Domain 5, Quiz 1 Flashcards
Which document outlines the user’s rights and responsibilities when accessing a corporate network or device?
a. Acceptable use policy (AUP)
b. Change management procedures
c. Information security policies
d. Business continuity policy
Acceptable use policy (AUP)
An Acceptable Use Policy (AUP) details explicitly what users are allowed to do and not do on an organization’s network or with its devices.
Which of the following best defines the maximum time an organization aims to recover its operations after a disaster?
a. Recovery time objective (RTO)
b. Recovery point objective (RPO)
c. Mean time between failures (MTBF)
d. Annualized loss expectancy (ALE)
Recovery time objective (RTO)
Recovery time objective (RTO) is correct as it denotes the maximum time an organization aims to recover operations post-disruption.
A company is hiring a vendor to supply IT hardware. The company wants to ensure that the vendor’s products are tested against potential security vulnerabilities. Which of the following would the company likely ask the vendor for?
a. Due diligence documentation
b. Right-to-audit clause
c. Evidence of internal audits
d. Penetration testing results
Penetration testing results
Penetration testing results are correct because they provide evidence that the vendor’s products were examined for security vulnerabilities.
Which type of governance structure represents the highest level of authority in an organization and might include executive members?
a. Government entities
b. Committees
c. Boards
d. Centralized entities
Boards
Boards are correct because they represent the pinnacle of authority within many organizations, often consisting of executive members.
A company is open to taking high risks in hopes of gaining high rewards. This approach is best described as:
a. Expansionary risk appetite
b. Neutral risk appetite
c. Risk avoidance
d. Conservative risk appetite
Expansionary risk appetite
Expansionary risk appetite is correct because it indicates a willingness to take more significant risks to achieve higher rewards.
Which document establishes a formal understanding between two entities without legal obligations?
a. Business partners agreement (BPA)
b. Non-disclosure agreement (NDA)
c. Memorandum of understanding (MOU)
d. Service-level agreement (SLA)
Memorandum of understanding (MOU)
Memorandum of understanding (MOU) is correct because it establishes a mutual agreement between parties without creating a legally binding contract.
An organization follows a strategy in which they decide to pay for insurance rather than invest in new security controls. Which risk management strategy is the organization following?
a. Mitigate
b. Transfer
c. Avoid
d. Accept
Transfer
The organization is shifting the responsibility of a potential loss to another entity, such as an insurer.
Before introducing a new software module into the production environment, what policy should be consulted to ensure smooth integration and minimal disruption?
a. Incident response policy
b. Disaster recovery policy
c. Change management policy
d. Access control standard
Change management policy
Change management policy provides guidance on introducing changes into the environment in a controlled manner.
An organization has a written understanding with another entity, detailing the scope of work but not the specific ways of doing it. What is this understanding referred to as?
a. Service-level agreement (SLA)
b. Memorandum of agreement (MOA)
c. Non-disclosure agreement (NDA)
d. Statement of work (SOW)
Statement of work (SOW)
Statement of work (SOW) details the work scope to be done, although it doesn’t necessarily get into the specific ways of execution.
What is the primary objective of the software development lifecycle (SDLC) policy?
a. Ensure a systematic process for software development and maintenance
b. Define access permissions for software
c. Provide guidelines for acceptable use of software
d. Establish procedures for onboarding and offboarding
Ensure a systematic process for software development and maintenance
SDLC policies guide the phases and best practices of software creation and upkeep.
Which risk management strategy involves taking steps to lessen the severity or likelihood of a risk?
a. Mitigate
b. Accept
c. Avoid
d. Transfer
Mitigate
Mitigate implies actions taken to reduce a risk’s potential impact or likelihood.
An organization wishes to ensure that if any third-party vendor faces a cybersecurity incident, it will be immediately reported. Which type of agreement should they consider?
a. Service-level agreement (SLA)
b. Memorandum of understanding (MOU)
c. Work order (WO)
d. Business partners agreement (BPA)
Service-level agreement (SLA)
Service-level agreement (SLA) defines service expectations and specific requirements like incident reporting.
An organization has set a specific boundary beyond which the risk becomes unacceptable. This boundary is known as:
a. Risk threshold
b. Risk appetite
c. Risk assessment
d. Risk tolerance
Risk tolerance
Risk tolerance defines the extent of risk an organization is willing to bear.
Which external consideration primarily focuses on the specific requirements set by a certain industry standard, like PCI-DSS for the payment card industry?
a. Legal
b. Industry
c. Global
d. National
PCI-DSS (Payment Card Industry Data Security Standard)
Industry
Industry refers to considerations and requirements specific to a certain industry.
Which term represents the amount of financial loss expected from a single threat event affecting an asset?
a. Single loss expectancy (SLE)
b. Impact
c. Annualized loss expectancy (ALE)
d. Likelihood
Single loss expectancy (SLE)
Single loss expectancy (SLE) is correct because it quantifies the financial loss expected from a single threat event.