Questions from the following topics are included in this domain:
- Basics of security and risk management
- Differing data roles and responsibilities
- Identifying administrative, physical, and technical controls
- Ethics of security professionals
- Administrative policies, procedures, and guidelines
- Object categorization and classification
- Importance of security training
To pass the Certified Information Systems Security Professional (CISSP) exam, you have to score high in the Security and Risk Management domain. Domain 1 has a 15% weighting on the exam and requires you to understand professional ethics, apply security concepts, understand how to apply security governance principles, and look at the big picture when it comes to compliance and other regulations, industry standards, or contractual and legal obligations. Understanding privacy and keeping your customers' data protected is hugely important.
Corporate investigations following a breach can be administrative, criminal, civil, or regulatory, and the security professional must be prepared for each. Management policies help reduce the risk of damage and litigation from incidents and other security threats.
Understanding how to implement business impact analysis (BIA) and knowing business continuity requirements are also important for Domain 1. Mastering this domain puts you a step ahead in preparing to pass the entire exam because it summarizes the other seven domains.
- Dorian automatically backs up his smartphone nightly to the cloud. Does this represent safety, confidentiality, integrity, or availability?
- Aisha just received an International Information Systems Security Certification Consortium (ISC)² certification. Her primary service as per their Code of Ethics is to:
- Ian's private data has been attacked and leaked on the internet. Which of the following is NOT his personally identifiable information (PII)?
B. Facial photo
C. Media access control (MAC) address
D. Internet Protocol (IP) address
- Gwendolyn completes all the backups for her cloud subscribers. What is her role at the company?
A. Data owner
B. Data subject
C. Data custodian
D. Data processor
- Usain has lost his login and password for the Verbal Co. software-as-a-service (SaaS) system set up in 1999. The system is so old that he no longer has the email account needed to recover the password. Verbal Co.'s policy is to not provide credentials via technical support. What is his next BEST step?
A. Scour the dark web for the credentials.
B. Recover the login details from 1999 backup tapes.
C. Continue emailing technical support.
D. Give up—he has done everything he can do.
- Quinonez, a CISSP security engineer with SMR Tech, has discovered that Mike and Dave, also CISSPs, colluded and harmed a contractor. How should she report this ethics violation to (ISC)²?
A. Only with the sponsorship of another (ISC)²-certified individual
B. By emailing email@example.com
C. Through the (ISC)² ethics web page
D. In a typed or handwritten letter
- Elimu has installed firewalls to protect his users from outside attacks. This is a good example of what?
A. Due diligence
B. Due process
C. Due care
D. Regulatory requirements
- Which of the following is it only recommended to follow?
- Wade is required to rebuild the organization and build an IT helpdesk infrastructure for customer support. Which framework and standards would help him BEST facilitate this?
C. International Organization for Standardization (ISO) 27001
D. Control Objectives for Information and Related Technologies (COBIT)
- Montrie is required to destroy card verification value (CVV) codes after transactions have been completed. She is complying with which standard?
- Teecee is running the computer sales department and sees that her team has sold $600,000 of their yearly goal of $1,000,000. What are the key performance indicator (KPI) and the key goal indicator (KGI)?
A. The KPI is 60%, and the KGI is $600,000.
B. The KPI is $600,000, and the KGI is 60%.
C. The KPI is $600,000, and the KGI is $600,000.
D. The KPI is -$400,000, and the KGI is $1,000,000.
- Phillip is reviewing frameworks that would help him with the types of controls that should be in place to secure his organization. Which standard should he use?
A. ISO 27001
B. ISO 27002
C. ISO 27003
D. ISO 27004
- Nina, a forensic accountant, suspects fraud within the organization and has implemented separation of duties (SoD) to mitigate the issue. A later investigation shows the fraud appears to have continued. What is MOST LIKELY occurring?
B. Miscalculation of taxes
C. Miscalculation of expenses
D. Miscalculation of net income
- Nina, a forensic accountant, suspects fraud within the organization and has implemented SoD to mitigate the issue. A later investigation shows the fraud appears to have continued. What is her BEST next step?
A. Implement countermeasures
B. Implement business continuity
C. Implement job rotation
- What represents the indirect costs, direct costs, replacement costs, and upgrade costs for the entire life cycle of an asset?
A. Total cost of ownership (TCO)
B. Return on investment (ROI)
C. Recovery point objective (RPO)
D. Recovery time objective (RTO)
- In cybersecurity, negligence is judged against a reasonable person standard, which requires showing the necessary due care when working with PII. This standard is also known as:
A. Due diligence principle
B. Due care principle
C. Prudent person principle
D. Measured negligence rule
- Scoop loaned a job slot to the Systems Engineering (SE) department and stored the details using multi-factor authentication (MFA). The SE department refuses to return the job slot because Scoop cannot prove the loan agreement. What should he use combined with his personal identification number (PIN) to recover the detailed records of the loan agreement?
A. Common access card (CAC)
C. Mother's maiden name
D. His birthday
- Randi is an engineering manager who hires Percy, a senior engineer, to manage the ASAN Corp account in Cleveland. Bud, also a senior engineer, hears complaints from the ASAN customers and reports them to Randi instead of Percy. What is Randi's BEST next step?
A. Thank Bud for being a great spy.
B. Get feedback directly from the customer.
C. Immediately transfer Percy to the Detroit office.
D. Follow corporate policies on staff management.
- Dito works in the Detroit office of the organization, and Greg states a management opportunity is soon opening and guarantees that Dito will get the job. Dito would feel more comfortable if the verbal guarantee came with a(n):
A. Non-disclosure agreement (NDA)
C. Intellectual property (IP)
D. Acceptable use policy (AUP)
- Yaza is planning on selling COVID-19 masks online to the European Union (EU). Which regulation is the most important for her to consider?
B. Health Insurance Portability and Accountability Act (HIPAA)
C. General Data Protection Regulation (GDPR)
- Trevor is considering transferring much of his organization's data to the cloud. Which vendor-neutral certification helps him to validate that the cloud provider has good security quality assurance (QA)?
A. Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR)
B. Azure certification
- Shewan's credit card information was stolen, and she realizes this occurred at the AXQA store. She believes the owner should go to prison. Which would MOST LIKELY occur?
A. The PCI-DSS is a contractual agreement between the store owner and the credit card provider. At worst, the owner will lose the right to accept credit cards.
B. The PCI-DSS is a federal regulation, violations of which are punishable by up to 5 years in federal prison.
C. The PCI-DSS is an industry standard. At worst, the owner will lose their credit card license.
D. The PCI-DSS is a legal standard, violations of which are punishable by up to 5 years in state prison.
- Pat plans on outsourcing their Information Technology (IT) services so that they can focus on designing cars and trucks. Which is the BEST way for them to monitor the effectiveness of the service provider?
A. Key risk indicator (KRI)
D. Service-level agreement (SLA)
- Tara's computer started performing very slowly, and then a popup locked her computer and notified her that unless she paid $300, she would never have access to her data again. Which of the following BEST describes this attack?
C. Denial of Service (DoS)
D. Man in the Middle (MitM)
- Karthik receives a threatening email stating that they have a video of him performing lewd acts while watching porn. They will release the videos unless he pays them $1,000. This type of attack is BEST called:
A. Social engineering
- Alexis is a security engineer and must secure her network from outside attackers. Which is the first BEST step she can take?
B. Install the latest security update patches
C. Remove default logins and passwords
D. Implement security-hardening standards
- Zosimo works for Maximo Smartphones, and for years, their new smartphone plans have been leaked to the public 2 years ahead of time, hurting sales. What is the BEST administrative control he can use to stop this?
A. Have employees sign an NDA
B. Install DLP
C. Install an internal proxy server
D. Have guards scan workers' briefcases when they leave for the day
- Angalina has noticed that several books have gone missing from the corporate library. She would like to install security controls but is on a budget. Which is the BEST solution for her?
B. Security guards
C. Dummy cameras
D. Security cameras
- Coop, a security manager, practices decrypting secure documents. He has plain text of some of the files and needs to decrypt the rest. Which attack should he use?
A. Chosen plaintext
B. Known ciphertext
C. Chosen ciphertext
D. Known plaintext
- Which of the following is NOT a directive control type?
B. Terms of service (ToS)
C. Guard dog
D. Beware of dog sign
- Ysaline has discovered her staff is spending over 80% of their time on IT-related issues, instead of designing and engineering smartphones. She wants to outsource IT-related issues to AXQO Corp. Which type of risk management is this?
A. Risk mitigation
B. Risk transference
C. Risk avoidance
D. Risk acceptance
- Levi has purchased tablets for his staff for $2,000 each. Insurance will cover 50% if they are lost, stolen, or damaged. In an average year, five tablets are lost, stolen, or damaged. What is the annualized loss expectancy (ALE) calculation?
- Zulene has spent weeks collecting pricing, performance, and tuning data to conduct her risk assessment meeting. Now that she has all the data, her team will perform which type of risk analysis?
- Zhenyu advises on security matters, helps draft security policy, and sits on the configuration management board. What is his role in the organization?
A. Senior management
B. Security director
C. Security personnel
D. Systems administrator
- Bianca has already contacted SGI News regarding the use of her copyrighted images on their website, but they refuse to take them down. What is her BEST next step to have her images removed from the site?
A. Use stronger watermarking procedures so that her images are not cloned.
B. Consider that the SGI News posting gives her free publicity.
C. Contact her lawyer to take immediate legal action.
- Roger, the chief financial officer (CFO) of NUS Micro, just received an email from his boss requesting he immediately wire $50 million to China to close a business deal. He calls his boss but cannot reach him. The email looks genuine, including the email address and domain name. He wires the money, only to find out later that his boss did not make this request. This represents which type of attack?
B. Spear phishing
C. Business email compromise (BEC)
- Sloane received a phone call from her administrator to confirm an email received from her. She then gets a phone call from her CFO that he received a message from her to transfer $1 million overseas. What has MOST LIKELY occurred?
A. Email account compromise (EAC)
B. Spear phishing
- Rafael, a systems administrator, notices that spam and phishing attacks are increasing. Which is the next BEST step he can take to safeguard the organization?
A. Add additional firewall rules
B. Implement training on spam and phishing attacks
C. Modify the SpamAssassin rules
D. Modify the external proxy server
- Which of the following represents an acceptable amount of data loss measured in time?
C. Maximum tolerable downtime (MTD)
D. Work recovery time (WRT)
- Individuals from all departments of the organization meet to prioritize risks based on impact, likelihood, and exposure. Which process is this?
A. Business Continuity Planning (BCP)
B. Disaster Recovery Planning (DRP)
C. Incident Response Planning (IRP)
- Attacks such as dumpster diving, phishing, baiting, and piggybacking all represent a class of attacks called:
C. Social engineering
- Unexpectedly, Coco has been given 2 weeks of paid time off. What is the security purpose of this event?
A. Mandatory vacation as part of a healthy worker campaign
B. Mandatory vacation to help expose fraud
C. Mandatory vacation because she clicked a phishing email
- Simon needs to calculate risk. Which formula will he use?
A. Risk = Likelihood * Exposure
B. Risk = Threat/Vulnerability
C. Risk = Threat * Vulnerability
D. Risk = Exposure * Impact
- Qiang has been assigned to find recovery sites as a result of the DR planning meeting. Her job is to find sites with heating, cooling, electricity, internet access, and power. The site will require no computers. Which type of recovery site is this?
A. Mirrored site
B. Hot site
C. Warm site
D. Cold site
- Milos is the chief security officer (CSO) of the organization and is designing a policy that includes fences, secured parking, security policies, firewalls, account management, and patch management. This is an example of which strategy?
B. Use of physical controls
C. Proper use of technical controls
D. Combining administrative, technical, and physical controls
- As part of a disaster strategy, Caty asks management for approval of deploying a warm site. Warm sites are which type of control functionality?
- Arthur, chief executive officer (CEO) of Funutek, wishes to implement online purchasing via their website. The chief marketing officer (CMO) likes the idea because the new system can double sales. The CSO fears internet attacks and suggests NOT moving forward. How should Arthur proceed?
A. Implement the website once certain there is no risk of attack.
B. Implement the website after the CMO collects research on securing websites.
C. Implement the website and secure it within acceptable risk levels.
D. Listen to the CSO and do not implement the website.
- NIST outlines the security controls that federal agencies must put in place in which Special Publication (SP)?
- Bud has just learned about hacking, knows a little about programming, and likes to bring misery to others. He decides to attempt hacking into his school website to change his grades. This puts him in which class of hackers?
A. Advanced persistent threat (APT)
B. Script kiddie
C. Ethical hacker
D. Internal threat
- When it comes to dual-use goods (items that can be used by the military and ordinary citizens), there are special requirements and agreements for import and export. One that seeks to limit military buildup that could threaten international security is called Conventional Arms and Dual-Use Goods and Technologies, or the:
A. Arms Agreement
B. Wassenaar Arrangement
C. Dual-Use Agreement
D. Import/Export Law
- Taylor just won her court case through the benefit of the doubt. Her case falls under which legal system?
- Gael and his team have developed the perfect advertising algorithm, so that when users search on his website, it leads them exactly to the information they need. What is his BEST approach to ensuring the secrecy of this algorithm?
A. Trade secret
- Su-wei uses the Linux operating system, and freely copies it and gives it to friends. She is allowed to do this because of which of the following licenses?
C. End-user license agreement (EULA)
- The area of United States (US) copyright law that makes it a crime to copy and distribute stolen software is called:
C. Privacy Act
D. Business Software Alliance (BSA)
- Fritz works with a document providing him step-by-step instructions. Which of the following is he working with?
- Naomi needs to calculate the TCO. Which of the following will she NOT use to complete the calculation?
A. Support costs
B. Cost to replace the unit
C. Cost of maintenance
D. Asset cost
- Viktor is conducting a risk assessment and needs to determine the percentage of risk his organization would suffer if an asset is compromised. Which of the following signifies this aspect of risk?
C. Exposure factor
- Ons, a security manager, is working with her team to develop and update policies for staff and vendors. Controls in this area are considered which of the following?
- Which of these is NOT true?
A. Procedures are the same as written directions.
B. Strategic documents would be considered policies.
C. Guidelines contain step-by-step instructions that must be followed.
D. Standards can define KPIs.
- Kei, a security manager, just completed a risk assessment with his team, and they determined that the new planned plant location was too dangerous, so they decided not to expand there. Which risk response did his team use?
- Molla, a project engineer, puts together a project, and she adds security according to which of the following life cycles?
A. Requirements, planning, design, test, develop, production, disposal
B. Planning, requirements, design, develop, test, production, disposal
C. Design, develop, requirements, planning, test, production, disposal
D. Planning, design, requirements, test, develop, production, disposal
- Wilfried is the security administrator of a store and is preparing for the PCI-DSS audit. Which is NOT one of the PCI-DSS requirements?
A. Configure switch settings
B. Maintain the firewall
C. Encrypt transmission of credit card transactions
D. Use antivirus software
- Vania, an administrative assistant, has discovered that her employer has been listening to her telephone conversations and reading her emails. She approaches her boss, who shows her that she signed the reasonable expectation of privacy (REP) agreement. Which step can Vania take next?
B. File a civil lawsuit.
C. Nothing—she waived her rights to phone privacy while at work.
D. Contact the police or federal authorities and open a criminal case.
- Grigor fears he will lose his job if his employer learns of his cancer diagnosis. He does not want which of the following to leak?
A. Health and Human Services (HHS)
B. Health Information Technology for Economic and Clinical Health Act (HITECH)
D. Personal health information (PHI)
- Martina seeks to press criminal charges against the CEO of RMS Foods Inc. because their employee stole her credit card. What happens next?
A. The government will press charges against the CEO.
B. Conflicts are managed under PCI-DSS agreements, not the government.
C. Conflicts are managed under ISO or NIST certification, not the government.
D. Conflicts are managed under GDPR laws, so there will only be fines.
- Boris is working to complete a design project. He decides to hire a contractor to help complete the project on time. Which type of risk response is he using?
- Petra uses her own secret formula to manufacture her synthetic gut tennis string. This formula is then stolen by the SGI Strings Company. Which law or agreement has been broken?
B. Trade secret
- As Bjorn leaves the office for the day, Steffi tells him she overheard men starting to break in earlier that evening to steal documents. The men are later caught, and Bjorn is brought onto the witness stand in court to state what he heard. This type of evidence is termed which of the following?
D. Best evidence
- Garbine performs inspections of whether security policies, procedures, standards, and guidelines are followed according to the organization's security objectives. What is her role for the firm?
B. Chief information security officer (CISO)
C. Information security manager (ISM)
D. Data owner
- Which is critical for proper incident response?
A. Evidence handling
B. Security information and event management (SIEM)
C. Intrusion detection system (IDS)
D. Incident response policy
- Novak is preparing a DR exercise and emails the emergency task lists to the DR teams for review. Which type of exercise is he running?
A. Full interruption test
B. Parallel test
C. Tabletop test
D. Checklist test
- Simona is a space fleet lieutenant putting together classifications for her computer system. Which of the following sensitivity systems will she follow?
A. Confidential, private, sensitive, public
B. Top-secret, secret, confidential, unclassified
C. Highly sensitive, sensitive, classified, unclassified
D. Top-secret, secret, classified, unclassified
- Andre has provided his phone number, email address, and home address to Pyramid Grocer so that they can deliver groceries to his home. He is considered to be which of the following?
A. Data owner
B. Data custodian
C. Data subject
D. Data auditor
- Venus needs an administrative control to enhance the confidentiality of data. Which should she choose?
A. DLP system
C. Security guards
- Juan plans to perform testing on his website and generate random input to see if it is vulnerable to which type of attack?
D. Input validation
- Victoria has worked in several departments of the company, including marketing, quality, and production. An audit found she still has privileges in all of her past departments even though she works in finance. This is called:
C. Privilege creep
D. Least privilege
- Stan wishes to set up secure authentication for his users. Which of the following is NOT BEST for authentication?
A. Retinal scan
C. Palm vein scan
- Billie needs to determine how much risk her organization can handle and still operate efficiently. She will first conduct a?
A. Risk assessment
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance
- Which of the following does NOT require an AUP?
- Stefanos has just signed an SLA with NUS Systems. Which of the following is NOT part of the agreement?
A. Financial credit for downtime
B. Alpha services
C. Covered service
D. Service-level objectives (SLOs)
- Madison received an email from Justine stating that $1,000 in funds had been transferred to her. Justine states she never sent the email. Which process would prove Justine sent the email?
- Security education should be required for whom in an organization?
A. Computer users
C. Senior executives
D. Security teams
- Lleyton is planning on hiring 50 new engineers. What should be his FIRST step when reviewing new candidates?
A. Make sure prospects pass lie-detector screening.
B. Conduct thorough background checks.
C. Follow the employment candidate-screening process.
D. Perform drug screenings.
- Non-compete agreements (NCAs) are generally unenforceable because:
A. NCAs are illegal.
B. Courts value a citizen's right to earn a reasonable income.
C. Competition is covered in the NDA.
D. NCAs are always enforceable.
- Ana, a systems engineer, caught Bud stealing corporate financial documents and informed her manager. Which department handles Bud's termination?
- Daniil has finished a successful career with DDA Motors. As part of the exit interview, he is required to return everything except for:
A. Last week's paycheck
B. Smart card
C. Corporate smartphone
- Which of the following does NOT represent an asset for an organization?
A. Sunk costs
- Which is BEST represented as the product of a threat and vulnerability?
- What is the biggest threat to any organization?
C. Clear text
D. Disgruntled employees
- Elina is interviewing risk consulting firms. What is the main item she should NOT look for in a qualified firm?
A. Can assist in defining the scope and purpose of risk assessments
B. Categorizes and prioritizes assets
C. Helps in defining acceptable levels of risk
D. Years of experience in bringing organizations' risk to zero
- What represents the product of the asset value (AV) and exposure factor (EF)?
A. Annual rate of occurrence (ARO)
B. Single loss expectancy (SLE)
D. Annual cost of a safeguard (ACS)
- An organization is initiating the qualitative risk analysis process. Which of the following is NOT part of the process?
A. Cost versus benefit analysis
B. Educated guesses
C. Opinions considered
D. Multiple experts
- The Risk Management Framework (RMF) is also known as which NIST SP?
- Feliciano has applied multiple risk mitigations to protect an asset. When should he stop?
A. When risk reaches an acceptable level
B. When the asset becomes unusable
C. After purchasing insurance for the asset
D. When the risk is reduced to zero
- According to the Cisco 2020 CISO Benchmark Report, cyber (security) fatigue is defined as virtually giving up on proactively defending against malicious actors. What is the number 1 source of cyber fatigue?
B. Phishing attacks
C. Shadow IT
D. Password management
- Sofia, a senior manager, needs to get a Linux update installed on her team's server. Central IT has not performed the update even after being asked three times. Sofia selects a team member to install it and work around the IT department. This is BEST referred to as:
B. Delegation of IT
C. Policy violation
D. Shadow IT
- Benoit, the company CISO, is researching high-security systems that authenticate everything attempting connections to the corporate network. Such an architecture is called:
A. Zed trust
B. No trust
C. Zero trust
D. Null trust
- The following type of security learning yields a credential such as a certificate or a degree:
D. Birds of a feather (BOAF) sessions
- For most organizations, which is the most important asset when a firm enters into BCP or DRP mode?
C. Server room
- Eugenie is the production manager at FAUX Widgets, and the lights went out for the entire building. Which action does she execute FIRST?
A. Contact the electric company.
B. Check the fuse box.
C. Follow the DRP plan.
D. Follow the BCP plan.
Answers with explanations
- Answer: C Dorian conducting nightly backups provides him availability in case his smartphone is lost or stolen. There is no mention of encryption or password protection, so confidentiality is not a possibility, and there is no discussion of hashing, so integrity is not a possibility. Finally, there is no mention of personal security to Dorian, so safety is not an option.
- Answer: D Aisha's primary concern per the (ISC)² Code of Ethics is the safety and welfare of society and the common good. The preamble finally states: strict adherence to this Code is a condition of certification. Since option D, humanity, includes all of the other options, answer D is correct.
- Answer: A PII refers to data that can be used to help identify an individual. A facial photo, MAC address, and IP address can be used to identify Ian, but not a password. Learn more here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.
Reference: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122, McCallister, Grance, Scarfone, Apr 2010.
- Answer: C Gwendolyn's job, in this case, is the data custodian because her role is to manage data for the data owners, which are her subscribers. Data subjects are the individuals referred to within the PII data. Data processors keep the PII content up to date.
- Answer: A Usain's next best step is to recover the credentials from the dark web. Most websites were not using HyperText Transfer Protocol Secure (HTTPS) during that period, so it is likely hackers stole PII from Verbal Co., which likely contains cleartext passwords. If this fails, he can try contacting technical support again. Most corporate policies require data over 3 to 7 years old to be destroyed, and even if the tapes are recovered, it is likely they contain no passwords. Technical support firms are required to follow policies of not providing credentials, and recovery resets will not work because he no longer has access to the email account.
- Answer: D Quinonez must report such incidents in writing. Although additional sponsors would boost the validity of the complaint, this is not required. Electronic submissions are not acceptable.
- Answer: C Installing firewalls is a sign of due care. Exercising due care, such as setting up rules to block traffic and tracking the number of false positives, is due diligence. Due process is fair treatment of citizens in the judicial system. The question does not imply that Elimu's firm is required to follow specific regulations.
- Answer: D Guidelines are non-mandatory, advisory recommendations. Policies are put together by management and are required to be followed across the organization. Procedures are detailed step-by-step instructions to achieve a given goal or mandate. Standards form metrics to help measure the success of procedures and policies.
- Answer: A Wade would use ITIL, which provides best practices for delivering IT services. COSO is an internal framework for risk assessments. The ISO 27001 specification provides the framework for ISM systems. COBIT defines a framework for IT management and governance.
- Answer: D Montrie is complying with her PCI-DSS contract to protect PII in credit cards. NIST provides a cybersecurity framework similar to ISO for ISM. ITIL provides best practices for delivering IT services. COSO is an internal framework for risk assessments.
- Answer: B A KPI is a metric that quantifies the current state of reaching a goal, generally in dollars, quality, efficiency, or satisfaction. A KGI is a metric that monitors the evolution of efforts and helps to plan the next course of action, usually shown as a percentage of the goal. KPIs look to the future to see if corrections need to be made, but KGIs look at the past to see if plans are working.
- Answer: B Phillip will use ISO 27002, which focuses on security controls being put in place. ISO 27001 focuses more on security policy. ISO 27003 provides suggestions and guidance on the proper implementation of controls, and ISO 27004 focuses on the validation of controls after implementation.
- Answer: A Since Nina is a forensic accountant, common accounting practices would have been validated, so this leaves collusion as the only possibility.
- Answer: C Nina's next best step is to implement job rotation, which best mitigates collusion. Job rotation is a type of countermeasure because it offsets the threat, but job rotation is more specific. Business continuity means being able to operate after a disaster, and DLP would be an issue if corporate plans or finances were being leaked to the public.
- Answer: A The TCO includes all costs for the entire life cycle of an asset. ROI is the value returned on an investment less the cost of the investment, divided by the cost of the investment. The RPO is the last point in time where data is in a usable format. The RTO is how long systems can be down without causing significant damage, such as the business having to shut down. Learn more here: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management/iii-risk-management/iiia-business-impact-analysis/iiia3-impact-of-disruption.aspx.
- Answer: C The prudent person principle is a standard of care that a reasonably prudent person would follow in certain situations. This principle, borrowed from the law and insurance industries, is also followed in cybersecurity if it is outside a NIST, PCI-DSS, Center for Internet Security (CIS), or another standard. Due care is the effort made to avoid harm to others, such as putting mitigating controls in place. Due diligence is the practice of due care—for example, making sure the mitigating controls work. Measuring negligence helps to determine if an organization acted prudently.
- Answer: A Scoop will use the CAC. This is the best authentication type to combine something-that-you-know authentication with. Since your password, mother's maiden name, and birthday are all something you know, these combined with a PIN would simply be single-factor authentication (SFA).
- Answer: D Randi must always follow the corporate policy. Getting customer feedback is good, and rewarding inside information can be beneficial, but following management policy is always the most important. Transferring Percy exposes the client to the threat of an immediate bad hire; for example, the new hire may get searched by the Federal Bureau of Investigation (FBI).
- Answer: B If Greg provides a written contract, Dito will have a signed document stating what was expected. If the opportunity fell through, Dito could ask for alternatives by enforcing the contract. An NDA states that Dito keeps corporate secrets private. An AUP states Dito will use the product in an acceptable manner. Intellectual property (IP) is works or inventions that have value to an organization.
- Answer: C Yaza needs to consider the GDPR because she wants to sell masks to EU clients, and in order to do that, she must abide by GDPR law. (A key tenet of GDPR is the data subject's right to be forgotten, which is not a part of most other privacy acts). The FTC focuses on US trade and consumer protections. HIPAA affects hospitals and other medical providers. SOX makes corporate fraud a criminal act.
- Answer: A Trevor would consider CSA STAR certification, which demonstrates the cloud service provider's (CSP's) adherence to privacy and security best practices and is the only option that is vendor-neutral. Azure certification is a Microsoft-only standard. AWS is an Amazon-only standard. RH cloud certification is a Red Hat-only standard.
- Answer: A PCI-DSS is a contractual standard between stores and credit card providers. Vendors agree to provide minimal security measures to protect customer PII. Results from poor audits risk the shop owner losing the ability to accept credit cards. Federal and legal standards may include fines and even prison time, but PCI-DSS is a contractual standard. PCI-DSS is not an industry standard, and there is no credit card license. Industry standards are non-contractual agreements—for example, automotive manufacturers deciding to put steering wheels on the right if selling to Japan.
- Answer: D Pat would use an SLA to monitor the effectiveness of the service provider. KRIs, KGIs, and KPIs are part of SLAs.
- Answer: B This is an excellent example of ransomware. Once Tara pays the attacker, there is a good chance she will have access to her data. Ransomware is a type of malware that asks for a ransom payment. This is a type of DoS attack, but DoS attacks are, in general, considered availability attacks over a network. MitM attacks in general are network attacks designed to sniff packets.
- Answer: B Karthik was attacked with a sextortion scam. Most of these are fake, and the victim should not send money. Ransomware is distinguished by locking the victim's data. Although this is unwanted email like spam, sextortion carries a monetary demand. Most social engineering attacks come with a degree of spoofing, where the sender pretends to be someone they are not.
- Answer: D Alexis' next best step would be to implement security hardening standards, which include disabling Telnet and FTP services, installing the latest security updates and patches, and removing default logins and passwords.
- Answer: A Of the four options, the only administrative option is having staff sign the NDA. Zosimo can further layer security with technical controls (for example, DLP and proxy servers) as well as physical controls (for example, security guards).
- Answer: C The key point to this question is the phrase "on a budget." Dummy cameras are deterrent-type controls that reduce the likelihood of an attack and are very inexpensive. RFID is a detective-type control that is not that expensive but requires a lot of labor expense to add the RFID tags to the books. Security cameras are detective and deterrent control types and are expensive to purchase, install, and monitor. Security guards are an expensive detective type of control as well.
- Answer: D Coop has some of the plain text that goes with the encrypted message, so this is a known plaintext attack.
- Answer: C Guard dogs are detective control types that recognize attacks and other negative activities. PPs, ToS, and signage are all directive control types.
- Answer: B Ysaline is performing risk transference since AXQO Corp will now manage the day-to-day IT functions. Risk mitigation is what happens if she continues to operate as is. Risk avoidance would not work for her because it would mean not having any IT equipment at all to manage. Risk acceptance is the amount of acceptable risk after mitigations are put in place.
- Answer: B AV = $2,000; EF = 50%
  SLE = AV * EF = $2,000 * 50% = $1,000
  ARO = 5
  ALE = SLE * ARO = $1,000 * 5 = $5,000
- Answer: A Quantitative risk analysis takes more time than qualitative risk analysis because participants need all of the data to proceed. This can be time-consuming. Qualitative risk analysis is much quicker because it relies on educated guesses. It is important that the people who understand the areas of risk to their departments are in the room. Likelihood and impact are used in risk analysis to prioritize asset protection.
- Answer: B Security directors advise on security matters, draft security policy, and contribute to the Configuration Management Board. Senior management includes positions such as CEO, CFO, CIO, and so on, and mandates policies, determines strategic goals, and determines which security frameworks to use. Security personnel follow the security processes of the organization. System administrators manage day-to-day IT operations, including helpdesks.
- Answer: D Bianca's next best step is to submit a DMCA takedown request to the DMCA designated agent of the hosting company, with a list of the copyrights and their location on the website. Legal action generally follows this step if the copyrighted material is not removed. Legal action is a much longer process, and it will take much longer to have her material removed. Free publicity and watermarking do not help her get her images removed.
- Answer: C A BEC contains characteristics of spear phishing, but the domain name is very similar, and the email appears to be from internal management. Finally, large sums of money are directed outside of the company. Sometimes, funds can be recovered by working with the federal police.
- Answer: A An EAC is when a hacker uses phishing, spear phishing, whaling, password attacks, malware, and so on to compromise a C-level executive's email account for the purpose of tricking targets to send funds.
- Answer: B Updates of firewalls, SpamAssassin, and proxies can help reduce the volume of attacks, but none of these systems is perfect. Continuous training programs via live training, videos, podcasts, and so on are the best way to safeguard the organization.
- Answer: A The RPO represents the acceptable amount of data loss in time—for example, snapshots might be taken every 15 minutes, so 15 minutes is the RPO. The RTO is the period to bring all systems back online after a disaster. WRT is the time needed to verify systems and data integrity. MTD is the maximum amount of downtime before going out of business and is generally the sum of WRT and RTO.
- Answer: D BIA includes prioritization of risks based on impact, likelihood, and exposure. Risk analysis can be qualitative or quantitative. BIA is part of BCP, which defines how to continue business operations after a disaster. DRP details how to recover business operations after a disaster. IRPs are executed when legal authorities must be involved—for example, when PII or financial records are stolen over the internet.
Reference: Contingency Planning Guide for Federal Information Systems, NIST Special Publication 800-34 Revision 1, Swanson et al., May 2010.
- Answer: C Dumpster diving, phishing, baiting, and piggybacking are all low-tech methods to engage the victim. MitM attacks use high-tech tools to intercept the victim's conversations. DoS is a network attack where data floods the device. Doxxing is searching for and publishing private information about individuals.
- Answer: B Mandatory vacations are designed to expose any fraud that might be occurring. If Coco is involved in fraud, she needs to be at work to be monitored for fraudulent activity. Healthy worker vacations are planned and expected. Phishing email issues are better resolved with training than with vacation. Staff need to be on-site for DR simulations so that they know their part in a disaster.
- Answer: C Risk is the product of vulnerability and a possible threat.
- Answer: D Cold sites are empty rooms designed for low-priority data that can take several weeks or months to recover. Warm sites have some computer equipment but no current backup tapes. Hot sites have recent backups for fast recovery within minutes to hours. Mirrored sites have the most current information in case of failure.
- Answer: A Although D might be true, the strategy is called DiD, or a layered approach.
- Answer: A Preventative functionality implements incident avoidance—for example, locks or mantraps. Detective functionality detects or alerts an incident—for example, motion detectors and job rotations. Deterrents diminish threats by reducing the confidence of the intruder—for example, fences and fake cameras. Recovery brings organizations back to normal operations.
- Answer: C The CSO is an advisor to the organization, seeking ways to implement operations and enable business functions within an acceptable risk level. Option A is wrong because there is no such thing as zero risk, and B is wrong because CMOs are not in charge of security.
- Answer: D SP 800-53 is the Security and Privacy Controls for Federal Information Systems and Organizations document. The document outlines various administrative, technical, and physical security controls to protect organizations.
- Answer: B Script kiddies are in general non-sophisticated and new to hacking. APTs generally work as a group, carefully study the target, and are patient enough to wait for the right time to exploit a vulnerability. Ethical hackers are generally paid to attack organizations to find vulnerabilities but do not harm. Bud could almost be an internal threat since he is a student at the school, but he does not work for the school.
- Answer: B The Wassenaar Arrangement applies export controls and rules for computers, electronics, encryption, and more.
- Answer: D Criminal law is invoked when a person violates governmental laws, whereas civil law depends on the preponderance of the evidence. Administrative law is handled internally within organizations, similarly to internal affairs for police. Contract law is handled between the parties of a working agreement and can be disputed in court or through a mediator.
- Answer: A Copyrights and software patents require the algorithm to be published, making it easy for a competitor to reverse-engineer. Trademarks are used to protect an organization's logo or brand.
- Answer: C Shareware, commercial, and academic licenses come with an EULA, which states how software can be used. Linux's EULA is a call to the GNU General Public License (GNU GPL), giving users the freedom to distribute software as long as they give credit to the authors.
- Answer: A The Digital Millennium Copyright Act helps to reduce software piracy by criminalizing the dissemination of stolen software. The EULA limits what users can do with software they purchase—for example, only allow 10 users. The BSA promotes the enforcement of software copyrights. The Privacy Act helps to protect user PII.
- Answer: B Fritz is working with procedures because they provide explicit directions on performing specific operations. Policies are documents with concepts developed by management and must be followed. Guidelines are strong recommendations from management but do not have to be followed. Standards are metrics and are meant for use as a type of scoring system.
- Answer: B Naomi will need support costs, maintenance costs, and asset costs to calculate the TCO, but not replacement costs.
- Answer: C Viktor needs the exposure factor, which defines the percentage of loss of an asset if a threat is realized. Safeguards add controls to mitigate risks, such as locks or firewalls. Vulnerabilities are weaknesses or flaws in a system, and risk is the probability of an attack or negative event.
- Answer: A Management controls develop policies. Logical and technical controls support technology such as firewalls, switches, and so on. Operational and physical controls support day-to-day activities such as security guards, grounds security, and so on.
- Answer: C Guidelines are informal recommendations that do not have to be followed. Policies are generated by management and are mandatory. Procedures are step-by-step instructions, and standards detail metrics that should be met.
- Answer: B Since Kei's team has decided not to locate their business in a dangerous area, they are avoiding the risk. Mitigation would be building the business and then adding 8-foot-tall barbed wire fences around the building. When they purchase insurance on the building, they will be transferring that risk to the insurance company. Any leftover risk, they will accept.
- Answer: B The security life cycle for products and software starts with idea planning, then putting together the requirements, designing an item based on the requirements, and then developing the item based on the design. Testing ensures that the item functions correctly. Now that the item has passed testing, it can be moved into production. Once the item reaches the end of life (EOL), it is disposed of securely.
- Answer: A PCI-DSS requires firewalls, encryption, antivirus software, physical restrictions, regular testing, and more to protect cardholder data.
- Answer: C The REP signed by employees waives their privacy rights at the organization. Employee monitoring has to be work-related—that is, only work-related conversations can be monitored, not personal conversations. Monitoring must also be consistent (all staff, not just Vania).
- Answer: D PHI is details about an individual's medical records. HIPAA makes healthcare providers use due care for patients' PHI. HITECH states that if healthcare providers properly protect PHI, they do not have to report breaches to HHS.
- Answer: B Credit card issues are managed under PCI-DSS merchant contract agreements. RMS Foods may launch an internal investigation to fire and file criminal charges against the staff that conducted the theft, but the CEO does not face criminal charges for such incidents. NIST, ISO, and GDPR do not direct credit card merchant agreements.
- Answer: A Boris is transferring the risk when asking for assistance from a contractor or other third party. The relationship with the contractor will be finalized with a working agreement. Risk acceptance is when Boris accepts the risk of the project not being completed on time. Risk division is not a proper risk response. Risk avoidance is if Boris decided not to continue with the project.
- Answer: B Trade-secret lawyers help their clients protect trade secrets with licensing agreements, NDAs, and NCAs. Unlike patents, copyrights, and trademarks, trade secrets are not registered with governments.
- Answer: C Since Bjorn heard evidence of the threat through a third party, this is considered hearsay and is normally inconclusive and inadmissible in court. The best evidence rule holds that an original document is the best evidence, not a copy, assuming the original is accessible.
- Answer: A Auditors make sure security policies are followed. Audit reports go to senior management. The CISO sets policy and assigns responsibilities. Managers generally design and implement policy. Data owners make certain security classification levels are properly set.
- Answer: D A SIEM system and an IDS can collect plenty of records regarding an incident, but these can be compromised. Evidence handling is also very important in the case of court prosecution or insurance investigations, but the policy is the most important because it explains how the teams should respond to an incident and which procedures should be followed.
- Answer: D With the checklist test, groups review checklists on their own and follow up with changes later. A tabletop test is a walkthrough where no live changes are made to any systems. A parallel test interrupts the DR environment, but primary systems remain untouched. A full interruption interrupts the primary site to test the backup site. A full interruption event can cause a real disaster event but is the most thorough test.
- Answer: B Since Simona is in the military, she will use top-secret, secret, confidential, and unclassified. Most corporate environments use confidential, private, sensitive, and public. Classified is generally considered any data that is not unclassified, including top-secret or secret.
- Answer: C In this case, Andre is the data subject, or who the data is about. A data owner is a party liable for the protection of the data—in this case, Pyramid Grocer. A data custodian is responsible for protecting the data—for example, Azure or Amazon Cloud. A data auditor verifies that security policies are being followed on any PII.
- Answer: D An NDA is the only administrative control listed here. Security guards and fencing help prevent data leaks but are physical controls. A DLP mitigates data leaks, but this is a technical control.
- Answer: A Fuzz-testing applications load tons of random input into fields—for example, the name, address, phone number, and so on. Input validation mitigates fuzz testing, throwing away invalid input. Malware is software installed on a system to harm functionality. DoS is an attack on the network or memory to make a system unusable.
- Answer: C Privilege creep occurs as individuals move from department to department and administrators neglect to remove their old privileges. Least privilege occurs when privileges are removed, leaving the user with the least privileges needed to do their job. Collusion is when two or more people work together and commit fraud against an organization, circumventing SoD.
- Answer: B Usernames are for identification purposes only, combined with a password for authentication. A retinal scanner, palm vein scanner, and a CAC are used for both identification and authentication.
- Answer: B Billie performs risk mitigation to take proper steps before negative events occur. A risk assessment identifies potential events and prioritization of assets. Risk acceptance is risk allowed after mitigations are in place. Risk avoidance is deciding not to take on an activity or purchase an asset.
- Answer: D An AUP states the practices users must agree to in order to access the organization's network or the internet. For best security, all users must accept the AUP.
- Answer: B Alpha and beta services are for testing new customer features that users might enjoy, but could go away if enough users don't like them. Financial credits, covered services, and SLOs are all part of SLAs.
- Answer: C Non-repudiation is a method whereby the sender of an email cannot dispute their authorship. Hashing and encryption are used as part of this process but alone are not non-repudiation. A fingerprint might help on a physical document, depending on the process.
- Answer: B Everyone within an organization needs security education. Threats such as malware come through computers, and anyone can leave a door open that allows an attacker to enter the building.
- Answer: C The employment candidate-screening process or policy includes conducting background checks, drug screenings, lie-detector screening, interviewing of neighbors, fingerprinting, and so on, depending on the job.
- Answer: B NCAs are legal agreements, but in most cases are unenforceable because workers need to earn an income on what they have been trained in.
- Answer: A HR understands the policies best for proper provisioning and deprovisioning of staff, and can handle it with the lowest risk of litigation. Other departments may be involved to provide data for the termination, but HR is in charge.
- Answer: A Since Daniil worked the last week, he does not have to return the paycheck. All of the other items are corporate-owned and must be returned.
- Answer: A Sunk costs are expenditures that cannot be recovered. An item the organization has purchased—for example, a computer—is an asset, but not an expense. Trademarks and other intellectual property are also assets, even though they are intangible. Staff are also assets.
- Answer: C Risk is the likelihood a threat will exploit a vulnerability and cause harm to some asset. Safeguards protect assets from threats. Exposure is the degree of asset loss endangerment due to threats. A breach occurs when security has been compromised.
- Answer: D The biggest threat to organizations is internal threats that develop from disgruntled employees. All of the others are threats and can cause a lot of damage and expensive recoveries, but because internal threats have white-box knowledge of the organization, they are the biggest threat.
- Answer: D Do not use firms that claim to bring risk to zero; the only firm with zero risk is one that does no business, as there is no such thing as zero risk. Risk assessment and analysis involve determining scope, categorizing assets, and bringing risks to acceptable levels.
- Answer: B The following values are used in quantitative risk analysis: SLE = AV * EF. The ARO is the frequency with which a risk occurs in a year. ALE = ARO * SLE.
- Answer: A Qualitative risk analysis depends less on hard calculations than quantitative risk analysis does, and more on rankings and judgment.
- Answer: C The NIST SP 800-37 provides guidance on using the RMF for federal systems. The steps include categorizing the asset, selecting controls, implementing controls, assessing controls, authorizing assets, and monitoring controls.
- Answer: A Once risk reaches an acceptable level, no other mitigations need to be applied.
- Answer: D According to Thycotic Engineering, the remembering and changing of passwords is the number 1 source of cyber fatigue. To ease this fatigue, implement 2FA, autofill, and simpler password rules. Learn more here: https://www.cisco.com/c/en/us/products/security/ciso-benchmark-report-2020.html.
- Answer: D Although all of the others are true, working around the central IT department is referred to as shadow IT.
- Answer: C A zero trust architecture (ZTA) trusts no one, verifying inside and outside traffic before connecting to the network or any of the systems.
- Answer: B Education leads to some type of degree, such as a bachelor's or master's. Training is target-focused on specific knowledge or a specific job. Awareness is a minimal understanding of security issues. BOAF sessions generally occur at conferences where people with similar backgrounds exchange knowledge and ideas.
- Answer: A The military is one exception where secret data could be more important than people. Others might argue the Star Trek defense, where the many (lives) outweigh the few.
- Answer: D A DRP is only executed if the BCP fails first. Checking the fuse box or contacting the electric company might be the first steps of the BCP, but always follow the plan first.