Chapter 5

Governance, Risk, and Compliance

Caroline has been asked to find an international standard to guide her company's choices in implementing information security management systems. Which of the following would be the best choice for her?

A. ISO 27002

B. ISO 27017

C. NIST 800-12

D. NIST 800-14

A. Caroline should select ISO 27002. ISO 27002 is an international standard for implementing and maintaining information security systems. ISO 27017 is an international standard for cloud security; NIST 800-12 is a general security standard and it is a U.S. standard, not an international one; and NIST 800-14 is a standard for policy development, and it is also a U.S. standard, not an international one.

Adam is concerned about malware infecting machines on his network. One of his concerns is that malware would be able to access sensitive system functionality that requires administrative access. What technique would best address this issue?

A. Implementing host-based antimalware

B. Using a nonadministrative account for normal activities

C. Implementing full-disk encryption (FDE)

D. Making certain the operating systems are patched

B. If a system is infected with malware, the malware will operate with the privileges of the current user. If you use nonadministrative accounts, with least privileges, then the malware won’t be able to access administrative functionality without a privilege escalation capability.

You are responsible for setting up new accounts for your company network. What is the most important thing to keep in mind when setting up new accounts?

A. Password length

B. Password complexity

C. Account age

D. Least privileges

D. Least privilege is the most fundamental concept in establishing accounts. Each user should have just enough privileges to do their job. This concept also applies to service accounts. Although each of the other options is something you would consider, they are not as critical as the principle of least privilege.

Which of the following principles stipulates that multiple changes to a computer system should not be made at the same time?

A. Due diligence

B. Acceptable use

C. Change management

D. Due care

C. Change management is the process of documenting all changes made to a company’s network and computers. Avoiding making changes at the same time makes tracking any problems that can occur much simpler. Due diligence is the process of investigation and verification of the accuracy of a particular act. Acceptable use policies state what actions and practices are allowed in an organization while using technology. Due care is the effort made by a reasonable party to avoid harm to another. It is the level of judgment, care, determination, and activity a person would reasonably expect to do under certain conditions.

You are a security engineer and discovered an employee using the company's computer systems to operate their small business. The employee installed their personal software on the company's computer and is using the computer hardware, such as the USB port. What policy would you recommend the company implement to prevent any risk of the company's data and network being compromised?

A. Acceptable use policy

B. Clean desk policy

C. Mandatory vacation policy

D. Job rotation policy

A. An acceptable use policy (AUP) is a document stating what a user may or may not have access to on a company’s network or the Internet. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Job rotation is a policy that describes the practice of moving employees between different tasks. Job rotation can help detect fraud because employees cannot perform the same actions for long periods of time.

What standard is used for credit card security?

A. GDPR

B. COPPA

C. PCI-DSS

D. CIS

C. The PCI-DSS, or Payment Card Industry Data Security Standard, is a security standard that is mandated by credit card vendors. The Payment Card Industry Security Standards Council is responsible for updates and changes to the standard. GDPR, or the General Data Protection Regulation, is a standard for data privacy and security in the European Union (EU). COPPA is the Children’s Online Privacy Protection Act, a U.S. federal law. CIS is the Center for Internet Security and is not a law or a regulation.

You are a security manager for your company and need to reduce the risk of employees working in collusion to embezzle funds. Which of the following policies would you implement?

A. Mandatory vacations

B. Clean desk

C. NDA

D. Continuing education

A. Companies will use mandatory vacation policies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities. Clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands. Continuing education is the process of training adult learners in a broad list of postsecondary learning activities and programs. Companies will use continuing education in training their employees on the new threats and also reiterating current policies and their importance.

After your company implemented a clean desk policy, you have been asked to secure physical documents every night. Which of the following would be the best solution?

A. Department door lock

B. Locking cabinets and drawers at each desk

C. Proximity cards

D. Onboarding

B. Locking cabinets and drawers is the best solution because they allow individuals to lock their drawers and ensure that access to a single key does not allow broad access to documents like a department door lock or proximity cards for the space. Onboarding is the process of adding an employee to a company’s identity and access management system and would not help with securing documents, but it might teach the process of doing so.

Which of the following techniques attempts to predict the likelihood a threat will occur and assigns monetary values should a loss occur?

A. Change management

B. Vulnerability assessment

C. Qualitative risk assessment

D. Quantitative risk assessment

D. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have. Change management is the process of managing configuration changes made to a network. Vulnerability assessment attempts to identify, quantify, and rank the weaknesses in a system. Qualitative risk assessment is the process of ranking which risk poses the most danger using ratings like low, medium, and high.

Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved?

A. SLA

B. BPA

C. ISA

D. MOU

D. A memorandum of understanding (MOU) is a type of agreement that is usually not legally binding. This agreement is intended to be mutually beneficial without involving courts or money. An SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations.

As part of the response to a credit card breach, Sally discovers evidence that individuals in her organization were actively working to steal credit card information and personally identifiable information (PII). She calls the police to engage them for the investigation. What has she done?

A. Escalated the investigation

B. Public notification

C. Outsourced the investigation

D. Tokenized the data

A. Escalation is necessary in cases where the current breach goes beyond the scope of the organization or investigators or is required by law. In this case, Sally believes a crime has been committed and has escalated the case to law enforcement. Other escalations might be to federal or state law enforcement, or to other more capable internal or external investigators. Tokenizing data uses a deidentified replacement data item, public notification notifies the population or customers at large, and outsourcing investigations may be done if specialized skills are needed.

You have an asset that is valued at $16,000, the exposure factor of a risk affecting that asset is 35 percent, and the annualized rate of occurrence is 75 percent. What is the SLE?

A. $5,600

B. $5,000

C. $4,200

D. $3,000

A. The single loss expectancy (SLE) is the product of the value ($16,000) and the exposure factor (.35), or $5,600.

During a meeting, you present management with a list of access controls used on your network. Which of the following controls is an example of a corrective control?

A. IDS

B. Audit logs

C. Antivirus software

D. Router

C. Antivirus is an example of a corrective control. A corrective control is designed to correct a situation. An IDS (intrusion detection system) is a detective control because it detects security breaches. An audit log is a detective control because it detects security breaches. A router is a preventive control because it prevents security breaches with access control lists (ACLs).

You are the new security administrator and have discovered your company lacks deterrent controls. Which of the following would you install that satisfies your needs?

A. Lighting

B. Motion sensor

C. Hidden video cameras

D. Antivirus scanner

A. A deterrent control is used to warn a potential attacker not to attack. Lighting added to the perimeter and warning signs such as a “no trespassing” sign are deterrent controls. The other options are examples of detective controls. A detective control is designed to uncover a violation, although some detective controls may serve as a deterrent—for example, when a camera is visible, they are not primarily deterrent controls.

Your company's security policy includes system testing and security awareness training guidelines. Which of the following control types is this?

A. Detective technical control

B. Preventive technical control

C. Detective administrative control

D. Preventive administrative control

D. Testing and training are preventive administrative controls. Administrative controls dictate how security policies should be executed to accomplish the company’s security goals. A detective technical control uncovers a violation through technology. A preventive technical control attempts to stop a violation through technology. Detective administrative controls uncover a violation through policies, procedures, and guidelines.

You are a security administrator for your company and you identify a security risk. You decide to continue with the current security plan. However, you develop a contingency plan in case the security risk occurs. Which of the following type of risk response technique are you demonstrating?

A. Accept

B. Transfer

C. Avoid

D. Mitigate

A. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat

Jim's company operates facilities in Illinois, Indiana, and Ohio, but the headquarters is in Illinois. Which state laws does Jim need to review and handle as part of his security program?

A. All U.S. state laws

B. Illinois

C. Only U.S. federal laws

D. State laws in Illinois, Indiana, and Ohio

D. In most cases, operating a facility in a state is sufficient reason to need to comply with state laws. Jim should check with a lawyer, but he should plan on needing to comply with Illinois, Indiana, and Ohio law, as well as federal laws.

You are an IT administrator for a company and you are adding new employees to an organization's identity and access management system. Which of the following best describes the process you are performing?

A. Onboarding

B. Offboarding

C. Adverse action

D. Job rotation

A. Onboarding is the process of adding an employee to a company’s identity and access management system. Offboarding is the process of removing an employee from the company’s identity and access management system. Adverse action is an official personnel action that is taken for disciplinary reasons. Job rotation gives individuals the ability to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee’s attack is easier when multiple employees understand the company’s security posture.

Mark is an office manager at a local bank branch. He wants to ensure that customer information isn't compromised when the deskside employees are away from their desks for the day. What security concept would Mark use to mitigate this concern?

A. Clean desk

B. Background checks

C. Continuing education

D. Job rotation

A. A clean desk policy ensures that sensitive information and documents are not left on desks after hours and requires employees to place those files into a less exposed or secure location. Background checks, continuing education, and job rotation do not protect confidential information left on desks from being exposed.

\
You are a security administrator and advise the web development team to include a CAPTCHA on the web page where users register for an account. Which of the following controls is this referring to?

A. Deterrent

B. Detective

C. Compensating

D. Degaussing

A. As users register for an account, they enter letters and numbers they are given on the web page before they can register. This is an example of a deterrent control since it prevents bots from registering and proves this is a real person. Detective controls detect intrusion as it happens and uncovers a violation. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. Degaussing is a method of removing data from a magnetic storage media by changing the magnetic field.

Which of the following is not a common security policy type?

A. Acceptable use policy

B. Social media policy

C. Password policy

D. Parking policy

D. A parking policy generally outlines parking provisions for employees and visitors. This includes the criteria and procedures for allocating parking spaces for employees and is not a part of organizational security policy. Instead, it is an operational or business policy. An acceptable use policy describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. Social media policy defines how employees should use social media networks and applications such as Facebook, Twitter, LinkedIn, and others. It can adversely affect a company’s reputation. Password policies define the complexity of creating passwords. It should also define weak passwords and how users should protect password safety.

As the IT security officer for your organization, you are configuring data label options for your company's research and development file server. Regular users can label documents as contractor, public, or internal. Which label should be assigned to company trade secrets?

A. High

B. Top secret

C. Proprietary

D. Low

C. Proprietary data is a form of confidential information, and if the information is revealed, it can have severe effects on the company’s competitive edge. High is a generic label assigned to data internally that represents the amount of risk being exposed outside the company. The top-secret label is often used in governmental systems where data and access may be granted or denied based on assigned categories. Low is a generic label assigned to data internally that represents the amount of risk being exposed outside the company.

Which of the following is not a physical security control?

A. Motion detector

B. Fence

C. Antivirus software

D. Closed-circuit television (CCTV)

C. Antivirus software is used to protect computer systems from malware and is not a physical security control. Physical controls are security measures put in place to reduce the risk of harm coming to a physical property. This includes protection of personnel, hardware, software, networks, and data from physical actions and events that could cause damage or loss.

Your security manager wants to decide which risks to mitigate based on cost. What is this an example of?

A. Quantitative risk assessment

B. Qualitative risk assessment

C. Business impact analysis

D. Threat assessment

A. Quantitative risk assessment is the process of assigning numerical values to the probability an event will occur and what impact the event will have. Qualitative risk assessment is the process of ranking which risk poses the most danger such as low, medium, and high. A business impact analysis (BIA) is used to evaluate the possible effect a business can suffer should an interruption to critical system operations occur. This interruption could be as a result of an accident, emergency, or disaster. Threat assessment is the process of identifying and categorizing different threats such as environmental and person-made. It also attempts to identify the potential impact from the threats.

Your company has outsourced its proprietary processes to Acme Corporation. Due to technical issues, Acme wants to include a third-party vendor to help resolve the technical issues. Which of the following must Acme consider before sending data to the third party?

A. This data should be encrypted before it is sent to the third-party vendor.

B. This may constitute unauthorized data sharing.

C. This may violate the privileged user role-based awareness training.

D. This may violate a nondisclosure agreement.

D. A nondisclosure agreement (NDA) protects sensitive and intellectual data from getting into the wrong hands. An NDA is a legal contract between the company and third-party vendor to not disclose information per the agreement. Encrypted data that is sent can still be decrypted by the third-party vendor if they have the appropriate certificate or the key but does not restrict access to the data. Violating an NDA would constitute unauthorized data sharing, and a violation of privileged user role-based awareness training has nothing to do with sharing proprietary information

Which of the following is considered a detective control?

A. Closed-circuit television (CCTV)

B. An acceptable use policy

C. Firewall

D. IPS

A. Detective controls like CCTV detect intrusion as it happens and can help uncover violations. Policies are administrative controls. Firewalls and intrusion prevention system (IPS) devices are technical controls. Technical controls are applied through technology and may be also be deterrent, preventive, detective, or compensating.

Which of the following is typically included in a BPA?

A. Clear statements detailing the expectation between a customer and a service provider

B. The agreement that a specific function or service will be delivered at the agreed-on level of performance

C. Sharing of profits and losses and the addition or removal of a partner

D. Security requirements associated with interconnecting IT systems

C. Sharing of profits and losses and the addition or removal of a partner, as well as the responsibilities of each partner, are typically included in a BPA (business partner agreement). Expectations between parties such as a company and an Internet service provider are typically found in a service level agreement (SLA). Expectations include the level of performance given during the contractual service. An SLA will provide a clear means of determining whether a specific function or service has been provided according to the agreed-on level of performance. Security requirements associated with interconnecting IT systems are typically found in an interconnection security agreement, or ICA.

You are the network administrator of your company, and the manager of a retail site located across town has complained about the loss of power to their building several times this year. The branch manager is asking for a compensating control to overcome the power outage. What compensating control would you recommend?

A. Firewall

B. Security guard

C. IDS

D. Backup generator

D. A backup generator is a compensating control—an alternate control that replaces the original control when it cannot be used due to limitations of the environment. A firewall is considered a preventive control, a security guard is considered a physical control, and an IDS (intrusion detection system) is considered a detective control.

James is a security administrator and is attempting to block unauthorized access to the desktop computers within the company's network. He has configured the computers’ operating systems to lock after 5 minutes of no activity. What type of security control has James implemented?

A. Preventive

B. Corrective

C. Deterrent

D. Detective

A. Preventive controls stop an action from happening—in this scenario, preventing an unauthorized user from gaining access to the network when the user steps away. A corrective control is designed to correct a situation, a deterrent control is used to deter a security breach, and a detective control is designed to uncover a violation.

An accounting employee changes roles with another accounting employee every 4 months. What is this an example of?

A. Separation of duties

B. Mandatory vacation

C. Job rotation

D. Onboarding

C. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee’s attack is easier when multiple employees understand the company’s security posture. Separation of duties is the concept of having more than one person required to complete a task, allowing problems to be noted by others involved. A mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities while the person who normally performs them is out of the office. Onboarding is the process of adding an employee to a company’s identity and access management system or other infrastructure.

Tony's company wants to limit their risk due to customer data. What practice should they put in place to ensure that they have only the data needed for their business purposes?

A. Data masking

B. Data minimization

C. Tokenization

D. Anonymization

B. Data minimization is the process of ensuring that only data that is required for business functions is collected and maintained. Tony should ensure that his organization is minimizing the data collected. Data masking redacts data but does not decrease how much is collected. Tokenization replaces sensitive values with a unique identifier that can be looked up in a lookup table. Anonymization removes the ability to identify individuals from data but is quite difficult.

Your company website is hosted by an Internet service provider. Which of the following risk response techniques is in use?

A. Risk avoidance

B. Risk register

C. Risk acceptance

D. Risk mitigation

A. Risk avoidance is a strategy to deflect threats in order to avoid the costly and disruptive consequences of a damaging event. It also attempts to minimize vulnerabilities that can pose a threat. A risk register is a document that tracks an organization’s risks and information about the risks like who owns it, if it is being remediated, and similar details. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat.

A security administrator is reviewing the company's continuity plan, and it specifies an RTO of four hours and an RPO of one day. Which of the following is the plan describing?

\
A. Systems should be restored within one day and should remain operational for at least four hours.

B. Systems should be restored within four hours and no later than one day after the incident.

C. Systems should be restored within one day and lose, at most, four hours’ worth of data.

D. Systems should be restored within four hours with a loss of one day's worth of data at most.

D. Systems should be restored within four hours with a minimum loss of one day’s worth of data. The RTO (recovery time objective) is the amount of time within which a process or service must be restored after a disaster to meet business continuity. It defines how much time it takes to recover after notification of process disruption. The recovery point objective, or RPO, specifies the amount of time that can pass before the amount of data lost may exceed the organization’s maximum tolerance for data loss.

Which of the following statements is true regarding a data retention policy?

A. Regulations require financial transactions to be stored for seven years.

B. Employees must remove and lock up all sensitive and confidential documents when not in use.

C. It describes a formal process of managing configuration changes made to a network.

D. It is a legal document that describes a mutual agreement between parties.

A. A data retention policy defines how long an organization will keep data. Removing sensitive documents not in use is a clean desk policy. A formal process for managing configuration changes is change management, and a memorandum of understanding consists of legal documents that describe mutual agreement between two parties.

How do you calculate the annual loss expectancy (ALE) that may occur due to a threat?

A. Exposure factor (EF) / single loss expectancy (SLE)

B. Single loss expectancy (SLE) × annual rate of occurrence (ARO)

C. Asset value (AV) × exposure factor (EF)

D. Single loss expectancy (SLE) / exposure factor (EF)

B. ALE (annual loss expectancy) is the product of the ARO (annual rate of occurrence) and the SLE (single loss expectancy) and is mathematically expressed as ALE = ARO × SLE. Single loss expectancy is the cost of any single loss, and it is mathematically expressed as SLE = AV (asset value) × EF (exposure factor).

Michelle has been asked to use the CIS benchmark for Windows 10 as part of her system security process. What information will she be using?

A. Information on how secure Windows 10 is in its default state

B. A set of recommended security configurations to secure Windows 10

C. Performance benchmark tools for Windows 10 systems, including network speed and firewall throughput

D. Vulnerability scan data for Windows 10 systems provided by various manufacturers

B. The Center for Internet Security (CIS) benchmarks provide recommendations for how to secure an operating system, application, or other covered technology. Michelle will find Windows 10–specific security configuration guidelines and techniques.

Which of the following is the best example of a preventive control?

A. Data backups

B. Security camera

C. Door alarm

D. Smoke detectors

A. Preventive controls like data backups are proactive and are used to avoid a security breach or an interruption of critical services before they can happen. Security cameras, smoke detectors, and door alarms are examples of detective control. Detective controls detect intrusion as it happens and uncovers a violation.

You are a security administrator for your company and you identify a security risk that you do not have in-house skills to address. You decide to acquire contract resources. The contractor will be responsible for handling and managing this security risk. Which of the following type of risk response techniques are you demonstrating?

A. Accept

B. Mitigate

C. Transfer

D. Avoid

C. Risk transfer is the act of moving the risk to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or that has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether.

Each salesperson who travels has a cable lock to lock down their laptop when they step away from the device. To which of the following controls does this apply?

A. Administrative

B. Compensating

C. Deterrent

D. Preventive

D. A preventive control is used to avoid a security breach or an interruption of critical services before they can happen. Administrative controls are defined through policies, procedures, and guidelines. A compensating control is used to satisfy a requirement for a security measure that is too difficult or impractical to implement at the current time. A deterrent control is used to deter a security breach.

You are a server administrator for your company's private cloud. To provide service to employees, you are instructed to use reliable hard disks in the server to host a virtual environment. Which of the following best describes the reliability of hard drives?

A. MTTR

B. RPO

C. MTBF

D. ALE

C. Mean time between failures (MTBF) is a measurement to show how reliable a hardware component is. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. An RPO (recovery point objective) is the period of time a company can tolerate lost data being unrecoverable between backups. ALE (annual loss expectancy) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

All of your organization's traffic flows through a single connection to the Internet. Which of the following terms best describes this scenario?

A. Cloud computing

B. Load balancing

C. Single point of failure

D. Virtualization

C. A single point of failure (SPOF) is a single weakness that can bring an entire system down and prevent it from working. Cloud computing allows the delivery of hosted service over the Internet. Load balancing spreads traffic or other load between multiple systems or servers. Virtualization uses a system to host virtual machines that share the underlying resources such as RAM, hard drive, and CPU.

Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis?

A. Quantitative risk analysis requires detailed financial data.

B. Quantitative risk analysis is sometimes subjective.

C. Quantitative risk analysis requires expertise on systems and infrastructure.

D. Quantitative risk provides clear answers to risk-based questions.

A. Quantitative risk analysis requires complex calculations and is more time-consuming because it requires detailed financial data and calculations. Quantitative risk assessment is often subjective and requires expertise on systems and infrastructure, and both types of assessment can provide clear answers on riskbased questions.

Leigh Ann is the new network administrator for a local community bank. She studies the current file server folder structures and permissions. The previous administrator didn't properly secure customer documents in the folders. Leigh Ann assigns appropriate file and folder permissions to be sure that only the authorized employees can access the data. What security role is Leigh Ann assuming?

A. Power user

B. Data owner

C. User

D. Custodian

D. A custodian configures data protection based on security policies. The local community bank is the data owner, not Leigh Ann. Leigh Ann is a network administrator, not a user, and power user is not a standard security role in the industry.

Categorizing residual risk is most important to which of the following risk response techniques?

A. Risk mitigation

B. Risk acceptance

C. Risk avoidance

D. Risk transfer

B. Risk acceptance is a strategy of recognizing, identifying, and accepting a risk that is sufficiently unlikely or has such limited impact that a corrective control is not warranted. Risk mitigation is when a company implements controls to reduce vulnerabilities or weaknesses in a system. It can also reduce the impact of a threat. Risk avoidance is the removal of the vulnerability that can increase a particular risk so that it is avoided altogether. Risk transfer is the act of moving the risk to other organizations like insurance providers or hosting companies who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from a risk.

You are the IT manager and one of your employees asks who assigns data labels. Which of the following assigns data labels?

A. Owner

B. Custodian

C. Privacy officer

D. System administrator

A. Data owners assign labels such as top secret to data. Custodians assign security controls to data. A privacy officer ensures that companies comply with privacy laws and regulations. System administrators are responsible for the overall functioning of IT systems

Which of the following is the most pressing security concern related to social media networks?

A. Other users can view your MAC address.

B. Other users can view your IP address.

C. Employees can leak a company's confidential information.

D. Employees can express their opinion about their company

C. Employees can leak a company’s confidential information. Exposing a company’s information could put the company’s security position at risk because attackers can use this information as part of attacks against the company. Gaining access to a computer’s MAC address is not relevant to social media network risk. Gaining access to a computer’s IP address is not relevant to social media network risk. Employees can easily express their concerns about a company in general. This is not relevant to social media network risk as long as the employee doesn’t reveal any confidential information.

What concept is being used when user accounts are created by one employee and user permissions are configured by another employee?

A. Background checks

B. Job rotation

C. Separation of duties

D. Collusion

C. Separation of duties is the concept of having more than one person required to complete a task. A background check is a process that is performed when a potential employee is considered for hire. Job rotation allows individuals to see various parts of the organization and how it operates. It also eliminates the need for a company to rely on one individual for security expertise should the employee become disgruntled and decide to harm the company. Recovering from a disgruntled employee’s attack is easier when multiple employees understand the company’s security posture. Collusion is an agreement between two or more parties to defraud a person of their rights or to obtain something that is prohibited by law.

A security analyst is analyzing the cost the company could incur if the customer database was breached. The database contains 2,500 records with personally identifiable information (PII). Studies show the cost per record would be $300. The likelihood that the database would be breached in the next year is only 5 percent. Which of the following would be the ALE for a security breach?

A. $15,000

B. $37,500

C. $150,000

D. $750,000

B. ALE (annual loss expectancy) = SLE (single loss expectancy) × ARO (annualized rate of occurrence). SLE equals $750,000 (2,500 records × $300), and ARO equals 5%, so $750,000 times 5% equals $37,500.

Which of the following concepts defines a company goal for system restoration and acceptable data loss? A. MTBF

B. MTTR

C. RPO

D. ARO

C. RPO (recovery point objective) specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning’s maximum acceptable threshold. MTBF (mean time between failures) is the rating on a device or component that predicts the expected time between failures. MTTR (mean time to repair) is the average time it takes for a failed device or component to be repaired or replaced. ARO (annual rate of occurrence) is the ratio of an estimated possibility that a threat will take place within a one-year time frame.

Your company hires a third-party auditor to analyze the company's data backup and long-term archiving policy. Which type of organization document should you provide to the auditor?

A. Clean desk policy

B. Acceptable use policy

C. Security policy

D. Data retention policy

D. A data retention policy states how data should be stored based on various types, such as storage location, amount of time the data should be retained, and the type of storage medium that should be used. A clean desk policy ensures that all sensitive/confidential documents are removed from an end-user workstation and locked up when the documents are not in use. An AUP, or acceptable use policy, describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours. A security policy defines how to secure physical and information technology assets. This document should be continuously updated as technology and employee requirements change.

You are a network administrator and have been given the duty of creating user accounts for new employees the company has hired. These employees are added to the identity and access management system and assigned mobile devices. What process are you performing?

A. Offboarding

B. System owner

C. Onboarding

D. Executive user

C. Onboarding is the process of adding an employee to company’s identity and access management system. Offboarding is the process of removing an employee from the company’s identity and access management system. A system owner is an individual who is in charge of managing one or more systems and can include patching and updating operating systems. An executive user was made up for this question.

What type of control is separation of duty?

A. Physical

B. Operational

C. Technical

D. Compensating

B. Separation of duty can be classified as an operational control that attempts to minimize fraud by ensuring that an individual cannot exploit a process and conceal the errors or issues that they are creating. It is not a physical control or a technical control, and nothing in the question indicates that this is compensating for gaps left by another control.

Which of the following rights is not included in the GDPR?

A. The right to access

B. The right to be forgotten

C. The right to data portability

D. The right to anonymity

D. The General Data Protection Regulation (GDPR) does not include a right to anonymity, although organizations must be able to provide security safeguards that may include anonymization where appropriate.

Nick is following the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and has completed the prepare and categorize steps. Which step in the risk management framework is next?

A. Assessing controls

B. Implementing controls

C. Monitoring controls

D. Selecting controls

D. The NIST RMF’s Process is.

1\. Prepare

2\. Categorize system

3\. Select controls

4\. Implement controls'

5\. Assess control

6\. Authorize system

7\. Monitor controls

Why are diversity of training techniques an important concept for security program administrators?

A. It allows for multiple funding sources.

B. Each person responds to training differently.

C. It avoids a single point of failure in training compliance.

D. It is required for compliance with PCI-DSS.

B. Security program administrators often use different types of training to ensure that trainees who react and respond differently to training are given training that helps them. There may be other valid reasons, but this is the most common reason for training diversity.

Alyssa has been asked to categorize the risk of outdated software in her organization. What type of risk categorization should she use?

A. Internal

B. Quantitative

C. Qualitative

D. External

A. Risks that the organization itself creates are internal risks. External risks are those created by factors outside the organization’s control. Qualitative and quantitative are both types of risk assessment, rather than categorizations of risk.

What term is used to describe a listing of all of an organization's risks, including information about the risk's rating, how it is being remediated, remediation status, and who owns or is assigned responsibility for the risk? A. An SSAE

B. A risk register

C. A risk table

D. A DSS

B. Risk registers are documents used by organizations to track and manage risks and include information including the owner or responsible party, details about the risk, and other useful information. Statement on Standards for Attestation Engagements (SSAEs) are audit reports, Payment Card Industry Data Security Standard (PCI-DSS) is a security standard used for credit card operations, and risk table is not a common industry term.

Which of the following terms is used to measure how maintainable a system or device is?

A. MTBF

B. MTTF

C. MTTR

D. MITM

C. The mean time to repair (MTTR) for a system or devices is the average time that it will take to repair it if it fails. The MTTR is used as part of business continuity planning to determine if a system needs additional redundancy or other options put in place if a failure and repair would exceed the maximum tolerable outage. It is calculated by dividing the total maintenance time by the total number of repairs. MTBF is the mean time between failures, MTTF the mean time to fail, and MITM is an on-path attack, a term that has been increasingly replaced with on-path.

The company that Olivia works for has recently experienced a data breach that exposed customer data, including their home addresses, shopping habits, email addresses, and contact information. Olivia's company is an industry leader in their space but has strong competitors as well. Which of the following impacts is not likely to occur now that the organization has completed their incident response process?

A. Identity theft

B. Financial loss

C. Reputation loss

D. Availability loss

D. Common results of breaches like this include identity theft using the personal information of the customers, financial loss to the company due to breach costs and lawsuits, and reputational loss. Since the incident response process is over, Olivia’s company should have remediated the underlying issues that led to the breach, hopefully preventing further downtime and thus availability loss.

Eric works for the U.S. government and needs to classify data. Which of the following is not a common classification type for U.S. government data?

A. Top Secret

B. Secret

C. Confidential

D. Civilian

D. There is no civilian classification level for government data. Data may be unclassified, or sensitive but unclassified. Top Secret, Secret, and Confidential are all commonly used classifications.

Which of the following is not a common location for privacy practices to be recorded or codified?

A. A formal privacy notice

B. The source code for a product

C. The terms of the organization's agreement with customers

D. None of the above

B. The source code for a product is not typically used as a location for privacy terms and conditions. Instead, they are in the contract, user license or related legal terms, or in a formal privacy notice.

What key difference separates pseudonymization and anonymization?

A. Anonymization uses encryption.

B. Pseudonymization requires additional data to reidentify the data subject.

C. Anonymization can be reversed using a hash.

D. Pseudonymization uses randomized tokens.

B. Pseudonymization can allow reidentification of the data subject if additional data is available. Properly done anonymization cannot be reversed. Anonymization techniques will group information so that individuals cannot be identified from data and use other techniques to prevent additional information, leading to de-anonymization of individuals.

What policy clearly states the ownership of information created or used by an organization?

A. A data governance policy

B. An information security policy

C. An acceptable use policy

D. A data retention policy

A. A data governance policy clearly states who owns the information collected and used by an organization. Information security policies provide the high-level authority and guidance for security programs and efforts. Acceptable use policies (AUPs) define what information resources can be used for and how. Data retention policies establish what information an organization will collect and how long it will be kept before destruction.

Helen's organization provides telephone support for their entire customer base as a critical business function. She has created a plan that will ensure that her organization's Voice over IP (VoIP) phones will be restored in the event of a disaster. What type of plan has she created?

A. A disaster recovery plan

B. An RPO plan

C. A functional recovery plan

D. An MTBF plan

C. Helen has created a functional recovery plan focused on a specific technical and business function. A disaster recovery plan (DRP) has a broader perspective and might include multiple functional recovery plans. RPOs, or recovery point objectives, and MTBF, or mean time between failures, are not types of plans typically built by organizations.

Greg has data that is classified as health information that his organization uses as part of their company's HR data. Which of the following statements is true for his company's security policy?

A. The health information must be encrypted.

B. Greg should review relevant law to ensure the health information is handled properly.

C. Companies are prohibited from storing health information and must outsource to third parties.

D. All of the above

B. Health information may be covered by state, local, or federal law, and Greg’s organization should ensure that they understand any applicable laws before storing, processing, or handling health information.

What type of information does a control risk apply to?

A. Health information

B. Personally identifiable information (PII)

C. Financial information

D. Intellectual property

C. Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information.

What type of impact is an individual most likely to experience if a data breach that includes PII occurs?

A. IP theft

B. Reputation damage

C. Fines

D. Identity theft

D. An individual is most likely to face identity theft issues if their personally identifiable information (PII) is stolen or breached.

Isaac has been asked to write his organization's security policies. What policy is commonly put in place for service accounts?

A. They must be issued only to system administrators.

B. They must use multifactor authentication.

C. They cannot use interactive logins.

D. All of the above

C. It is common practice to prohibit interactive logins to a GUI or shell for service accounts. Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).

Nina is tasked with putting radio frequency identification (RFID) tags on every new piece of equipment that enters her datacenter that costs more than $500. What type of organizational policy is most likely to include this type of requirement?

A. A change management policy

B. An incident response policy

C. An asset management policy

D. An acceptable use policy

C. Asset management policies typically include all stages of an asset’s life cycle, and asset tags like those described are used to track assets in many organizations. Change management, incident response, and acceptable use policies do not require asset tagging.

Megan is reviewing her organization's datacenter network diagram as shown in the following image. What should she note for point A on the diagram?

A. A wireless link

B. A redundant connection

C. A wired link

D. A single point of failure

D. The diagram shows a fully redundant internal network with pairs of firewalls, routers, and core switches, but with a single connection to the Internet. This means that Megan should consider how her organization would connect to the outside world if that link was severed or disrupted. There is no indication whether this is a wired or wireless link, and the image does not show a redundant link.

Emma is reviewing third-party risks to her organization, and Nate, her organization's procurement officer, notes that purchases of some laptops from the company's hardware vendor have been delayed due to lack of availability of SSDs (solid state drives) and specific CPUs for specific configurations. What type of risk should Emma describe this as?

A. Financial risk

B. A lack of vendor support

C. System integration

D. Supply chain

D. Emma should categorize this as a supply chain risk. When organizations cannot get the systems, equipment, and supplies they need to operate, it can have significant impact on their ability to conduct business. That could create financial risk, but financial risk is not the direct risk here. There is no indication that the vendor will not support the systems, nor is there any information about whether there is an integration issue in the description.

Henry has implemented an intrusion detection system. What category and control type could he list for an IDS?

A. Technical, Detective

B. Administrative, Preventative

C. Technical, Corrective

D. Administrative, Detective

A. An intrusion detection system (IDS) can detect attacks, and is a detective control. Since it is a technical system rather than a physical control or an administrative policy or procedure, Henry can correctly categorize it as a technical, detective control.

Amanda administers Windows 10 workstations for her company and wants to use a secure configuration guide from a trusted source. Which of the following is not a common source for Windows 10 security benchmarks? A. CIS

B. Microsoft

C. The FTC

D. The NSA

C. The Federal Trade Commission (FTC) does not provide security configuration guides or benchmarks for operating systems or devices. The Center for Internet Security (CIS), Microsoft (and other vendors), and the National Security Agency (NSA) all provide configuration benchmarks.

Katie has discovered a Windows 2008 web server running in her environment. What security concern should she list for this system?

A. Windows 2008 only runs on 32-bit platforms.

B. Windows 2008 cannot run modern web server software.

C. Windows 2008 has reached its end of life and cannot be patched.

D. All of the above

C. Legacy systems that no longer receive support are a significant concern because they cannot be patched if security vulnerabilities are discovered. Windows 2008 reached its end of life in January 2020. It ran on both 32-bit and 64-bit platforms, and you can still install modern web servers on it.

Patching systems immediately after patches are released is an example of what risk management strategy?

A. Acceptance

B. Avoidance

C. Mitigation

D. Transference

B. Patching is a form of avoidance because it works to remove a risk from the environment. Acceptance of flaws that need patching would involve leaving the software unpatched; mitigation strategies might include firewalls, intrusion prevention systems (IPSs), or web application firewall (WAF) devices; and transference options include third-party hosting or services.

Charles wants to display information from his organization's risk register in an easy-to-understand and -rank format. What common tool is used to help management quickly understand relative rankings of risk?

A. Risk plots

B. A heat map

C. A qualitative risk assessment

D. A quantitative risk assessment

B. Risk heat maps or a risk matrix can allow an organization to quickly look at risks and compare them based on their probability and impact or other rating elements. Qualitative and quantitative risk assessments are types of assessment, not means of presenting risk information in an easy-to-understand format, and risk plots are not a common term used in the field.

What key element of regulations, like the European Union's (EU's) GDPR, drive organizations to include them in their overall assessment of risk posture?

A. Potential fines

B. Their annual loss expectancy (ALE)

C. Their recovery time objective (RTO)

D. The likelihood of occurrence

A. The fines that can result from violation or infringement of regulations like the General Data Protection Regulation can have a significant impact on an organization, or could even potentially put it out of business. Due to this, organizations will track compliance with regulations as part of their risk posture.

What phases of handling a disaster are covered by a disaster recovery plan?

A. What to do before the disaster

B. What to do during the disaster

C. What to do after the disaster

D. All of the above

D. Disaster recovery requires forethought and preparation, response to issues to minimize impact during a disaster, and response activities after a disaster. Thus, a complete disaster recovery plan should include actions that may or will occur before, during, and after a disaster, and not just the recovery process after the fact.

Naomi's organization has recently experienced a breach of credit card information. After investigation, it is discovered that her organization was inadvertently not fully compliant with PCIDSS and is not currently fully compliant. Which of the following penalties is her organization most likely to incur?

A. Criminal charges

B. Fines

C. Termination of the credit card processing agreement

D. All of the above

B. Although data breaches could result in termination of a card processing agreement, the fact that her organization is noncompliant is most likely to result in a fine. PCI-DSS, or Payment Card Industry Data Security Standard, is a vendor standard, not a law, and criminal charges would not typically be filed in a situation like this.

Alaina wants to map a common set of controls for cloud services between standards like COBIT (Control Objectives for Information and Related Technology), FedRAMP (Federal Risk and Authorization Management Program), HIPAA (the Health Insurance Portability and Accountability Act of 1996), and others. What can she use to speed up that process?

A. The CSA's reference architecture

B. ISO 27001

C. The CSA's cloud control matrix

D. ISO 27002

C. The Cloud Security Alliance’s Cloud Control Matrix maps existing standards to common control descriptions allowing control requirements to be compared and validated across many standards and regulations. The CSA reference architecture is a set of standard designs, and ISO 27001 and ISO 27002 are standards for managing information security.

Gary has created an application that new staff in his organization are asked to use as part of their training. The application shows them examples of phishing emails and asks the staff members to identify the emails that are suspicious and why. Correct answers receive points, and incorrect answers subtract points. What type of user training technique is this?

A. Capture the flag

B. Gamification

C. Phishing campaigns

D. Role-based training

B. Gamification makes training into a game to get more involvement and interest. Scoring points and receiving rewards, either in-game or virtually, can have a significant positive impact on the response to training. Capture-the-flag events focus on techniques like finding hidden information or otherwise obtaining “flags” as part of a contest. Phishing campaigns send fake phishing emails to staff to identify individuals who may fall for them. Role-based training focuses on training specifically for the role or job that an individual has or will have.

What law or regulation requires a DPO in organizations?

A. FISMA

B. COPPA

C. PCI-DSS

D. GDPR

D. The General Data Protection Regulation, or GDPR, requires a data protection officer (DPO). They oversee the organization’s data protection strategy and implementation, and make sure that the organization complies with the GDPR.

The university that Susan works for conducts top secret research for the U.S. Department of Defense as part of a partnership with its engineering school. A recently discovered breach points to the school being compromised for over a year by an advanced persistent threat actor. What consequence of the breach should Susan be most concerned about?

A. Cost to restore operations

B. Fines

C. Identity theft

D. IP theft

D. Although recovering from a breach can be costly, the loss of data like intellectual property in circumstances like these is the most critical issue. The institution is likely to suffer reputational harm and may not be trusted to conduct research like this in the future, leading to an even greater cost to the university’s ability to do new research with the government.

What term is used to describe the functions that need to be continued throughout or resumed as quickly as possible after a disaster?

A. Single points of failure

B. Mission-essential functions

C. Recovery time objectives

D. Core recovery functions

B. Mission-essential functions are defined as those functions that an organization must run throughout a disaster or that must be resumed as quickly as possible after one if they cannot be sustained. They are the core functions of the organization and are key to its success and ongoing existence. A single point of failure (SPOF) is a point where a device, system, or resource can fail and cause an entire function or organization to no longer work. Recovery time objectives (RTOs) are the time allotted to return to normal functionality. Core recovery functions were made up for this question.

Your company is considering moving its mail server to a hosting company. This will help reduce hardware and server administrator costs at the local site. Which of the following documents would formally state the reliability and recourse if the reliability is not met?

A. MOU

B. SLA

C. ISA

D. BPA

B. A SLA (service level agreement) defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area. An MOU (memorandum of understanding) is a legal document that describes a mutual agreement between parties. An ISA (interconnection security agreement) is an agreement that specifies the technical and security requirements of the interconnection between organizations. A BPA (business partnership agreement) is a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners

Rick's organization provides a website that allows users to create an account and then upload their art to share with other users. He is concerned about a breach and wants to properly classify the data for their handling process. What data type is most appropriate for Rick to label the data his organization collects and stores?

A. Customer data

B. PII

C. Financial information

D. Health information

A. Customer data can include any information that a customer uploads, shares, or otherwise places in or creates via a service. Customers may have contractual security guarantees in the terms of service, and notification or other clauses may also impact what Rick needs to do if the data is breached. PII is personally identifiable information like name, address, or other details that can identify a person. Financial information may include bills, account balances, and similar details. Health information covers a broad range of data about an individual’s medical and health status or history.

Jack is conducting a risk assessment, and a staff member notes that the company has specialized, internal AI algorithms that are part of the company's main product. What risk should Jack identify as most likely to impact those algorithms?

A. External

B. Internal

C. IP theft

D. Licensing

C. Theft of proprietary information like a formula or code is an example of intellectual property (IP) theft. IP theft can be harder to quantify the cost of a loss in many cases but can have significant impact to an organization that relies on the IP for their business. External risk is risk created by factors outside the organization, internal risk is created by the organization itself or its decisions, and licensing risk exists through software and other contracts.

Dan has written a policy that prohibits employees from sharing their passwords with their coworkers, family members, or others. What type of credential policy has he created?

A. Device credential policy

B. Personnel credential policy

C. A service account policy

D. An administrative account policy

B. This is an example of a personnel credential policy since it applies to the staff who are employed by his organization. Policies like this help to ensure that accounts are not shared or reused. There is no mention of specific devices, service accounts, or administrative accounts.

Risk severity is calculated using the equation shown here. What information should be substituted for X? Risk severity = X \* Impact

A. Inherent risk

B. MTTR (mean time to repair)

C. Likelihood of occurrence

D. RTO (recovery time objective)

C. The likelihood of occurrence, or probability, is multiplied by the impact to determine a risk’s severity.

How is asset value determined?

A. The original cost of the item

B. The depreciated cost of the item

C. The cost to replace the item

D. Any of the above based on organizational preference

D. Organizations can determine how they want to determine asset value, but consistency is important in many cases. Thus, the original cost, the replacement cost, or a depreciated cost may be used.

What process is used to help identify critical systems?

A. A BIA

B. An MTBF

C. An RTO

D. An ICD

A. A business impact analysis (BIA) helps to identify critical systems by determining which systems will create the largest impact if they are not available. MTBF is the mean time between failures, an RTO is a recovery time objective, and an ICD was made up for this question.

Zarmeena wants to transfer the risk for breaches to another organization. Which of the following options should she use to transfer the risk?

A. Explain to her management that breaches will occur.

B. Blame future breaches on competitors.

C. Sell her organization's data to another organization.

D. Purchase cybersecurity insurance.

D. The most common means of transferring breach risk is to purchase cybersecurity insurance. Accepting breaches is rarely considered a valid risk process, blaming breaches on competitors does not actually transfer risk, and selling data to another organization is not a risk handling process but may be a business process.

Which of the following is a common security policy for service accounts?

A. Limiting login hours

B. Prohibiting interactive logins

C. Limiting login locations

D. Implementing frequent password expiration

B. Service accounts are not typically allowed to use interactive logins, and thus prohibiting interactive logins is a common security policy for them. Limited login hours or locations are more commonly used for employee accounts when they should not be accessing resources after hours or from nonwork locations. Frequent password expiration for service accounts is actually likely to cause a service outage, and many service accounts have complex passwords and are set with longer password expiration timeframes or are set to never expire.

The financial cost of a breach is an example of what component of risk calculations?

A. Probability

B. Risk severity

C. Impact

D. All of the above

C. The cost of a breach is an example of the impact of a breach. Probability is how likely the risk is to occur, and risk severity is calculated by multiplying probability and impact.

As part of his organization's effort to identify a new headquarters location, Sean reviews the Federal Emergency Management Agency (FEMA) flood maps for the potential location he is reviewing. What process related to disaster recovery planning includes actions like this?

A. Business impact analysis (BIA)

B. Site risk assessment

C. Crime prevention through environmental design

D. Business continuity planning

B. Sean is conducting a site risk assessment that will help him understand and communicate the risks that the site itself has. If the location is in a FEMA-identified flood plain, or if there are concerns about tornadoes or other natural disasters, those need to be taken into account as the organization makes its decisions about the location. A BIA identifies mission-critical functions and the systems that support them. Crime prevention through environmental design is a design concept that uses the design of facilities to reduce the likelihood of criminal actions through use of lighting and other controls. Business continuity planning focuses on how to keep an organization operating despite disruptions.

Joanna wants to request an audit report from a vendor she is considering and plans to review the auditor's opinions on the effectiveness of the security and privacy controls the vendor has in place. What type of Standard for Attestation Engagements (SSAE) should she request?

A. SSAE-18 SOC 1, Type 2

B. SSAE-18 SOC 2, Type 1

C. SSAE-18 SOC 1, Type 1

D. SSAE-18 SOC 2, Type 2

D. SOC 2 engagement assesses the security and privacy controls that are in place, and a Type 2 report provides information on the auditor’s assessment of the effectiveness of the controls that are in place. An SOC 1 report assesses the controls that impact the accuracy of financial reporting. Type 1 reports a review auditor’s opinion of the description provided by management about the suitability of the controls as designed. They do not look at the actual operating effectiveness of the controls.

Jason has created a risk register for his organization and regularly updates it with input from managers and senior leadership throughout the organization. What purpose does this serve?

A. It decreases inherent risk.

B. It increases risk awareness.

C. It decreases residual risk.

D. It increases risk appetite.

B. Ensuring that leadership throughout an organization is aware of the risks the organization faces and that they are regularly updating and providing feedback on those risks helps increase risk awareness. Inherent risk is risk that exists before controls are in place, and residual risk is risk that remains after controls are in place. Risk appetite is the risk that an organization is willing to take as part of doing business.

Laura is aware that her state has laws that guide her organization in the event of a breach of personally identifiable information, including Social Security numbers (SSNs). If she has a breach that involves SSNs, what action is she likely to have to take based on state law?

A. Destroy all Social Security numbers. B. Reclassify all impacted data.

C. Provide public notification of the breach.

D. Provide a data minimization plan.

C. State laws often include breach notification thresholds and requirements that organizations must follow. Laura should ensure that she is both aware of the breach laws for her state and any other states or countries her company operates in, and that her incident response plans have appropriate processes in place if a breach occurs. Organizations that process data like SSNs are unlikely to delete them even if a breach occurs, reclassifying data would not help unless the data was improperly classified before the breach, and data minimization plans are used to limit how much data an organization has, not to respond to a breach directly.

Which of the following does not minimize security breaches committed by internal employees?

A. Job rotation

B. Separation of duties

C. Nondisclosure agreements signed by employees

D. Mandatory vacations

C. Nondisclosure agreements (NDAs) are signed by an employee at the time of hiring, and they impose a contractual obligation on employees to maintain the confidentiality of information. Disclosure of information can lead to legal ramifications and penalties. NDAs cannot ensure a decrease in security breaches. A job rotation policy is the practice of moving employees between different tasks to promote experience and variety. Separation of ties has more than one person required to complete a task. Mandatory vacation policy is used by companies to detect fraud by having a second person, familiar with the duties, help discover any illicit activities.

Olivia's cloud service provider claims to provide “five nines of uptime” and Olivia's company wants to take advantage of that service because their website loses thousands of dollars every hour that it is down. What business agreement can Oliva put in place to help ensure that the reliability that the vendor advertises is maintained?

A. An MOU

B. An SLA

C. An MSA

D. A BPA

B. Olivia should establish a service level agreement (SLA) with her provider to ensure that they meet the expected level of service. If they don’t, financial or other penalties are typically included. Olivia should ensure that those penalties are meaningful to her vendor to make sure they are motivated to meet the SLA. An MOU is a memorandum of understanding and explains the relationship between two organizations; an MSA is a master services agreement, which establishes a business relationship under which additional work orders or other documentation describe the actual work that is done; and a BPA is a business partnership agreement, which is used when companies wish to partner on efforts and may outline division of profits or responsibilities in the partnership.