- Which one of the following risk assessment activities does not require advance authorization from the target organization?
A. Penetration testing
B. Open source reconnaissance
C. Social engineering
D. Vulnerability scanning
- Ryan is developing a security awareness training program and would like to include information about the person employees should approach if they need to clarify who may access different types of information. What role in an organization has this responsibility?
A. Privileged user
B. System owner
C. Data owner
D. Executive user
- Which one of the following statements is not true about security awareness programs?
A. Some categories of employee do not require any security training.
B. System administrators should receive specialized technical training.
C. Awareness training should be customized to a user's role in the organization.
D. Training updates should occur when there are significant new threats.
- Belinda is negotiating with an internet service provider (ISP) regarding the terms of service they will provide to her organization. Belinda would like the agreement to spell out the specific requirements for the service and include financial penalties if the service does not meet those requirements. What tool would best meet Belinda's needs?
A. SLA
B. BPA
C. ISA
D. MOU
- Which one of the following statements about risk management is true?
A. Risk acceptance should only be done after careful analysis of other options.
B. Insurance policies are an example of risk avoidance.
C. Firewalls and intrusion prevention systems are examples of risk avoidance.
D. Risk avoidance is always preferable to risk acceptance.
- Sonia is concerned that users in her organization are connecting to corporate systems over insecure networks and begins a security awareness campaign designed to encourage them to use the VPN. What type of control has Sonia implemented?
A. Technical
B. Administrative
C. Physical
D. Detective
- Greg believes that a recently departed employee is likely to sue the company for employment law violations because the employee threatened to do so during an exit interview. When should the company issue a legal hold to preserve evidence?
A. When the employee issues a formal notice of intent to sue
B. When a lawsuit is filed
C. When they receive a subpoena
D. Immediately
Questions 8 through 11 refer to the following scenario:
Gary is conducting a business impact assessment for his organization. During this assessment, he identifies the risk of a power supply failure in a critical database server. He determines that the power supply is likely to fail once every three years and that it will take two days to obtain and install a replacement part.
After consulting with functional experts, Gary determines that the database server is crucial to business functions and would cause considerable disruption if it were down for more than a day. No new transactions would occur during a failure. In the event of a failure, clerks could retrieve the last four hours of transactions from an application log file and use those to recover lost data. Therefore, it would be acceptable to lose four hours of information prior to the failure.
- What is the MTTR in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the MTBF in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the RTO in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the RPO in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- During an incident response effort, Tony discovers that many systems on his network have different times set on their internal clocks. He wants to avoid the hassle of recording time offsets during future investigations by synchronizing clocks. What protocol would meet this need?
A. NTP
B. TLS
C. SMTP
D. BGP
- Andy is developing requirements for a disaster recovery site and needs to be able to recover operations as quickly as possible. Which one of the following recovery site options provides the quickest activation time?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
- Rhonda is preparing a role-based awareness training program and recently developed a module designed to raise awareness among users of wire transfer fraud schemes where the attacker poses as a business leader seeking to transfer money to a foreign account. Of the following audiences, which would be the most likely to need this training?
A. System administrator
B. Executive user
C. Accounts payable clerk
D. Sales director
- Tom is conducting an incident response effort and believes that a crime may have been committed against his organization involving the theft of intellectual property. Which one of the following statements best describes Tom's obligation based upon the information available at this point?
A. Tom must contact federal law enforcement.
B. Tom must contact local law enforcement.
C. Tom does not have a specific legal obligation to report the incident to anyone outside the organization.
D. Tom must notify customers of the breach.
- Scott's company is entering into a joint venture with another organization and he would like to create a document that spells out the relationship between the two firms. Scott would like the agreement to be enforceable in court. What type of document would be best suited for this task?
A. SLA
B. BPA
C. ISA
D. MOU
- When capturing a system image for forensic purposes, what tool should the analyst use to avoid unintentionally altering the original evidence?
A. Write blocker
B. Imaging software
C. Clean media
D. Labels
- Brenda is a security analyst and is reviewing the alerts that were generated by a content filtering system on her corporate network. She notices that one employee has accessed a large number of sports gambling websites. What action should Brenda take next?
A. Disable the employee's account pending an investigation.
B. Inform the employee that this activity is not acceptable.
C. Consult her manager.
D. Take no action, as this would be an invasion of the employee's privacy.
- Howard is conducting an asset valuation exercise as part of his organization's risk assessment process. He would like to ensure that the valuations included in insurance policies are sufficient to cover the restoration of operations after asset destruction. Which one of the following asset valuation techniques is most appropriate for Howard's use?
A. Replacement cost
B. Original purchase price
C. Depreciated value
D. Subject matter expert estimated value
- Jane is designing an inventory control system and wants to reduce the risk of employee theft. She designs the access controls so that a person who has the ability to order supplies from vendors does not also have the ability to log received shipments into the system. This attempts to prevent someone from ordering supplies, diverting them for their own use, and logging them into the inventory system as received. What principle is Jane most directly enforcing?
A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties
- Jake is helping his organization move out of an office complex they are leaving and has a large quantity of sensitive paper records to dispose of. Which one of the following destruction methods would not be appropriate to sufficiently destroy the information?
A. Degaussing
B. Burning
C. Pulping
D. Shredding
- Consider the NIST incident response process shown here. Which step in the process is indicated by the question mark?
Figure 5.1
A. Post-incident activity
B. Preparation
C. Containment, Eradication, and Recovery
D. Detection and Analysis
- Which one of the following data governance roles would normally be assigned to someone of the most senior rank in the organization?
A. Data custodian
B. Data steward
C. Data owner
D. Data user
- When labeling sensitive information using the US military classification scheme, which one of the following is the lowest level of classification?
A. Confidential
B. Secret
C. Top Secret
D. Top Secret SCI
- Which one of the following categories of information is explicitly governed by HIPAA's security and privacy rules?
A. PDI
B. PCI
C. PII
D. PHI
- Gordon is considering a variety of techniques to remove information stored on hard drives that are being discarded by his company and donated to a charity for reuse. Which one of the following techniques would not be an effective way to meet this goal?
A. Wiping
B. Encryption
C. Degaussing
D. Purging
- Which one of the following activities would not typically be a component of an employee onboarding process?
A. Deprovisioning accounts
B. Security training
C. Computer issuance
D. Credential generation
- Bill is concerned about his organization's practices regarding the timing of disposing records that are no longer necessary for business purposes. Which one of the following policies would be most relevant to this issue?
A. Data retention policy
B. Data encryption standards
C. Data access policy
D. Acceptable use policy
- Which one of the following elements would not be found at a warm disaster recovery site?
A. Computing hardware
B. Electrical infrastructure
C. Current data
D. Software
- Who has the primary responsibility for ensuring that the security requirements for a system are designed in a manner that is consistent with the organization's security policy?
A. System owner
B. Business owner
C. System administrator
D. Data owner
- Kate is conducting an investigation of activity on her network. She is looking for an information source that might provide the identity of the systems that a user connected to and the times of those connections. Which one of the following data sources is LEAST likely to have this information?
A. Wireless access point logs
B. NetFlow logs
C. Firewall logs
D. Content filter logs
- Wanda is developing an incident response team for her organization. Which one of the following individuals would be the best person to have direct oversight of the team's activities?
A. CEO
B. CIO
C. CISO
D. CFO
- Don maintains a database of information about the spending habits of individual consumers. Which term would best describe this information?
A. PHI
B. PII
C. PCI
D. PDI
- Vincent is tasked with establishing a disaster recovery site but is charged with providing bare-bones functionality at a minimal cost. Which option should he consider?
A. Hot site
B. Cold site
C. Warm site
D. Mobile site
- Tom is attempting to comply with a requirement of the Payment Card Industry Data Security Standard (PCI DSS) that requires that credit card information not be stored in a system. He is unable to remove the data due to a variety of technical issues and works with regulators to implement encryption as an interim measure while he is working to fully comply with the requirement. What term best describes this control?
A. Detective control
B. Corrective control
C. Preventive control
D. Compensating control
- Sandy is working with her leadership team on documenting the relationship between her firm and a new partner who will be co-marketing products. They would like to document the relationship between the firms but do so in a less formal way than a contract. Which tool would be the most appropriate for this task?
A. ISA
B. BPA
C. MOU
D. SLA
- Which one of the following disaster recovery exercise types will have the greatest impact on an organization's operations?
A. Parallel test
B. Full interruption test
C. Checklist review
D. Structured walkthrough
- Which one of the following statements is correct about evidence gathering and litigation holds?
A. Attorneys should review documents for privilege during the collection phase.
B. Most litigation holds never move forward to the production phase.
C. System administrators do not need to disable log file deletion during a litigation hold if the deletion process is part of a standard business practice.
D. Corporate attorneys bear primary responsibility for preserving evidence during a litigation hold.
- Harold is designing an access control system that will require the concurrence of two system administrators to gain emergency access to a root password. What security principle is he most directly enforcing?
A. Two-person control
B. Least privilege
C. Separation of duties
D. Security through obscurity
- Which one of the following data destruction techniques requires the use of chemicals?
A. Pulverizing
B. Pulping
C. Degaussing
D. Wiping
- Thomas is considering using guard dogs to patrol the fenced perimeter of his organization's data processing facility. What category best describes this control?
A. Corrective
B. Deterrent
C. Compensating
D. Preventive
- Which one of the following regulations contains specific provisions requiring that the organization maintain the availability of protected information to facilitate medical treatment?
A. GDPR
B. PCI DSS
C. HIPAA
D. GLBA
- Gavin is planning to upgrade the operating system on a production server and would like to obtain approval from the change advisory board. What type of document should he submit to obtain this approval?
A. CRC
B. RFP
C. RFC
D. CMA
- Ron has a hard disk that contains sensitive information. He tried connecting the drive to a computer, but a component failure prevents him from accessing the drive. Which one of the following destruction techniques would be the most effective?
A. Wiping
B. Purging
C. Degaussing
D. Pulping
- When choosing an appropriate off-site storage location for backup media, which one of the following factors is most important when choosing the distance between the storage location and the primary facility?
A. Facility usage fees
B. Nature of the risk
C. Convenience
D. Transportation fees
- Consider the evidence log shown here. What is the primary purpose of this tool during a forensic investigation?
Figure 5.2
A. Ensure evidence is timely
B. Prevent the alteration of evidence
C. Document the chain of custody
D. Ensure evidence is relevant
- Matt is ranking systems in his organization in order of priority for disaster recovery. Which one of the following systems should have the highest impact rating?
A. Enterprise resource planning
B. Routing and switching
C. Fire suppression
D. Customer relationship management
- Which one of the following elements is least likely to be found in a security awareness training program that's been designed for end users?
A. Confidentiality requirements
B. Password management requirements
C. Social engineering education
D. Patching requirements
- What type of risk assessment focuses on evaluating the security controls put in place by vendors and contractors?
A. Penetration test
B. Quantitative assessment
C. Supply chain assessment
D. Qualitative assessment
- Randy is working within a virtualized server environment and would like to back up complete images of his virtual servers so that he can easily restore them in the event of failure. What type of backup is the most appropriate for his needs?
A. Full backup
B. Snapshot backup
C. Differential backup
D. Incremental backup
Questions 51-55 refer to the following scenario.
Tonya is performing a quantitative risk assessment for her organization's new data processing facility. Due to the proximity of this facility to the coast, she is concerned about the risk of flooding.
Tonya consults flood maps from the Federal Emergency Management Agency (FEMA) and determines that the facility lies within the 100-year flood plain. She also reviews a replacement cost estimate for the facility and determines that the cost to replace the facility would be $12 million. Tonya estimates that a typical flood would cause approximately $2 million in damage to the facility and that purchasing an insurance policy would incur a premium of $10,000 annually.
- What is the asset value (AV) in this scenario?
A. $20,000
B. $100,000
C. $2 million
D. $12 million
- What is the annualized rate of occurrence (ARO) in this scenario?
A. 0.01
B. 0.1
C. 1
D. 100
- What is the single loss expectancy in this scenario?
A. $20,000
B. $100,000
C. $2 million
D. $12 million
- What is the annualized loss expectancy in this scenario?
A. $20,000
B. $100,000
C. $2 million
D. $12 million
- Which one of the following statements best describes the risk situation Tonya is in?
A. Tonya should recommend that the business always purchases insurance for any risk with an ALE greater than 0.005.
B. The purchase of insurance in this scenario is not cost-effective from a purely financial viewpoint.
C. The purchase of insurance in this scenario makes good financial sense.
D. Tonya should recommend against the purchase of insurance because the SLE is less than the AV.
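As an added worked example (not part of the original question set), the following Python carries the scenario's figures through the standard quantitative risk formulas and then generalizes them to the cost/benefit test normally applied to any control: the annual net benefit is the ALE before the control, minus the ALE after it, minus the control's annual cost. It assumes that "100-year flood plain" means an expected occurrence rate of once per 100 years and that the insurance policy pays the full single loss with no deductible; the function and variable names are assumptions.

```python
def exposure_factor(asset_value, single_loss):
    """Fraction of the asset's value lost in one occurrence: EF = SLE / AV."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    if single_loss > asset_value:
        raise ValueError("a single loss cannot exceed the asset value")
    return single_loss / asset_value


def annualized_loss_expectancy(asset_value, ef, aro):
    """ALE = SLE * ARO, where SLE = AV * EF."""
    sle = asset_value * ef
    return sle * aro


def control_cost_benefit(asset_value, ef, aro, annual_control_cost,
                         ef_after=None, aro_after=None):
    """Annual net benefit of a control: ALE(before) - ALE(after) - annual cost.

    A control that reduces impact lowers EF; one that reduces likelihood lowers
    ARO. A positive result means the control pays for itself on expected-value
    terms; a negative result means the organization is better off (financially)
    accepting the risk.
    """
    ale_before = annualized_loss_expectancy(asset_value, ef, aro)
    ale_after = annualized_loss_expectancy(
        asset_value,
        ef if ef_after is None else ef_after,
        aro if aro_after is None else aro_after,
    )
    return ale_before - ale_after - annual_control_cost


def tonya_scenario():
    """Figures taken from the flood scenario; assumptions are noted inline."""
    av = 12_000_000          # replacement cost of the facility
    sle = 2_000_000          # damage from a typical flood
    aro = 1 / 100            # assumption: "100-year flood plain" = once per 100 years
    premium = 10_000         # annual insurance premium
    ef = exposure_factor(av, sle)
    ale = annualized_loss_expectancy(av, ef, aro)
    # Insurance transfers the loss rather than preventing the flood, so the
    # residual EF borne by the organization is 0 (assumption: full coverage,
    # no deductible) while the ARO is unchanged.
    net = control_cost_benefit(av, ef, aro, premium, ef_after=0.0)
    return {"AV": av, "EF": ef, "SLE": av * ef, "ARO": aro,
            "ALE": ale, "premium": premium, "net_benefit": net}


if __name__ == "__main__":
    for name, value in tonya_scenario().items():
        print(f"{name:>12}: {value:,.4f}" if isinstance(value, float) else f"{name:>12}: {value:,}")
```

The same `control_cost_benefit` call answers the question for a mitigating control as well: a flood barrier that halves the expected damage would be modelled with `ef_after=ef / 2` and its own annual cost, and the sign of the result tells you whether the spend is justified on expected-value grounds alone (management may still buy the policy for reasons the ALE does not capture, such as cash-flow smoothing).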
- Wayne was called to visit the workstation of a user who believes that an attacker is remotely controlling his computer. Which one of the following evidence-gathering techniques would best document what is appearing on the user's screen?
A. Witness interview
B. Operating system logs
C. Screen capture
D. CCTV
- Gordon is considering the implementation of exit interviews for staff who voluntarily resign from his organization. Who would be best suited to perform this exit interview?
A. Immediate supervisor
B. Second-level supervisor
C. Human resources representative
D. Co-worker
- Where is the most appropriate place for an organization to keep track of risks across a wide variety of risk management disciplines?
A. Audit reports
B. Risk assessment reports
C. Incident tracking system
D. Risk register
- Which one of the following security policies is specifically designed to prevent the unintentional unauthorized observation of sensitive information?
A. Mandatory vacations
B. Separation of duties
C. Least privilege
D. Clean desk policy
- Renee is reviewing the diagram shown here for a critical web application that's used by her company. She is performing a SPOF analysis on this environment. In the context of this analysis, what should raise the most concern?
Figure 5.3
A. User
B. Firewall
C. Web server
D. Database server
- When designing a security awareness program for employees, which one of the following groups would generally receive the most technical security training?
A. Users
B. System administrators
C. Data owners
D. Executives
- Wendy is seeking to design a compensating control for a PCI DSS requirement that she cannot meet. Which one of the following statements is incorrect about compensating controls in this situation?
A. The compensating control must meet the intent of the original control.
B. The compensating control may be used to meet another PCI DSS requirement simultaneously.
C. The compensating control must be commensurate with the additional risk that's introduced by failing to meet the original requirement.
D. The compensating control must meet the rigor of the original control.
- Steven is conducting a forensic investigation and believes that a hard drive may contain critical evidence. Which one of the following statements correctly describes how Steven should analyze this evidence?
A. Steven should not attempt to make a forensic image because it may tamper with the evidence.
B. Steven should make a forensic image of the drive, lock away the image, and conduct analysis on the original.
C. Steven should make a forensic image of the drive, lock away the original, and conduct analysis on the image.
D. Steven should create two forensic images, one for storage and one for analysis, and return the original drive to the user immediately.
- Which one of the following is the best example of a technical security control?
A. Firewall rules
B. Employee credit checks
C. Asset inventory
D. Fire detection system
- Which one of the following activities is the best example of a corrective security control?
A. Vulnerability remediation
B. Perimeter protection
C. Background checks
D. Intrusion prevention system
- What is the primary risk associated with using motion detectors to automatically unlock a data center door when a person is attempting to exit?
A. An employee may exit the facility with unauthorized materials.
B. An intruder may attempt to trigger the motion detector from the outside to gain entry.
C. The motion detector may not work during a power failure.
D. The motion detector may not sense some employees based upon their physical characteristics.
- Which one of the following techniques for destroying physical records is considered the least secure?
A. Pulping
B. Incineration
C. Straight-cut shredding
D. Cross-cut shredding
- Gwen is reviewing her organization's security policies and would like to update them to restrict the web browsing of employees. Specifically, she would like to prohibit the use of pornographic websites. Where would be the most common place to detail this type of restriction?
A. AUP
B. NDA
C. BYOD
D. This type of policy is an invasion of privacy and should not be implemented.
- Evan is conducting a business impact analysis for an industrial products manufacturer. Which one of the following business functions would likely be ranked highest on a list of mission critical functions?
A. IPS systems
B. Billing systems
C. ICS systems
D. HVAC systems
- Patty is the information security officer for a bank. She is concerned about the possibility that a bank teller might be colluding with a customer to commit fraud and using his position to cover up that fraud by updating records each day to shuffle around funds. Which one of the following controls would be the most likely to uncover this type of malfeasance?
A. Intrusion detection
B. Clean desk policy
C. Multifactor authentication
D. Mandatory vacations
Questions 71-74 refer to the following scenario.
Brian is the risk manager for a firm that is considering locating personnel in a country where there is a high risk of kidnapping. He is considering a variety of controls designed to manage this risk.
- Brian is considering using armed bodyguards to protect his organization's employees. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- Brian is also consulting with senior managers to determine whether the business value of this effort justifies the risk. If the value is not sufficient, he is planning to propose not sending employees on this trip. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- After consulting with business leaders, Brian learns that the risk is justified and that the organization will send the employees. He considers purchasing an insurance policy to cover ransoms and other related costs. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- In the end, Brian determines that insurance policies and armed guards are not cost-effective, and the employees leave for the target country without those controls in place. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- Which one of the following disaster recovery test types has the least impact on business operations?
A. Full interruption test
B. Structured walkthrough
C. Parallel test
D. Checklist review
- Which one of the following is the biggest disadvantage of relying on witness interviews during a forensic investigation?
A. Witness testimony is not admissible in civil court.
B. Witnesses usually want to deceive the interviewer.
C. Witness interviews are costly.
D. Witnesses have unreliable memories.
- Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space?
A. Full backup
B. Differential backup
C. Incremental backup
D. Transaction log backup
- Helen is examining the contract for a new SaaS provider and is scrutinizing a clause about data sovereignty. What is her primary concern?
A. Vendor viability
B. Resiliency
C. Fault tolerance
D. Retaining ownership of data
- Dylan is designing a social media security policy for his organization. Which one of the following elements would not be appropriate to include in that policy?
A. Complete ban on use of social media by employees
B. Prohibition of users identifying themselves as an employee of the company on social media
C. Approval requirements for posts from corporate accounts
D. Restrictions on accessing personal social media accounts
- Vivian's organization is about to begin a period of hiring. They will be bringing in a large number of new employees who will handle sensitive financial information. Which one of the following controls may be used as a pre-employment screening technique to reduce the risk of future fraud?
A. Separation of duties
B. Time-of-day restrictions
C. Privileged user monitoring
D. Background checks
- Hayley's team is analyzing the results of a qualitative risk assessment. The assessment uses the reporting structure shown here. Which quadrant should Hayley's team look to first when prioritizing remediation initiatives?
Figure 5.4
A. Quadrant I
B. Quadrant II
C. Quadrant III
D. Quadrant IV
Questions 82-84 refer to the following scenario.
John's organization performs full backups at midnight on the first day of every month and incremental backups every night at midnight (other than the first night of the month). The organization also performs differential backups every two hours, beginning at 2 A.M. and ending at 10 P.M. each day.
John is working to restore a system that failed at 9:30 A.M. on Wednesday, November 14th.
- How many different backups must John apply to restore the system to the most current possible status?
A. 1
B. 3
C. 6
D. 15
- How long is the time period where data may have been permanently lost?
A. 30 minutes
B. 90 minutes
C. 2 hours
D. 9.5 hours
- If the system failure occurred at 12:30 A.M. instead of 9:30 A.M., how many backups would John have needed to restore?
A. 1
B. 2
C. 3
D. 14
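As an added worked example (not part of the original question set), the following Python builds the backup schedule described in the scenario above and computes, for any failure time, the chain of backups that must be applied and the window in which data is unrecoverable from backups. It assumes archive-bit semantics, which is how the mixed schedule is normally interpreted: a full or incremental backup resets the change baseline, while a differential captures every change since the most recent full or incremental and does not reset it. The calendar (November 2018, when the 14th fell on a Wednesday) and the helper names are assumptions.

```python
from datetime import datetime, timedelta

FULL, INCR, DIFF = "full", "incremental", "differential"


def build_schedule(year=2018, month=11, days_in_month=30):
    """All backups in one month as sorted (timestamp, kind) pairs.

    Schedule from the scenario: full at 00:00 on the 1st, incremental at 00:00
    on every other night, differential every two hours from 02:00 to 22:00.
    """
    backups = []
    for day in range(1, days_in_month + 1):
        backups.append((datetime(year, month, day, 0, 0), FULL if day == 1 else INCR))
        for hour in range(2, 23, 2):            # 02:00, 04:00, ..., 22:00
            backups.append((datetime(year, month, day, hour, 0), DIFF))
    return sorted(backups)


def restore_chain(backups, failure_time):
    """Backups to apply, oldest first, to reach the latest point before failure.

    Under archive-bit semantics the chain is: the most recent full, every
    incremental taken after it, plus the newest differential, but only when no
    full or incremental is newer than that differential (otherwise the
    differential's contents are already inside a later baseline-resetting backup).
    """
    chain = []
    for ts, kind in reversed([b for b in backups if b[0] <= failure_time]):
        if kind == DIFF:
            if not chain:                 # newest available backup is a differential
                chain.append((ts, kind))
            continue                      # any older differential is superseded
        chain.append((ts, kind))          # every incremental back to the full
        if kind == FULL:
            break
    if not chain or chain[-1][1] != FULL:
        raise ValueError("no full backup exists before the failure time")
    chain.reverse()
    return chain


def data_loss_window(backups, failure_time):
    """Gap between the newest applied backup and the failure.

    Changes made inside this window are not on any backup; this is the figure
    to compare against the system's RPO.
    """
    return failure_time - restore_chain(backups, failure_time)[-1][0]


def summarize(backups, failure_time):
    """Counts by backup type plus the loss window, for a quick sanity check."""
    chain = restore_chain(backups, failure_time)
    counts = {k: sum(1 for _, kk in chain if kk == k) for k in (FULL, INCR, DIFF)}
    return len(chain), counts, data_loss_window(backups, failure_time)


if __name__ == "__main__":
    sched = build_schedule()
    for failure in (datetime(2018, 11, 14, 9, 30), datetime(2018, 11, 14, 0, 30)):
        print(failure, summarize(sched, failure))
```

The two failure times in the `__main__` block are the ones the questions ask about; the same functions answer the question for any other failure time or for a schedule with different intervals, which is the point of encoding the semantics rather than counting by hand. If a site instead treats differentials as "everything since the last full" (the other common definition), the chain collapses to the full plus the newest differential and the incrementals become redundant, so it is worth confirming which definition the backup software actually implements before relying on a restore plan.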
- Which one of the following sources of evidence contains the least volatile information?
A. Archival media
B. Memory contents
C. Files stored on disk
D. ARP tables
- Brianna recently accepted a position at a US financial institution that handles the checking account records of US consumers. Which one of the following laws regulates this type of information?
A. GDPR
B. PCI DSS
C. SOX
D. GLBA
- Frank is collecting digital evidence and would like to use a technical control that would allow him to conclusively demonstrate that the evidence he later presents in court is identical to the evidence he collected. Which one of the following controls would best meet this requirement?
A. Digital certificates
B. Hashing
C. Write blocking
D. Evidence logs
- Barry recently accepted a new position with a marketing agency that collects data from residents of the European Union. Which data processing law most directly applies to this situation?
A. HIPAA
B. PCI DSS
C. GDPR
D. GLBA
- Nolan's business maintains trade secret information about their manufacturing process. Which one of the following categories would best describe this information?
A. Classified
B. Proprietary
C. Public
D. Internal
- Yvonne is the business continuity analyst for a web hosting company. She is conducting an analysis to identify and prioritize mission-critical systems. Which one of the following systems should be highest on her list?
A. A web server supporting the company's own site
B. Billing system
C. A web server supporting a single client
D. Firewall
- Carla is concerned about the exfiltration of sensitive information from her corporate network by employees. Which one of the following controls would be least effective at meeting this requirement?
A. Encrypting data in transit
B. Blocking the use of personal email accounts
C. Implementing data loss prevention systems
D. Building least-privilege access controls
- As part of a business partnership, Norm is working with his counterparts at another firm to interconnect the two networks. He would like to document the security requirements for that interconnection. What tool would best meet Norm's needs?
A. ISA
B. BPA
C. MOU
D. SLA
- Donna was recently approached by the manager of a former employee who was seeking access to that employee's email account. She believes there is a valid business need for the access but is unsure how to obtain approval. What type of control would assist Donna and others in her organization in making these decisions?
A. Service level agreement
B. Data handling guidelines
C. Data classification policy
D. Standard operating procedure
- Roger is wrapping up an incident response effort. The business is now functioning normally again and affected systems and data have been restored. What activity should come next in the process?
A. Containment
B. Recovery
C. Eradication
D. Lessons learned
- Which one of the following actions would not normally occur during the recovery phase of an incident response effort?
A. Remediate vulnerabilities
B. Restore from backups
C. Shutting down systems
D. Modify firewall rules
- Under the Sarbanes-Oxley Act, which one of the following corporate officers bears personal liability for the accuracy of the content of the firm's annual report?
A. CIO
B. CFO
C. CISO
D. CPO
- When designing a continuity of operations plan, which one of the following would be best described as an alternate business practice?
A. Filing an after action report
B. Moving data processing to a failover site
C. Moving data processing to a mobile recovery facility
D. Using paper-based forms while systems are down
- Which one of the following backup types typically takes the shortest amount of time to perform when done several times per day?
A. Complete backup
B. Full backup
C. Incremental backup
D. Differential backup
- Under GDPR, which individual bears responsibility for ensuring that the company understands its privacy responsibilities and serves as the primary liaison to the supervising authority?
A. Data protection officer
B. Chief executive officer
C. Chief information officer
D. Chief information security officer
- When providing security awareness training to privileged users, what threat should be emphasized that is a more likely risk with these employees than standard users?
A. Water cooler attack
B. Spear phishing attack
C. Brute force attack
D. Man-in-the-middle attack
- Darren is an intrusion analyst and feels overwhelmed by the amount of information presented to him by various tools. He would like to find a solution that can correlate information from various other sources. Which one of the following tools would best meet his needs?
A. DLP
B. SIEM
C. IPS
D. IDS
- After an incident responder identifies that a security incident is in progress, what is the next step in the incident response process?
A. Eradication
B. Containment
C. Recovery
D. Preparation