Chapter 5
Domain 5.0: Compliance and Assessment

EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 5.1 Understand the importance of data privacy and protection.
    • Privacy vs. security
    • Non-technical controls
    • Technical controls
  • 5.2 Given a scenario, apply security concepts in support of organizational risk mitigation.
    • Business impact analysis
    • Risk identification process
    • Risk calculation
    • Communication of risk factors
    • Risk prioritization
    • Systems assessment
    • Documented compensating controls
    • Training and exercises
    • Supply chain assessment
  • 5.3 Explain the importance of frameworks, policies, procedures, and controls.
    • Frameworks
    • Policies and procedures
    • Category
    • Control type
    • Audits and assessments

  1. Victoria's organization is concerned that end users do not understand the levels of security protection that apply to each type of information that they handle. What security control would best address this need?
    1. Ownership
    2. Classification
    3. Retention
    4. Confidentiality
  2. Ken learns that an APT group is targeting his organization. What term best describes this situation?
    1. Risk
    2. Threat
    3. Countermeasure
    4. Vulnerability
  3. Walt is assessing his organization against the HIPAA security framework. The HIPAA security rule allows the organization to select controls that are appropriate for the organization's business environment. What term best describes this approach?
    1. Prescriptive
    2. Minimal
    3. Optional
    4. Risk-based
  4. Which one of the following activities is least likely to occur during the risk identification process?
    1. Network segmentation
    2. Threat intelligence
    3. Vulnerability scanning
    4. System assessments
  5. What two factors are weighted most heavily when determining the severity of a risk?
    1. Probability and magnitude
    2. Likelihood and probability
    3. Magnitude and impact
    4. Impact and control
  6. Preemployment background screening is an example of what type of security control?
    1. Detective
    2. Preventive
    3. Corrective
    4. Compensating
  7. Roland received a security assessment report from a third-party assessor, and it indicated that one of the organization's web applications is susceptible to an OAuth redirect attack. What type of attack would this vulnerability allow an attacker to wage?
    1. Privilege escalation
    2. Cross-site scripting
    3. SQL injection
    4. Impersonation
  8. Manish recently verified that the cash registers in his retail stores are printing only the last four digits of credit card numbers on receipts, replacing all of the other digits with asterisks. The receipt does contain the customer's name and signature. What type of control has he implemented?
    1. Tokenization
    2. Purging
    3. Masking
    4. Deidentification
  9. Renee is conducting due diligence on a potential vendor. Which one of the following information sources would be most useful to her?
    1. Marketing brochure
    2. Conversation with the vendor's security team
    3. Independent audit results
    4. List of security standards in use
  10. Which one of the following objectives is least relevant to HIPAA compliance programs?
    1. Confidentiality
    2. Privacy
    3. Nonrepudiation
    4. Availability

    Questions 11–13 refer to the following scenario.

    Gary recently conducted a comprehensive security review of his organization. He identified the 25 top risks to the organization and is pursuing different risk management strategies for each of these risks. In some cases, he is using multiple strategies to address a single risk. His goal is to reduce the overall level of risk so that it lies within his organization's risk tolerance.

  11. Gary decides that the organization should integrate a threat intelligence feed with the firewall. What type of risk management strategy is this?
    1. Risk mitigation
    2. Risk acceptance
    3. Risk transference
    4. Risk avoidance
  12. Gary discovers that his organization is storing some old files in a cloud service that are exposed to the world. He deletes those files. What type of risk management strategy is this?
    1. Risk mitigation
    2. Risk acceptance
    3. Risk transference
    4. Risk avoidance
  13. Gary is working with his financial team to purchase a cyber-liability insurance policy to cover the financial impact of a data breach. What type of risk management strategy is he using?
    1. Risk mitigation
    2. Risk acceptance
    3. Risk transference
    4. Risk avoidance
  14. Sadiq is the CIO of a midsized company and is concerned that someone on the IT team may be embezzling funds from the organization by modifying database contents in an unauthorized fashion. Which group could investigate this while providing the best balance among cost, effectiveness, and independence?
    1. Internal assessment by the IT manager
    2. Internal audit
    3. External audit
    4. Law enforcement
  15. Deepa recently accepted a new position as a cybersecurity analyst for a privately held bank. Which one of the following regulations will have the greatest impact on her cybersecurity program?
    1. HIPAA
    2. GLBA
    3. FERPA
    4. SOX
  16. Alfonso is reviewing the ways that his organization uses personal information and ensuring that they are compliant with the disclosures made in their privacy policy. What term best describes this activity?
    1. Data retention
    2. Data disposal
    3. Data minimization
    4. Purpose limitation
  17. Florian is designing an encryption strategy for his organization. When selecting an encryption key length, he decides on a shorter key to minimize processor consumption. The key length is within his organization's security standards, but it is not the maximum key length supported by the device. The organization is a HIPAA-covered entity. Which one of the following statements best describes this approach?
    1. This introduces an unnecessary level of security risk because it is not using the full security capabilities of the device.
    2. This is an acceptable engineering trade-off.
    3. This approach likely violates the organization's security policies.
    4. Regardless of whether the approach violates the organization's internal policies, it is likely a HIPAA violation.
  18. Brandy works in an organization that is adopting the ITIL service management strategy. Which ITIL core activity includes security management as a process?
    1. Service strategy
    2. Service design
    3. Service transition
    4. Service operation
  19. What type of exercise gathers teams together to plan a response to a hypothetical situation without actually activating an incident response effort?
    1. Checklist review
    2. Tabletop exercise
    3. Full interruption test
    4. Parallel test
  20. Oskar uses an infrastructure-as-a-service (IaaS) provider and faces limits on the regions that he may use within that service. His organization is concerned that placing data in datacenters located within the European Union would subject it to the EU's General Data Protection Regulation (GDPR). What type of concern does this policy address?
    1. Data minimization
    2. Data sovereignty
    3. Purpose limitation
    4. Data retention
  21. Which one of the following events is least likely to trigger the review of an organization's information security program?
    1. Security incident
    2. Changes in compliance obligations
    3. Changes in team members
    4. Changes in business processes
  22. Which one of the following risk management strategies is most likely to limit the probability of a risk occurring?
    1. Risk acceptance
    2. Risk avoidance
    3. Risk transference
    4. Risk mitigation
  23. Roger is the CISO for a midsized manufacturing firm. His boss, the CIO, recently returned from a meeting of the board of directors where she had an in-depth discussion about cybersecurity. One member of the board, familiar with International Organization for Standardization (ISO) standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director's question?
    1. ISO 9000
    2. ISO 17799
    3. ISO 27001
    4. ISO 30170

    Questions 24–26 refer to the following scenario.

    Martin is developing the security infrastructure for a new business venture that his organization is launching. The business will be developing new products that are considered trade secrets, and it is of the utmost importance that the plans for those products not fall into the hands of competitors.

  24. Martin would like to take steps to confirm the reliability of employees and avoid situations where employees might be susceptible to blackmail attempts to obtain the plans. Which one of the following controls would be most effective to achieve that goal?
    1. Firewall
    2. DLP system
    3. Background investigation
    4. Nondisclosure agreement
  25. Martin would like to install a network control that would block the potential exfiltration of sensitive information from the venture's facility. Which one of the following controls would be most effective to achieve that goal?
    1. IPS
    2. DLP system
    3. Firewall
    4. IDS
  26. Several employees will need to travel with sensitive information on their laptops. Martin is concerned that one of those laptops may be lost or stolen. Which one of the following controls would best protect the data on stolen devices?
    1. FDE
    2. Strong passwords
    3. Cable lock
    4. IPS
  27. Saanvi would like to reduce the probability of a data breach that affects sensitive personal information. Which one of the following controls is most likely to achieve that objective?
    1. Minimizing the amount of data retained and the number of places where it is stored
    2. Limiting the purposes for which data may be used
    3. Purchasing cyber-risk insurance
    4. Installing a new firewall
  28. Kwame recently completed a risk assessment and is concerned that the level of residual risk exceeds his organization's risk tolerance. What should he do next?
    1. Have a discussion with his manager
    2. Implement new security controls
    3. Modify business processes to lower risk
    4. Purge data from systems
  29. Which one of the following is not one of the four domains of COBIT control objectives?
    1. Plan and Organize
    2. Acquire and Implement
    3. Design and Secure
    4. Deliver and Support
  30. Mia discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?
    1. NDA
    2. AUP
    3. Data ownership
    4. Data classification

    Questions 31–36 refer to the following scenario.

    Alan is a risk manager for Acme University, a higher education institution located in the western United States. He is concerned about the threat that an earthquake will damage his organization's primary datacenter. He recently undertook a replacement cost analysis and determined that the datacenter is valued at $10 million.

    After consulting with seismologists, Alan determined that an earthquake is expected in the area of the datacenter once every 200 years. Datacenter specialists and architects helped him determine that an earthquake would likely cause $5 million in damage to the facility.

  31. Based on the information in this scenario, what is the exposure factor (EF) for the effect of an earthquake on Acme University's datacenter?
    1. 10%
    2. 25%
    3. 50%
    4. 75%
  32. Based on the information in this scenario, what is the annualized rate of occurrence (ARO) for an earthquake at the datacenter?
    1. 0.0025
    2. 0.005
    3. 0.01
    4. 0.015
  33. Based on the information in this scenario, what is the annualized loss expectancy (ALE) for an earthquake at the datacenter?
    1. $25,000
    2. $50,000
    3. $250,000
    4. $500,000
  34. Referring to the previous scenario, if Alan's organization decides to move the datacenter to a location where earthquakes are not a risk, what risk management strategy are they using?
    1. Risk mitigation
    2. Risk avoidance
    3. Risk acceptance
    4. Risk transference
  35. Referring to the previous scenario, if the organization decides not to relocate the datacenter but instead purchases an insurance policy to cover the replacement cost of the datacenter, what risk management strategy are they using?
    1. Risk mitigation
    2. Risk avoidance
    3. Risk acceptance
    4. Risk transference
  36. Referring to the previous scenario, assume that the organization decides that relocation is too difficult and the insurance is too expensive. They instead decide that they will carry on despite the risk of earthquake and handle the impact if it occurs. What risk management strategy are they using?
    1. Risk mitigation
    2. Risk avoidance
    3. Risk acceptance
    4. Risk transference
  37. Under the U.S. government's data classification scheme, which one of the following is the lowest level of classified information?
    1. Private
    2. Top Secret
    3. Confidential
    4. Secret
  38. When using a data loss prevention (DLP) system, which of the following statements best describes the purpose of labeling data with classifications?
    1. DLP systems can adjust classifications dynamically as needs change.
    2. DLP systems can use labels to apply appropriate security policies.
    3. DLP systems can use labels to perform file access control.
    4. DLP systems can use labels to perform data minimization tasks.
  39. Carlos is preparing a password policy for his organization and would like it to be fully compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the minimum password length required by PCI DSS?
    1. 7 characters
    2. 8 characters
    3. 10 characters
    4. 12 characters
  40. Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that occur despite the presence of other security controls. Which one of the following controls is best suited to meet Colin's need?
    1. Separation of duties
    2. Least privilege
    3. Dual control
    4. Mandatory vacations
  41. Singh would like to apply encryption to protect data in transit from his web server to remote users. What technology would best fulfill this need?
    1. SSL
    2. DLP
    3. FDE
    4. TLS
  42. Rob is an auditor reviewing the payment process used by a company to issue checks to vendors. He notices that Helen, a staff accountant, is the person responsible for creating new vendors. Norm, another accountant, is responsible for issuing payments to vendors. Helen and Norm are cross-trained to provide backup for each other. What security issue, if any, exists in this situation?
    1. Least privilege violation
    2. Separation of duties violation
    3. Dual control violation
    4. No issue
  43. Mei recently completed a risk management review and identified that the organization is susceptible to a man-in-the-middle attack. After review with her manager, they jointly decided that accepting the risk is the most appropriate strategy. What should Mei do next?
    1. Implement additional security controls
    2. Design a remediation plan
    3. Repeat the business impact assessment
    4. Document the decision
  44. Robin is planning to conduct a risk assessment in her organization. She is concerned that it will be difficult to perform the assessment because she needs to include information about both tangible and intangible assets. What would be the most effective risk assessment strategy for her to use?
    1. Quantitative risk assessment
    2. Qualitative risk assessment
    3. Combination of quantitative and qualitative risk assessment
    4. Neither quantitative nor qualitative risk assessment
  45. Barry's organization is running a security exercise and Barry was assigned to conduct offensive operations. What term best describes Barry's role in the process?
    1. Red team
    2. Black team
    3. Blue team
    4. White team
  46. Vlad's organization recently suffered an attack in which a senior system administrator executed some malicious commands and then deleted the log files that recorded his activity. Which one of the following controls would best mitigate the risk of this activity recurring in the future?
    1. Separation of duties
    2. Two-person control
    3. Job rotation
    4. Security awareness
  47. Vlad's organization recently underwent a security audit that resulted in a finding that the organization fails to promptly remove the accounts associated with users who have left the organization. This resulted in at least one security incident where a terminated user logged into a corporate system and took sensitive information. What identity and access management control would best protect against this risk?
    1. Automated deprovisioning
    2. Quarterly user account reviews
    3. Separation of duties
    4. Two-person control
  48. Jay is the CISO for his organization and is responsible for conducting periodic reviews of the organization's information security policy. The policy was written three years ago and has undergone several minor revisions after audits and assessments. Which one of the following would be the most reasonable frequency to conduct formal reviews of the policy?
    1. Monthly
    2. Quarterly
    3. Annually
    4. Every five years
  49. Terri is undertaking a risk assessment for her organization. Which one of the following activities would normally occur first?
    1. Risk identification
    2. Risk calculation
    3. Risk mitigation
    4. Risk management
  50. Ang is selecting an encryption technology for use in encrypting the contents of a USB drive. Which one of the following technologies would best meet his needs?
    1. TLS
    2. DES
    3. AES
    4. SSL
  51. Suki's organization has a policy that restricts them from doing any business with any customer that would subject them to the terms of the General Data Protection Regulation (GDPR). Which one of the following controls would best help them achieve this objective?
    1. Encryption
    2. Tokenization
    3. Geographic access requirements
    4. Data sovereignty
  52. Vivian would like to be able to identify files that originated in her organization but were later copied. What security control would best achieve this objective?
    1. Encryption
    2. Data masking
    3. Watermarking
    4. Tokenization
  53. Kai is attempting to determine whether he can destroy a cache of old records that he discovered. What type of policy would most directly answer his question?
    1. Data ownership
    2. Data classification
    3. Data minimization
    4. Data retention
  54. Fences are a widely used security control that can be described by several different control types. Which one of the following control types would least describe a fence?
    1. Deterrent
    2. Corrective
    3. Preventive
    4. Physical
  55. Ian is designing an authorization scheme for his organization's deployment of a new accounting system. He is considering putting a control in place that would require that two accountants approve any payment request over $100,000. What security principle is Ian seeking to enforce?
    1. Security through obscurity
    2. Least privilege
    3. Separation of duties
    4. Dual control
  56. Which one of the following frameworks best helps organizations design IT processes that fit together seamlessly?
    1. NIST CSF
    2. ITIL
    3. COBIT
    4. ISO 27001
  57. Carmen is working with a new vendor on the design of a penetration test. She would like to ensure that the vendor does not conduct any physical intrusions as part of their testing. Where should Carmen document this requirement?
    1. Rules of engagement
    2. Service level agreement
    3. Nondisclosure agreement
    4. Counterparty agreement
  58. Which one of the following categories best describes information protected by HIPAA?
    1. PII
    2. SPI
    3. PHI
    4. PCI DSS
  59. In a data management program, which role bears ultimate responsibility for the safeguarding of sensitive information?
    1. Data owner
    2. System owner
    3. Business owner
    4. Data custodian
  60. Lakshman is investigating the data management techniques used to protect sensitive information in his organization's database and comes across the database table shown here. What data management technique is most likely being used?
    [Figure: database table showing how the sensitive values are stored; the image is not reproduced here.]
    1. Masking
    2. Encryption
    3. Minimization
    4. Tokenization
  61. Lakshman continues to explore the database and finds another copy of the table in a different system that stores information as shown here. What technique was most likely used in this system?
    [Figure: the second system's copy of the table showing how its values are stored; the image is not reproduced here.]
    1. Masking
    2. Encryption
    3. Minimization
    4. Tokenization
  62. After reviewing the systems, Lakshman discovers a printed roster of employees that contains the information shown in this image. What type of data protection has most likely been applied to this report?
    [Figure: printed employee roster showing the protected values; the image is not reproduced here.]
    1. Masking
    2. Encryption
    3. Minimization
    4. Tokenization
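    Questions 8 and 60–62 turn on being able to tell masked, tokenized, and minimized data apart by what is left in the stored value. The following Python is an added illustration, not part of the question bank, showing the three transformations side by side on a constructed customer table; the field names and the in-memory TokenVault are assumptions for the example (a real vault is a separately secured service), and encryption is omitted because the standard library carries no block cipher.

```python
# Added illustration, not part of the question bank: how the same sensitive
# field looks after masking, tokenization and minimization. The customer
# table, field names and the in-memory TokenVault are constructed for this
# example; a real vault would be a separately secured service.
import secrets
import string

# Constructed sample data: a retail customer table holding card numbers (PANs).
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.test", "pan": "4111111111111111"},
    {"name": "B. Example", "email": "b@example.test", "pan": "5500000000000004"},
]


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masking: hide every digit except the last `keep_last`, as on a receipt.

    The hidden digits are gone for good; nothing can recover them from the
    masked string, which is why it is safe to print.
    """
    if len(pan) <= keep_last:
        return pan
    return "*" * (len(pan) - keep_last) + pan[-keep_last:]


class TokenVault:
    """Tokenization: swap the PAN for a random surrogate of the same shape.

    The token carries no information about the PAN; the only way back is the
    mapping held here, so the vault (not the token) is what needs protecting.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:          # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(string.digits) for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def minimize(record: dict, needed: tuple[str, ...]) -> dict:
    """Minimization: keep only the fields a stated purpose actually needs."""
    return {k: v for k, v in record.items() if k in needed}


def masked_copy(rows: list[dict]) -> list[dict]:
    return [{**r, "pan": mask_pan(r["pan"])} for r in rows]


def tokenized_copy(rows: list[dict], vault: TokenVault) -> list[dict]:
    return [{**r, "pan": vault.tokenize(r["pan"])} for r in rows]


def minimized_copy(rows: list[dict], needed: tuple[str, ...] = ("name", "email")) -> list[dict]:
    return [minimize(r, needed) for r in rows]


def looks_masked(value: str) -> bool:
    """A masked value still shows the redaction characters; a token does not."""
    return "*" in value


if __name__ == "__main__":
    vault = TokenVault()
    print("masked:   ", masked_copy(CUSTOMERS))
    print("tokenized:", tokenized_copy(CUSTOMERS, vault))
    print("minimized:", minimized_copy(CUSTOMERS))
```

    The distinguishing marks are what the questions test: a masked column still shows the asterisks and the retained digits, a tokenized column holds plausible-looking values that resolve only through the vault, and a minimized copy simply does not carry the sensitive column at all.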
  63. The board of directors of Kate's company recently hired an independent firm to review the state of the organization's security controls and certify those results to the board. What term best describes this engagement?
    1. Assessment
    2. Control review
    3. Gap analysis
    4. Audit
  64. Gavin is drafting a document that provides a detailed step-by-step process that users may follow to connect to the VPN from remote locations. Alternatively, users may ask IT to help them configure the connection. What term best describes this document?
    1. Policy
    2. Procedure
    3. Standard
    4. Guideline
  65. Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?
    1. Respond
    2. Recover
    3. Protect
    4. Review
  66. Which one of the following security controls is designed to help provide continuity for security responsibilities?
    1. Succession planning
    2. Separation of duties
    3. Mandatory vacation
    4. Dual control
  67. After conducting a security review, Oskar determined that his organization is not conducting regular backups of critical data. What term best describes the type of control gap that exists in Oskar's organization?
    1. Preventive
    2. Corrective
    3. Detective
    4. Deterrent
  68. Tim is helping his organization shift resources to the cloud. He is conducting vendor due diligence on the organization's IaaS provider. Which one of the following risks is this effort most likely to reduce?
    1. Security group misconfiguration
    2. Operating system misconfiguration
    3. Data exfiltration
    4. Provider viability
  69. Carla is reviewing the cybersecurity policies used by her organization. What policy might she put in place as a failsafe to cover employee behavior situations where no other policy directly applies?
    1. Data monitoring policy
    2. Account management policy
    3. Code of conduct
    4. Data ownership policy
  70. Which one of the following items is not normally included in a request for an exception to security policy?
    1. Description of a compensating control
    2. Description of the risks associated with the exception
    3. Proposed revision to the security policy
    4. Business justification for the exception
  71. Mike's organization adopted the COBIT standard, and Mike would like to find a way to measure their progress toward implementation. Which one of the following COBIT components is useful as an assessment tool?
    1. Process descriptions
    2. Control objectives
    3. Management guideline
    4. Maturity models
  72. What policy should contain provisions for removing user access upon termination?
    1. Data ownership policy
    2. Data classification policy
    3. Data retention policy
    4. Account management policy
  73. Suki is the CISO at a major nonprofit hospital group. Which one of the following regulations most directly covers the way that her organization handles medical records?
    1. HIPAA
    2. FERPA
    3. GLBA
    4. SOX

    Questions 74–76 refer to the following scenario.

    Karen is the CISO of a major manufacturer of industrial parts. She is currently performing an assessment of the firm's financial controls, with an emphasis on implementing security practices that will reduce the likelihood of theft from the firm.

  74. Karen would like to ensure that the same individual is not able to both create a new vendor in the system and authorize a payment to that vendor. She is concerned that an individual who could perform both of these actions would be able to send payments to false vendors. What type of control should Karen implement?
    1. Mandatory vacations
    2. Separation of duties
    3. Job rotation
    4. Two-person control
  75. The accounting department has a policy that requires the signatures of two individuals on checks valued over $5,000. What type of control do they have in place?
    1. Mandatory vacations
    2. Separation of duties
    3. Job rotation
    4. Two-person control
  76. Karen would also like to implement controls that would help detect potential malfeasance by existing employees. Which one of the following controls is least likely to detect malfeasance?
    1. Mandatory vacations
    2. Background investigations
    3. Job rotation
    4. Privilege use reviews
  77. Chris is concerned about the possibility that former employees will disclose sensitive personal information about customers to unauthorized individuals. What is the best mechanism that Chris can use to manage this risk?
    1. NDA
    2. AUP
    3. Privacy policy
    4. Data ownership policy
  78. Kevin is conducting a security exercise for his organization that uses both offensive and defensive operations. His role is to serve as the moderator of the exercise and to arbitrate disputes. What role is Kevin playing?
    1. White team
    2. Red team
    3. Swiss team
    4. Blue team
  79. Dan is the chief information security officer (CISO) for a bank in the United States. What law most directly governs the personal customer information that his bank handles?
    1. HIPAA
    2. PCI DSS
    3. GLBA
    4. SOX
  80. Bohai is concerned about access to the master account for a cloud service that his company uses to manage payment transactions. He decides to implement a new process for multifactor authentication to that account where an individual on the IT team has the password to the account, while an individual in the accounting group has the token. What security principle is Bohai using?
    1. Dual control
    2. Separation of duties
    3. Least privilege
    4. Security through obscurity
  81. Tina is preparing for a penetration test and is working with a new vendor. She wants to make sure that the vendor understands exactly what technical activities are permitted within the scope of the test. Where should she document these requirements?
    1. MOA
    2. Contract
    3. RoE
    4. SLA
  82. Azra is reviewing a draft of the Domer Doodads information security policy and finds that it contains the following statements. Which one of these statements would be more appropriately placed in a different document?
    1. Domer Doodads designates the Chief Information Security Officer as the individual with primary responsibility for information security.
    2. The Chief Information Security Officer is granted the authority to create specific requirements that implement this policy.
    3. All access to financial systems must use multifactor authentication for remote connections.
    4. Domer Doodads considers cybersecurity and compliance to be of critical importance to the business.
  83. Ben is conducting an assessment of an organization's cybersecurity program using the NIST Cybersecurity Framework. He is specifically interested in the organization's external participation and determines that the organization has a good understanding of how it relates to customers on cybersecurity matters but does not yet have a good understanding of similar relationships with suppliers. What tier rating is appropriate for this measure?
    1. Partial
    2. Risk Informed
    3. Repeatable
    4. Adaptive
  84. Which one of the following security policy framework documents never includes mandatory employee compliance?
    1. Policy
    2. Guideline
    3. Procedure
    4. Standard
  85. Kaitlyn is on the red team during a security exercise and she has a question about whether an activity is acceptable under the exercise's rules of engagement. Who would be the most appropriate person to answer her question?
    1. Red team leader
    2. White team leader
    3. Blue team leader
    4. Kaitlyn should act without external advice.
  86. Quinn encounters a document that contains information that is not intended for use outside of his company but would generally not cause any serious damage if accidentally disclosed. What data classification would be most appropriate for this document?
    1. Internal
    2. Sensitive
    3. Highly Sensitive
    4. Public

    Questions 87–91 refer to the following scenario.

    Seamus is conducting a business impact assessment for his organization. He is attempting to determine the risk associated with a denial-of-service attack against his organization's datacenter.

    Seamus consulted with various subject matter experts and determined that the attack would not cause any permanent damage to equipment, applications, or data. The primary damage would come in the form of lost revenue. Seamus believes that the organization would lose $75,000 in revenue during a successful attack.

    Seamus also consulted with his threat management vendor, who considered the probability of a successful attack against his organization and determined that there is a 10% chance of a successful attack in the next 12 months.

  87. What is the ARO for this assessment?
    1. 0.8%
    2. 10%
    3. 12%
    4. 100%
  88. What is the SLE for this scenario?
    1. $625
    2. $6,250
    3. $7,500
    4. $75,000
  89. What is the ALE for this scenario?
    1. $625
    2. $6,250
    3. $7,500
    4. $75,000
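    The earthquake scenario (questions 31–33) and the denial-of-service scenario (questions 87–89) both rest on the same four quantities: exposure factor, single loss expectancy, annualized rate of occurrence, and annualized loss expectancy. The Python below is an added worked example, not part of the question bank, that applies those formulas to the figures given in the two scenarios; the post-control ARO and annual control cost used in `ddos_protection_check()` are assumed numbers included only to show how the ALE feeds a cost/benefit decision about a control such as the DDoS protection service in question 90.

```python
# Added worked example, not part of the question bank: the quantitative risk
# formulas (EF, SLE, ARO, ALE) applied to the earthquake and denial-of-service
# scenarios above. Asset value, loss and frequency figures are taken from the
# scenario text; the control cost and post-control ARO in
# ddos_protection_check() are assumed figures for illustration only.


def exposure_factor(asset_value: float, loss_per_event: float) -> float:
    """EF: fraction of the asset's value lost in a single event."""
    return loss_per_event / asset_value


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = AV x EF, the cost of one occurrence."""
    return asset_value * ef


def annualized_rate_of_occurrence(events: float, years: float = 1.0) -> float:
    """ARO: expected occurrences per year.

    'Once every 200 years' is 1/200; 'a 10% chance in the next 12 months'
    is 0.10 events per year.
    """
    return events / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year."""
    return sle * aro


def earthquake_scenario() -> dict:
    asset_value = 10_000_000        # replacement cost of the datacenter
    loss_per_event = 5_000_000      # damage one earthquake would cause
    ef = exposure_factor(asset_value, loss_per_event)
    sle = single_loss_expectancy(asset_value, ef)
    aro = annualized_rate_of_occurrence(events=1, years=200)
    return {"EF": ef, "SLE": sle, "ARO": aro, "ALE": annualized_loss_expectancy(sle, aro)}


def ddos_scenario() -> dict:
    # No lasting damage to equipment or data, so the loss per event is the
    # revenue lost during one successful attack and that figure is the SLE.
    sle = 75_000
    aro = annualized_rate_of_occurrence(events=0.10, years=1)
    return {"SLE": sle, "ARO": aro, "ALE": annualized_loss_expectancy(sle, aro)}


def control_is_worthwhile(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost/benefit test: a control pays for itself only when the ALE it
    removes exceeds what it costs each year."""
    return (ale_before - ale_after) > annual_cost


def ddos_protection_check(post_control_aro: float = 0.02, annual_cost: float = 4_000) -> bool:
    """ASSUMED figures: a DDoS service that cuts the ARO to 2% for $4,000 a year.
    A preventive control lowers the ARO; the SLE of a successful attack is unchanged."""
    before = ddos_scenario()
    after_ale = annualized_loss_expectancy(before["SLE"], post_control_aro)
    return control_is_worthwhile(before["ALE"], after_ale, annual_cost)


if __name__ == "__main__":
    print("earthquake:", earthquake_scenario())
    print("ddos:      ", ddos_scenario())
    print("DDoS protection worthwhile under assumed figures:", ddos_protection_check())
```

    The point worth keeping from the two cases is which input each scenario actually gives you: the earthquake scenario supplies an asset value and a damage figure, so the EF and SLE are derived, while the denial-of-service scenario supplies the loss per event directly, so the SLE is given and only the ARO and ALE remain to be computed.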
  90. Seamus is considering purchasing a DDoS protection system that would reduce the likelihood of a successful attack. What type of control is he considering?
    1. Detective
    2. Corrective
    3. Preventive
    4. Deterrent
  91. Seamus wants to make sure that he can accurately describe the category of the DDoS protection service to auditors. Which term best describes the category of this control?
    1. Compensating
    2. Physical
    3. Operational
    4. Technical
  92. Piper's organization handles credit card information and is, therefore, subject to the Payment Card Industry Data Security Standard (PCI DSS). What term best describes this standard?
    1. Prescriptive
    2. Minimal
    3. Optional
    4. Risk-based
  93. As Piper attempts to implement the PCI DSS requirements, she discovers that she is unable to meet one of the requirements because of a technical limitation in her point-of-sale system. She decides to work with regulators to implement a second layer of logical isolation to protect this system from the Internet to allow its continued operation despite not meeting one of the requirements. What term best describes the type of control Piper has implemented?
    1. Physical control
    2. Operational control
    3. Compensating control
    4. Deterrent control
  94. When Piper implements this new isolation technology, what type of risk management action is she taking?
    1. Risk acceptance
    2. Risk avoidance
    3. Risk transference
    4. Risk mitigation
  95. What is the proper ordering of the NIST Cybersecurity Framework tiers, from least mature to most mature?
    1. Partial; Repeatable; Risk Informed; Adaptive
    2. Risk Informed; Partial; Adaptive; Repeatable
    3. Risk Informed; Partial; Repeatable; Adaptive
    4. Partial; Risk Informed; Repeatable; Adaptive
  96. Ruth is helping a business leader determine the appropriate individuals to consult about sharing information with a third-party organization. Which one of the following policies would likely contain the most relevant guidance for her?
    1. Data retention policy
    2. Information security policy
    3. Data validation policy
    4. Data ownership policy
  97. Samantha is investigating a cybersecurity incident where an internal user used his computer to participate in a denial-of-service attack against a third party. What type of policy was most likely violated?
    1. AUP
    2. SLA
    3. BCP
    4. Information classification policy
  98. Ryan is compiling a list of allowable encryption algorithms for use in his organization. What type of document would be most appropriate for this list?
    1. Policy
    2. Standard
    3. Guideline
    4. Procedure
  99. Julie is refreshing her organization's cybersecurity program using the NIST Cybersecurity Framework. She would like to use a template that describes how a specific organization might approach cybersecurity matters. What element of the NIST Cybersecurity Framework would best meet Julie's needs?
    1. Framework Scenarios
    2. Framework Core
    3. Framework Implementation Tiers
    4. Framework Profiles
  100. What types of organizations are required to adopt the ISO 27001 standard for cybersecurity?
    1. Healthcare organizations
    2. Financial services firms
    3. Educational institutions
    4. None of the above
  101. During the design of an identity and access management authorization scheme, Katie took steps to ensure that members of the security team who can approve database access requests do not have access to the database themselves. What security principle is Katie most directly enforcing?
    1. Least privilege
    2. Separation of duties
    3. Dual control
    4. Security through obscurity
  102. Which one of the following controls is useful to both facilitate the continuity of operations and serve as a deterrent to fraud?
    1. Succession planning
    2. Dual control
    3. Cross-training
    4. Separation of duties
  103. Which one of the following requirements is often imposed by organizations as a way to achieve their original control objective when they approve an exception to a security policy?
    1. Documentation of scope
    2. Limited duration
    3. Compensating control
    4. Business justification
  104. In the ITIL service life cycle shown here, what core activity is represented by the X?
    Schematic illustration of the ITIL service life cycle.
    1. Continual service improvement
    2. Service design
    3. Service operation
    4. Service transition
  105. Berta is reviewing the security procedures surrounding the use of a cloud-based online payment service by her company. She set the access permissions for this service so that the same person cannot add funds to the account and transfer funds out of the account. What security principle is most closely related to Berta's action?
    1. Least privilege
    2. Security through obscurity
    3. Separation of duties
    4. Dual control
  106. Thomas found himself in the middle of a dispute between two different units in his business that are arguing over whether one unit may analyze data collected by the other. What type of policy would most likely contain guidance on this issue?
    1. Data ownership policy
    2. Data classification policy
    3. Data retention policy
    4. Account management policy
  107. Mara is designing a new data mining system that will analyze access control logs for signs of unusual login attempts. Any suspicious logins will be automatically locked out of the system. What type of control is Mara designing?
    1. Physical control
    2. Operational control
    3. Managerial control
    4. Technical control
  108. Which one of the following elements is least likely to be found in a data retention policy?
    1. Minimum retention period for data
    2. Maximum retention period for data
    3. Description of information to retain
    4. Classification of information elements
  109. Which one of the following issues would be better classified as a privacy issue, rather than a security issue?
    1. Use of information for a purpose other than was originally disclosed
    2. Unpatched vulnerability on a web server
    3. Improper file permissions for a group of employees
    4. Accidental destruction of backup media
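The quantitative risk questions above (87 through 91) rest on three definitions: SLE = asset value × exposure factor, ARO = expected occurrences per year, and ALE = SLE × ARO. The following Python is an added example, not code from the book or its authors; it carries Seamus's figures ($75,000 revenue loss, no permanent damage, 10% chance in 12 months) through those formulas and then uses the ALE to judge whether a preventive control such as the DDoS protection system is worth buying. The control costs, residual probabilities, and the `Control` class are assumptions introduced for illustration, and the `window_months` parameter goes beyond the scenario to show why dividing the yearly probability by 12 (the 0.8% distractor) gives a monthly rate rather than an ARO.

```python
"""Risk calculation helpers: SLE, ARO and ALE, plus a cost/benefit check for a
proposed control. Added example; the Seamus DDoS scenario figures come from the
practice questions, while the control costs and residual probabilities are assumed."""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(probability: float, window_months: float = 12) -> float:
    """Scale a probability observed over `window_months` to a 12-month rate.

    A 10% chance in 12 months is an ARO of 0.10; a 10% chance in 6 months is
    roughly 0.20 per year (linear scaling). Dividing the yearly figure by 12
    would give a monthly rate, which is not what ALE uses. ARO may exceed 1.0
    when an event is expected more than once per year.
    """
    if window_months <= 0:
        raise ValueError("window must be positive")
    return probability * (12.0 / window_months)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


@dataclass
class Control:
    """A candidate safeguard. All figures below are assumed, not from the scenario."""
    name: str
    annual_cost: float      # yearly cost of the control
    residual_aro: float     # ARO after the control is in place
    residual_sle: float     # SLE after the control is in place


def control_net_benefit(ale_before: float, control: Control) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard.

    A positive result means the control removes more expected loss than it costs.
    """
    ale_after = annualized_loss_expectancy(control.residual_sle, control.residual_aro)
    return ale_before - ale_after - control.annual_cost


def seamus_scenario() -> dict:
    """Figures from the scenario: $75,000 lost revenue, no permanent damage, 10% in 12 months."""
    # No permanent damage and the full $75,000 of revenue is lost, so EF = 1.0.
    sle = single_loss_expectancy(asset_value=75_000, exposure_factor=1.0)
    aro = annualized_rate_of_occurrence(probability=0.10, window_months=12)
    ale = annualized_loss_expectancy(sle, aro)
    # Assumed (not in the scenario): a DDoS protection service priced below the ALE
    # that cuts the yearly probability to 2%, and an overpriced alternative.
    candidates = [
        Control("DDoS scrubbing service", annual_cost=4_000, residual_aro=0.02, residual_sle=sle),
        Control("Premium mitigation appliance", annual_cost=9_000, residual_aro=0.01, residual_sle=sle),
    ]
    benefits = {c.name: control_net_benefit(ale, c) for c in candidates}
    return {"sle": sle, "aro": aro, "ale": ale, "net_benefit": benefits}


if __name__ == "__main__":
    result = seamus_scenario()
    print(f"SLE = ${result['sle']:,.0f}  ARO = {result['aro']:.2f}  ALE = ${result['ale']:,.0f}")
    for name, benefit in result["net_benefit"].items():
        verdict = "worth buying" if benefit > 0 else "not justified by ALE alone"
        print(f"{name}: net benefit ${benefit:,.0f} ({verdict})")
```

Running the script reproduces the answers to questions 87 through 89 (ARO 0.10, SLE $75,000, ALE $7,500) and shows the cost/benefit step that follows question 90: a control that reduces likelihood is a preventive control, and it is financially justified only when the ALE it removes exceeds its annual cost.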