CHAPTER 5
Domain 5: Cloud Security Operations

Domain 5 in the Certified Cloud Security Professional (CCSP) Exam Outline both introduces some significant new concepts, such as the physical design of a data center and the attendant standards and guidelines, and restates some material covered in earlier domains, such as multitenancy, resource pooling, and the like.

  1. What is the primary incident response goal?

    1. Remediating the incident
    2. Reverting to the last known good state
    3. Determining the scope of the possible loss
    4. Outcomes dictated by business requirements

  2. You are in charge of building a cloud data center. Which raised floor level is sufficient to meet standard requirements?

    1. 10 inches
    2. 8 inches
    3. 18 inches
    4. 2 feet

  3. You are in charge of building a cloud data center. What purposes does the raised floor serve?

    1. Allows airflow and increases structural soundness for holding large components
    2. Cold air feed and a place to run wires for the machines
    3. Additional storage for critical components and a dedicated access to a landline
    4. Fire suppression systems and personnel safety

  4. You are in charge of building a cloud data center. Which of the following is a useful rack configuration for regulating airflow?

    1. Exhaust fans on racks facing the inlet vents of other racks
    2. Inlet fans on racks facing exhaust fans of other racks
    3. All racks perpendicular to each other
    4. Exhaust fans on racks facing exhaust fans on other racks

  5. An event is something that can be measured within the environment. An incident is a(n) _______________ event.

    1. Deleterious
    2. Negative
    3. Unscheduled
    4. Major

  6. Which of the following factors would probably most affect the design of a cloud data center?

    1. Geographic location
    2. Functional purpose
    3. Cost
    4. Aesthetic intent

  7. All of the following elements must be considered in the design of a cloud data center except _______________.

    1. External standards, such as ITIL or ISO 27001
    2. Physical environment
    3. Types of services offered
    4. Native language of the majority of customers

  8. In designing a data center to meet their own needs and provide optimum revenue/profit, the cloud provider will most likely aim to enhance _______________.

    1. Functionality
    2. Automation of services
    3. Aesthetic value
    4. Inherent value

  9. You are the security officer for a small cloud provider offering public cloud infrastructure as a service (IaaS); your clients are predominantly from the education sector, located in North America. Of the following technology architecture traits, which is the one your organization would most likely want to focus on?

    1. Reducing mean time to repair (MTTR)
    2. Reducing mean time between failure (MTBF)
    3. Reducing the recovery time objective (RTO)
    4. Automating service enablement

  10. What is perhaps the main way in which software-defined networking (SDN) solutions facilitate security in the cloud environment?

    1. Monitoring outbound traffic
    2. Monitoring inbound traffic
    3. Segmenting networks
    4. Preventing distributed denial of service (DDoS) attacks

  11. The logical design of a cloud environment can enhance the security offered in that environment. For instance, in a software as a service (SaaS) cloud, the provider can incorporate _______________ capabilities into the application itself.

    1. High-speed processing
    2. Logging
    3. Performance-enhancing
    4. Cross-platform functionality

  12. You are tasked with managing a cloud data center in Los Angeles; your customers are mostly from the entertainment industry, and you are offering both platform as a service (PaaS) and software as a service (SaaS) capabilities. From a physical design standpoint, you are probably going to be most concerned with _______________.

    1. Offering digital rights management (DRM) capabilities
    2. Insuring against seasonal floods
    3. Preventing all malware infection potential
    4. Ensuring that the racks and utilities can endure an earthquake

  13. You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which tier of the Uptime Institute rating system should you be looking for, if minimizing cost is your ultimate goal?

    1. 1
    2. 3
    3. 4
    4. 8

  14. You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your cloud provider is changing its business model at the end of your contract term, and you have to find a new provider. In choosing providers, which of the following functionalities will you consider absolutely essential?

    1. Distributed denial of service (DDoS) protections
    2. Constant data mirroring
    3. Encryption
    4. Hashing

  15. You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Which of the following standards are you most likely to adopt?

    1. National Institute of Standards and Technology (NIST) 800-37
    2. General Data Protection Regulation (GDPR)
    3. ISO 27001
    4. Sarbanes–Oxley Act (SOX)

  16. You are the security manager for a small retail business involved mainly in direct e-commerce transactions with individual customers (members of the public). The bulk of your market is in Asia, but you do fulfill orders globally. Your company has its own data center located within its headquarters building in Hong Kong, but it also uses a public cloud environment for contingency backup and archiving purposes. Your company has decided to expand its business to include selling and monitoring life-support equipment for medical providers. What characteristic do you need to ensure is offered by your cloud provider?

    1. Full automation of security controls within the cloud data center
    2. Tier 4 of the Uptime Institute certifications
    3. Global remote access
    4. Prevention of ransomware infections

  17. When designing a cloud data center, which of the following aspects is not necessary to ensure continuity of operations during contingency operations?

    1. Access to clean water
    2. Broadband data connection
    3. Extended battery backup
    4. Physical access to the data center

  18. You are the security manager for a small surgical center. Your organization is reviewing upgrade options for its current, on-premises data center. In order to best meet your needs, which one of the following options would you recommend to senior management?

    1. Building a completely new data center
    2. Leasing a data center that is currently owned by another firm
    3. Renting private cloud space in a Tier 2 data center
    4. Staying with the current data center

  19. When building a new data center within an urban environment, which of the following is probably the most restrictive aspect?

    1. The size of the plot
    2. Utility availability
    3. Staffing
    4. Municipal codes

  20. When you are building a new data center in a rural setting, which of the following is probably the most restrictive aspect?

    1. Natural disasters
    2. Staffing
    3. Availability of emergency services
    4. Municipal codes

  21. All tiers of the Uptime Institute standards for data centers require _______________ hours of on-site generator fuel.

    1. 6
    2. 10
    3. 12
    4. 15

  22. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) guidelines for internal environmental conditions within a data center suggest that a temperature setting of _______________ degrees (F) would be too high.

    1. 93
    2. 80
    3. 72
    4. 32

  23. Internal data center conditions that exceed the American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) guidelines for humidity could lead to an increase of the potential for all of the following except _______________.

    1. Biological intrusion
    2. Electrical shorting
    3. Corrosion/oxidation
    4. Social engineering

  24. Setting thermostat controls by measuring the _______________ temperature will result in the highest energy costs.

    1. Server inlet
    2. Return air
    3. Under-floor
    4. External ambient

  25. Heating, ventilation, and air conditioning (HVAC) systems cool the data center by pushing warm air into _______________.

    1. The server inlets
    2. Underfloor plenums
    3. HVAC intakes
    4. The outside world

  26. It is important to include _______________ in the design of underfloor plenums if they are also used for wiring.

    1. Mantraps
    2. Sequestered channels
    3. Heat sinks
    4. Tight gaskets

  27. Cable management includes all of the following except _______________.

    1. Tagging cables
    2. Removing unused/obsolete cables
    3. Banding and bundling cables
    4. Removing unused machines

  28. How often should cable management efforts take place?

    1. Annually
    2. Continually
    3. Quarterly
    4. Weekly

  29. You are designing a private cloud data center for an insurance underwriter, to be located in a major metropolitan area. Which of the following airflow management schemes is preferable?

    1. Hot aisle
    2. Cold aisle
    3. Either hot aisle or cold aisle
    4. Free flow

  30. Which of the following factors will probably have the most impact on the cost of running your heating, ventilation, and air conditioning (HVAC) systems?

    1. Whether you choose hot or cold aisle containment
    2. The external ambient environment
    3. The initial cost of the HVAC systems
    4. Proper cable maintenance

  31. You are designing a Tier 4 data center for a large hospital. In order to plan for the possibility of losing utility power, in addition to having sufficient generators, you should plan to locate the data center _______________.

    1. In an urban setting
    2. In a rural environment
    3. Near a coast
    4. At the border of different counties, regions, or states

  32. Because most cloud environments rely heavily on virtualization, it is important to lock down or harden the virtualization software, or any software involved in virtualization. Which of the following is not an element of hardening software?

    1. Removing unused services and libraries
    2. Maintaining a strict license catalog
    3. Patching and updating as necessary
    4. Removing default accounts

  33. Which of the following is not an aspect of host hardening?

    1. Removing all unnecessary software and services
    2. Patching and updating as needed
    3. Performing more frequent and thorough audits on the host
    4. Installing a host-based firewall and an intrusion detection system (IDS)

  34. Which of the following is not an element of ongoing configuration maintenance?

    1. Penetration tests of guest OSs and hosts
    2. Social engineering tests of all users
    3. Patch management of guest OSs, hosts, and applications
    4. Vulnerability scans of guest OSs and hosts

  35. Storage controllers will be used in conjunction with all the following protocols except _______________.

    1. HTTPS
    2. Internet Small Computer Systems Interface (iSCSI)
    3. Fibre Channel
    4. Fibre Channel over Ethernet

  36. Which of these characteristics of a virtualized network adds risks to the cloud environment?

    1. Redundancy
    2. Scalability
    3. Pay-per-use
    4. Self-service

  37. Security best practices in a virtualized network environment would include which of the following?

    1. Using distinct ports and port groups for various virtual local area networks (VLANs) on a virtual switch rather than running them through the same port
    2. Running Internet Small Computer Systems Interface (iSCSI) traffic unencrypted in order to have it observed and monitored by a network intrusion detection system (NIDS)
    3. Adding a host-based intrusion detection system (HIDS) to all virtual guests
    4. Hardening all outward-facing firewalls in order to make them resistant to attack

  38. In order to enhance virtual environment isolation and security, a best practice is to _______________.

    1. Ensure that all virtual switches are not connected to the physical network
    2. Ensure that management systems are connected to a different physical network than the production systems
    3. Never connect a virtual switch to a physical host
    4. Connect physical devices only with virtual switches

  39. Which of the following is a risk that stems from a virtualized environment?

    1. Live virtual machines in the production environment are moved from one host to another in the clear.
    2. Cloud data centers can become a single point of failure.
    3. It is difficult to find and contract with multiple utility providers of the same type (electric, water, etc.).
    4. Modern service-level agreement (SLA) demands are stringent and very hard to meet.

  40. Which of the following is a risk that stems from a pooled-resources environment?

    1. Loss of data to widespread phishing attacks
    2. Loss of availability due to widespread distributed denial of service (DDoS) attacks
    3. Loss of data to widespread insider threat
    4. Loss of data to law enforcement seizure of neighboring assets

  41. Modern managed cloud service providers will often use secure keyboard/video/mouse (KVM) devices within their data centers. These devices are extremely expensive compared to their non-secured counterparts. Which of the following is one of the reasons cloud service providers do this?

    1. They have plenty of revenue and can afford it.
    2. They have invested heavily in the secure KVM market.
    3. Cloud data centers need very few of these devices.
    4. Managed cloud providers often manufacture their own devices as well.

  42. The American Society of Heating, Refrigeration, and Air Conditioning Engineers (ASHRAE) guidelines for internal environmental conditions within a data center suggest that a temperature setting of _______________ degrees (F) would be too low.

    1. 93
    2. 80
    3. 72
    4. 32

  43. Modern managed cloud service providers will often use secure keyboard/video/mouse (KVM) devices within their data centers. These devices are extremely expensive compared to their non-secured counterparts. Which of the following is one of the reasons cloud service providers do this?

    1. The risk of transferring data from one customer to another is significant.
    2. The risk of devices leaving the cloud data center is significant.
    3. It makes physical inventories much easier to maintain.
    4. Audit purposes

  44. A truly air-gapped machine selector will _______________.

    1. Terminate a connection before creating a new connection
    2. Be made of composites and not metal
    3. Have total Faraday properties
    4. Not be portable

  45. Which of the following cloud data center functions do not have to be performed on isolated networks?

    1. Customer access provision
    2. Management system control interface
    3. Storage controller access
    4. Customer production activities

  46. Which of the following is not a characteristic of a virtual local area network (VLAN)?

    1. Broadcast packets sent by a machine inside the VLAN will reach all other machines in that VLAN.
    2. Broadcast packets sent from outside the VLAN will not reach other machines outside the VLAN.
    3. Broadcast packets sent from a machine outside the VLAN will not reach machines inside the VLAN.
    4. Broadcast packets sent by a machine inside the VLAN will not reach machines outside the VLAN.

  47. In order for communications from inside a virtual local area network (VLAN) to reach endpoints outside the VLAN, _______________.

    1. The communications must go through a gateway
    2. The traffic must be encrypted
    3. A repeater must be used
    4. The external endpoint must be in receive mode

  48. Transport Layer Security (TLS) uses _______________ to authenticate a connection and create a shared secret for the duration of the session.

    1. Security Assertion Markup Language (SAML) 2.0
    2. X.509 certificates
    3. 802.11X
    4. The Diffie-Hellman process

  49. Halon is now illegal to use for data center fire suppression. What is the reason it was outlawed?

    1. It poses a threat to health and human safety when deployed.
    2. It can harm the environment.
    3. It does not adequately suppress fires.
    4. It causes undue damage to electronic systems.

  50. When cloud computing professionals use the term ping, power, pipe, which of the following characteristics is not being described?

    1. Logical connectivity
    2. Human interaction
    3. Electricity
    4. Heating, ventilation, and air conditioning (HVAC)

  51. Which of the following is not a goal of a site survey?

    1. Threat definition
    2. Target identification
    3. Penetration testing
    4. Facility characteristics

  52. Designing system redundancy into a cloud data center allows all the following capabilities except _______________.

    1. Incorporating additional hardware into the production environment
    2. Preventing any chance of service interruption
    3. Load-sharing/balancing
    4. Planned, controlled failover during contingency operations

  53. Gaseous fire suppression systems that function by displacing oxygen need to be installed in conjunction with _______________.

    1. Water cooling
    2. Filters
    3. Occupant training
    4. Failsafe or “last person out” switches

  54. What aspect of data center planning occurs first?

    1. Logical design
    2. Physical design
    3. Audit
    4. Policy revision

  55. Which of the following are not examples of personnel controls?

    1. Background checks
    2. Reference checks
    3. Strict access control mechanisms
    4. Continuous security training

  56. Updating virtual machine management tools will require _______________.

    1. An infusion of capital
    2. An alternate data center
    3. Sufficient redundancy
    4. Peer review

  57. Access control to virtualization management tools should be _______________.

    1. Rule-based
    2. Role-based
    3. User-based
    4. Discretionary

  58. Before deploying a specific brand of virtualization toolset, it is important to configure it according to _______________.

    1. Industry standards
    2. Prevailing law of that jurisdiction
    3. Vendor guidance
    4. Expert opinion

  59. Which of the following is essential for getting full security value from your system baseline?

    1. Personnel training
    2. Documentation
    3. Host-based intrusion detection system (HIDS)
    4. Encryption

  60. Which of the following is essential for getting full security value from your system baseline?

    1. Capturing and storing an image of the baseline
    2. Keeping a copy of upcoming suggested modifications to the baseline
    3. Having the baseline vetted by an objective third party
    4. Using a baseline from another industry member so as not to engage in repetitious efforts

  61. Patching can be viewed as a configuration modification and therefore subject to the organization’s configuration management program and methods. What may also be an aspect of patching in terms of configuration management?

    1. Patching doesn’t need to be performed as a distinct effort; patching can go through the normal change request process like all other modifications.
    2. Any patches suggested or required by vendors to maintain compliance with service contracts must be made immediately, regardless of internal process restrictions.
    3. Any patches suggested by third parties should not be considered as they may invalidate service contracts or warranties and negatively affect the organization’s security posture.
    4. The configuration or change management committee or board may grant blanket approval for patches (at a certain impact level) without the need to go through the formal change process.

  62. Clustering hosts allows you to do all the following except _______________.

    1. Meet high-availability demands
    2. Optimize performance with load balancing
    3. Enhance scalability
    4. Apply updates, patches, or configuration modifications instantly

  63. Which of the following is not a way to apportion resources in a pooled environment?

    1. Reservations
    2. Limits
    3. Tokens
    4. Shares

  64. A loosely coupled storage cluster will have performance and capacity limitations based on the _______________.

    1. Physical backplane connecting it
    2. Total number of nodes in the cluster
    3. Amount of usage demanded
    4. The performance and capacity in each node

  65. When putting a system into maintenance mode, it’s important to do all of the following except _______________.

    1. Transfer any live virtual guests off the host
    2. Turn off logging
    3. Lock out the system from accepting any new guests
    4. Notify customers if there are any interruptions

  66. Typically, a cloud customer seeking stand-alone hosting will expect all of the following except _______________.

    1. More control over governance of the environment
    2. Greater administrative control of the environment
    3. Higher overall security of the environment
    4. Lower costs for the environment

  67. Methods for achieving “high availability” cloud environments include all of the following except _______________.

    1. Extreme redundancy
    2. Multiple system vendors for the same services
    3. Explicitly documented business continuity and disaster recovery (BC/DR) functions in the service-level agreement (SLA) or contract
    4. Failover capability back to the customer’s on-premises environment

  68. You are in charge of a cloud migration for your organization. You anticipate attack traffic from various sources, each using a variety of both automated and manual intrusion techniques. In order to deter novel attacks used only against your organization, you would be wise to employ firewalls that use _______________ to detect threats.

    1. Attack signatures
    2. Behavioral outliers
    3. Content filters
    4. Biometric templates

  69. Firewalls can be included in all the following aspects of a cloud environment except _______________.

    1. The guest OS
    2. The cloud data center IT architecture
    3. Bandwidth providers used to connect to the cloud
    4. Applications used to manipulate data in the cloud

  70. A honeypot can be used for all the following purposes except _______________.

    1. Gathering threat intelligence
    2. Luring attackers
    3. Distracting attackers
    4. Delaying attackers

  71. Which of the following should honeypots contain?

    1. Inward-facing connections
    2. Network schematics
    3. Production data
    4. Detection systems

  72. Because all cloud access is remote access, contact between users and the environment should include all of the following except _______________.

    1. Encryption
    2. Secure login with complex passwords
    3. Once in, all in
    4. Logging and audits

  73. Most attacks that overcome encryption protections exploit _______________.

    1. Mathematical principles
    2. Misconfigurations
    3. Supercomputers
    4. Statistical probabilities

  74. Administrators and engineers who work for cloud service providers will have a significant amount of control over multiple customer environments and therefore pose a severe risk. Which of the following is not a technique used to mitigate this level of increased risk from privileged users in the cloud data center?

    1. Two-person control
    2. Enhanced logging of administrative activity
    3. Granting privileged access only on a temporary basis
    4. Assigning permanent administrators to select customer accounts

  75. Which of these is a vital action to determine whether the business continuity and disaster recovery (BC/DR) effort has a chance of being successful?

    1. Perform an integrity check on archived data to ensure that the backup process is not corrupting the data.
    2. Encrypt all archived data to ensure that it can’t be exposed while at rest in the long term.
    3. Periodically restore from backups.
    4. Train all personnel on BC/DR actions they should take to preserve health and human safety.

  76. Patches do all the following except _______________.

    1. Address newly discovered vulnerabilities
    2. Solve cloud interoperability problems
    3. Add new features and capabilities to existing systems
    4. Address performance issues

  77. When applying patches, it is necessary to do all of the following except _______________.

    1. Test the patch in a sandbox that simulates the production environment
    2. Put the patch through the formal change management process
    3. Be prepared to roll back to the last known good build
    4. Inform users of any impact or interruptions

  78. Which of the following is a risk associated with automated patching?

    1. Users can be leveraged by intruders.
    2. A patch may not be applicable to a given environment.
    3. Patches can come loaded with malware, in a Trojan horse attack.
    4. Automated patching is slow and inefficient.

  79. Which of the following is a risk associated with automated patching, especially in the cloud?

    1. Snapshot/saved virtual machine (VM) images won’t take a patch.
    2. Remote access disallows patching.
    3. Cloud service providers aren’t responsible for patching.
    4. Patches aren’t applied among all cloud data centers.

  80. Which of the following is a risk associated with automated patching, especially in the cloud?

    1. Patches may interfere with some tenants’ production environments.
    2. Patches don’t work with software as a service (SaaS) service models.
    3. Patches don’t work with private cloud builds.
    4. Vendors don’t issue patches to cloud providers.

  81. Which of the following is a risk associated with manual patching, especially in the cloud?

    1. It can happen too quickly.
    2. Vendors release patches that work only with their proprietary automated tools.
    3. It’s not scalable.
    4. Users can be tricked into installing malware that looks like a patch.

  82. Which of the following is a risk associated with manual patching, especially in the cloud?

    1. No notice before the impact is realized
    2. There is a lack of applicability to the environment.
    3. Patches may or may not address the vulnerability they were designed to fix.
    4. The possibility for human error exists.

  83. You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. What additional risk are you accepting?

    1. The cloud provider will suspend your access for violating its terms of service.
    2. The cloud provider may sue your organization for breach of contract.
    3. Your organization is subject to the vulnerability the patch addresses.
    4. Your end clients will no longer trust your organization, and this will hurt your revenue flow.

  84. You are the security manager for an organization that uses the cloud for its production environment. According to your contract with the cloud provider, your organization is responsible for patching. A new patch is issued by one of your vendors. You decide not to apply it immediately for fear of interoperability problems. Who may impose penalties on your organization for this decision if the vulnerability is exploited?

    1. The cloud provider
    2. Regulators
    3. Your end clients
    4. Your Internet service provider (ISP)

  85. Which of the following aspects of a cloud environment is most likely to add risk to the patch management process?

    1. Variations in user training and familiarity with the cloud
    2. A cloud services contract that specifies which parties are responsible for which aspects of patching
    3. VMs located physically in one location but operating in different time zones
    4. The prevalence of attacker activity at the time the patch is applied

  86. Which type of web application monitoring most closely measures actual activity?

    1. Synthetic performance monitoring
    2. Real-user monitoring (RUM)
    3. Security information and event management (SIEM)
    4. Database application monitor (DAM)

  87. When using real-user monitoring (RUM) for web application activity analysis, which of the following do you need to take into account?

    1. False positives
    2. Attacker baseline actions
    3. Privacy concerns
    4. Sandboxed environments

  88. Synthetic performance monitoring may be preferable to real-user monitoring (RUM) because _______________.

    1. It costs less
    2. It is a more accurate depiction of user behavior
    3. It is more comprehensive
    4. It can take place in the cloud

  89. You are the security manager for an organization with a cloud-based production environment. You are tasked with setting up the event monitoring and logging systems. In your jurisdiction, private entities are allowed to monitor all activity involving their systems, without exception. Which of the following best describes a logging scheme you would recommend?

    1. Logging every event, at all levels of granularity, including continual screen shots, keystroke logging, and browser history
    2. Sufficient logging to reconstruct a narrative of events at some later date
    3. Logging only data related to incidents after they have occurred
    4. Logging specific data sets recommended by industry standards and guidelines

  90. Who should be performing log review?

    1. Only certified, trained log review professionals with a great deal of experience with the logging tool
    2. The internal audit body
    3. External audit providers
    4. Someone with knowledge of the operation and a security background

  91. Which of these subsystems is probably most important for acquiring useful log information?

    1. Fan
    2. RAM
    3. Clock
    4. Uninterruptible power supply (UPS)

  92. A SIEM (security information and event management) system does not eliminate the need for human participation in _______________.

    1. Log collection
    2. Responding to alerts
    3. Mathematical normalization of different logs
    4. Detecting and alerting

  93. Log data should be protected _______________.

    1. One level below the sensitivity level of the systems from which it was collected
    2. At least at the same sensitivity level as the systems from which it was collected
    3. With encryption in transit, at rest, and in use
    4. According to National Institute of Standards and Technology (NIST) guidelines

  94. Risk is usually viewed with consideration for all the following elements except _______________.

    1. Impact that could occur if a given circumstance is realized
    2. The likelihood or probability a circumstance will occur
    3. In the context of specific threats to an organization
    4. According to risks recently realized by other organizations in the same industry

  95. Risk management entails evaluating all of the following except _______________.

    1. Threats
    2. Vulnerabilities
    3. Countermeasures
    4. Customers

  96. Impact resulting from risk being realized is often measured in terms of _______________.

    1. Amount of data lost
    2. Money
    3. Amount of property lost
    4. Number of people affected

  97. You are the security officer for a small nonprofit organization. You are tasked with performing a risk assessment for your organization; you have one month to complete it. The IT personnel you work with have been with the organization for many years and have built the systems and infrastructure from the ground up. They have little training and experience in the field of risk. Which type of risk assessment would you choose to conduct?

    1. Quantitative
    2. Qualitative
    3. Pro forma
    4. Informal

  98. Which of the following is most useful in determining the single loss expectancy (SLE) of an asset?

    1. The frequency with which you expect that type of loss to occur
    2. The dollar value of the asset
    3. The sensitivity of the asset
    4. The size and scope of the asset

  99. Which of the following will likely best help you predict the annualized rate of occurrence (ARO) of a specific loss?

    1. Threat intelligence data
    2. Historical data
    3. Vulnerability scans
    4. Aggregation analysis

  100. Which of the following has the most effect on exposure factor (EF)?

    1. The type of threat vector
    2. The source location of the attack
    3. The target of the attack
    4. The jurisdiction where the attack takes place

  101. You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. What is the annualized rate of occurrence (ARO) in this scenario?

    1. 12
    2. $24 million
    3. 1
    4. $10 million

  102. You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. What would you recommend?

    1. Accept the risk of fire, and save money by not spending anything on controls/countermeasures.
    2. Get the fire suppression system.
    3. Get the insurance policy.
    4. It is impossible to decide from this information.

  103. You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. In order to establish the true annualized loss expectancy (ALE), you would need all of the following information except _______________.

    1. The amount of revenue generated by the plant
    2. The rate at which the plant generates revenue
    3. The length of time it would take to rebuild the plant
    4. The amount of product the plant creates

  104. You are a consultant performing an external security review on a large manufacturing firm. You determine that its newest assembly plant, which cost $24 million, could be completely destroyed by a fire but that a fire suppression system could effectively protect the plant. The fire suppression system costs $15 million. An insurance policy that would cover the full replacement cost of the plant costs $1 million per month. The plant generates $2 million of revenue each month. The time to rebuild the plant at the current location is six months. What should you recommend?

    1. Accept the risk of fire, and save money by not spending anything on controls and countermeasures.
    2. Get the fire suppression system.
    3. Get the insurance policy.
    4. It is impossible to decide from this information.

  105. Risk mitigation must always also entail which other method of addressing risk?

    1. Risk acceptance
    2. Risk avoidance
    3. Risk transfer
    4. Risk attenuation

  106. Which of the following poses a secondary risk?

    1. Fire exit signs
    2. Oxygen-displacing fire suppression
    3. Automated fire detection systems
    4. Fail-safe fire egress paths

  107. Which of the following is not true about risk mitigation?

    1. A given control/countermeasure should never cost more than the impact of the risk it mitigates.
    2. Risk cannot be reduced to zero.
    3. The end state of risk mitigation is risk at a tolerable level.
    4. Risk mitigation is always the best means to address risk.

  108. Which of the following is not true about risk mitigation?

    1. The cost of the control/countermeasure per year is simple: the overall cost (of acquisition, implementation, and maintenance) divided by life span, in years.
    2. Ignoring risk is not risk mitigation; ignoring risk is risk acceptance.
    3. The cost of mitigation can be compared against the cost of a control/countermeasure to determine the optimum course of action.
    4. Risk is fluid, so all risk assessments are pointless.

  109. Which comes first?

    1. Accreditation
    2. Operation
    3. Maintenance
    4. Certification

  110. The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is required for federal agencies in the United States. Which of the following is not a characteristic of the RMF?

    1. Automation of controls wherever possible
    2. Focuses on continual improvement and near real-time risk management
    3. Is based on cost metrics and perceived threats
    4. Links risk management at the process level to risk management at the managerial level

  111. Symmetric encryption involves _______________.

    1. Two key pairs, mathematically related
    2. Unknown parties, sharing information
    3. Signed certificates
    4. A shared secret

  112. Symmetric encryption involves _______________.

    1. The Diffie-Hellman key exchange
    2. Passing keys out of band
    3. Mathematically related key pairs
    4. A one-way mathematical algorithm for validating messages
