 5-89: Risk severity is calculated using the equation shown here. What information should be substituted for X?

Risk severity = X * Impact

Inherent risk
MTTR (mean time to repair)
Likelihood of occurrence
RTO (recovery time objective)

A

Likelihood of occurrence

59
Q

Risk severity calculation

A

risk severity = likelihood of occurrence * impact
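
Worked example, added here and not part of the original deck: the quantitative formulas from the SLE, ALE and card 33 entries (SLE = AV x EF, ALE = SLE x ARO) and the qualitative ranking from the heat map and risk severity cards (severity = likelihood x impact), applied to a small risk register. The register entries, ratings and the control cost used in the cost-benefit check are constructed sample data; only the first quantitative entry reproduces card 33's figures.

```python
"""Added worked example (not part of the flashcard deck): SLE = AV x EF and
ALE = SLE x ARO for a quantitative register, severity = likelihood x impact
and a heat map for a qualitative register. All entries below are constructed
sample data; the first quantitative entry reproduces card 33's numbers."""
from dataclasses import dataclass


@dataclass
class QuantRisk:
    """A risk expressed in dollars, as a quantitative assessment records it."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 .. 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(risk: QuantRisk, aro_after: float, annual_cost: float) -> float:
    """Annual net value of a mitigating control that lowers ARO to aro_after.

    Positive means the ALE reduction exceeds the control's annual cost;
    negative means accepting the risk is cheaper than the control.
    """
    mitigated = QuantRisk(risk.name, risk.asset_value, risk.exposure_factor, aro_after)
    return risk.ale() - mitigated.ale() - annual_cost


@dataclass
class QualRisk:
    """A risk rated on ordinal scales, as a qualitative assessment records it."""
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def severity(self) -> int:
        return self.likelihood * self.impact


def heat_map(risks: list[QualRisk], size: int = 5) -> list[list[list[str]]]:
    """Build a likelihood x impact grid; grid[l-1][i-1] lists the risks in that cell."""
    grid = [[[] for _ in range(size)] for _ in range(size)]
    for r in risks:
        if not (1 <= r.likelihood <= size and 1 <= r.impact <= size):
            raise ValueError(f"{r.name}: ratings must be in 1..{size}")
        grid[r.likelihood - 1][r.impact - 1].append(r.name)
    return grid


def ranked(risks: list[QualRisk]) -> list[str]:
    """Risk names from highest to lowest severity (ties keep register order)."""
    return [r.name for r in sorted(risks, key=lambda r: r.severity(), reverse=True)]


def render_heat_map(grid: list[list[list[str]]]) -> str:
    """Text rendering with high likelihood at the top and high impact on the right."""
    size = len(grid)
    lines = ["likelihood \\ impact " + " ".join(f"{i:>12}" for i in range(1, size + 1))]
    for l in range(size, 0, -1):
        cells = [",".join(grid[l - 1][i]) or "-" for i in range(size)]
        lines.append(f"{l:>19} " + " ".join(f"{c:>12}" for c in cells))
    return "\n".join(lines)


# Constructed sample registers (hypothetical values, not from the deck).
QUANT_REGISTER = [
    QuantRisk("customer PII database breach", 2_500 * 300, 1.0, 0.05),
    QuantRisk("web server outage", 10_000, 0.30, 2.0),
]
QUAL_REGISTER = [
    QualRisk("CAD license", likelihood=4, impact=3),
    QualRisk("EOL server", likelihood=5, impact=4),
    QualRisk("lost laptop", likelihood=3, impact=2),
]

if __name__ == "__main__":
    for r in QUANT_REGISTER:
        print(f"{r.name}: SLE=${r.sle():,.0f} ALE=${r.ale():,.0f}")
    print("value of a $20,000/yr control cutting breach ARO to 1%:",
          f"${control_value(QUANT_REGISTER[0], 0.01, 20_000):,.0f}")
    print("ranked:", ranked(QUAL_REGISTER))
    print(render_heat_map(heat_map(QUAL_REGISTER)))
```

The control_value check is the "mitigate based on cost" decision from card 13 in numbers: a control is only worth buying while the ALE it removes exceeds what it costs per year.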
60
Q

Chap 5-90: How is asset value determined?

The original cost of the item
The depreciated cost of the item
The cost to replace the item
Any of the above, based on organizational preference

A

Any of the above, based on organizational preference

61
Q

Chap 5-91: What process is used to help identify critical systems?

A BIA
An MTBF
An RTO
An ICD

A

A BIA

62
Q

BIA

A

Business Impact Analysis: helps to identify critical systems by determining which systems would create the largest impact on the business if they were not available

63
Q

Chap 5-99: Which of the following does not minimize security breaches committed by internal employees?

Job rotation
Separation of duties
Nondisclosure agreements signed by employees
Mandatory vacations

A

Nondisclosure agreements signed by employees

64
Q

Chap 5-100: Olivia's cloud service provider claims to provide "five nines of uptime" and Olivia's company wants to take advantage of that service because their website loses thousands of dollars every hour that it is down. What business agreement can Olivia put in place to help ensure that the reliability that the vendor advertises is maintained?

An MOU
An SLA
An MSA
A BPA

A

An SLA

Service Level Agreement: states the required level of service (five nines is 99.999% availability, about five minutes of downtime per year) and the remedies if the provider misses it
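
Worked example, added here and not part of the original deck: deriving MTTR and MTBF (the MTTR, MTBF and card 44 entries) from an outage log, then checking the resulting availability against the "five nines" target on the SLA card above. The outage timestamps are constructed sample data, and the 365-day observation window is an assumption of the example.

```python
"""Added worked example (not part of the flashcard deck): MTTR and MTBF from
an outage log, availability = MTBF / (MTBF + MTTR), and a check against an SLA
availability target. The outage timestamps are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample: (failure detected, service restored) pairs, ISO 8601.
OUTAGES = [
    ("2023-02-03T01:15:00", "2023-02-03T01:45:00"),  # 30 min
    ("2023-06-17T22:00:00", "2023-06-18T00:30:00"),  # 150 min
    ("2023-11-29T09:05:00", "2023-11-29T09:20:00"),  # 15 min
]
YEAR = timedelta(days=365)  # assumed observation period
FIVE_NINES = 0.99999


def _downtimes(outages) -> list[timedelta]:
    """Parse the log and validate that every outage ends after it starts."""
    result = []
    for start_s, end_s in outages:
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end <= start:
            raise ValueError(f"outage {start_s} ends before it starts")
        result.append(end - start)
    return result


def mttr_hours(outages) -> float:
    """Mean time to repair: total repair time / number of repairs (card 44's formula).

    With no outages there is nothing to average, so MTTR is reported as 0.
    """
    downs = _downtimes(outages)
    if not downs:
        return 0.0
    return sum(downs, timedelta()).total_seconds() / 3600 / len(downs)


def mtbf_hours(outages, period: timedelta = YEAR) -> float:
    """Mean time between failures: total operating (up) time / number of failures."""
    downs = _downtimes(outages)
    up = period - sum(downs, timedelta())
    return up.total_seconds() / 3600 / max(1, len(downs))


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability from the two reliability figures."""
    return mtbf / (mtbf + mttr)


def allowed_downtime_minutes(target: float, period: timedelta = YEAR) -> float:
    """Downtime budget implied by an availability target, e.g. five nines."""
    return (1.0 - target) * period.total_seconds() / 60


def meets_sla(outages, target: float = FIVE_NINES) -> bool:
    """True if the measured availability reaches the contracted target."""
    return availability(mtbf_hours(outages), mttr_hours(outages)) >= target


if __name__ == "__main__":
    mttr, mtbf = mttr_hours(OUTAGES), mtbf_hours(OUTAGES)
    print(f"MTTR = {mttr:.2f} h, MTBF = {mtbf:.1f} h")
    print(f"availability = {availability(mtbf, mttr):.5%}")
    print(f"five nines allows {allowed_downtime_minutes(FIVE_NINES):.2f} min/year")
    print("meets five nines:", meets_sla(OUTAGES))
```

Three short outages totalling 195 minutes already put this service at roughly 99.96%, far short of the 5.26 minutes per year that five nines allows; this is the gap an SLA's measurement clause and penalties exist to surface.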
65
Q

Chap 5-101: After reviewing systems on his network, Brian discovered that dozens of them are running copies of a CAD software package that his company has not paid for. What risk type should he identify this as?

Internal
Legacy systems
IP theft
Software compliance

A

Software compliance

66
Q

Chap 5-102: Gary is beginning his risk assessment for the organization and has not yet begun to implement controls. What risk does his organization face?

Residual risk
IP theft risk
Multiparty risk
Inherent risk

A

Inherent risk (the risk that exists before any controls are applied; residual risk is what remains after controls)

67
Q

Chap 5-104: What type of credential policy is typically created to handle contractors and consultants?

A personnel policy
A service account policy
A third-party policy
A root account policy

A

A third-party policy

68
Q

ARO

A

Annual rate of occurrence: how many times per year a given risk is expected to occur (a 5% chance in a year is an ARO of 0.05)

69
Q

Data controller

A

aka data owner: the organization or individual that collects the data and decides how and why it is processed

70
Q

Data steward

A

Carries out the intent of the data controller and is delegated day-to-day responsibility for the data

71
Q

Data custodian

A

Those entrusted with the data to store it, manage it and secure it

72
Q

Data processor

A

Service providers that process data on behalf of, and on the instructions of, data controllers

73
Q

Chap 5-110: Mike wants to look for a common set of tools for security and risk management for his IaaS environment. Which of the following organizations provides a vendor-neutral reference architecture that he can use to validate his design?

The Center for Internet Security (CIS)
ISO
The Cloud Security Alliance
NIST

A

The Cloud Security Alliance

74
Q

CIS

A

Center for Internet Security: provides vendor-specific configuration benchmarks for operating systems, applications and cloud platforms such as AWS, Azure and Oracle Cloud (contrast with the CSA's vendor-neutral reference architecture)

75
Q

Chap 5-126: Frank knows that businesses can use any classification labels they want, but he also knows that there are a number of common labels in use. Which of the following is not a common data classification label for businesses?

Public
Sensitive
Private
Secret

A

Secret

"Secret" is a government classification level and is rarely used in the private sector

76
Q

Multiparty risk

A

Risk that involves more than one organization at once, such as a shared service provider whose outage or breach affects all of its customers

77
Q

Chap 5-112: Issac has discovered that his organization's financial accounting software is misconfigured, causing incorrect data to be reported on an ongoing basis. What type of risk is this?

Inherent risk
Residual risk
Control risk
Transparent risk

A

Control risk

Term used in public accounting: the risk that arises from a potential lack of internal controls within an organization that may cause a material misstatement in the organization's financial reports

78
Q

Chap 5-114: Susan works for the US government and has identified information in her organization that requires some protection. If the information were disclosed without authorization, it would cause identifiable harm to national security. How should she classify the data?

Top Secret
Secret
Confidential
Business Sensitive

A

Confidential

The US government classifies as Confidential information that requires some protection and that, if disclosed without authorization, would cause identifiable harm to national security

79
Q

Confidential information (US government)

A

Information that requires some protection and that, if disclosed without authorization, would cause identifiable harm to national security (the lowest of the three classification levels)

80
Q

Top Secret information (US government)

A

Requires the highest degree of protection and would cause exceptionally grave harm to national security if exposed without authorization

81
Q

Secret information (US government)

A

Requires a substantial degree of protection and would cause serious harm to national security if exposed without authorization

82
Q

Chap 5-118: Nicole determines how her organization processes the data that it collects about its customers and also decides how and why personal information should be processed. What role does Nicole play in her organization?

Data steward
Data custodian
Data controller
Data consumer

A

Data controller

83
Q

Chap 5-120: What important step should be taken early in the information life cycle to ensure that organizations can handle the data they collect?

Data retention
Data classification
Data minimization
Data exfiltration

A

Data minimization

84
Q

Chap 5-121: Kirk's organization has been experiencing large-scale denial of service (DoS) attacks against its primary website. Kirk contracts with his Internet Service Provider to increase the organization's bandwidth, and expands the server pool for the website to handle significantly more traffic than any of the previous DoS attacks. What type of risk management strategy has he employed?

Acceptance
Avoidance
Mitigation
Transfer

A

Mitigation