QUESTION 1
Which of the following is not a step that would be performed in a vulnerability assessment?
a. Apply security controls
b. Testing the system for vulnerabilities, using a tool such as Nessus
c. Review of security documentation
d. Perform personnel interviews
QUESTION 2
Which of the following is not a source of historical data you can use to identify IT threats in your organization?
a. Software failures
b. The number of times that a virus necessitated downtime to clean the system
c. Number of times the hospital was sued for malpractice
d. Equipment failures
QUESTION 3
Purchasing cybersecurity insurance would be considered which of the following risk management techniques?
a. Mitigation
b. Acceptance
c. Share or Transfer
d. Avoidance
QUESTION 4
Which of the following documents contains the 18 security control families that Federal agencies are required to implement?
a. SP 800-61
b. SP 800-37
c. SP 800-30
d. SP 800-53
QUESTION 5
Which of the following is not a primary control objective?
a. Prevent
b. Report
c. Detect
d. Recover
QUESTION 6
Exploit assessments start with a vulnerability assessment and attempt to actually simulate the attack to determine if it could be successful.
True
False
QUESTION 7
This regulation applies to how institutions handle the privacy of your student records at the University.
a. CIPA
b. HIPAA
c. GLBA
d. FERPA
QUESTION 8
Discuss some of the roles that would participate in risk management, and describe some of their responsibilities. -- 5 points
QUESTION 9
Which of the following is an example of an intangible asset?
a. Server software
b. Sales database
c. Server hardware
d. Good will or the branding that is associated with a well-liked product
QUESTION 10
An organization must post a critical report every 24 hours, or else they will be fined for non-compliance. To which of the following disaster recovery considerations does this apply?
a. MTTF
b. MTBF
c. RPO
d. RTO
QUESTION 11
Which of the following is not an indicator that a DDoS is occurring?
a. Unexplained connection losses
b. Unusually high traffic
c. Unusual file names are found on the server
d. Intrusion detection system alerts
QUESTION 12
If a hacker hacks into a hospital and changes a patient's blood type on his patient healthcare record, which of the following security services was the one that was principally violated?
a. Integrity
b. Authentication
c. Confidentiality
d. Availability
QUESTION 13
A/an __________ is the possibility that the company will incur a loss.
a. Threat
b. Risk
c. Vulnerability
d. Exploit
QUESTION 14
Which of the following is the first step to performing threat modeling?
a. Risk Assessment
b. Identify threats
c. Asset identification
d. Vulnerability Assessment
QUESTION 15
A document created with the risk assessment, used to track vulnerabilities and the application of security countermeasures and their timelines.
a. POA&M
b. Gantt Chart
c. BIA
d. Critical Path
QUESTION 16
Which of the following best describes the purpose of a risk mitigation plan?
a. To reduce threats
b. To identify and implement security controls
c. To ensure compliance to regulations
d. Provide verification of a risk assessment
QUESTION 17
HIPAA fines can be as high as ___________ a year.
a. $75,000
b. $25,000
c. $50,000
d. $250,000
QUESTION 18
The area inside the firewall is considered to be the
a. Secured Domain
b. User Domain
c. LAN Domain
d. Workstation Domain
QUESTION 19
Which of the following is not a step in creating a Contingency Plan?
a. Create a plan for testing and training on the Contingency Plan
b. Conduct a BIA
c. Perform a Cost-Benefit Analysis
d. Create contingency strategies
QUESTION 20
NIST's Special Publication 800-30 describes what?
a. Maturity levels associated with CMMI
b. A framework of good practices
c. How to perform a risk assessment.
d. Certification and accreditation practices
QUESTION 21
Which of the following is not a U.S. Government risk management initiative or program?
a. MITRE's CVE List
b. DHS NCCIC
c. US-CERT
d. ITIL
QUESTION 22
Which of the following would be the best solution for an organization that has critical availability requirements, such that it could not afford any amount of downtime?
a. Redundant backup site
b. Cold site
c. Hot site
d. Warm site
QUESTION 23
Sri has determined that the impact to the business from a failure of the database server would be $50,000. He calculates that this could happen at least once every two years. As an option, he could implement a CDP solution at a cost of $30,000 per year. Which of the following makes the most sense as a risk strategy?
a. Accept the risk and don't do anything, as it is less expensive than the proposed control.
b. Install the CDP solution.
c. Avoid using the server until a solution can be found.
d. Find a new job because they are just going to blame him anyway when it fails.
QUESTION 24
Which of the following would be used to identify that a server has not had any patches installed for 6 months, making it susceptible to a buffer overflow and other attacks?
a. Vulnerability assessment
b. Threat assessment
c. Business Impact Assessment
d. Risk assessment
QUESTION 25
What are valid contents of a risk management plan?
a. POA&M
b. Scope
c. Recommendations
d. Objectives
e. All of the above
QUESTION 26
A policy that has been implemented that requires two different individuals to perform different functions. An example is with a Certificate Authority that issues digital certificates, where one role can only identity-proof the person requesting the certificate and issue a request, and a different person can actually issue the digital certificate.
a. Separation of Duties
b. Acceptable Use
c. Job Rotation
d. Need to Know
QUESTION 27
You are a very small company that sells healthcare insurance plans. You estimate that the breach of your customer database will cost you $100,000, and that this might happen once in 5 years. A vendor wants to sell you a Data Loss Prevention (DLP) solution that would cost $30,000 per year. Which of the following is the best course of action?
a. Spend $25,000 on cyber insurance to transfer the risk
b. Spend the $30,000 to mitigate the risk
c. Accept the risk
d. Spend whatever it takes to ensure that this data is safe. It's sensitive data, after all!
QUESTION 28
Which of the following would be the recommended control to counter piggybacking?
a. turnstiles or mantrap
b. badges and PINs
c. guards
d. bollards
QUESTION 29
The amount of money that a negative event will cost us, each time that it occurs.
a. Annualized Rate of Occurrence (ARO)
b. Annual Loss Expectancy (ALE)
c. Single Loss Expectancy (SLE)
d. Exposure Factor (EF)
QUESTION 30
The impact of the risk, if it happens, for every instance that it happens, is the:
a. SLE (Single Loss Expectancy)
b. ALE (Annualized Loss Expectancy)
c. ARO (Annualized Rate of Occurrence)
d. EF (Exposure Factor)
QUESTION 31
A hurricane has forced you to move operations to your alternate site for several months while the building was being repaired. You are moving back now to the original production facility. Which is the best strategy?
a. Move the most critical business functions first
b. Move non-mission critical personnel back first
c. Move least critical business functions back first
d. Move mission-critical personnel back first
QUESTION 32
An attack in which a switch is overwhelmed with spoofed frames such that it fails open and acts like a hub is known as a switch replay attack.
True
False
QUESTION 33
This Act applies only to federal government agencies, establishing expectations for their security programs.
a. GLBA
b. FISMA
c. CIPA
d. FERPA
QUESTION 34
The act of taking advantage of a weakness within a system to gain unauthorized access is best described as a/an:
a. risk
b. vulnerability
c. exploit
d. threat
QUESTION 35
An organization has a large database they use to record web transactions. They have determined that the loss of more than 8 hours' worth of data would be catastrophic for them, so they need to ensure that backups run every 8 hours. To which of the following disaster recovery considerations does this apply?
a. RTO
b. MTTF
c. MTBF
d. RPO
QUESTION 36
In which phase of a CIRT plan (IRP) would you find the steps to quarantine a virus to prevent its spread to other systems?
a. Eradication
b. Detection and Analysis
c. Preparation
d. Containment