- Which one of the following risk assessment activities does not require advanced authorization from the target organization?
A. Penetration testing
C. Social engineering
D. Vulnerability scanning
- Ryan is developing a security awareness training program and would like to include information about the person employees should approach if they need to clarify who may access different types of information. What role in an organization has this responsibility?
A. Privileged user
B. System owner
C. Data owner
D. Executive user
- Which one of the following statements is not true about security awareness programs?
A. Some categories of employee do not require any security training.
B. System administrators should receive specialized technical training.
C. Awareness training should be customized to a user's role in the organization.
D. Training updates should occur when there are significant new threats.
- Belinda is negotiating with an internet service provider (ISP) regarding the terms of service they will provide to her organization. Belinda would like the agreement to spell out the specific requirements for the service and include financial penalties if the service does not meet those requirements. What tool would best meet Belinda's needs?
- Which one of the following statements about risk management is true?
A. Risk acceptance should only be done after careful analysis of other options.
B. Insurance policies are an example of risk avoidance.
C. Firewalls and intrusion prevention systems are examples of risk avoidance.
D. Risk avoidance is always preferable to risk acceptance.
- Sonia is concerned that users in her organization are connecting to corporate systems over insecure networks and begins a security awareness campaign designed to encourage them to use the VPN. What type of control has Sonia implemented?
- Greg believes that a recently departed employee is likely to sue the company for employment law violations because the employee threatened to do so during an exit interview. When should the company issue a legal hold to preserve evidence?
A. When the employee issues a formal notice of intent to sue
B. When a lawsuit is filed
C. When they receive a subpoena
Questions 8 through 11 refer to the following scenario:
Gary is conducting a business impact assessment for his organization. During this assessment, he identifies the risk of a power supply failure in a critical database server. He determines that the power supply is likely to fail once every three years and that it will take two days to obtain and install a replacement part.
After consulting with functional experts, Gary determines that the database server is crucial to business functions and would cause considerable disruption if it were down for more than a day. No new transactions would occur during a failure. In the event of a failure, clerks could retrieve the last four hours of transactions from an application log file and use those to recover lost data. Therefore, it would be acceptable to lose four hours of information prior to the failure.
- What is the MTTR in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the MTBF in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the RTO in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- What is the RPO in this scenario?
A. 4 hours
B. 1 day
C. 2 days
D. 3 years
- During an incident response effort, Tony discovers that many systems on his network have different times set on their internal clocks. He wants to avoid the hassle of recording time offsets during future investigations by synchronizing clocks. What protocol would meet this need?
- Andy is developing requirements for a disaster recovery site and needs to be able to recover operations as quickly as possible. Which one of the following recovery site options provides the quickest activation time?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
- Rhonda is preparing a role-based awareness training program and recently developed a module designed to raise awareness among users of wire transfer fraud schemes where the attacker poses as a business leader seeking to transfer money to a foreign account. Of the following audiences, which would be the most likely to need this training?
A. System administrator
B. Executive user
C. Accounts payable clerk
D. Sales director
- Tom is conducting an incident response effort and believes that a crime may have been committed against his organization involving the theft of intellectual property. Which one of the following statements best describes Tom's obligation based upon the information available at this point?
A. Tom must contact federal law enforcement.
B. Tom must contact local law enforcement.
C. Tom does not have a specific legal obligation to report the incident to anyone outside the organization.
D. Tom must notify customers of the breach.
- Scott's company is entering into a joint venture with another organization and he would like to create a document that spells out the relationship between the two firms. Scott would like the agreement to be enforceable in court. What type of document would be best suited for this task?
- When capturing a system image for forensic purposes, what tool should the analyst use to avoid unintentionally altering the original evidence?
A. Write blocker
B. Imaging software
C. Clean media
- Brenda is a security analyst and is reviewing the alerts that were generated by a content filtering system on her corporate network. She notices that one employee has accessed a large number of sports gambling websites. What action should Brenda take next?
A. Disable the employee's account pending an investigation.
B. Inform the employee that this activity is not acceptable.
C. Consult her manager.
D. Take no action, as this would be an invasion of the employee's privacy.
- Howard is conducting an asset valuation exercise as part of his organization's risk assessment process. He would like to ensure that the valuations included in insurance policies are sufficient to cover the restoration of operations after asset destruction. Which one of the following asset valuation techniques is most appropriate for Howard's use?
A. Replacement cost
B. Original purchase price
C. Depreciated value
D. Subject matter expert estimated value
- Jane is designing an inventory control system and wants to reduce the risk of employee theft. She designs the access controls so that a person who has the ability to order supplies from vendors does not also have the ability to log received shipments into the system. This attempts to prevent someone from ordering supplies, diverting them for their own use, and logging them into the inventory system as received. What principle is Jane most directly enforcing?
A. Least privilege
B. Two-person control
C. Job rotation
D. Separation of duties
- Jake is helping his organization move out of an office complex they are leaving and has a large quantity of sensitive paper records to dispose of. Which one of the following destruction methods would not be appropriate to sufficiently destroy the information?
- Consider the NIST incident response process shown here. Which step in the process is indicated by the question mark?
A. Post-incident activity
C. Containment, Eradication, and Recovery
D. Detection and Analysis
- Which one of the following data governance roles would normally be assigned to someone of the most senior rank in the organization?
A. Data custodian
B. Data steward
C. Data owner
D. Data user
- When labeling sensitive information using the US military classification scheme, which one of the following is the lowest level of classification?
C. Top Secret
D. Top Secret SCI
- Which one of the following categories of information is explicitly governed by HIPAA's security and privacy rules?
- Gordon is considering a variety of techniques to remove information stored on hard drives that are being discarded by his company and donated to a charity for reuse. Which one of the following techniques would not be an effective way to meet this goal?
- Which one of the following activities would not typically be a component of an employee onboarding process?
A. Deprovisioning accounts
B. Security training
C. Computer issuance
D. Credential generation
- Bill is concerned about his organization's practices regarding the timing of disposing records that are no longer necessary for business purposes. Which one of the following policies would be most relevant to this issue?
A. Data retention policy
B. Data encryption standards
C. Data access policy
D. Acceptable use policy
- Which one of the following elements would not be found at a warm disaster recovery site?
A. Computing hardware
B. Electrical infrastructure
C. Current data
- Who has the primary responsibility for ensuring that the security requirements for a system are designed in a manner that is consistent with the organization's security policy?
A. System owner
B. Business owner
C. System administrator
D. Data owner
- Kate is conducting an investigation of activity on her network. She is looking for an information source that might provide the identity of the systems that a user connected to and the times of those connections. Which one of the following data sources is LEAST likely to have this information?
A. Wireless access point logs
B. NetFlow logs
C. Firewall logs
D. Content filter logs
- Wanda is developing an incident response team for her organization. Which one of the following individuals would be the best person to have direct oversight of the team's activities?
- Don maintains a database of information about the spending habits of individual consumers. Which term would best describe this information?
- Vincent is tasked with establishing a disaster recovery site but is charged with providing bare-bones functionality at a minimal cost. Which option should he consider?
A. Hot site
B. Cold site
C. Warm site
D. Mobile site
- Tom is attempting to comply with a requirement of the Payment Card Industry Data Security Standard (PCI DSS) that requires that credit card information not be stored in a system. He is unable to remove the data due to a variety of technical issues and works with regulators to implement encryption as an interim measure while he is working to fully comply with the requirement. What term best describes this control?
A. Detective control
B. Corrective control
C. Preventive control
D. Compensating control
- Sandy is working with her leadership team on documenting the relationship between her firm and a new partner who will be co-marketing products. They would like to document the relationship between the firms but do so in a less formal way than a contract. Which tool would be the most appropriate for this task?
- Which one of the following disaster recovery exercise types will have the greatest impact on an organization's operations?
A. Parallel test
B. Full interruption test
C. Checklist review
D. Structured walkthrough
- Which one of the following statements is correct about evidence gathering and litigation holds?
A. Attorneys should review documents for privilege during the collection phase.
B. Most litigation holds never move forward to the production phase.
C. System administrators do not need to disable log file deletion during a litigation hold if the deletion process is part of a standard business practice.
D. Corporate attorneys bear primary responsibility for preserving evidence during a litigation hold.
- Harold is designing an access control system that will require the concurrence of two system administrators to gain emergency access to a root password. What security principle is he most directly enforcing?
A. Two-person control
B. Least privilege
C. Separation of duties
D. Security through obscurity
- Which one of the following data destruction techniques requires the use of chemicals?
- Thomas is considering using guard dogs to patrol the fenced perimeter of his organization's data processing facility. What category best describes this control?
- Which one of the following regulations contains specific provisions requiring that the organization maintain the availability of protected information to facilitate medical treatment?
B. PCI DSS
- Gavin is planning to upgrade the operating system on a production server and would like to obtain approval from the change advisory board. What type of document should he submit to obtain this approval?
- Ron has a hard disk that contains sensitive information. He tried connecting the drive to a computer but a component failure will not allow him to access the drive. Which one of the following destruction techniques would be the most effective?
- When choosing an appropriate off-site storage location for backup media, which one of the following factors is most important when choosing the distance between the storage location and the primary facility?
A. Facility usage fees
B. Nature of the risk
D. Transportation fees
- Consider the evidence log shown here. What is the primary purpose of this tool during a forensic investigation?
A. Ensure evidence is timely
B. Prevent the alteration of evidence
C. Document the chain of custody
D. Ensure evidence is relevant
- Matt is ranking systems in his organization in order of priority for disaster recovery. Which one of the following systems should have the highest impact rating?
A. Enterprise resource planning
B. Routing and switching
C. Fire suppression
D. Customer relationship management
- Which one of the following elements is least likely to be found in a security awareness training program that's been designed for end users?
A. Confidentiality requirements
B. Password management requirements
C. Social engineering education
D. Patching requirements
- What type of risk assessment focuses on evaluating the security controls put in place by vendors and contractors?
A. Penetration test
B. Quantitative assessment
C. Supply chain assessment
D. Qualitative assessment
- Randy is working within a virtualized server environment and would like to back up complete images of his virtual servers so that he can easily restore them in the event of failure. What type of backup is the most appropriate for his needs?
A. Full backup
B. Snapshot backup
C. Differential backup
D. Incremental backup
Questions 51-55 refer to the following scenario.
Tonya is performing a quantitative risk assessment for her organization's new data processing facility. Due to the proximity of this facility to the coast, she is concerned about the risk of flooding.
Tonya consults flood maps from the Federal Emergency Management Agency (FEMA) and determines that the facility lies within the 100-year flood plain. She also reviews a replacement cost estimate for the facility and determines that the cost to replace the facility would be $12 million. Tonya estimates that a typical flood would cause approximately $2 million in damage to the facility and that purchasing an insurance policy would incur a premium of $10,000 annually.
- What is the asset value (AV) in this scenario?
C. $2 million
D. $12 million
- What is the annualized rate of occurrence (ARO) in this scenario?
- What is the single loss expectancy in this scenario?
C. $2 million
D. $12 million
- What is the annualized loss expectancy in this scenario?
C. $2 million
D. $12 million
- Which one of the following statements best describes the risk situation Tonya is in?
A. Tonya should recommend that the business always purchases insurance for any risk with an ALE greater than 0.005.
B. The purchase of insurance in this scenario is not cost-effective from a purely financial viewpoint.
C. The purchase of insurance in this scenario makes good financial sense.
D. Tonya should recommend against the purchase of insurance because the SLE is less than the AV.
- Wayne was called to visit the workstation of a user who believes that an attacker is remotely controlling his computer. Which one of the following evidence-gathering techniques would best document what is appearing on the user's screen?
A. Witness interview
B. Operating system logs
C. Screen capture
- Gordon is considering the implementation of exit interviews for staff who voluntarily resign from his organization. Who would be best suited to perform this exit interview?
A. Immediate supervisor
B. Second-level supervisor
C. Human resources representative
- Where is the most appropriate place for an organization to keep track of risks across a wide variety of risk management disciplines?
A. Audit reports
B. Risk assessment reports
C. Incident tracking system
D. Risk register
- Which one of the following security policies is specifically designed to prevent the unintentional unauthorized observation of sensitive information?
A. Mandatory vacations
B. Separation of duties
C. Least privilege
D. Clean desk policy
- Renee is reviewing the diagram shown here for a critical web application that's used by her company. She is performing a SPOF analysis on this environment. In the context of this analysis, what should raise the most concern?
C. Web server
D. Database server
- When designing a security awareness program for employees, which one of the following groups would generally receive the most technical security training?
B. System administrators
C. Data owners
- Wendy is seeking to design a compensating control for a PCI DSS requirement that she cannot meet. Which one of the following statements is incorrect about compensating controls in this situation?
A. The compensating control must meet the intent of the original control.
B. The compensating control may be used to meet another PCI DSS requirement simultaneously.
C. The compensating control must be commensurate with the additional risk that's introduced by failing to meet the original requirement.
D. The compensating control must meet the rigor of the original control.
- Steven is conducting a forensic investigation and believes that a hard drive may contain critical evidence. Which one of the following statements correctly describes how Steven should analyze this evidence?
A. Steven should not attempt to make a forensic image because it may tamper with the evidence.
B. Steven should make a forensic image of the drive, lock away the image, and conduct analysis on the original.
C. Steven should make a forensic image of the drive, lock away the original, and conduct analysis on the image.
D. Steven should create two forensic images, one for storage and one for analysis, and return the original drive to the user immediately.
- Which one of the following is the best example of a technical security control?
A. Firewall rules
B. Employee credit checks
C. Asset inventory
D. Fire detection system
- Which one of the following activities is the best example of a corrective security control?
A. Vulnerability remediation
B. Perimeter protection
C. Background checks
D. Intrusion prevention system
- What is the primary risk associated with using motion detectors to automatically unlock a data center door when a person is attempting to exit?
A. An employee may exit the facility with unauthorized materials.
B. An intruder may attempt to trigger the motion detector from the outside to gain entry.
C. The motion detector may not work during a power failure.
D. The motion detector may not sense some employees based upon their physical characteristics.
- Which one of the following techniques for destroying physical records is considered the least secure?
C. Straight-cut shredding
D. Cross-cut shredding
- Gwen is reviewing her organization's security policies and would like to update them to restrict the web browsing of employees. Specifically, she would like to prohibit the use of pornographic websites. Where would be the most common place to detail this type of restriction?
D. This type of policy is an invasion of privacy and should not be implemented.
- Evan is conducting a business impact analysis for an industrial products manufacturer. Which one of the following business functions would likely be ranked highest on a list of mission critical functions?
A. IPS systems
B. Billing systems
C. ICS systems
D. HVAC systems
- Patty is the information security officer for a bank. She is concerned about the possibility that a bank teller might be colluding with a customer to commit fraud and using his position to cover up that fraud by updating records each day to shuffle around funds. Which one of the following controls would be the most likely to uncover this type of malfeasance?
A. Intrusion detection
B. Clean desk policy
C. Multifactor authentication
D. Mandatory vacations
Questions 71-74 refer to the following scenario.
Brian is the risk manager for a firm that is considering locating personnel in a country where there is a high risk of kidnapping. He is considering a variety of controls designed to manage this risk.
- Brian is considering using armed bodyguards to protect his organization's employees. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- Brian is also consulting with senior managers to determine whether the business value of this effort justifies the risk. If the value is not sufficient, he is planning to propose not sending employees on this trip. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- After consulting with business leaders, Brian learns that the risk is justified and that the organization will send the employees. He considers purchasing an insurance policy to cover ransoms and other related costs. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- In the end, Brian determines that insurance policies and armed guards are not cost-effective, and the employees leave for the target country without those controls in place. What type of risk management strategy is this?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation
- Which one of the following disaster recovery test types has the least impact on business operations?
A. Full interruption test
B. Structured walk-through
C. Parallel test
D. Checklist review
- Which one of the following is the biggest disadvantage of relying on witness interviews during a forensic investigation?
A. Witness testimony is not admissible in civil court.
B. Witnesses usually want to deceive the interviewer.
C. Witness interviews are costly.
D. Witnesses have unreliable memories.
- Bob is performing regular backups of a system and is asked by his boss to create an emergency backup. Which one of the following backup types will consume the most disk space?
A. Full backup
B. Differential backup
C. Incremental backup
D. Transaction log backup
- Helen is examining the contract for a new SaaS provider and is scrutinizing a clause about data sovereignty. What is her primary concern?
A. Vendor viability
C. Fault tolerance
D. Retaining ownership of data
- Dylan is designing a social media security policy for his organization. Which one of the following elements would not be appropriate to include in that policy?
A. Complete ban on use of social media by employees
B. Prohibition of users identifying themselves as an employee of the company on social media
C. Approval requirements for posts from corporate accounts
D. Restrictions on accessing personal social media accounts
- Vivian's organization is about to begin a period of hiring. They will be bringing in a large number of new employees who will handle sensitive financial information. Which one of the following controls may be used as a pre-employment screening technique to reduce the risk of future fraud?
A. Separation of duties
B. Time-of-day restrictions
C. Privileged user monitoring
D. Background checks
- Hayley's team is analyzing the results of a qualitative risk assessment. The assessment uses the reporting structure shown here. Which quadrant should Hayley's team look to first when prioritizing remediation initiatives?
A. Quadrant I
B. Quadrant II
C. Quadrant III
D. Quadrant IV
Questions 82-84 refer to the following scenario.
John's organization performs full backups at midnight on the first day of every month and incremental backups every night at midnight (other than the first night of the month). The organization also performs differential backups every two hours, beginning at 2 A.M. and ending at 10 P.M. each day.
John is working to restore a system that failed at 9:30 A.M. on Wednesday, November 14th.
- How many different backups must John apply to restore the system to the most current possible status?
- How long is the time period where data may have been permanently lost?
A. 30 minutes
B. 90 minutes
C. 2 hours
D. 9.5 hours
- If the system failure occurred at 12:30 A.M. instead of 9:30 A.M., how many backups would John have needed to restore?
- Which one of the following sources of evidence contains the least volatile information?
A. Archival media
B. Memory contents
C. Files stored on disk
D. ARP tables
- Brianna recently accepted a position at a US financial institution that handles checking the account records of US consumers. Which one of the following laws regulates this type of information?
B. PCI DSS
- Frank is collecting digital evidence and would like to use a technical control that would allow him to conclusively demonstrate that the evidence he later presents in court is identical to the evidence he collected. Which one of the following controls would best meet this requirement?
A. Digital certificates
C. Write blocking
D. Evidence logs
- Barry recently accepted a new position with a marketing agency that collects data from residents of the European Union. Which data processing law most directly applies to this situation?
B. PCI DSS
- Nolan's business maintains trade secret information about their manufacturing process. Which one of the following categories would best describe this information?
- Yvonne is the business continuity analyst for a web hosting company. She is conducting an analysis to identify and prioritize mission-critical systems. Which one of the following systems should be highest on her list?
A. A web server supporting the company's own site
B. Billing system
C. A web server supporting a single client
- Carla is concerned about the exfiltration of sensitive information from her corporate network by employees. Which one of the following controls would be least effective at meeting this requirement?
A. Encrypting data in transit
B. Blocking the use of personal email accounts
C. Implementing data loss prevention systems
D. Building least-privilege access controls
- As part of a business partnership, Norm is working with his counterparts at another firm to interconnect the two networks. He would like to document the security requirements for that interconnection. What tool would best meet Norm's needs?
- Donna was recently approached by the manager of a former employee who was seeking access to that employee's email account. She believes there is a valid business need for the access but is unsure how to obtain approval. What type of control would assist Donna and others in her organization in making these decisions?
A. Service level agreement
B. Data handling guidelines
C. Data classification policy
D. Standard operating procedure
- Roger is wrapping up an incident response effort. The business is now functioning normally again and affected systems and data have been restored. What activity should come next in the process?
D. Lessons learned
- Which one of the following actions would not normally occur during the recovery phase of an incident response effort?
A. Remediate vulnerabilities
B. Restore from backups
C. Shutting down systems
D. Modify firewall rules
- Under the Sarbanes-Oxley Act, which one of the following corporate officers bears personal liability for the accuracy of the content of the firm's annual report?
- When designing a continuity of operations plan, which one of the following would be best described as an alternate business practice?
A. Filing an after action report
B. Moving data processing to a failover site
C. Moving data processing to a mobile recovery facility
D. Using paper-based forms while systems are down
- Which one of the following backup types typically takes the shortest amount of time to perform when done several times per day?
A. Complete backup
B. Full backup
C. Incremental backup
D. Differential backup
- Under GDPR, which individual bears responsibility for ensuring that the company understands its privacy responsibilities and serves as the primary liaison to the supervising authority?
A. Data protection officer
B. Chief executive officer
C. Chief information officer
D. Chief information security officer
- When providing security awareness training to privileged users, what threat should be emphasized that is a more likely risk with these employees than standard users?
A. Water cooler attack
B. Spear phishing attack
C. Brute force attack
D. Man-in-the-middle attack
- Darren is an intrusion analyst and feels overwhelmed by the amount of information presented to him by various tools. He would like to find a solution that can correlate information from various other sources. Which one of the following tools would best meet his needs?
- After an incident responder identifies that a security incident is in progress, what is the next step in the incident response process?
- B. Any active testing that's done against an organization should only be conducted with advance approval. This includes penetration testing, vulnerability scanning, and social engineering. Open source intelligence involves consulting publicly available information sources and is passive in nature. It does not require any prior approval.
- C. The responsibility for determining appropriate access to information belongs to the data owner. This data owner may, by the nature of their job, fit into other categories, such as system owner, privileged user, or executive user, but it is the person's assignment to the data owner role that gives them this authority and responsibility.
- A. Continuing education is an important component of security awareness training. All users should receive some level of awareness training on a recurring basis, but users with privileged access, such as system administrators, should receive more frequent training. This training should be based on a user's role, and technical users should receive more technical training. Training should be conducted periodically and should be updated whenever there is a significant change in the security landscape.
- A. A service-level agreement (SLA) spells out the requirements for a service provider who will be offering services to a customer and frequently includes penalties for the vendor failing to meet the SLA requirements. It is the most appropriate tool for this task. An interconnection security agreement (ISA) spells out the security requirements for interconnecting the networks of two organizations. A business partnership agreement (BPA) spells out the relationship between two organizations that are entering into a joint venture or other partnership. A memorandum of understanding (MOU) is a document that spells out an agreement between two organizations but is typically informal and less enforceable than other agreement types. It might be possible to use an MOU in this case, but it is not the best tool for the job because it is less enforceable than a BPA.
- A. Risk acceptance should always be done in an educated manner after the organization excludes other options. It may or may not be preferable to risk avoidance, depending on the specific circumstances. Insurance policies are an example of risk transference, not risk avoidance. Firewalls and intrusion prevention systems are examples of risk mitigation, not risk avoidance.
- B. Security awareness training is an example of an administrative security control. The subject of the training is the use of the VPN, which is a technical control, but the training itself is administrative in nature.
- D. An organization is required to issue a legal hold as soon as they have reason to believe that they may have evidence that will be used in a legal proceeding.
- C. The mean time to repair (MTTR) is the amount of time that it will typically take to restore service after a failure. In this case, the MTTR is 2 days: the amount of time to obtain and install a replacement part.
- D. The mean time between failures (MTBF) is the amount of time that typically passes between failure events. In this scenario, Gary has determined that events typically occur once every three years.
- B. From his conversations with business leaders, Gary determined that the business can tolerate an outage of one day, making this the recovery time objective (RTO).
- A. From his conversations with business leaders, Gary determined that the business can tolerate the loss of four hours' data, making this the recovery point objective (RPO).
- A. The Network Time Protocol (NTP) is used to synchronize system clocks. Transport Layer Security (TLS) is used to encrypt network communications. The Simple Mail Transfer Protocol (SMTP) is used to exchange email messages. The Border Gateway Protocol (BGP) is used to coordinate network routing.
- C. Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware – and possibly software – to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
- C. While it may be reasonable for anyone in the company to have basic awareness of these attacks, the user role that's most in need of this training is the accounts payable clerk. This is the individual who is in a position to actually initiate wire transfers and, therefore, must be aware that these transfers are a common target of fraudsters.
- C. Based upon the information presented in this scenario, Tom is under no obligation to report the incident to anyone outside of his organization. There is no indication that any of the stolen information involved personal data that would trigger a breach notification law. Tom is also not obligated to report the potential crime and should consult legal counsel on the best course of action.
- B. A business partnership agreement (BPA) spells out the relationship between two organizations that are entering into a joint venture or other partnership. It is the most appropriate tool for this task. A service-level agreement (SLA) spells out the requirements for a service provider who will be offering services to a customer and frequently includes penalties for the vendor failing to meet the SLA requirements. An interconnection security agreement (ISA) spells out the security requirements for interconnecting the networks of two organizations. A memorandum of understanding (MOU) is a document that spells out an agreement between two organizations but is typically informal and less enforceable than other agreement types. It might be possible to use an MOU in this case, but it is not the best tool for the job because it is less enforceable than a BPA.
- A. An analyst capturing a forensic image should use all of the tools listed here. However, the write blocker is the only tool specifically designed to preserve the original evidence by preventing the system creating the image from accidentally altering the original drive.
- C. Brenda has detected a potential violation of the organization's acceptable use policy, so she should take action. The employee has no expectation of privacy on a corporate network, so there are no issues with doing so. However, Brenda should not unilaterally take action to disable a user's account or confront the user directly. She should consult with her manager and determine the appropriate next steps.
- A. Replacement cost is the most reliable valuation technique to use when an organization is primarily concerned with replacing assets after a disaster. This ensures that the insurance payout is sufficient to cover the costs of replacing the asset. The replacement cost may be higher or lower than the original purchase price.
- D. This is a clear example of separation of duties: preventing a single employee from having the ability to place orders and receive inventory. Two-person control would require the concurrence of two employees to perform a single task, while this scenario is requiring two employees to each perform two different tasks. There is no discussion of changing job assignments in the scenario, so job rotation is not at play. It is possible to describe this as an implementation of least privilege, but separation of duties is the more directly applicable security principle. Remember, the exam may include many questions that ask you to choose the BEST answer. It's important to read all of the answer options and recognize that more than one may be partially correct.
- A. Burning, shredding, and pulping are all acceptable ways to destroy paper records. Degaussing is a magnetic destruction technique that is only appropriate for digital records.
- D. The first phase in the NIST incident response process is preparation, which is followed by the detection and analysis phase. The final phases are containment, eradication, and recovery and post-incident activity.
- C. The data owner is a very senior position that's assigned to someone who bears overall responsibility for the quality and security of a category of information. The data owner often oversees data stewards, custodians, and users in the performance of their duties.
- A. The lowest level of classified information in the US military system is Confidential. Information may also be marked as Unclassified or For Official Use Only, but these are not levels of classified information.
- D. The Health Insurance Portability and Accountability Act (HIPAA) contains security and privacy provisions covering protected health information (PHI). It does not apply to more general personally identifiable information (PII) or payment card information (PCI). PDI is not a common category of information.
- C. Purging/wiping uses overwriting to remove data from a disk and is an acceptable technique to use. Encryption renders data inaccessible and is acceptable, provided that strong encryption is used. Degaussing can destroy data on the drive but it also will likely destroy the drive, preventing reuse by the charity.
- A. During an employee onboarding process, the organization typically conducts a number of startup activities for the new employee. These commonly include issuing a computer, generating account credentials, and conducting initial security training. Deprovisioning is the removal of user access and accounts and occurs during the offboarding process.
- A. Data retention policies govern the maintenance and disposal of records and normally reference retention schedules that specify the minimum and maximum retention periods for different categories of information.
- C. Cold sites have only a basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware – and possibly software – to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
- A. The system owner is responsible for ensuring that a system's security requirements are aligned with the organization's security policy. The system administrator may be responsible for implementing these requirements, but does not set or align the requirements. The data owner may share some responsibility with the system owner but does not have primary responsibility. The business owner does not normally create system security requirements.
- A. Wireless access points are generally not configured to log network traffic. They typically record only diagnostic information. The other data sources are far more likely to contain network traffic records.
- C. The incident response team should be overseen by an executive with authority and responsibility for cybersecurity activities. Of the choices presented, the Chief Information Security Officer (CISO) is the individual who most directly meets these requirements.
- B. This type of information certainly fits into the category of personally identifiable information (PII). There is no indication that the records contain health information, so they would not qualify as protected health information (PHI). There is also no indication that the records contain credit card information, so they would not constitute payment card information (PCI). PDI is not a common category of information.
- B. Cold sites have only basic infrastructure available and require the longest period of time to activate operations. They are also the cheapest option. Warm sites add hardware – and possibly software – to the mix but do not have a current copy of the data running. They require hours to activate. Hot sites are up and running at all times and can assume operations at a moment's notice. They are the most expensive option. Mobile sites are transportable on trailers and are a good choice for a last-minute recovery plan.
- D. The best way to describe this situation is as a compensating control. Tom cannot meet the original requirement and implemented an additional control to help mitigate the risk. This is the definition of a compensating control.
- C. A memorandum of understanding (MOU) is a document that spells out an agreement between two organizations but is typically informal and less enforceable than other agreement types. It seems to be the most appropriate option for Sandy. An interconnection security agreement (ISA) spells out the security requirements for interconnecting the networks of two organizations. It is not an appropriate tool for this task. A service-level agreement (SLA) spells out the requirements for a service provider who will be offering services to a customer and frequently includes penalties for the vendor failing to meet the SLA requirements. There is no vendor/client relationship here, so an SLA would not be the appropriate tool. A business partnership agreement (BPA) spells out the relationship between two organizations that are entering into a joint venture or other partnership, but it is a more formal contract, so it would not meet Sandy's requirements.
- B. The full interruption test has the potential to disrupt all of the business activities of an organization by moving processing to the alternate facility. A parallel test also activates the alternate facility but does not switch over operations to that facility. A structured walkthrough gathers everyone together to discuss an exercise in a tabletop format. A checklist review is the least disruptive test because people simply review their disaster recovery checklists in their own time.
- B. Litigation holds occur quite often, but very few of them actually move to the production phase. Attorneys should review documents for privilege prior to production, but it would be unnecessarily costly and time-consuming to do this during the collection phase. System administrators must disable the automatic deletion of logs or other materials subject to a litigation hold. It is the responsibility of all employees, not just attorneys, to preserve evidence when a litigation hold is in place.
- A. Systems that require two individuals to concur before performing a single action follow the principle of two-person control. There is no indication in the question that the control also enforces separation of duties or least privilege. There is also no indication that the mechanism relies upon the dangerous practice of security through obscurity.
- B. Pulping reduces paper to a slurry of fibers and requires the use of chemicals and water. Degaussing and wiping are digital destruction techniques and require no chemicals. Pulverizing reduces an object to dust and does not require the use of chemicals.
- B. Guard dogs may be described as either a deterrent or preventive control, depending on the context. They do serve in a preventive role because they have the ability to corner a potential intruder. However, this is not their primary role. Their main function is to serve as a deterrent to intrusion attempts through their menacing appearance. When taking the exam, remember that you may face questions like this, asking you to choose the BEST answer from among several correct possibilities.
- C. The Health Insurance Portability and Accountability Act (HIPAA) governs health information and includes specific provisions requiring that organizations preserve the availability of that data. PCI DSS governs credit card information, while GLBA covers financial records. GDPR is a European privacy regulation that is most concerned with the confidentiality and integrity of information and does not contain specific provisions about the availability of health records for medical treatment.
- C. A request for change (RFC) is the standard document that's used to document the need for a change, the test plan, implementation plan, and rollback procedure. The change advisory board will review the RFC and either approve or reject the proposed change.
- C. Degaussing uses strong magnetic fields to destroy data on a device and will work even if the drive is not functioning properly. Purging or wiping will not work if the drive is not accessible. Pulping is effective only on paper records.
- B. All of these factors are important when performing off-site storage facility location selection. However, the primary consideration should be the nature of the risk. The off-site facility must be located far away enough from the primary facility that it would not be impacted by the same disaster.
- C. While all of these goals are important for those handling forensic evidence, the primary purpose of an evidence log is to document the chain of custody from the time of collection to the time of use.
- C. Life safety systems should always have a higher impact rating than other systems. Therefore, Matt should prioritize the fire suppression system over other restoration efforts.
- D. Security awareness training should be customized for an individual's role in the organization. An end user would be responsible for protecting the confidentiality of information, managing his or her own password, and staying vigilant for social engineering attempts. Therefore, all three of these topics should be included in security awareness training for end users. An end user would not normally be responsible for applying security patches, so this topic is not necessary in training that's focused on the end user role.
- C. Supply chain assessments specifically focus on the security controls put in place by vendors and other suppliers. Penetration tests, quantitative assessments, and qualitative assessments may indeed look at supplier controls, but they are not necessarily the focus of the assessment.
- B. A snapshot backup is a specialized type of backup that takes a complete image of the system, rather than just storing files from the filesystem. This approach is commonly used in virtualized environments because the virtualization platform can launch a new system directly from that image.
- D. The asset value (AV) is the full value of the facility. In this scenario, Tonya determined that the facility value is $12 million using the replacement cost method.
- A. The annualized rate of occurrence is the number of events expected in a given year. The facility lies within the 100-year flood plain, meaning that risk managers should expect a flood once every 100 years. This is equivalent to a 0.01 annual risk of flood.
- C. The single loss expectancy (SLE) is the amount of damage, in dollars, that the organization should expect as the result of a single incident. From this scenario, we know that a single flood would cause approximately $2 million in damage.
- A. The annualized loss expectancy is the amount of damage expected to occur in any given year. It is computed by multiplying the single loss expectancy by the annualized rate of occurrence (ALE = SLE × ARO). In this scenario, this is an ALE of $2 million × 0.01, or $20,000.
- C. The purchase of an insurance policy is never purely a financial decision, but in this case, it does make good financial sense because the annualized loss expectancy ($20,000) exceeds the policy premium cost ($10,000). Tonya should not use the ALE or SLE alone to make this decision and must do so in the context of the control costs and other business factors.
- C. Screen capture technology allows the analyst to capture what is appearing on a user's screen directly and is a good source of evidence. Operating system logs may provide information about the activity but they will not directly document what the user saw. Witness interviews may be useful, but the user's memory is not as reliable as a screen capture. It is unlikely that a CCTV camera would be positioned in such a manner as to capture the activity on a user's screen.
- B. Exit interviews should be conducted by someone who is in a position to collect and use information about the employee's experience to positively influence the organization. This rules out a co-worker. They should also be conducted by someone who is independent of the situation, ruling out the employee's immediate supervisor, who may be part of the reason for the departure. HR is a viable option, but they do not have direct knowledge of the employee's work duties and may not capture all of the insight that's provided during an exit interview. The best choice would be the employee's second-level supervisor, who is in a direct position to implement changes, but is separated from the management of the employee by a level of supervision. HR may sit in on the interview if they wish to ensure objectivity.
- D. The best place to track the status of all risks facing an organization is in a formal risk register. The other documents listed here may include information about risks but good practice suggests extracting that information from these sources and placing it in a risk register.
- D. Clean desk policies require that employees clean off their desktops when leaving the immediate vicinity and secure all papers and other materials. The purpose of this policy is to prevent anyone walking by from observing sensitive information. Separation of duties and least privilege practices also protect against unauthorized access to information, but they generally protect against intentional unauthorized access.
- B. In a single point of failure (SPOF) analysis, technologists should review an infrastructure by looking for components where a single failure could cause service disruption. In this case, the web and database servers are redundant, but the firewall is not. Therefore, the firewall should be the greatest concern. Users would not be included in a SPOF analysis.
- B. All employees should receive security awareness training that is tailored to their role in the organization. System administrators are the most technical employees mentioned here, so they should receive the most technical training.
- B. PCI DSS requires that compensating controls must be above and beyond the other PCI DSS requirements. Organizations may not use controls that are required by another section of PCI DSS to compensate controls for a different requirement that they cannot meet. Controls must be commensurate with the new risk that's introduced and must meet the intent and rigor of the original requirement.
- C. In order to ensure preservation of evidence, Steven should make a forensic image of the original drive and lock the original away for safekeeping. He should then perform his analysis on the image. If the end user needs the drive back immediately, Steven should provide the user with another drive made from the image and should retain the original drive as evidence.
- A. The installation and operation of a firewall is an example of a technical security control: the use of technology to meet security objectives. Credit checks for prospective employees and conducting an asset inventory are examples of administrative controls. Fire detection systems are an example of a physical security control.
- A. Vulnerability remediation is an example of a corrective control because it takes actions to fix – or correct – security issues. Perimeter protection, background checks, and intrusion prevention systems (IPS) are all examples of preventive controls.
- B. The primary risk associated with automated exit motion detectors is that an intruder outside the facility may be able to gain access by triggering the motion detector. For example, if it is possible to slide a piece of paper under the door, it may be possible to forcefully push the paper through so it flies up in the air and triggers the detector.
- C. Straight-cut shredding produces long strips of paper that may be reassembled and, therefore, is not considered a secure document destruction technique. Cross-cut shredding, pulping, and incineration are all considered secure.
- A. Gwen should place this restriction in her organization's acceptable use policy (AUP). It would not be appropriate to place usage restrictions in a non-disclosure agreement (NDA) or a bring your own device (BYOD) policy. Employers are well within their rights to impose usage limits on their own networks. Employees do not have an expectation of privacy on a corporate network so there are no privacy issues with such a restriction.
- C. The purpose of a manufacturer is to produce products. An industrial control system (ICS) is directly tied to this mission and would most likely be ranked highest on a list of mission critical functions. Billing is an important activity, but could be delayed due to having lower priority if a manufacturing line is idled. Heating, ventilation, and air conditioning (HVAC) and intrusion prevention systems (IPS) are important functions, but do not impact the mission as directly as an ICS.
- D. The best way to uncover this type of fraud is through a mandatory vacation policy. If the teller is forced to take a vacation of a week or more each year, it would be difficult to continue to perpetrate the fraud during that time, increasing the likelihood that it would come to light. An intrusion detection system may uncover this type of fraud but it is generally more tuned to identifying anomalous network traffic than anomalous transactions. Multifactor authentication requirements and clean desk policies would not be effective against this risk.
- D. Risk mitigation strategies seek to reduce the likelihood or impact of a risk. In this case, armed guards reduce the likelihood of a successful kidnapping and are, therefore, an example of risk mitigation.
- B. Risk avoidance seeks to change business practices to eliminate a risk. By not sending employees to the affected country, Brian avoids the risk of a kidnapping there.
- C. Purchasing insurance moves the financial risk from Brian's organization to an insurance company and is, therefore, an example of risk transference.
- A. Risk acceptance is a deliberate decision to incur risk after considering the costs and benefits of other risk management strategies. That is what occurred in this case.
- D. The full interruption test has the potential to disrupt all of the business activities of an organization by moving processing to the alternate facility. A parallel test also activates the alternate facility but does not switch over operations to that facility. A structured walkthrough gathers everyone together to discuss an exercise in a tabletop format. A checklist review is the least disruptive test because people simply review their disaster recovery checklists in their own time.
- D. Generally speaking, witnesses are not trying to deceive the interviewer unless they are accused of wrongdoing. Generally, they want to assist, but suffer from unreliable memories. Interviews are generally not expensive to conduct and are definitely admissible in court.
- A. Full backups always include all the data that's stored on the backed up media and, therefore, are always at least as large as any other backup type. This system is being regularly backed up, so other backup types will be smaller than a full backup.
- D. While Helen is right to be concerned about all of these issues while examining a vendor contract, her primary concern here is data sovereignty. This means that she wishes to ensure that her company retains ownership of data that is stored in the vendor's systems and has the ability to retrieve that data when necessary.
- A. Employers are able to place a variety of restrictions on social media use by employees. It is entirely appropriate to restrict use during work hours, or prevent employees from mentioning an affiliation with the company on their personal accounts. It is also appropriate to require approval for posts from corporate accounts. Employers generally may not, however, completely block employees from using personal social media accounts in their own time.
- D. All of the techniques described here may be used to reduce the likelihood of fraud. However, background checks are the only control listed that is a pre-employment technique. The remainder of the controls are used to limit risk with current employees, rather than prospective employees.
- A. Hayley's team should first look for high impact, low-cost remediation efforts. These are found in Quadrant I in the diagram.
- D. John must first restore the full backup from November 1st and then apply the incremental backups from each of the 13 days up until the morning of November 14th. Then, he must apply the differential backup from 8 A.M. This is a total of 15 backups that he must restore.
- B. The most recent backup occurred at 8 A.M. There is no way for John to recover any information that was created or modified between 8:00 and the failure time at 9:30, which is an interval of 90 minutes.
- D. The only difference in this scenario is that there are no differential backups to apply. Therefore, John only needs to restore the full backup and the 13 incremental backups.
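The restore sequence and data-loss window from the three backup scenarios above, as an added example that is not part of the book's answer explanations. The schedule (a full backup on November 1, nightly incrementals on the following 13 days, an optional differential at 8 A.M. on November 14, failure at 9:30) is constructed, and the code follows these explanations' definition of a differential backup as everything changed since the last full or incremental backup.

```python
"""Restore-chain planner for the backup scenario above (added example, not from the book).

Assumptions (labelled): backups are modelled as (timestamp, kind) records, and a
differential backup contains every file changed since the most recent full OR
incremental backup, which is the definition the explanations above use. Under that
definition the restore order is: latest full, every incremental after it in time
order, then the latest differential taken after the last of those.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups: List[Backup], failure_at: datetime) -> List[Backup]:
    """Return the backups to restore, in order, to recover to the latest point before failure."""
    usable = sorted((b for b in backups if b.taken_at < failure_at), key=lambda b: b.taken_at)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup available before the failure")
    last_full = fulls[-1]
    chain = [last_full]
    # Every incremental after the full is needed: each changed file appears in only one of them.
    chain.extend(b for b in usable
                 if b.kind == "incremental" and b.taken_at > last_full.taken_at)
    # Only the newest differential matters, and only if it was taken after the last backup
    # already in the chain: under this page's definition it holds everything changed since then.
    anchor = chain[-1].taken_at
    differentials = [b for b in usable if b.kind == "differential" and b.taken_at > anchor]
    if differentials:
        chain.append(differentials[-1])
    return chain


def data_loss_window(backups: List[Backup], failure_at: datetime) -> timedelta:
    """Time between the most recent usable backup and the failure: work that cannot be recovered."""
    usable = [b for b in backups if b.taken_at < failure_at]
    if not usable:
        raise ValueError("no backup available before the failure")
    return failure_at - max(b.taken_at for b in usable)


def build_scenario(with_differential: bool) -> List[Backup]:
    """Constructed schedule matching the question (sample data, not from a real system):
    full on Nov 1, nightly incrementals on the 13 following days, optionally a
    differential at 8 A.M. on Nov 14."""
    year = 2023  # arbitrary, constructed
    start = datetime(year, 11, 1, 0, 0)
    schedule = [Backup(start, "full")]
    # Nov 2 .. Nov 14 at midnight: 13 incrementals
    schedule += [Backup(start + timedelta(days=d), "incremental") for d in range(1, 14)]
    if with_differential:
        schedule.append(Backup(datetime(year, 11, 14, 8, 0), "differential"))
    return schedule


FAILURE = datetime(2023, 11, 14, 9, 30)  # constructed failure time from the scenario

if __name__ == "__main__":
    for with_diff in (True, False):
        schedule = build_scenario(with_diff)
        chain = restore_chain(schedule, FAILURE)
        print(f"differential={with_diff}: restore {len(chain)} backups, "
              f"last one {chain[-1].kind} from {chain[-1].taken_at:%b %d %H:%M}; "
              f"data loss window {data_loss_window(schedule, FAILURE)}")
```

With the differential present the chain has 15 entries and the loss window is 90 minutes; without it the chain has 14 entries and the window stretches back to the midnight incremental.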
- A. Volatile information is information that is likely to be altered or lost as time passes. Archival media is designed for long-term storage and is the least volatile data source listed here. ARP tables in a router and the contents of system memory may change frequently and are the most volatile. Files stored on disk fall in-between these two extremes.
- D. Financial institutions are required to preserve the privacy of consumer records by the Gramm-Leach-Bliley Act (GLBA). The Payment Card Industry Data Security Standard (PCI DSS) does apply to financial records, but its scope is limited to credit and debit card records. The General Data Protection Regulation (GDPR) would apply to these records if they were about European Union residents, but that is not the case here. The Sarbanes Oxley Act (SOX) regulates the financial accounting practices of publicly traded companies and is not applicable here.
- B. If Frank takes a hash of the evidence as he collects it, he may then take a hash at a later date. If the two hashes match, he can demonstrate that the evidence was not altered. A write blocker may prevent tampering but it does not provide a means for Frank to demonstrate the integrity of the evidence.
- C. The General Data Protection Regulation (GDPR) is a European law governing the privacy of personally identifiable information about residents of the European Union. It applies to that data worldwide. The Health Insurance Portability and Accountability Act (HIPAA) regulates health information in the United States. The Gramm Leach Bliley Act (GLBA) covers financial records in the United States. The Payment Card Industry Data Security Standard (PCI DSS) applies worldwide but only to credit and debit card information.
- B. Trade secrets are normally classified as proprietary information. While the term internal may apply to trade secrets, this is not the best term to use because it normally applies to a wide range of information and the term proprietary is more specific. The term classified is normally used to refer only to government information. Trade secrets are certainly not public information.
- D. Yvonne should first limit her prioritization to mission-critical systems. The billing system is important, but not directly tied to the mission of delivering web hosting services. Therefore, she can rank this system as having a low priority. Web servers are clearly quite important to the company's operations and Yvonne should likely rank a client's web server above the company's own server. However, none of these servers will be accessible without a functioning firewall, so the firewall should have the highest priority.
- A. Carla should implement least privilege access controls to limit the amount of information that's available to any individual user. She can also use a data loss prevention (DLP) system to detect the exfiltration of sensitive information. Blocking the use of personal email accounts limits a common method for exfiltrating sensitive information. Adding encryption in transit is not likely to reduce the risk of internal theft, as employees may still access stored sensitive information.
- A. An interconnection security agreement (ISA) spells out the security requirements for interconnecting the networks of two organizations. It is the most appropriate tool for this task. A service-level agreement (SLA) spells out the requirements for a service provider who will be offering services to a customer and frequently includes penalties for the vendor failing to meet the SLA requirements. There is no vendor/client relationship here, so an SLA would not be the most appropriate tool. A business partnership agreement (BPA) spells out the relationship between two organizations that are entering into a joint venture or other partnership, but does not generally include technical requirements. A memorandum of understanding (MOU) is a document that spells out an agreement between two organizations but is typically informal and less enforceable than other agreement types.
- D. Donna's organization should consider implementing a standard operating procedure (SOP) for data access requests. This procedure could spell out the appropriate approval process for granting access to data stored in another user's account. A guideline is not mandatory and would not be appropriate in this case. A data classification policy would generally not cover access request procedures, nor would a service level agreement.
- D. At the conclusion of an incident response, the organization should conduct a thorough lessons learned process that's designed to evaluate the response and identify opportunities for improvement.
- C. According to the NIST incident response guide, shutting down systems would normally occur during the containment phase. In the recovery phase, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (for example, firewall rulesets, boundary router access control lists, and so on).
- B. The Sarbanes-Oxley (SOX) Act requires that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) certify that the information contained within an annual report is accurate and assigns them personal liability for these statements. The CIO, CISO, and CPO do not bear this responsibility.
- D. During a business continuity event, organizations may choose to adopt alternate business practices that modify their normal business processes. Switching to paper-based forms is a good example of this type of practice. Moving to a failover or mobile processing facility is not a change in business practice but the use of an alternate processing facility. After-action reports are a standard part of continuity operations and should be filed after any continuity event.
- C. Incremental backups only back up files that were changed since the most recent full or incremental backup. Therefore, they are faster than full/complete backups, which would back up all files. Differential backups contain all the files that have been modified since the last full or incremental backup, and they would therefore take longer: each differential backup in a series grows larger, since it includes all the files from previous incremental backups. Each differential backup in a series contains all of the files included in prior differential backups, while each file is only contained in one incremental backup from a series.
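The backup-size argument above can be checked with a small simulation. This is an added example, not part of the answer key: a constructed change log (which files were modified on which day) is fed to each backup scheme, showing that an incremental copies each changed file once while each differential in a series grows because it copies everything changed since the last full backup; `restore_chain` shows the trade-off on the restore side.

```python
"""Constructed example: which files each backup type copies, and which
backups must be read back to restore a given day."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed change log (not real data): day -> files modified that day.
CHANGES: Dict[int, Set[str]] = {
    0: {"a.doc", "b.doc", "c.doc", "d.doc"},  # initial population of the share
    1: {"a.doc"},
    2: {"b.doc"},
    3: {"a.doc", "c.doc"},
}

Schedule = List[Tuple[int, str]]  # ordered (day, "full"|"incremental"|"differential")


def changed_between(changes: Dict[int, Set[str]], start: int, end: int) -> Set[str]:
    """Files modified on any day d with start < d <= end."""
    out: Set[str] = set()
    for day, files in changes.items():
        if start < day <= end:
            out |= files
    return out


def plan_backups(changes: Dict[int, Set[str]], schedule: Schedule) -> Dict[int, FrozenSet[str]]:
    """Return {day: files copied by that day's backup}. First entry must be a full."""
    copied_by_day: Dict[int, FrozenSet[str]] = {}
    last_full = last_base = -1  # last_base: most recent full OR incremental
    for day, kind in schedule:
        if kind == "full":
            copied = changed_between(changes, -1, day)  # every file seen so far
            last_full = last_base = day
        elif kind == "incremental":
            copied = changed_between(changes, last_base, day)  # since last full/incremental
            last_base = day
        elif kind == "differential":
            copied = changed_between(changes, last_full, day)  # since last full only
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        copied_by_day[day] = frozenset(copied)
    return copied_by_day


def restore_chain(schedule: Schedule, target_day: int) -> List[int]:
    """Days whose backups must be restored, in order, to rebuild target_day."""
    chain: List[int] = []
    for day, kind in schedule:
        if day > target_day:
            break
        if kind == "full":
            chain = [day]                # a full resets the chain
        elif kind == "incremental":
            chain.append(day)            # every incremental since the full is needed
        elif kind == "differential":
            chain = [chain[0], day]      # only the full plus the latest differential
    return chain
```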
- A. The data protection officer (DPO) is a formal designation under GDPR and the individual designated as DPO bears significant responsibilities for GDPR compliance.
- B. Privileged users are clearly susceptible to all of these attacks. However, there is no reason to believe that they are more likely to be victims of water cooler attacks, brute force attacks, or man-in-the-middle attacks than any other user. Spear phishing attacks target specific people and are more likely to target privileged users because of their elevated privileges.
- B. A security information and event management (SIEM) system receives information from other security tools and correlates across systems to discover trends and patterns that might indicate an attack. Data loss prevention (DLP) systems, intrusion detection systems (IDS), and intrusion prevention systems (IPS) all generate data that might be fed to a SIEM.
- B. After identifying an incident, the team should move into the containment phase, where they seek to limit the damage caused by the incident. Containment occurs prior to the eradication and recovery phases. The preparation phase occurs before incident identification.