Vlad’s organization recently underwent a security audit that resulted in a finding that the
organization fails to promptly remove the accounts associated with users who have left
the organization. This resulted in at least one security incident where a terminated user
logged into a corporate system and took sensitive information. What identity and access
management control would best protect against this risk?
A. Automated deprovisioning
B. Quarterly user account reviews
C. Separation of duties
D. Two-person control

Suki’s organization has a policy that restricts them from doing any business with any customer
that would subject them to the terms of the General Data Protection Regulation
(GDPR). Which one of the following controls would best help them achieve this objective?
A. Encryption
B. Tokenization
C. Geographic access requirements
D. Data sovereignty

Which one of the following is not one of the five core security functions defined by the
NIST Cybersecurity Framework?
A. Respond
B. Recover
C. Protect
D. Review

After conducting a security review, Oskar determined that his organization is not conducting
regular backups of critical data. What term best describes the type of control gap that
exists in Oskar’s organization?
A. Preventive
B. Corrective
C. Detective
D. Deterrent

Mike’s organization adopted the COBIT standard, and Mike would like to find a way to
measure their progress toward implementation. Which one of the following COBIT components
is useful as an assessment tool?
A. Process descriptions
B. Control objectives
C. Management guideline
D. Maturity models

Dan is the chief information security officer (CISO) for a bank in the United States. What
law most directly governs the personal customer information that his bank handles?
A. HIPAA
B. PCI DSS
C. GLBA
D. SOX

Tina is preparing for a penetration test and is working with a new vendor. She wants to
make sure that the vendor understands exactly what technical activities are permitted
within the scope of the test. Where should she document these requirements?
A. MOA
B. Contract
C. RoE
D. SLA

Azra is reviewing a draft of the Domer Doodads information security policy and finds that
it contains the following statements. Which one of these statements would be more appropriately
placed in a different document?
A. Domer Doodads designates the Chief Information Security Officer as the individual
with primary responsibility for information security.
B. The Chief Information Security Officer is granted the authority to create specific
requirements that implement this policy.
C. All access to financial systems must use multifactor authentication for remote
connections.
D. Domer Doodads considers cybersecurity and compliance to be of critical importance to
the business.

Ben is conducting an assessment of an organization’s cybersecurity program using the NIST
Cybersecurity Framework. He is specifically interested in the organization’s external participation
and determines that the organization has a good understanding of how it relates to
customers on cybersecurity matters but does not yet have a good understanding of similar
relationships with suppliers. What tier rating is appropriate for this measure?
A. Partial
B. Risk Informed
C. Repeatable
D. Adaptive

What is the SLE for this scenario?
A. $625
B. $6,250
C. $7,500
D. $75,000

Piper’s organization handles credit card information and is, therefore, subject to the
Payment Card Industry Data Security Standard (PCI DSS). What term best describes
this standard?
A. Prescriptive
B. Minimal
C. Optional
D. Risk-based

When Piper implements this new isolation technology, what type of risk management action
is she taking?
A. Risk acceptance
B. Risk avoidance
C. Risk transference
D. Risk mitigation

Ruth is helping a business leader determine the appropriate individuals to consult about
sharing information with a third-party organization. Which one of the following policies
would likely contain the most relevant guidance for her?
A. Data retention policy
B. Information security policy
C. Data validation policy
D. Data ownership policy

Ryan is compiling a list of allowable encryption algorithms for use in his organization.
What type of document would be most appropriate for this list?
A. Policy
B. Standard
C. Guideline
D. Procedure

Julie is refreshing her organization’s cybersecurity program using the NIST Cybersecurity
Framework. She would like to use a template that describes how a specific organization
might approach cybersecurity matters. What element of the NIST Cybersecurity
Framework would best meet Julie’s needs?
A. Framework Scenarios
B. Framework Core
C. Framework Implementation Tiers
D. Framework Profiles

During the design of an identity and access management authorization scheme, Katie
took steps to ensure that members of the security team who can approve database access
requests do not have access to the database themselves. What security principle is Katie
most directly enforcing?
A. Least privilege
B. Separation of duties
C. Dual control
D. Security through obscurity

Which one of the following controls is useful to both facilitate the continuity of operations
and serve as a deterrent to fraud?
A. Succession planning
B. Dual control
C. Cross-training
D. Separation of duties

Which one of the following elements is least likely to be found in a data retention policy?
A. Minimum retention period for data
B. Maximum retention period for data
C. Description of information to retain
D. Classification of information elements