forked from SFMSupersanta/chia-khoa-thanh-cong-fpt
-
Notifications
You must be signed in to change notification settings - Fork 0
/
IAA202.txt
1179 lines (1178 loc) · 136 KB
/
IAA202.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Which of the following is the intangible value? | Customer influence
Both profitability and survivability must be considered when considering risks. You will want to consider which of the following items? | Client/stakeholder confidence
At the suggestion of NIST SP 80030, if a threat exploits the vulnerability, the medium impact is | Result in human injury.
What is the first step of the risk identification? | Identify threats
Although these threats are unintentional, you can address them with a risk management plan. Which of the following is a method do that? | Managing environmental threats
Which of the following is the most serious attacker? | Disgruntled employees
What is the separation of duties? | The principle ensures that any single person does not control all the functions of a critical process.
Companies that practice "separation of duties" force two or more employees to carry out which of the following in order to carry out fraud? | Collusion
Which of the following has an incorrect definition assigned to the term? | Baseline = a description of what the environment will look like, a standard of measure, after security is implemented
The Control Objectives for Information and related Technology (COBIT) is a framework and set of best practices. Which of the following provides an incorrect characteristic of COBIT? | COBIT is broken down into five domains
Which of the following is the de facto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet business needs. | ITIL
The Kennedy-Kassebaum Act is also known as? | HIPAA
The risk management plan specifies responsibilities. You can assign responsibilities to all except: | Staffs and customers
What is the responsible of risk management PM? | Tracking and managing all project issues.
The IT department is responsible for providing which of the following? | Costs for each of the recommended solutions
There are the major categories of reporting requirements except: | BIA report
What would be an appropriate difference between a qualitative and a quantitative risk analysis? | Qualitative is a subjective observation, while a quantitative approach defines statistical costs associated with a threat.
To calculate the annualized loss expectancy (ALE), which formula is used to calculate the potential loss to an organization for a specific threat? | SLE x ARO
A company issues laptop computers to employees. The value of each laptop is $1,500. About 100 laptops are being used at any time. In the past two years, the company has lost an average of one laptop per quarter. The company provides hardware locks for the laptops in bulk at a cost of $10 each, the ARO will decrease to 1. What is savings with control? | $4,500
What is an ARO? | A number that represents the estimated frequency of an occurrence of an expected threat
Before progressing with the RA, you need to complete which of the following actions? | Define the assessment.
When review the previous findings, the items especially worth investigating are all except: | Obsolete proposals
What is the warm site? | It may include all the hardware but the data may not be up to date.
Which of the following information is not provided by threat model? | Threat controls
What is the category of intellectual property? | Industrial property
Which of the following is not the characteristic of data warehousing? | Decision makers are able to view the data from different perspectives.
What does ELT stand for? | Extract, Load and Transform
In Workstation Domain, you can use automated asset management systems to keep systems up to date. What is the first step of the automated system? | monitoring new updates
Which of the following is an best example of internal threat? | Unintentional access
Which of the following tests verifies user rights and permissions? | Access controls testing
Which correct describes the audit? | It will check to see if an organization is following the policies that are in place.
Which correct describes the audit trail? | It is a series of events recorded in one or more logs.
Which of the following is an example of policy? | AUP
What is a certification authority (CA)? | It issues and manages certificates.
Which of the following is an example of class C in fire suppression systems? | Electrical fires
When identify assets, your asset inventory could have resulted in the high priority with: | Network infrastructure
Which is the most valuable technique when determining if a specific security control should be implemented? | Cost/benefits analysis
What is defense in depth? | security practice that adds multiple layers of protection.
What does TPM stand for? | Technology Protection Measure
Which of the following elements is commonly included in any CBA report for a countermeasure? | Risk to be mitigated
When implementing a risk mitigation plan, you should which of the following goals? | Stay within budget
Which of the following is not consideration when developing the mitigation plan? | Time to approve the countermeasures
What are the costs to implement? | Facility costs
Business processes can survive without the business functions for one or more days. What is this impact value level? | Level 3
What is the second step of a BIA process? | Identify stakeholders.
Which of the following is not the best practice for performing a BIA for your organization? | Look for the quick solution
Which of the following is a CBF? | Sales from the Web site
Which of the following is not a key objectives that directly support the BCP? | Identify critical threats
What is the most crucial piece of developing a disaster recovery plan? | Management support
Business continuity plans address all of the following except: | Critical servers used on the company's LAN
Which of the following things occurs when reconstitution phase begin? | The damage at the original location is repaired
DRP mean essentially the same thing all but which of the following? | Business continuity plan
What is the RTO? | The time when a system or function must be recovered.
Which of the following is not purpose of the DRP? | Identify business impact
Which of the following is critical success factor of the DRP? | Knowledge and authority for DRP developers
Some malware can execute on a user's system alter the user accesses a Web site. The malware executes from within the Web browser. What type of malware Is this? | Mobile code
After an incident has been verified, you need to ensure that it doesn't spread to other systems. What Is this called? | Containment
What is the greatest risk loan organization when peer-to-peer software is installed on a user's system? | Data leakage
What is the second step of the incident response life cycle? | detection and analysis
Several types of malicious code exist. What is malware that appears to be one thing but is actually something else? | Trojan horse
Attackers attempt a DoS attack on servers in your organisation. The CIRT responds and mitigates the attack. What should be the last step that the CIRT will complete in response to this incident? | Document the Incident.
An administrator has discovered that a Web server is responding very slowly investigation shows that the processor, memory and network resources are being consumed by outside attackers. What type of this attack? | DoS or DDoS
A user has installed P2P software on a system. The organization's policy specifically states this is unauthorized. An administrator discovered the software on the user's system. Is this a computer security incident? If so, what type? | This is a form of inappropriate usage.
A company decides to reduce losses of a threat by purchasing insurance. The way it is kind of risk management techniques of the following? | Transfer
A business impact analysis (BIA) includes a maximum allowable outage (MAO). The MAO is used to determine the amount of time in which a system must be recovered. What term is used in the DRP instead of the MAO? | RTO
Which of the following is NOT the risk management technique? | Prevent
Which of the following best describes separation of duties and job rotation? | Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud and ensure that more than one person knows the tasks of a position.
You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose? | Hot site
You have applied controls to minimize risk in the environment. What is the remaining risk called? | Residual risk
You are considering using a hot site as an alternate location. You want to consider different technologies to keep the data updated and decrease the time it will take for the hot site to become operational. What are some technologies that may help? | All of these
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing one which of the following work? | Cost/benefit analysis
A DMZ, or demilitarized zone, is used in a networking context for what primary purpose? | To allow systems in the DMZ to be easily accessed by Internet users
A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. You have rebuilt several servers at the primary location. What should you do? | Run the servers concurrently with the alternate location for three to five days.
Why should employers make sure employees take their vacations? | It is a way for fraud to be uncovered
What can you do to show that the BCP will work as planned? | BCP testing
If a programmer is restricted from updating and modifying production code, what is this an example of? | Separation of duties
After a BCP has been activated, who will assess the damages? | DAT
What are the three phases of a BCP? | Activation/notification, recovery, reconstitution
Laura and her team are diligently working on a company-wide risk assessment initiative. At the conclusion of her team's work, all of the following goals could be met, except: | Countermeasures have been put into place and communicated to the appropriate personnel.
Larry is in charge of presenting risk assessment calculations to his boss by the end of the week. He concludes that a server with heavy traffic has an annualized loss expectancy (ALE) of $15,000 with an annualized rate of occurrence (ARO) of 5. What is the server's single loss expectancy (SLE) value? | $3,000
The BIA is a part of | BCP
What type of approach does a BIA use? | Bottom-up approach where servers or services are examined first
What could a password policy include? | Length of password
In the CMMI, which of the following level indicates the highest level of maturity? | Level 5
What will the scope of a risk management plan define? | Boundaries
You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this? | Recovery time objectives
Of the following, what is NOT included in a cost-benefit analysis report? | POAM
Which of the following is NOT valid contents of a risk management plan? | Controls
Which of the following is NOT included in the objectives of a risk management plan? | A customer list
You are evaluating two possible countermeasures to mitigate the risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits? | CBA
What problem can occur if the scope of a risk management plan is not defined? | Scope creep
Of the following, what would be considered a best practice when performing risk assessments? | All of these
What can be used to remind users of the contents of the AUP? | Logon banners
What is the ROI? | The benefit to the investor resulting from an investment of some resource
What must you define when performing a qualitative risk assessment? | Scales used to define probability and impact
Which of the strategies below can help to reduce security gaps even if a security control fails? | Defense in depth
What is an SLE? | A dollar figure that is assigned to a single event
If your organization is governed by FISMA. What is one of the important issues to understand first? | requires different procedures for government agencies to purchase and deploy systems
Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis? | A quantitative RA uses less guesswork than a qualitative RA
What is a proximity card? | Card will activate when it is close to a proximity reader
Which best describes System and Services Acquisition (SA) control? | Controls related to the purchase of products and services, to software usage and user installed software
Risk assessment is not always met with open arms by management for all of the following reasons except: | Due care and due diligence
Which best describes technical controls? | Software tools that automate protection
What is "five nine"? | 99.999 percent up time for certain services
What is NOT a technical control? | Program Management (PM)
What is the first step in an exploit assessment? | Vulnerability test
When performing exploit assessments, best practice is: | Identify as many exploits as possible
Intellectual Property is an example of | Data and information assets
A program that receives too much data so that it cannot execute instructions properly has been exploited by which of the following attacks? | Buffer overflow
1. Which one of the following properly defines risk? | D. Threat x Vulnerability
2. Which one of the following properly defines total risk? | B. Threat x Vulnerability x Asset Value
3. You can completely eliminate risk in an IT environment. | B. False
4. Which of the following are accurate pairings of threat categories? (Select two.) | A External and internal, Intentional and accidental
5. A loss of client confi dence or public trust is an example of a loss of | a. intangible value.
6. A is used to reduce a vulnerability. | a. control
7. As long as a company is profitable, it does not need to consider survivability. | B. False
8. What is the primary goal of an information security program? | D. Reduce losses related to loss of confi dentiality, integrity, and availability
9. The is an industry-recognized standard list of common vulnerabilities. | a. CVE (Common Vulnerabilities and Exposures)
10. Which of the following is a goal of a risk management? | A. Identify the correct cost balance between risk and controls
11. If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a | a. CBA (Cost/Benefit Analysis).
12. A company decides to reduce losses of a threat by purchasing insurance. This is known as risk | a. transfer.
13. What can you do to manage risk? (Select three.) | A. Accept, Transfer, Avoid
14. You have applied controls to minimize risk in the environment. What is the remaining risk called? | D. Residual risk
15. Who is ultimately responsible for losses resulting from residual risk? | C. Senior management
1. What is a security policy? | D. A document created by senior management that identifi es the role of security in the organization
2. You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? | A. Principle of least privilege
3. You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use? | B. Principle of need to know
4. Which of the following security principles divides job responsibilities to reduce fraud? | C. Separation of duties
5. What can you use to ensure that unauthorized changes are not made to systems? | D. Configuration management
6. What are two types of intrusion detection systems? | C. Host-based and network-based
7. A technical control prevents unauthorized personnel from having physical access to a secure area or secure system. | B. False
8. What allows an attacker to gain additional privileges on a system by sending unexpected code to the system? | A. Buffer overflow
9. What is hardening a server? | A. Securing it from the default configuration
10. Which of the following steps could be taken to harden a server? | E. All of the above
11. Which government agency includes the Information Technology Laboratory and publishes SP 800-30? | A. NIST
12. ITL and ITIL are different names for the same thing. | B. False
13. Which U.S. government agency regularly publishes alerts and bulletins related to security threats? | C. US-CERT
14. The CVE list is maintained by | a. MITRE Corporation.
15. What is the standard used to create Information Security Vulnerability names? | A. CVE
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? | C. Annually
What law applies to organizations handling health care information? | D. HIPAA
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from? | A. SOX
What law requires schools and libraries to limit offensive content on their computers? | C. CIPA
Employees in some companies are often required to take an annual vacation of at least five days. The purpose is to reduce fraud and embezzlement. What is this called? | B. Mandatory vacation
6. Fiduciary refers to a relationship of trust. | A. True
7. Merchants that handle credit cards are expected to implement data security. What standard should they follow? | D. PCI DSS
8. The National Institute of Standards and Technology published Special Publication 800-30. What does this cover? | A. Risk management
9. The COBIT framework is organized into four IT domains and 34 IT processes. Which one covers strategy and tactics? | A. Plan and Organize
10. A basic principle of this standard is summarized with four sentences: Business requirements drive investments in IT resources. IT resources are used by IT processes. IT processes deliver enterprise information. Enterprise information responds to business requirements. What is this standard? | A. COBIT
11. Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifi es objectives and controls. Part II is used for certifi cation. | B. ISO 27002 Information Technology Security Techniques
12. Which of the following ISO documents provides generic guidance on risk management? | C. ISO 31000 Risk Management Principles and Guidelines
13. ITIL is a group of five books developed by the United Kingdom's Office of Government Commerce. | A. True
14. In the CMMI, level indicates the highest level of maturity. | 5
15. The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited? | D. It receives authority to operate.
1. What are valid contents of a risk management plan? | E. All of the above
2. What should be included in the objectives of a risk management plan? | E. All of the above
3. What will the scope of a risk management plan define? | D. Boundaries
4. What problem can occur if the scope of a risk management plan is not defined? | C. Scope creep
5. What is a stakeholder? | B. An individual or group that has an interest in the project
6. A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources. | A. True
7. A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.) | A. Ensuring costs are controlled, Ensuring the project stays on schedule
8. A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement? | B. Management
9. A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings? | D. Cause and effect diagram
10. What three elements should be included in the findings of the risk management report? | A. Causes, criteria, and effects
11. What is a primary tool used to identify the financial significance of a mitigation tool? | C. CBA
12. A fishbone diagram can link causes with effects. | A. True
13. You present management with recommendations from a risk management plan. What can management choose to do? | C. Accept, defer, or modify the recommendations.
14. What is a POAM? | D. Plan of action and milestones
15. A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? | C. GANTT chart
What can you use to help quantify risks? | E. All of the above
16. A risk is a major component of a risk management plan. | a. assessment
17. Risk assessments are a continuous process. | B. False
18. A uses SLE. | a. quantitative risk assessment
19. What elements are included in a qualitative analysis? | C. Probability and impact
20. What elements are included in a quantitative analysis? | A. SLE, ALE, ARO
21. Qualitative analysis is more time consuming than quantitative analysis. | B. False
22. You are trying to decide what type of risk assessment methodology to use. A primary benefit of a risk assessment is that it can be completed quicker than other methods. | a. qualitative
23. You are trying to decide what type of risk assessment methodology to use. A primary benefit of a risk assessment is that it includes details for a cost-benefit analysis. | a. quantitative
24. What must you define when performing a qualitative risk assessment? | B. Scales used to define probability and impact
25. A risk assessment is objective. It uses data that can be verified. | a. quantitative
26. A risk assessment is subjective. It relies on the opinions of experts. | a. qualitative
27. One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data? | D. Uncertainty level
28. You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? (Select two.) | A. Resource allocation, Risk acceptance
29. Of the following, what would be considered a best practice when performing risk assessments? | E. All of the above
1. You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA. | A. True
2. Which of the following should you identify during a risk assessment? | E. All of the above
3. Of the following choices, what would be considered an asset? | E. All of the above
4. When defi ning the system for the risk assessment, what should you ensure is included? | B. The current confi guration of the system
5. What can you use to identify relevant vulnerabilities? | E. None of the above
6. Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses? | A. Vulnerability assessment
7. An acceptable use policy is an example of an security control. | a. administrative
8. Your organization requires users to log on with smart cards. This is an example of a security control. | a. technical
9. You use video cameras to monitor the entrance of secure areas of your building. This is an example of a security control. | a. physical
10. Which of the following should you match with a control to mitigate a relevant risk? | C. Threat/vulnerability pair
11. What does a qualitative RA use to prioritize a risk? | A. Probability and impact
12. What does a quantitative RA use to prioritize a risk? | B. SLE, ARO, and ALE
13. Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? | B. The operational impact of the control
14. What is included in an RA that helps justify the cost of a control? | C. CBA
15. What is created with a risk assessment to track the implementation of the controls? | B. POAM
16. 1. It is possible to ensure a service is operational 99.999 percent of the time even if a server needs to be regularly rebooted. | A. True
17. 2. What is a single point of failure? | B. Any single part of a system that can cause the entire system to fail, if it fails
18. 3. When identifying the assets you have in your organization, what would you include? | E. A, B, and C
19. 4. When identifying hardware assets in your organization, what information should you include? | E. A, B, and C
20. 5. An organization may use a rotation policy to help discover dangerous shortcuts or fraudulent activity. | a. Job
21. 6. What type of data should be included when identifying an organization's data or information assets? | E. A, B, and C
22. 7. What is a data warehouse? | C. A database created by combining multiple databases into a central database
23. 8. What is data mining? | A. The process of retrieving relevant data from a data warehouse
24. 9. You are reviewing your organization's asset management data. You want to ensure that all elements of the organization are included. What can you compare the asset management system against to ensure the entire organization is covered? | D. The seven domains of a typical IT infrastructure
25. 10. You are tasked with updating your organization's business continuity plans. When completing this process, you should only include systems. | a. control or countermeasure
26. 11. What can you use to transfer risk associated with potential disasters? | D. Insurance
27. 12. An organization wants to determine what the impact will be if a specific IT server fails. What should they use? | A. BIA
28. 13. An organization wants to ensure they can continue mission-critical operations in the event of a disaster. What should they use? | B. BCP
29. 14. An organization wants to ensure they can recover a system in the event of a disaster. What should they use? | C. DRP
30. 15. A BCP and DRP are the same thing. | B. False
1. A will reduce or eliminate a threat or vulnerability. | control or countermeasure
2. Controls can be identified based on their function. The functions are preventative, detective, and corrective. | A. True
3. What are the primary objectives of a control? | C. Prevent, recover, detect
4. What type of control is an intrusion detection system (IDS)? | B. Detective
5. NIST SP 800-53 identifies controls in three primary classes. What are they? | D. Technical, Operational, and Management
6. A(n) control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more. | access
7. Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called? | C. Non-repudiation
8. What should you use to ensure that users understand what they can and cannot do on systems within the network? | C. Rules of behavior
9. What can be used to ensure confidentiality of sensitive data? | A. Encryption
10. What should be logged in an audit log? | D. Who, what, when, and where details of an event
11. Your organization wants to issue certificates for internal systems such as in internal Web server. You'll need to install a to issue and manage certificates. | certification authority (CA)
12. Which of the following is an administrative control? | D. DRP
13. Which of the following is a technical control? | A. PKI
14. Which of the following is a physical control? | B. CCTV
15. A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom. | A. True
1. A is used to identify the impact on an organization if a risk occurs. | business impact analysis (BIA)
2. MAO is the minimal acceptable outage that a system or service can have before affecting the mission. | B. False
3. Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use? | C. SLA
4. What can be used to help identify mission-critical systems? | B. Critical business functions
5. What can be used to remind users of the contents of the AUP? | D. All of the above
6. Routers have to control what traffic is allowed through them. | access control lists (ACLs)
7. Which of the strategies below can help to reduce security gaps even if a security control fails? | C. Defense in depth
8. How much can an organization be fined in a year for mistakes that result in noncompliance? | C. $25,000
9. What determines if an organization is governed by FISMA? | D. If it is a federal agency
10. What determines if an organization is governed by HIPAA? | B. If employees handle health-related information
11. What determines if an organization is governed by SOX? | A. If it is registered with the Securities and Exchange commission
12. What determines if an organization is governed by CIPA? | C. If it receives E-Rate funding
13. You've performed a CBA on a prospective control. The CBA indicates the cost of the control is about the same as the projected benefits. What should you do? | A. Identify the ROI.
14. Which of the following is a valid formula used to identify the projected benefits of a control? | B. Loss before control - loss after control
15. A CBA can be used to justify the purchase of a control. | A. True
1. A(n) countermeasure has been approved and has a date for implementation. | in-place
2. A single risk can be mitigated by more than one countermeasure. | A. True
3. The formula for risk is Risk = | Threat x Vulnerability.
4. What would an account management policy include? | E. All of the above
5. What could a password policy include? | A. Length of password
6. The plan will include details on how and when to implement approved countermeasures. | mitigation
7. You are reviewing a countermeasure to add to the mitigation plan. What costs should be considered? | E. All of the above
8. Which of the following are considered facility costs for the implementation of a countermeasure? | C. Power and air conditioning
9. An account management policy needs to be created as a mitigation countermeasure. You will write the policy. What's a reasonable amount of time for this to be completed and approved? | C. One month
10. What can you use to determine the priority of countermeasures? | B. Threat/vulnerability matrix
11. A risk assessment was completed three months ago. It has recently been approved, and you're tasked with implementing a mitigation plan. What should you do first? | A. Verify risk elements.
12. You are evaluating two possible countermeasures to mitigate the risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits? | C. CBA
13. You are performing a cost-benefit analysis. You want to determine if a countermeasure should be used. Which of the following formulas should you apply? | C. Projected benefits - Cost of countermeasure
14. Of the following, what should be included in a cost-benefit analysis report? | F. All of the above
15. A POAM can be used to follow up on a risk mitigation plan. | A. True
1. The identifies the maximum acceptable downtime for a system. | Maximum acceptable outage (MAO)
2. Stakeholders can determine what functions are considered critical business functions. | A. True
3. The BIA is a part of the | Business continuity plan (BCP).
4. What defines the boundaries of a business impact analysis? | D. Scope
5. What are two objectives of a BIA? (Select two.) | C. Identify critical resources, Identify critical business functions.
6. You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. When calculating the costs, you should calculate the direct and | indirect costs.
7. You are working on a BIA. You want to identify the maximum amount of data loss an organization can accept. What is this called? | D. Recovery point objectives
8. You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this? | C. Recovery time objectives
9. Which of the following statements is true? | B. The RTO applies to any systems or functions. However, the RPO only refers to data housed in databases.
10. You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. Which one of the following is a direct cost? | C. Loss of sales
11. What type of approach does a BIA use? | B. Top-down approach where CBFs are examined first
12. Mission-critical business functions are considered vital to an organization. What are they derived from? | A. Critical success factors
13. You are performing a BIA for an organization. What should you map the critical business functions to? | D. IT systems
14. Of the following choices, what are considered best practices related to a BIA? | D. A and B only
15. A cost-benefit analysis is an important part of a BIA. | B. False
1. A(n) is a plan that helps an organization continue to operate during and after a disruption or disaster. | business continuity plan (BCP)
2. Business continuity and disaster recovery is the same thing. | B. False
3. You want to ensure that a BCP includes specific locations, systems, employees, and vendors. You should identify these requirements in the | scope statement.
4. What is the purpose of a BCP? | C. To ensure mission-critical elements of an organization continue to operate after a disruption
5. What does a BCP help to protect during and after a disruption or disaster? | D. Confidentiality, integrity, and availability
6. The is responsible for declaring an emergency and activating the BCP. | BCP coordinator
7. After a BCP has been activated, who has overall authority for the recovery of systems? | A. EMT
8. After a BCP has been activated, who will assess the damages? | C. DAT
9. After a BCP has been activated, who will recover and restore critical IT services? | D. TRT
10. What are the three phases of a BCP? | B. Activation/notification, recovery, reconstitution
11. A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. What operations should you move back to the original location first? | A. Least critical business functions
12. A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. You have rebuilt several servers at the primary location. What should you do? | C. Run the servers concurrently with the alternate location for three to five days.
13. What can you do to show that the BCP will work as planned? | C. BCP testing
14. What types of exercises can demonstrate a BCP in action? (Select three.) | A. Tabletop exercises, Functional exercises, Full-scale exercises
15. Once a BCP has been developed, it should be reviewed and updated on a regular basis, such as annually. | A. True
1. A(n) is a plan used to restore critical business functions to operation after a disruption or disaster. | disaster recovery plan (DRP)
2. A DRP has multiple purposes. This includes saving lives, ensuring business continuity, and recovering after a disaster. | A. True
3. Disaster recovery and fault tolerance are the same thing. | B. False
4. A is an element necessary for success. For example, the success of a DRP depends on elements such as management support and a disaster recovery budget. | critical success factor (CSF)
5. A business impact analysis (BIA) includes a maximum allowable outage (MAO). The MAO is used to determine the amount of time in which a system must be recovered. What term is used in the DRP instead of the MAO? | D. Recovery time objective (RTO)
6. A certain DRP covers a system that hosts a large database. You want to ensure that the data is copied to an off-site location. What could you use? | D. All of the above
7. A copy of backups should be stored off-site to ensure the organization can survive a catastrophic disaster to the | primary location.
8. You are considering an alternate location for a DRP. You want to minimize costs for the site. What type of site would you choose? | A. Cold site
9. You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose? | C. Hot site
10. You are considering an alternate location for a DRP. You want to use a business location that is already running non-critical business functions as the alternate location. This location has most of the equipment needed. What type of site is this? | B. Warm site
11. Which of the following elements are commonly included in a DRP? | C. Purpose, scope, communications, recovery steps and procedures
12. You are considering using a hot site as an alternate location. You want to consider different technologies to keep the data updated and decrease the time it will take for the hot site to become operational. What are some technologies that may help? | D. All of the above
13. Of the following, what is critical for any DRP? | B. Budget
14. Your organization has created a DRP but it hasn't been tested. Which of the following methods can you use to test it? | D. All of the above
15. Once a DRP has been created, it's not necessary to update it. | B. False
1. A(n) is a violation of a security policy or security practice. | computer incident or computer security incident
2. All events on a system or network are considered computer security incidents. | B. False
3. An administrator has discovered that a Web server is responding very slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a | Denial of service (DoS) or distributed DoS (DDoS) attack.
4. A user has installed P2P software on a system. The organization's policy specifically states this is unauthorized. An administrator discovered the software on the user's system. Is this a computer security incident? If so, what type? | B. This is a form of inappropriate usage.
5. Some malware can execute on a user's system after the user accesses a Web site. The malware executes from within the Web browser. What type of malware is this? | D. Mobile code
6. A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus? | D. In the wild
7. What is the greatest risk to an organization when peer-to-peer software is installed on a user's system? | C. Data leakage
8. Only police or other law enforcement personnel are allowed to do computer forensics investigations. | B. False
9. A log has shown that a user has copied proprietary data to his computer. The organization wants to take legal action against the user. You are tasked with seizing the computer as evidence. What should you establish as soon as you seize the computer? | D. Chain of custody
10. Many steps are taken before, during, and after an incident. Of the sfollowing choices, what accurately identifies the incident response life cycle? | C. Preparation, detection and analysis, containment, eradication and recovery, and post-incident recovery
11. In general, it's acceptable for members of a CIRT to take actions to attack attackers. This is one of the normal responsibilities of a CIRT. | B. False
12. After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called? | B. Containment
13. Which of the following may be included in a CIRT plan? | E. All of the above
14. Attackers attempt a DoS attack on servers in your organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT will complete in response to this incident? | C. Document the incident.
15. Several types of malicious code exist. Malware that appears to be one thing but is actually something else is | a Trojan horse.
Which of the following is an example of operational control? | Audit and Accountability
Which of the following information is not provided threat model? | Threat controls
What is the responsible of risk management PM? | Tracking and managing project issues
What is the RTO? | The time when a system or function must be recovered
At the suggestion of NIST SP 800... | Noticeably affect
Which of the following is not consideration when developing the mitigation plan? | Time to approve the
Business continuity plans address all of the following except. | The protection...
When identify assets, your asset inventory could have resulted in the high priority with | network in...
The risk management plan specifies responsibilities. You can assigh res.... | Staffs and cus...
Which correct describes the audit trail? | It is series of events recor...
What is the greatest risk loan organization when peer to peer.... | Data leakage
After an incident has been verified, you need to ensure that it doesn't spread to other system | Containment
Which of the following elements is commonly included in any CBA report | Risk to be migigated
Which of the following has an incorrect definition assigned to the term? | Baseline = a description...
What does ELT stand for? | Extract, load and Transform
What would be an appropriate difference between a qualitative and a quantitative risk analysis? | Qualitative is a......
There are the major categories of reporting requirements except | BIA report
Although these threats are unintentional, you can address them with a risk management plan. Which of the following is a method do that? | managing environmental threats
What is the second step of a BIA process? | Identify stakeholders
What is a certification authority (CA)? | It issues and manages cer
Which is the most valuable technique when determining if a specific security control should be implemented? | Cost benefits analysis
Which of the following is critical success factor of the DRP? | Knowledge and authority
Business processes can survive whithout he business functions for one or more days. What is this impact value level? | Level 3
When review the previous findings, the items especially worth investigating are all except | Obsolete propsals
A company issues laptop computers to employess... | 4500
Before progressing with the RA, you need to complete which of the following actions? | Define the assessment
QN=1 What is NOT an example of computer systems? | a. Routers
QN=2 Nimda virus is an example of _______. | a. Buffder overflow
QN=3 Which one is the last phase in DIACAP? | a. Decommission
QN=4 Scope creep comes from ________ changes. | a. uncontrolled
QN=5 What is a benefit of quantitative analysis? | a. Data can easily be used in a CBA
QN=6 A small organization may perform a risk assessment for many systems at the same time. | a. True
QN=7 "Create plan to maintain operation" is a step in: | a. Business Continuity Planning
QN=8 Hardware assets are the assets you just can see it with your eyes. | a. False
QN=9 ______ attempts to exploit vulnerabilities. | a. Penetration test
QN=10 Fire suppression systems vary depending on the type of fire. How many classes of fires? | a. 4
QN=11 ______ has 6 principles and 12 requirements. | a. PCI DSS
QN=12 RTO would be __________ than the MAO. | a. Equal to or less
QN=13 Who has overall authority for recovery of the system? | a. Emergency management team (EMT)
QN=14 A hot site will be able to assume operations within days and sometimes within hours. | a. False
QN=15 What is using network load balancing? | a. Web farm
QN=16 Hardware, Software, Data considerations and the Connectivity to the service consumers are which should be included when developing the scope of DRP | a. True
QN=17 BIA has overall how many steps? | a. 7
QN=18 Once a DRP has been created, it's not necessary to update it. | a. False
QN=19 You can get Group Policy setting once to restrict _________ or unsigned ActiveX controls on all user systems. | a. Execution of scripts
QN=20 The last phase of a computer forensics investigation: | a. Analyze the evidence
Which of the following information is not provided by threat model ? | Threat controls
Which of the following is the most serious attacker | Disgruntled employees
Which of the following is the defacto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet bussiness needs | NIST SP 53
Steps to harden a server include: | Reduce the attack surface, Keep system up to date, Enable Firewalls, Enable IDSs
NIST SP 800-61 Rev 2 identifies the following three team models of CIRT plan: | Central incident response team, Distributed incident response team, Coordinating team
method transfers the backup data to an off-site location. | Electronic vaulting
If the MAO is 120 minutes, the RTO needs to be written to be ... 120 minutes. | Equal to
When the BCP is completed and activated, the BCP coordinator is responsible for declaring the emergency and developing the BCP. | True
Provide training is _____ step of a BCP. | Last
Which impact value level whose maximum acceptable outage and impact is 3 days? | 3
The BIA is largely a _________ process. | Data-gathering
Common recommended lengths are at least ____ characters for regular users and at least ____ characters for administrator. | 8 - 15
Overlapping countermeasures make security controls more effective and do not cause any problem. | False
Which of the following asset inventory is medium priority? | Database server
Which of the following is a management control? | System and Services Acquisition
Which of the following is NOT a vulnerability assessment tool? | FileZilla
Which type of data requires highest level of protection? | Proprietary
Which site takes the longest time to set up? | Cold site
__________ and __________ attacks are common attacks for Internet-facing Web servers. | Buffer overflow and SQL Injection
Individual responsibility could be assigned for all of the following activities EXCEPT ... | Risk analysis
HIPAA applies only to the health care industry. | False.
Automation and input validation are common methods used to reduce human errors | True
What is out-of-pocket cost? | An additional fee
Threat � Vulnerability | Which one of the following properly defines risk?
Threat � Vulnerability � Asset Value | Which one of the following properly defines total risk?
False | You can completely eliminate risk in an IT environment.
A External and internal, Computer and user | Which of the following are accurate pairings of threat categories?
Intangible value | A loss of client confidence or public trust is an example of a loss of ________.
Control | A ________ is used to reduce a vulnerability.
False | As long as a company is profitable, it does not need to consider survivability.
To reduce losses related to loss of confidentiality, integrity, and availability | What is the primary goal of an information security program?
CVE | The ________ is an industry-recognized standard list of common vulnerabilities
To identify the correct cost balance between risk and controls | Which of the following is a goal of risk management?
CBA or cost-benefit analysis | If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ________.
Transfer | A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ________.
Accept, Transfer, Avoid | What can you do to manage risk?
Residual risk | You have applied controls to minimize risk in the environment. What is the remaining risk called?
Senior management | Who is ultimately responsible for losses resulting from residual risk?
A document created by senior management that identifies the role of security in the organization | What is a security policy?
Principle of least privilege | You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use?
Principle of need to know | You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use?
Separation of duties | Which of the following security principles divides job responsibilities to reduce fraud?
Configuration management | What can you use to ensure that unauthorized changes are not made to systems?
Host-based and network-based | What are two types of intrusion detection systems?
False | A technical control prevents unauthorized personnel from having physical access to a secure area or secure system.
Buffer overflow | What allows an attacker to gain additional privileges on a system by sending unexpected code to the system?
Securing it from the default configuration | What is hardening a server?
All of the above | Which of the following steps could be taken to harden a server?
NIST | Which government agency includes the Information Technology Laboratory and publishes SP 800-30?
False | ITL and ITIL are different names for the same thing.
US-CERT | Which U.S. government agency regularly publishes alerts and bulletins related to security threats?
The MITRE Corporation | The CVE list is maintained by ________.
CVE | What is the standard used to create Information Security Vulnerability names?
Annually | FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
HIPAA | What law applies to organizations handling health care information?
SOX | CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from?
CIPA | What law requires schools and libraries to limit offensive content on their computers?
Job rotation | Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called?
True | Fiduciary refers to a relationship of trust.
PCI DSS | Merchants that handle credit cards are expected to implement data security. What standard should they follow?
Risk assessments | The National Institute of Standards and Technology published Special Publication 800-30. What does this cover?
Processes to manage IT resources | The COBIT framework refers to IT governance. Of the following choices, what best describes IT governance?
COBIT | This standard is focused on maintaining a balance between benefits, risk, and asset use. It is based on five principles and seven enablers. What is this standard?
ISO 27002 Information Technology Security Techniques | Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification.
ISO 31000 Risk Management Principles and Guidelines | Which of the following ISO documents provides generic guidance on risk management?
True | ITIL is a group of five books developed by the United Kingdom's Office of Government Commerce.
5 | In the CMMI, level ______ indicates the highest level of maturity.
It receives authority to operate. | The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited?
All of the above | What are valid contents of a risk management plan?
All of the above | What should be included in the objectives of a risk management plan?
Boundaries | What will the scope of a risk management plan define?
Scope creep | What problem can occur if the scope of a risk management plan is not defined?
An individual or group that has an interest in the project | What is a stakeholder?
True | A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources.
Ensuring costs are controlled, Ensuring the project stays on schedule | A risk management plan project manager oversees the entire plan. What is the project manager responsible for?
Management | A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement?
Cause and effect diagram | A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings?
Causes, criteria, and effects | What three elements should be included in the findings of the risk management report?
CBA | What is a primary tool used to identify the financial significance of a mitigation tool?
True | A fishbone diagram can link causes with effects.
Accept, defer, or modify the recommendations | You present management with recommendations from a risk management plan. What can management choose to do?
Plan of action and milestones | What is a POAM?
Gantt chart | A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking?
All of the above | What can you use to help quantify risks?
Assessment | A risk ________ is a major component of a risk management plan.
False | Risk assessments are a continuous process.
Quantitative | A ________ risk assessment uses SLE.
Probability and impact | What elements are included in a qualitative analysis?
SLE, ALE, ARO | What elements are included in a quantitative analysis?
False | Qualitative analysis is more time consuming than quantitative analysis.
Qualitative | You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it can be completed more quickly than other methods.
Quantitative | You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it includes details for a cost-benefit analysis.
Scales used to define probability and impact | What must you define when performing a qualitative risk assessment?
Quantitative | A ________ risk assessment is objective. It uses data that can be verified.
Qualitative | A ________ risk assessment is subjective. It relies on the opinions of experts.
Uncertainty level | One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
Resource allocation, Risk acceptance | You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations?
All of the above | Of the following, what would be considered a best practice when performing risk assessments?
True | You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA.
All of the above | Which of the following should you identify during a risk assessment?
All of the above | Of the following choices, what would be considered an asset?
The current configuration of the system | When defining the system for the risk assessment, what should you ensure is included?
Historical data, Threat modeling | What can you use to identify relevant vulnerabilities?
Vulnerability assessment | Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses?
Administrative | An acceptable use policy is an example of a(n) ________ control.
Technical | Your organization requires users to log on with smart cards. This is an example of a(n) ________ control.
Physical | You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control.
Threat/vulnerability pair | Which of the following should you match with a control to mitigate a relevant risk?
Probability and impact | What does a qualitative RA use to prioritize a risk?
SLE, ARO, and ALE | What does a quantitative RA use to prioritize a risk?
The operational impact of the control | Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased?
CBA | What is included in an RA that helps justify the cost of a control?
POAM | What is created with a risk assessment to track the implementation of the controls?
True | It is possible to ensure a service is operational 99.999 percent of the time even if a server needs to be regularly rebooted.
Any single part of a system that can cause the entire system to fail, if it fails | What is a single point of failure?
Hardware, Software, Personnel | When identifying the assets you have in your organization, what would you include?
Model and manufacturer, Serial number, Location | When identifying hardware assets in your organization, what information should you include?
Job | An organization may use a ________ rotation policy to help discover dangerous shortcuts or fraudulent activity.
Organizational data, Customer data, Intellectual property | What type of data should be included when identifying an organization's data or information assets?
A database created by combining multiple databases into a central database | What is a data warehouse?
The process of retrieving relevant data from a data warehouse | What is data mining?
The seven domains of a typical IT infrastructure | You are reviewing your organization's asset management data. You want to ensure that all elements of the organization are included. What can you compare the asset management system against to ensure the entire organization is covered?
Mission-critical | You are tasked with updating your organization's business continuity plans. When completing this process, you should only include ________ systems.
Insurance | What can you use to share or transfer risk associated with potential disasters?
BIA | An organization wants to determine what the impact will be if a specific IT server fails. What should it use?
BCP | An organization wants to ensure it can continue mission-critical operations in the event of a disaster. What should it use?
DRP | An organization wants to ensure it can recover a system in the event of a disaster. What should it use?
False | A BCP and DRP are the same thing.
Natural | The two major categories of threats are human and ________.
True | A threat is any activity that represents a possible danger, with the potential to affect confidentiality, integrity, or availability.
Reviewing historical data, Performing threat modeling | Which of the following methods can be used to identify threats?
Disgruntled employee, Equipment failure, Software failure | What are some sources of internal threats?
Assume the systems have not changed since the last threat assessment. | Which of the following choices is not considered a best practice when identifying threats?
Vulnerability | A ________ assessment is used to identify vulnerabilities within an organization.
Either internal or external security professionals, or both | Who should perform vulnerability assessments?
Nessus | What is the name of a common tool used to perform an automated vulnerability assessment scan?
A high false-positive error rate | What is a common drawback or weakness of a vulnerability scanner?
An audit | Your organization wants to check compliance with internal rules and guidelines. The organization wants to ensure that existing policies are being followed. What should be performed?
Access controls | You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform a(n) ________ test.
Exploit assessment | You want to identify if any of the discovered vulnerabilities can be exploited. What should you perform?
Gap analysis | Your organization is governed by HIPAA. You suspect that your organization is not in compliance. What would document the differences between what is required and what is currently implemented?
Change management | What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval?
False | Once you have deployed countermeasures, it's not necessary to retest to ensure that the exploit has been mitigated.
Control or countermeasure | A ________ will reduce or eliminate a threat or vulnerability.
True | Controls can be identified based on their function. The functions are preventive, detective, and corrective.
Prevent, recover, and detect | What are the primary objectives of a control?
Detective | What type of control is an intrusion detection system (IDS)?
Procedural, technical, and physical | Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls?
Access | A(n) ________ control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more.
Nonrepudiation | Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called?
Rules of behavior | What should you use to ensure that users understand what they can and cannot do on systems within the network?
Encryption | What can be used to ensure confidentiality of sensitive data?
Who, what, when, and where details of an event | What should be logged in an audit log?
Certification authority (CA) | Your organization wants to issue certificates for internal systems such as an internal Web server. You'll need to install a ________ to issue and manage certificates.
DRP | Which of the following is a procedural control?
PKI | Which of the following is a technical control?
CCTV | Which of the following is a physical control?
True | A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom.
Business impact analysis (BIA) | A ________ is used to identify the impact on an organization if a risk occurs.
False | MAO is the minimal acceptable outage that a system or service can have before affecting the mission.
SLA | Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use?
Critical business functions | What would you use to identify mission-critical systems?
All of the above | What can an organization use to remind users of AUP contents?
Access control lists (ACLs) | Routers have ________ to control what traffic is allowed through them.
Defense in depth | Which of the following strategies helps reduce security gaps even if a security control fails?
$25,000 | How much can an organization be fined in a year for HIPAA-related mistakes?
If it is a federal agency | What determines if an organization is governed by FISMA?
If employees handle health-related information | What determines if an organization is governed by HIPAA?
If it is registered with the Securities and Exchange commission | What determines if an organization is governed by SOX?
If it receives E-Rate funding | What determines if an organization is governed by CIPA?
Identify the ROI | You've performed a CBA on a prospective control. The CBA indicates the cost of the control is about the same as the projected benefits. What should you do?
Loss Before Control Loss After Control | Which of the following is a valid formula used to identify the projected benefits of a control?
True | A CBA can be used to justify the purchase of a control.
In-place | A(n) ________ countermeasure has been approved and has a date for implementation.
True | A single risk can be mitigated by more than one countermeasure.
Threat � Vulnerability | The formula for risk is Risk ________.
Details on how to create accounts, Details on when accounts should be disabled, Password policy | What would an account management policy include?
Length of password | What could a password policy include?
Mitigation | The ________ plan will include details on how and when to implement approved countermeasures.
All of the above | You are reviewing a countermeasure to add to the mitigation plan. What costs should be considered?
Power and air conditioning | Which of the following are considered facility costs for the implementation of a countermeasure?
One month | An account management policy needs to be created as a mitigation countermeasure. You will write the policy. What's a reasonable amount of time for the written policy to be completed and approved?
Threat/likelihood-impact matrix | What can you use to determine the priority of countermeasures?
Verify risk elements | A risk assessment was completed three months ago. It has recently been approved, and you're tasked with implementing a mitigation plan. What should you do first?
CBA | You are evaluating two possible countermeasures to mitigate a risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits?
Projected Benefits Cost of Countermeasure | You are performing a cost-benefit analysis. You want to determine if a countermeasure should be used. Which of the following formulas should you apply?
Recommended countermeasure, Risk to be mitigated, Costs, Annual projected benefits | Of the following, what should be included in a cost-benefit analysis report?
True | A POAM can be used to follow up on a risk mitigation plan.
Maximum acceptable outage (MAO) | The ________ identifies the maximum acceptable downtime for a system.
True | Stakeholders can determine what functions are considered critical business functions.
Business continuity plan (BCP) | The BIA is a part of the ________.
Scope | What defines the boundaries of a business impact analysis?
Identify critical resources, Identify critical business functions | What are two objectives of a BIA?
Indirect | You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. When calculating the costs, you should calculate the direct and ________ costs.
Recovery point objectives | You are working on a BIA. You want to identify the maximum amount of data loss an organization can accept. What is this called?
Recovery time objectives | You have identified the MAO for a system. You now want to specify the time required for a system to be recovered. What is this called?
The RTO applies to any systems or functions. However, the RPO only refers to data housed in databases | Which of the following statements is true?
Loss of sales | You are working on a BIA. You are calculating costs to determine the impact of an outage for a specific system. Which one of the following is a direct cost?
Top-down approach where CBFs are examined first | What type of approach does a BIA use?
Critical success factors | Mission-critical business functions are considered vital to an organization. What are they derived from?
IT systems | You are performing a BIA for an organization. What should you map the critical business functions to?
Use different data collection methods | Of the following choices, what are considered best practices related to a BIA?
False | A cost-benefit analysis is an important part of a BIA.
BCP or business continuity plan | A(n) ________ is a plan that helps an organization continue to operate during and after a disruption or disaster.
False | Business continuity and disaster recovery are the same thing.
Scope | You want to ensure that a BCP includes specific locations, systems, employees, and vendors. You should identify these requirements in the ________ statement.
To ensure mission-critical elements of an organization continue to operate after a disruption | What is the purpose of a BCP?
Confidentiality, integrity, and availability | What does a BCP help to protect during and after a disruption or disaster?
BCP coordinator | The ________ is responsible for declaring an emergency and activating the BCP.
EMT | After a BCP has been activated, who has overall authority for the recovery of systems?
DAT | After a BCP has been activated, who will assess the damages?
TRT | After a BCP has been activated, who will recover and restore critical IT services?
Notification/activation, recovery, reconstitution | What are the three phases of a BCP?
Least critical business functions | A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. What operations should you move back to the original location first?
Run the servers concurrently with the alternate location for three to five days | A major disruption has forced you to move operations to an alternate location. The disruption is over and you need to begin normalizing operations. You have rebuilt several servers at the primary location. What should you do?
BCP testing | What can you do to show that the BCP will work as planned?
Tabletop exercises, Functional exercises, Full-scale exercises | What types of exercises can demonstrate a BCP in action?
True | Once a BCP has been developed, it should be reviewed and updated on a regular basis, such as annually.
Disaster recovery plan (DRP) | A(n) ________ is a plan used to restore critical business functions to operation after a disruption or disaster.
True | A DRP has multiple purposes. This includes saving lives, ensuring business continuity, and recovering after a disaster.
False | Disaster recovery and fault tolerance are the same thing.
Critical success factor (CSF) | A ________ is an element necessary for success. For example, the success of a DRP depends on elements such as management support and a disaster recovery budget.
Recovery time objective (RTO) | A business impact analysis (BIA) includes a maximum acceptable outage (MAO). The MAO is used to determine the amount of time in which a system must be recovered. What term is used in the DRP instead of the MAO?
All of the above | A certain DRP covers a system that hosts a large database. You want to ensure that the data is copied to an off-site location. What could you use?
Off-site | A copy of backups should be stored ________ to ensure the organization can survive a catastrophic disaster to the primary location.
Cold site | You are considering an alternate location for a DRP. You want to minimize costs for the site. What type of site would you choose?
Hot site | You are considering an alternate location for a DRP. You want to ensure the alternate location can be brought online as quickly as possible. What type of site would you choose?
Warm site | You are considering an alternate location for a DRP. You want to use a business location that is already running noncritical business functions as the alternate location. This location has most of the equipment needed. What type of site is this?
Purpose, scope, communications, recovery procedures | Which of the following elements are commonly included in a DRP?
All of the above | You are considering using a hot site as an alternate location. You want to consider different technologies to keep the data updated and decrease the time it will take for the hot site to become operational. What are some technologies that may help?
Budget | Of the following, what is critical for any DRP?
All of the above | Your organization has created a DRP but it hasn't been tested. Which of the following methods can you use to test it?
False | Once a DRP has been created, it's not necessary to update it.
Computer incident or computer security incident | A(n) ________ is a violation of a security policy or security practice.
False | All events on a system or network are considered computer security incidents.
Denial of service (DoS) or distributed DoS (DDoS) | An administrator has discovered that a Web server is responding very slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a ________________attack.
This is a form of inappropriate usage | A user has installed P2P software on a system. The organization's policy specifically states this is unauthorized. An administrator discovered the software on the user's system. Is this a computer security incident? If so, what type?
Mobile code | Some malware can execute on a user's system after the user accesses a Web site. The malware executes from within the Web browser. What type of malware is this?
In the wild | A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus?
Data leakage | What is the greatest risk to an organization when peer-to-peer software is installed on a user's system?
False | Only police or other law enforcement personnel are allowed to do computer forensics investigations.
All of the above | A log has shown that a user has copied proprietary data to his computer. The organization wants to take legal action against the user. You are tasked with seizing the computer as evidence. What should you establish as soon as you seize the computer?
Preparation, detection and analysis, containment, eradication and recovery, and post-incident recovery | Many steps are taken before, during, and after an incident. Of the following choices, what accurately identifies the incident response life cycle?
False | In general, it's acceptable for members of a CIRT to take actions to attack attackers. This is one of the normal responsibilities of a CIRT.
Containment | After an incident has been verified, you need to ensure that it doesn't spread to other systems. What is this called?
All of the above | Which of the following may be included in a CIRT plan?
Document the incident | Attackers attempt a DoS attack on servers in your organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT will complete in response to this incident?
A Trojan horse | Several types of malicious code exist. Malware that appears to be one thing but is actually something else is ________.
Identify Asset Value, Identify threats, Identify vulnerabilities, Identify consequences | Which one is the order of steps of the Risk Identification Techniques ?
Threat Vulnerability Asset Value | Total Risk = ?
NIDS and HIDS | What is the kind of Intrusion detection system ?
True | The SQL injection attacks is a technique that allows an attacker to insert SQL code into data sent to the server and is implemented on the database server.
Federal Information Security Management Act (FISMA) 2002 | What is US-based Laws ?
All of them | If your company is involved with the sale or trade of securities, what laws do you should be aware of ?
True | A milestone plan chart is a simple graphical representation of major milestones. It shows the major milestones laid out in a graphical format.
Is an individual or group that has a stake, or interest, in the success of a project | What is stakeholder ?
All of them | A risk assessment (RA) is ?
Identify scope, Identify critical areas, Identify team | Which one is Critical Components of Risk Assessment ?
Is the process of determining the fair market value of an asset | What is the Asset valuation ?
True | Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm.
Both of them | The system testing include ?
Is primarily used with software development. It helps ensure that a product meets the functional requirements or specifications defined for the product | What is Functionality Testing ?
False | Technical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls.
All of above | A router can filter traffic based on ?
Requires the protection of any health-related data | HIPAA is ?
All of above | What Is the Scope of Risk Management for Your Organization ?
4 | How many categories of Data and information assets ?
Performance | Which of following NOT true about Risk Management Techniques ?
Employees understand that security is everyone's responsibility | Training help ?
Gramm-Leach-Bliley Act 1999 | GLBA on US-based Laws is ?
SLE, ARO, and ALE | What does a quantitative RA use to prioritize a risk ?
All of the below | Of the following choices, what would be considered an asset ?
True | Quantitative risk assessment is objective. It uses data that can be verified.
POAM | What is created with a risk assessment to track the implementation of the controls ?
4 | How many Technical Controls in the NIST SP 800-53 ?
All of them | What are properties of IA ?
All of them | Two primary assessments to identify and evaluate vulnerabilities
Review Historical Data | Techniques for Identifying Threats ?
6 | How many Legal Requirements, Compliance Laws, Regulations, and Mandates ?
Reducing the impact of threats and a vulnerability to an acceptable level | The primary purpose of countermeasures, safeguards, or controls is to mitigate risk ?
2 | How many preliminary actions that need to complete before progressing with the RA ?
6 | How many elements to consider when Identifying Assets and Activities Within Risk Assessment Boundaries ?
All of them | A vulnerability assessment may have multiple goals, such as ?
Manual | Which of the following methods is methods to Identify Assets and Activities to Be Protected ?
Identify mission-critical business functions and processes | What is 3rd step of Business impact analysis planning ?
Vulnerability | A __________ assessment is used to identify vulnerabilities within an organization.
Either internal or external security professionals, or both | Who should perform vulnerability assessments ?
Nessus | What is the name of a common tool used to perform an automated vulnerability assessment scan ?
A high false-positive error rate | What is a common drawback or weakness of a vulnerability scanner ?
An audit trail | Your organization wants to check compliance with internal rules and guidelines. They want to ensure that existing policies are being followed. What should be performed ?
Change management | What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval ?
False | Configuration management ensures that changes are not made to a system without formal approval.
True | Controls can be identified based on their function. The functions are preventative, detective, and corrective.
Prevent, recover, detect | What are the primary objectives of a control ?
Non-repudation | Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called ?
Rules of behavior | What should you use to ensure that users understand what they can and cannot do on systems within the network ?
Encryption | What can be used to ensure confidentiality of sensitive data ?
Who, what, when, and where details of an event | What should be logged in an audit log ?
Threat/vulnerability pair | Which of the following should you match with a control to mitigate a relevant risk ?
Probability and impact | What does a qualitative RA use to prioritize a risk ?
BCP | An organization wants to ensure they can continue mission-critical operations in the event of a disaster. What should they use ?
DRP | An organization wants to ensure they can recover a system in the event of a disaster. What should they use ?
All of the below | Of the following, what should be included in a cost-benefit analysis report ?
All of the below | What would an account management policy include ?
Critical business functions | What can be used to help identify mission-critical systems ?
All of them | When identifying hardware assets in your organization, what information should you include ?
Risk Assessment are not relevant to Risk Management program | Which statement is incorrect about Risk Assessment ?
In-Place and Planned controls | Which controls is not belong to Control Categories when identifying and evaluating the countermeasures ?
These are controls that have a specified implementation date. | Which definition is true about Planned controls ?
Physical security controls includes controls such as locks and guards to restrict physical access | Which stateemnt is true about Physical security controls ?
The number of times an incident is expected to occur in a year | Which statement is true about ARO ?
Value to the customers | When evaluating this type of automated method, there are several other things to consider, such as the following ?
Cost, schedule, and quality | According to Maylor, what are traditionally the core three risk categories ?
Identification, analysis, and monitoring and control (Missed) | What are the three stages of cyclical risk management ?
Properly plan by thoroughly thinking through events and activities | What is one way that you can help to reduce safety risks for your organization's activities and events ?
4 | How many element in system access and availability ?
Against | Which of following is NOT a type of risk management techniques ?
CBA | What is included in an RA that helps justify the cost of a control ?
CCTV | Which of the following is a physical control ?
More realistic than either tabletop or functional exercises | What is a full-scale exercise ?
Activated | What their actual responsibilities are when the BCP is ?
All of the below | NIST SP 800-53 identifies controls in three primary classes. What are they ?
In-place | A(n) __________ countermeasure has been approved and has a date for implementation.
SLA | Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use ?
ACLs | Routers have __________ to control what traffic is allowed through them.
$25,000 | How much can an organization be fined in a year for mistakes that result in noncompliance ?
Threat * Vulnerability | The formula for risk is Risk ?
Identify cost of Risk | What is not risk identification techniques ?
Prevent | What is not risk management techniques ?
Use accesses control | What is the best for Managing Threats within Your IT infrastructure ?
Protecting system and data | The Federal Information Security Management Act (FISMA) assigns specific agencies are resoponsible for ?
True | Risk assessments are a continuous process.
CBA | You are evaluating two possible countermeasures to mitigate the risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits ?
Administrative | An acceptable use policy is an example of an __________ security control.
what is out-of-pocket cost | The cost to reduce risks comes from existing funds
take as long one or more days to implement | warm site
the most expensive of the three types of alternate sites | hot site
private | protected internally
public | freely available
method starts with full copies of the data at the remote location | remote journaling
Lost opportunity costs | Money spent to reduce risks can't be spent elsewhere.
Future costs | Some countermeasures require ongoing or future costs. These costs could be for renewing hardware or software. Future costs can also include the cost of employees to implement the countermeasures.
Client/stakeholder confidence | The value of client and stakeholder confidence is also important.
Automation and input validation are common methods used to reduce human errors | t(reducing human errors)
HIPAA applies only to the health care industry | F
Individual responsibility could be assigned for all of the following activities EXCEPT | Risk analysis
__________ and __________ attacks are common attacks for Internet-facing Web servers | Buffer overflow and SQL Injection
Which site takes the longest time to set up | Cold site
Which of the following is a management control | System and Services Acquisition
Which of the following asset inventory is medium priority | E-mail Server
Overlapping countermeasures make security controls more effective and do not cause any problem | False
Common recommended lengths are at least ____ characters for regular users and at least ____ characters for administrator | 8 - 15
The BIA is largely a _________ process | Data-gathering
Provide training is _____ step of a BCP | 5th
When the BCP is completed and activated, the BCP coordinator is responsible for declaring the emergency and developing the BCP | False (and activating BCP)
If the MAO is 120 minutes, the RTO needs to be written to be _________ 120 minutes | Less than/equal to
method transfers the backup data to an off-site location | Electronic vaulting
NIST SP 800-61 Rev 2 identifies the following three team models of CIRT plan | Central incident response team, Distributed incident response team, Coordinating team
Steps to harden a server include | Reduce the attack surface, Keep system up to date, Enable Firewalls, Enable IDSs
which of the following is an example of operational control | audit and accountability (AU)
which of the following tests verifies user rights and permissions | access controls testing
which of the following information is not provided by threat model | threat control
which of the following is a CBF | Sales from the web site
what is the responsible of risk management PM | tracking and managing all project issues
what is the RTO | the time when a system or function must be recovered
at the suggestion of NIST SP 800-30, if a threat exploits the vulnerability, the medium impact is | noticeably affect an organization's mission
which of the following is not consideration when developing the mitigation plan | time to approve the countermeasures
Business continuity plans address all of the following expect | the protection of cold sites at a remote locaition
when identify assets, your asset inventory could have resulted in the high priority with | network infrastructure
what is the second step of the incident response life cycle | detection and analysis
the risk management plan specifies responsibilities. you can assign responsibilities to all except | staffs and customers
which correct describes the audit trail | it is a series of events recorded in one or more logs
which of the following is an best example of internal threat | unintentional access
what is the greatest risk loan organization when peer-to-peer software is installed on a user's system | data leakage
after an incident has been verified, you need to ensure that it doesn't spread to other systems. what is this called | containment
which of the following elements is commonly included in any CBA report for a countermeasure | risk to be mitigated
which of the following has an incorrect definition assigned to the term | Baseline = a description of what the environment will look like, a standard of measure, after security is implemented
DRP mean essentially the same thing all but which of the following | business continuity plan
which of the following is not a key objectives that directly support the BCP | identify critical threats
which of the following is the most serious attacker | disgruntled employees
The _________________ is the de facto standard of best practices for IT service management. IT was created because of the increased dependence on information technology to meet business needs | Information Technology Infrastructure Library (ITIL)
some malware can execute on a user's system alter the user accesses a web site. the malware executes from within the web browser. what type of malware is this | virus
which of the following is not purpose of the DRP | identify business impact
what does ELT stand for | extract, load and transform
what would be an appropriate difference between a qualitative and a quantitative risk analysis | qualitative is a subjective observation, while a quantitative approach defines statistical costs associated with a threat
there are the major categories of reporting requirements except | BIA report
although these threats are unintentical, you can address them with a risk management plan. which of the following is a method do that | managing environmental threats
what is the second step of a BIA process | identify stakeholder
what is a certification authority (CA) | it issues and manages certificates
which of the following is the intangible value | customer influence
which is the most valuable technique when determining if a specific security control should be implemented | cost/benefits analysis
which of the following is critical success factor of the DRP | knowledge and authority for DRP developers
what does TPM stand for | technology protection measure
what is the category of intellectual property | industrial property
business processes can survive without the business functions for one or more days. what is this impact value level | level 3
when review the previous findings, the items especially worth investigating are all except | obsolete proposals
a company issues laptop computers to employees. the value of each laptop is $1,500. about 100 laptops are being used at any time. in the past two years, the company has lost an average of one laptop per quarter. the company provides hardware locks for the laptops in bulk at a cost of $10 each, the ARO will decrease to 1. what is savings with control | $4,500
before progressing with the RA, you need to complete which of the following actions | define the assessment.
Which one is the order of steps of the Risk Identification Techniques ? | Identify Asset Value, Identify threats, Identify vulnerabilities, Identify consequences
Total Risk = ? | Threat Vulnerability Asset Value
What is the kind of Intrusion detection system ? | NIDS and HIDS
The SQL injection attacks is a technique that allows an attacker to insert SQL code into data sent to the server and is implemented on the database server. | True
What is US-based Laws ? | Federal Information Security Management Act (FISMA) 2002
If your company is involved with the sale or trade of securities, what laws do you should be aware of ? | All of them
A milestone plan chart is a simple graphical representation of major milestones. It shows the major milestones laid out in a graphical format. | True
What is stakeholder ? | Is an individual or group that has a stake, or interest, in the success of a project
A risk assessment (RA) is ? | All of them
Which one is Critical Components of Risk Assessment ? | Identify scope, Identify critical areas, Identify team
What is the Asset valuation ? | Is the process of determining the fair market value of an asset
Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm. | True
The system testing include ? | Both of them
What is Functionality Testing ? | Is primarily used with software development. It helps ensure that a product meets the functional requirements or specifications defined for the product
Technical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. | False
A router can filter traffic based on ? | All of above
HIPAA is ? | Requires the protection of any health-related data
What Is the Scope of Risk Management for Your Organization ? | All of above
How many categories of Data and information assets ? | 4
Which of following NOT true about Risk Management Techniques ? | Performance
Training help ? | Employees understand that security is everyone's responsibility
GLBA on US-based Laws is ? | Gramm-Leach-Bliley Act 1999
What does a quantitative RA use to prioritize a risk ? | SLE, ARO, and ALE
Of the following choices, what would be considered an asset ? | All of the below
Quantitative risk assessment is objective. It uses data that can be verified. | true
What is created with a risk assessment to track the implementation of the controls ? | POAM
How many Technical Controls in the NIST SP 800-53 ? | 4
What are properties of IA ? | All of them
Two primary assessments to identify and evaluate vulnerabilities | All of them
Techniques for Identifying Threats ? | Review Historical Data
How many Legal Requirements, Compliance Laws, Regulations, and Mandates ? | 6
The primary purpose of countermeasures, safeguards, or controls is to mitigate risk ? | Reducing the impact of threats and a vulnerability to an acceptable level
How many preliminary actions that need to complete before progressing with the RA ? | 2
How many elements to consider when Identifying Assets and Activities Within Risk Assessment Boundaries ? | 6
A vulnerability assessment may have multiple goals, such as ? | All of them
Which of the following methods is methods to Identify Assets and Activities to Be Protected ? | Manual
What is 3rd step of Business impact analysis planning ? | Identify mission-critical business functions and processes
A __________ assessment is used to identify vulnerabilities within an organization | Vulnerability
Who should perform vulnerability assessments ? | Either internal or external security professionals, or both
What is the name of a common tool used to perform an automated vulnerability assessment scan ? | Nessus
What is a common drawback or weakness of a vulnerability scanner ? | A high false-positive error rate
Your organization wants to check compliance with internal rules and guidelines. They want to ensure that existing policies are being followed. What should be performed ? | An audit trail
What management program can be implemented to ensure that the configuration of systems is not modified without a formal approval ? | Change management
Configuration management ensures that changes are not made to a system without formal approval. | False
Controls can be identified based on their function. The functions are preventative, detective, and corrective. | True
What are the primary objectives of a control ? | Prevent, recover, detect
Logon identifiers help ensure that users cannot deny taking a specific action such as deleting a file. What is this called ? | Non-repudation
What should you use to ensure that users understand what they can and cannot do on systems within the network ? | Rules of behavior
What can be used to ensure confidentiality of sensitive data ? | Encryption
What should be logged in an audit log ? | Who, what, when, and where details of an event
Which of the following should you match with a control to mitigate a relevant risk ? | Threat/vulnerability pair
What does a qualitative RA use to prioritize a risk ? | Probability and impact
An organization wants to ensure they can continue mission-critical operations in the event of a disaster. What should they use ? | BCP
An organization wants to ensure they can recover a system in the event of a disaster. What should they use ? | DRP
Of the following, what should be included in a cost-benefit analysis report ? | All of the below
What would an account management policy include ? | All of the below
What can be used to help identify mission-critical systems ? | Critical business functions
When identifying hardware assets in your organization, what information should you include ? | All of them
A BCP and DRP are the same thing. | False
Which statement is incorrect about Risk Assessment ? | Risk Assessment are not relevant to Risk Management program
Which controls is not belong to Control Categories when identifying and evaluating the countermeasures ? | In-Place and Planned controls
Which definition is true about Planned controls ? | These are controls that have a specified implementation date.
Which stateemnt is true about Physical security controls ? | Physical security controls includes controls such as locks and guards to restrict physical access
Which statement is true about ARO ? | The number of times an incident is expected to occur in a year
When evaluating this type of automated method, there are several other things to consider, such as the following ? | Value to the customers
According to Maylor, what are traditionally the core three risk categories ? | Cost, schedule, and quality
What are the three stages of cyclical risk management ? | Identification, analysis, and monitoring and control (Missed)
What is one way that you can help to reduce safety risks for your organization's activities and events ? | Properly plan by thoroughly thinking through events and activities
How many element in system access and availability ? | 4
Which of following is NOT a type of risk management techniques ? | Against
What is included in an RA that helps justify the cost of a control ? | CBA
Which of the following is a physical control ? | CCTV
What is a full-scale exercise ? | More realistic than either tabletop or functional exercises
What their actual responsibilities are when the BCP is ? | Activated
NIST SP 800-53 identifies controls in three primary classes. What are they ? | All of the below
A PTZ camera is used within a CCTV system. It can pan, tilt, and zoom. | True
A(n) __________ countermeasure has been approved and has a date for implementation. | In-place
MAO is the minimal acceptable outage that a system or service can have before affecting the mission. | False
Your organization wants to have an agreement with a vendor for an expected level of performance for a service. You want to ensure that monetary penalties are assessed if the minimum uptime requirements are not met. What should you use ? | SLA
Routers have __________ to control what traffic is allowed through them. | ACLs
How much can an organization be fined in a year for mistakes that result in noncompliance ? | $25,000
The formula for risk is Risk ? | Threat * Vulnerability
What is not risk identification techniques ? | Identify cost of Risk
What is not risk management techniques ? | Prevent
What is the best for Managing Threats within Your IT infrastructure ? | Use accesses control
The Federal Information Security Management Act (FISMA) assigns specific agencies are resoponsible for ? | Protecting system and data
Risk assessments are a continuous process. | True
You are evaluating two possible countermeasures to mitigate the risk. Management only wants to purchase one. What can you use to determine which countermeasure provides the best cost benefits ? | CBA
An acceptable use policy is an example of an __________ security control. | Administrative
Which one of the following properly defines risk? | Threat X Vulnerability
Which of the following are accurate pairing of threat categories? | External and internal, Intentional and accidental
A loss of client confidence or public trust is an example of a loss of the following category? | Intangible Value
What is the primary goal of an information security program? | Reduce losses related to loss of confidentiality, integrity, and availability
Which of the following is an industry recognized standard list of common vulnerabilities? | CVE
Which of the following is a goal of a risk management? | Identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing one which of the following work? | CBA Costs Business Analysis
You have applied controls to minimize risk in the environment. What is the remaining risk called? | Transfer
Which of the following is NOT the risk management technique? | Migrate
A company decides to reduce losses of a threat by purchasing insurance. The way it is kind of risk management techniques of the following? | Risk Transfer
What is a security policy? | A document created by senior management that identifies the role of security in the organization
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? | Principle of least privileg
You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. What should you use? | Principle of need to know
Which of the following security principles divides job responsibilities to reduce fraud? | Separation of duties
What can you use to ensure that unauthorized changes are not made to systems? | Configuration management
What are two types of intrusion detection systems? | Host-based and network-based
A DMZ, or demilitarized zone, is used in a networking context for what primary purpose? | to provide a high level of security for the private network
Why should employers make sure employees take their vacations? | It is a way that fraud can be uncovered.
What is a stakeholder? | An individual or group that has an interest in the project
What three elements should be included in the findings of the risk management report? | Causes, Criteria, and effects
What is a primary tool used to identify the financial significance of a mitigation tool? | CBA
What is a POAM? | Plan of action and milestones
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? | GANTT chart
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? | Ensuring costs are controlled -Ensuring the project stays on
What are valid contents of a risk management plan? | Objectives, Scope, Recommendations, POAM
What should be included in the objectives of a risk management plan | A list of threats, vulnerabilities, Costs associated with risks, cba
Which of the following is a major component of a risk management plan? | A risk Assessment
What elements are included in a qualitative analysis? | Probability and Impact
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data? | Uncertainty level
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations? | Resource Allocation -Risk Acceptance
Of the following, what would be considered a best practice when performing risk assessments? | ALL OF THE BELOW
What is an ARO? | Annualized Rate of Occurrence
Which choice MOST closely depicts the difference between qualitative and quantitative risk analysis? | Aquantitative RAuses less guesswork than a qualitative RA.
A company needs to determine its security budget for the next year. It interviews users, administrators, and managers in the information technology division, who render opinions and recommendations based upon their perceptions of security risk. This is an example of what kind of approach to risk analysis? | Qualitative
When reviewing historical data, you can look some events. They are | Attack, Accident, Natural Event, Equipment failures
Laura and her team are diligently working on a company-wide risk assessment initiative. At the conclusion of her team's work, all of the following goals could be met, except: | Countermeasures have been put into place and communicated to the appropriate personnel
What does a qualitative RA use to prioritize a risk? | Probability and impact
Shirley is in charge of asset identification and classification as part of a risk assessment initiative. In going through an inventory list, she must decide if an asset is tangible or intangible. Which of the following should she mark as intangible? | Reputation
What is a single point of failure? | Any single part of a system that can cause the entire system to fail, if it fails
Intellectual Property is a example of | organization's data or information assets
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? | The level of insurance required to cover the asset
Corruption/modification is one of the biggest threats to an operations environment. Which of the following is the typical culprit in this type of threat? | Employees
Which of the following is an internal threat? | User accidentally deletes new product designs.
Which of the following is NOT a result of a penetration test? | Modify access control permissions
Mary is creating malicious code that will steal a user's cookies by modifying the original client-side Java script. What type of cross-site scripting vulnerability is she exploiting? | DOM-based
What is the first step in an exploit assessment? | Get permission first
When performing exploit assessments, best practice is: | Get permission first, identify as many as exploits, Use a gap analysis
You want to identify if any of the discovered vulnerabilities can be exploited. What should you perform? | Exploit assessment
You want to know if users are granted the rights and permissions needed to do their job only, and no more. You should perform which of the following tests? | Access controls
Which of the following is NOT a domain of the COBIT categories? | Support and Monitor
What should you use to ensure that users understand what they can and cannot do on systems within the network? | Rules of behavior
Which of the following is used to identify the impact on an organization if a risk occurs? | Business Impact Analysis (BIA)
Which of the following is a valid formula used to identify the projected benefits of a control? | Loss before control - loss after control
What determines if an organization is governed by FERPA? | If it is a federal agency
What can be used to remind users of the contents of the AUP? | Logon banners -Posters -E-mails
Which of the following is accurate pairing of threat categories? | External and internal, intentional and accidental
Which of the following is an industryrecognized standard list of common vulnerabilities ? | CVE
Which of the following statement is correct when referring to qualitative risk assessment | All statement are correct
What is the recovery value? | This is the cost to get the asset operational after a failure
When reviewing historical data, you can look some events. Which of the follwing is not one of them? | Attacks,natural events,accidents,equipment failure
Which of the following is an example of the administrative security control? | Policies and procedures, Security plans, Insurance, Personnel checks, Awareness and training, Rules of behavior
Which of the following is an example of the technical security control? | Login identifier, Session timeout, System log, Audit trails, Input validation, Firewalls, Encryption
Awareness and training is an example of | Administrative Control
Which of the following is NOT a type of assets? | installed components, hardware peripherals, installed software, update versions, and more
What is the information you need to know hardware assets? | Hardware assets are any assets that you can physically touch. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls
What is "five nine"? | 99.999 percent up time, is sometimes needed for certain services
What is a single point of failure? | A single point of failure is any part of a system that can cause an entire system to fail, if it fails
Intellectual Property is a example of | Data and information assets
What is the risk of the assets in Workstation Domain? | Theft,Update
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? | Replacement value - This is the cost to purchase a new asset in its place, Recovery value - This is the cost to get the asset operational after a failure.
Which of the following is an internal threat? | Employees not following security policy
Which of the following is NOT a result of a penetration test? | System testing, Exploit assessments
What is the first step in an exploit assessment? | The first step in an exploit assessment is to perform a vulnerability test.
In best practices for exploit assessments, what is a solution for legal compliance? | Use a gap analysis
Contingency Planning(CP) is an example of | NIST SP 800-53 Operational Controls
Which best describes System and Services Acquisition (SA) control? | The SA family includes many controls related to the purchase of products and services. It also includes controls related to software usage and user installed software
Which best describes Technical controlsl? | Technical controls are software tools that automate protection. A technical control is enforced using technology
What is a proximity card? | A proximity card is a small credit-card sized device. It includes electronics that will activate when it is close to a proximity reader. The card sends a signal to the reader identifying it. If the card is authorized, the door will open
What is an AUP? | Acceptable use policy (AUP)�An AUP defines acceptable use of systems. It identifies what a user can and cannot do on a system. It is sometimes referred to as Rules of Behavior
Which of the following is used to identify the impact on an organization if a risk occurs? | BIA
What is the MAO? | Maximum acceptable outage (MAO)
Which of the following is a valid formula used to identify the projected benefits of a control? | Loss before control - Loss after control = Projected benefits
What is the scope of risk management for System/Application Domain? | System/Application Domain - A primary requirement to keep these systems secure is to ensure administrators have adequate training and knowledge. Additionally, configuration and change management practices are helpful. Configuration management ensures the systems are configured using sound security practices.
What is the impact of legal and compliance implications on the LAN-to-WAN Domain? | LAN-to-WAN Domain�A firewall is used to protect a network here. PCI DSS specifically requires a firewall. A library may use a proxy server as a TPM to comply with CIPA. A proxy server has access to the Internet and the intranet. It would need additional security to protect it from external attacks.
What determines if an organization is governed by FERPA? | FERPA mandates access to educational records by students or parents. If the school has a large volume of these requests, it could affect regular operations. The school could choose to limit when access to records is granted.
If your organization is governed by FISMA. What is one of the important issues to understand first? | The Federal Information Security Management Act (FISMA) was passed in 2002. Its purpose is to ensure that federal agencies protect their data. It assigns specific responsibilities for federal agencies.
What can be used to remind users of the contents of the AUP? | Companies also sometimes use banners and logon screens to remind personnel of the policy
What is the ROI? | the return on investment
Which of the following is NOT valid contents of a risk management plan? | Objectives, Scope, Recommendations, POAM
Which of the following is NOT included in the objectives of a risk management plan? | A list of threats, vulnerabilities, Costs associated with risks, cba
Which one of the following properly defines risk? | Threat � Vulnerability
Which one of the following properly defines total risk? | Threat � Vulnerability � Asset Value
You can completely eliminate risk in an IT environment. | False
Which of the following are accurate pairings of threat categories? (Select two.) | Computer and user,A External and internal
A loss of client confidence or public trust is an example of a loss of ________. | Intangible value
As long as a company is profitable, it does not need to consider survivability. | fasle
What is the primary goal of an information security program? | To reduce losses related to loss of confidentiality, integrity, and availability
The ________ is an industry-recognized standard list of common vulnerabilities. | CVE
Which of the following is a goal of risk management? | To identify the correct cost balance between risk and controls
If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ________. | CBA or cost-benefit analysis
A company decides to reduce losses of a threat by purchasing insurance. This is known as risk ________. | Transfer
What can you do to manage risk? (Select three.) | Accept,Transfer,Avoid
Who is ultimately responsible for losses resulting from residual risk? | Senior management
You want to ensure that users are granted only the rights to perform actions required for their jobs. What should you use? | Principle of least privilege
A technical control prevents unauthorized personnel from having physical access to a secure area or secure system. | False
What allows an attacker to gain additional privileges on a system by sending unexpected code to the system? | Buffer overflow
What is hardening a server? | Securing it from the default configuration
Which of the following steps could be taken to harden a server? | All of the above
Which government agency includes the Information Technology Laboratory and publishes SP 800-30? | NIST
ITL and ITIL are different names for the same thing. | False
Which U.S. government agency regularly publishes alerts and bulletins related to security threats? | US-CERT
The CVE list is maintained by ________. | The MITRE Corporation
What is the standard used to create Information Security Vulnerability names? | CVE
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? | Annually
What law applies to organizations handling health care information? | HIPAA
CEOs and CFOs can go to jail if financial statements are inaccurate. What law is this from? | SOX
What law requires schools and libraries to limit offensive content on their computers? | CIPA
Employees in some companies are often required to take an annual vacation of at least five consecutive days. The purpose is to reduce fraud and embezzlement. What is this called? | Job rotation
Fiduciary refers to a relationship of trust. | True
Merchants that handle credit cards are expected to implement data security. What standard should they follow? | PCI DSS
The National Institute of Standards and Technology published Special Publication 800-30. What does this cover? | Risk assessments
The COBIT framework refers to IT governance. Of the following choices, what best describes IT governance? | Processes to manage IT resources
This standard is focused on maintaining a balance between benefits, risk, and asset use. It is based on five principles and seven enablers. What is this standard? | COBIT
Which of the following ISO standards can be used to verify that an organization meets certain requirements? Part I identifies objectives and controls. Part II is used for certification. | ISO 27002 Information Technology Security Techniques
Which of the following ISO documents provides generic guidance on risk management? | ISO 31000 Risk Management Principles and Guidelines
ITIL is a group of five books developed by the United Kingdom's Office of Government Commerce. | True
In the CMMI, level ______ indicates the highest level of maturity. | 5
The DIACAP is a risk management process applied to IT systems. What happens after a system is accredited? | It receives authority to operate.
What are valid contents of a risk management plan? | All of the above
What should be included in the objectives of a risk management plan? | All of the above
A key stakeholder should have authority to make decisions about a project. This includes authority to provide additional resources. | True
A risk management plan project manager oversees the entire plan. What is the project manager responsible for? (Select two.) | Ensuring costs are controlled,Ensuring the project stays on schedule
A risk management plan includes steps to mitigate risks. Who is responsible for choosing what steps to implement? | Management
A risk management plan includes a list of findings in a report. The findings identify threats and vulnerabilities. What type of diagram can document some of the findings? | Cause and effect diagram
What three elements should be included in the findings of the risk management report? | Causes, criteria, and effects
A fishbone diagram can link causes with effects. | True
You present management with recommendations from a risk management plan. What can management choose to do? | Accept, defer, or modify the recommendations
A POAM is used to track the progress of a project. What type of chart is commonly used to assist with tracking? | Gantt chart
What can you use to help quantify risks? | All of the above
A risk ________ is a major component of a risk management plan. | Assessment
Risk assessments are a continuous process. | False
A ________ risk assessment uses SLE. | Quantitative
What elements are included in a qualitative analysis? | Probability and impact
What elements are included in a quantitative analysis? | SLE, ALE, ARO
Qualitative analysis is more time consuming than quantitative analysis. | False
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it can be completed more quickly than other methods. | Qualitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of a ________ risk assessment is that it includes details for a cost-benefit analysis. | Quantitative