1. Which of the following is a type of risk mitigation security control?

1. Out-place controls
2. Unplanned controls
3. Planned controls
4. Ad-hoc controls

2. An organization is checking servers to ensure that unneeded services are disabled. What type of control is this?

1. Corrective
2. Detective
3. Preventive
4. Required

3. An organization is implementing an intrusion detection system. What type of control is this?

1. Corrective
2. Detective
3. Preventive
4. Required

4. An organization has created a comprehensive backup plan. What type of control is this?

1. Corrective
2. Detective
3. Preventive
4. Required

5. Which of the following is an example of an administrative control?

1. Policies and procedures
2. Financial records
3. System testing
4. Audit

6. What is required to ensure that employees are aware of security standards within an organization?

1. Awareness training
2. Technical controls
3. Background checks
4. Security policy

7. An unauthorized user has gained access to data and viewed it. What has been lost?

1. Confidentiality
2. Availability
3. Integrity
4. Non-repudiation

8. Which of the following best describes the keys used with asymmetric encryption techniques?

1. 40-bit kit keys used for encryption and decryption
2. Two keys known as a public key and a private key
3. Two keys known as AES keys
4. Two keys with asymmetric bit sizes

9. Which of the following is used for identification and can be used for encryption?

1. Certificate
2. Certificate authority
3. Digital signature
4. Encryption key

10. What is used to encrypt a digital signature?

1. Sender’s public key
2. Sender’s private key
3. Recipient’s public key
4. Recipient’s private key

11. Risk mitigation planning starts with which of the following?

1. Asset inventory
2. Funding meeting
3. Asset valuation
4. Risk status

12. Which of the following is not a valid consideration when planning risk mitigation?

1. Potential loss of availability
2. Potential loss of confidentiality
3. Potential loss of costs
4. Potential loss of integrity

13. Identifying the criticality of business operations is a step in which of the following processes?

1. Risk assessment
2. Calculation of risk value
3. Business impact analysis
4. Cost-benefit analysis

14. Which among the following determines the acceptable downtimes for critical business functions, processes, and IT service in a business impact analysis?

1. Recovery time objective
2. Disaster recovery plan
3. Risk plan
4. MAO

15. In a business impact analysis, the loss of immediate sales and cash flow is an example of which of the following?

1. Hidden costs
2. Cost of doing business in a risky environment
3. Direct cost
4. Indirect cost

16. Which of the following documents identifies an expected level of performance between organizations?

1. Operational level agreement (OLA)
2. Service level agreements (SLA)
3. Shared Access agreement (SAA)
4. All options are incorrect

17. Of the following choices, what represents a function that is critical to an organization? If this fails, the organization will lose the ability to perform essential operations.

1. Business impact analysis
2. Business continuity plan
3. Critical success factor
4. Critical business function

18. What device can filter Web page requests from users and only allow access to specific Web sites?

1. Firewall
2. Router
3. Proxy server
4. Spam filter

19. Which of the following is a valid goal of a control or countermeasure?

1. Eliminate risk
2. Eliminate threats
3. Eliminate vulnerabilities
4. Reduce a vulnerability to an acceptable level

20. Which of the following formulas can you use to determine the projected benefits of a control?

1. R = T x V
2. Loss before control – loss after control
3. Loss after control – loss before control
4. CBA – ROI