# Security and Risk Management

Source: https://chercher.tech/cissp-certification/cissp-security-management
What is the ISO 27002 standard focused on?
Options are :

ITSM.

Protecting PHI.

Risk management.

HIPAA.
Explanation ISO 27002: (From BS 7799, 1/2, ISO 17799) Provides practical advice on
how to implement security controls. It has 10 domains it uses for ITSM.
As part of our risk management, we are working on quantitative risk analysis. Select all the terms
we would use in this phase:
Options are :

Asset Value (AV)

Future Growth Potential (FGP)

Risk Analysis Matrix (RAM)

Exposure factor (EF)

Annualized Loss Expectancy (ALE)
Answer : Asset Value (AV), Exposure factor (EF), Annualized Loss Expectancy (ALE)
Explanation Quantitative Risk Analysis – We want exactly enough security for our
needs. This is where we put a number on that. We find the asset’s value: How much of it
is compromised, how much one incident will cost, how often the incident occurs and
how much that is per year. Asset Value (AV) – How much is the asset worth? Exposure
factor (EF) – Percentage of Asset Value lost? Single Loss Expectancy (SLE) – (AV x EF) –
What does it cost if it happens once? Annual Rate of Occurrence (ARO) – How often will
this happen each year? Annualized Loss Expectancy (ALE) – This is what it costs per year
if we do nothing.
We are in a court of law and we are presenting real evidence. What constitutes real evidence?
Options are :

The data on our hard drives.

Something you personally saw or witnessed.

Tangible and physical objects.

Logs, audit trails and other data from the time of the attack.
Answer : Tangible and physical objects.
Explanation Real Evidence is tangible and physical objects, in IT Security it is things like
hard disks, USB drives and not the data on them.
What was the intent of the US Electronic Communications Privacy Act of 1986 (ECPA)?
Options are :

To allow search and seizure without immediate disclosure.

To protect electronic communication against warrantless wiretapping.

To protect electronic communication by mandating service providers to use strong
encryption.

To allow law enforcement to use wiretaps without a warrant or oversight.
Answer : To protect electronic communication against warrantless wiretapping.
Explanation The Electronic Communications Privacy Act (ECPA) was designed to protect
electronic communications against warrantless wiretapping, but it was greatly
weakened by the Patriot Act.
Our organization is using least privilege in our user access management. How are our users
assigned privileges?
Options are :

The same privileges as the rest of the group has.

More privileges than they need for their day-to-day job, so they can perform certain tasks
in an emergency.

Exactly the minimum feasible access for the user to perform their job.

Privileges at the data owner's discretion.
Answer : Exactly the minimum feasible access for the user to perform their job.
Explanation Least Privilege, also called "Minimum necessary access": we give our users
and systems exactly the access they need, no more, no less.
When we are performing background checks on our new employees, we would NEVER look at
which of these?
Options are :

References, degrees, criminal records, credit history.

References, degrees, political affiliation, employment history.

References, employment history, criminal records.

Employment history, credit history, references.
Answer : References, degrees, political affiliation, employment history.
Explanation When we hire new staff we often do background checks to ensure we minimize
our risks. We can check: References, Degrees, Employment, Criminal, Credit history
(less common, more costly). We have new staff sign an NDA (Non-Disclosure
Agreement). It is illegal to check or inquire about political preference.
After a security breach, Bob has been asked to ensure evidence integrity. What would he do with
the compromised hard drive?
Options are :

Hash the drive and take a bit level copy, hash the copy drive and they should match, then
work on the bit level copy.

Encrypt the drive, then do his forensics on the original drive and when he is done do a
hash.

Add another drive to the system and copy all he can see on the compromised drive onto
the new drive and then do his analysis on the new drive.

Pull the drive from the system, format it and reinsert it into another production server.
Answer : Hash the drive and take a bit level copy, hash the copy drive and they should
match, then work on the bit level copy.
Explanation Evidence Integrity – It is vital that the evidence’s integrity cannot be
questioned. We do this with hashes; any forensics is done on copies and never the
originals. We make a bit level copy of the original, hash it, and the copy should match.
We do another hash after the forensics, and that should be the same as the prior two.
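The procedure in the explanation above (hash the original, take a bit-level copy, confirm the copy's hash matches, work only on the copy, and re-hash after the analysis), as an added Python example that is not part of the original page. The "drive" is a constructed byte string standing in for a disk image, and the function and record names are the editor's own, not from any forensics tool.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the raw contents of the compromised drive.
# A real acquisition would read the block device or an image file instead.
ORIGINAL_DRIVE = (b"MBR\x00"
                  + b"user@example.invalid: suspicious login 03:12\n" * 4
                  + b"\x00" * 64)


def sha256_hex(data: bytes) -> str:
    """Hash the full byte contents; the same digest must reappear at every later check."""
    return hashlib.sha256(data).hexdigest()


def bit_level_copy(original: bytes) -> bytearray:
    """Bit-for-bit duplicate (mutable, so we can model an analyst's workstation touching it)."""
    return bytearray(original)


@dataclass
class EvidenceRecord:
    """Minimal chain-of-custody record: one hash per step, as the explanation describes."""
    original_hash: str
    copy_hash: str
    post_analysis_hash: Optional[str] = None

    def acquisition_ok(self) -> bool:
        return self.original_hash == self.copy_hash

    def post_analysis_ok(self) -> bool:
        return (self.post_analysis_hash is not None
                and self.post_analysis_hash == self.original_hash)


def acquire(original: bytes) -> Tuple[EvidenceRecord, bytearray]:
    """Hash the original, image it, hash the image. All later work happens on the image."""
    record = EvidenceRecord(original_hash=sha256_hex(original), copy_hash="")
    working_copy = bit_level_copy(original)
    record.copy_hash = sha256_hex(working_copy)
    if not record.acquisition_ok():
        raise RuntimeError("imaging produced a copy that does not match the original")
    return record, working_copy


def analyse(working_copy: bytes) -> int:
    """Read-only examination of the copy: here, count records mentioning a suspicious login."""
    return working_copy.count(b"suspicious login")


def finish_analysis(record: EvidenceRecord, working_copy: bytes) -> bool:
    """Hash again after the forensics; it must equal the two earlier hashes."""
    record.post_analysis_hash = sha256_hex(working_copy)
    return record.post_analysis_ok()


def run_case(tamper: bool = False) -> Tuple[int, bool]:
    """Whole workflow. tamper=True models a write to the copy during analysis,
    which a correctly kept record must flag as an integrity failure."""
    record, copy = acquire(ORIGINAL_DRIVE)
    findings = analyse(copy)
    if tamper:
        copy[0:3] = b"XXX"  # any write to the working copy breaks the hash chain
    return findings, finish_analysis(record, copy)


if __name__ == "__main__":
    print(run_case())             # (4, True)
    print(run_case(tamper=True))  # (4, False)
```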
Which of these hackers would you hire to do penetration testing?
Options are :

Black hat hacker.

Gray hat hacker.

Script kiddie.

White hat hacker.
Explanation White Hat hackers: Professional Pen Testers trying to find flaws so we can
fix it (Ethical Hackers). Black Hat hackers: Malicious hackers, trying to find flaws to
exploit them (Crackers – they crack the code). Gray/Grey Hat hackers: They are
somewhere between the white and black hats, they go looking for vulnerable code,
systems or products. They often just publicize the vulnerability (which can lead to black
hats using it before a patch is developed). Gray hats sometimes also approach the
company with the vulnerability and ask them to fix it and if nothing happens they
publish. Script Kiddies: They have little or no coding knowledge, but many sophisticated
hacking tools are available and easy to use. They pose a very real threat. They are just as
dangerous as skilled hackers; they often have no clue what they are doing.
When the patriot act was signed into law in 2001, it allowed law enforcement to do what?
Options are :

Allows search and seizure without immediate disclosure.

Protect electronic communication against warrantless wiretapping.

Protect electronic communication by mandating service providers to use strong
encryption.

Allow law enforcement to use wiretaps without a warrant or oversight.
Answer : Allows search and seizure without immediate disclosure.
Explanation PATRIOT Act of 2001: Expands law enforcement electronic monitoring
capabilities. Allows search and seizure without immediate disclosure.
We are implementing biometric authentication. What would be a good reason to do that?
Options are :

It is easy to copy.

People can easily change their biometrics.

It rarely changes.

It is much cheaper than knowledge factors.
Explanation Biometric features rarely change unless we have a serious accident. It is
more difficult to copy, people can't change them unless they get surgery and it is
normally more expensive than possession or knowledge factors.
Those acting under "the color of law" can act on an exigent circumstance. What would constitute
exigent circumstances?
Options are :

Potential threat to data or human life in the future.

An unpatched vulnerability on our systems, attackers have no way of exploiting.

Immediate threat to human life or of evidence destruction.

An outside circumstance which does not pose any threat to life or data.
Answer : Immediate threat to human life or of evidence destruction.
Explanation Exigent circumstances apply if there is an immediate threat to human life
or of evidence destruction. This will later be decided by a court if it was justified. Only
applies to law enforcement and those operating under the "color of law" – Title 18
U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.
For access control management, which of these is considered something you have?
Options are :

Fingerprint.



PIN.
Explanation Things in your possession, not things you know (knowledge factor) or
something you are (biometrics).
As part of improving the security posture of our organization we have added multifactor
authentication. Which of these pairs does NOT constitute multifactor authentication?
Options are :


PIN and credit card.

Fingerprint and PIN.

Explanation Multifactor authentication uses authentication from more than one factor
(something you know, are or have). Passwords and usernames are not multifactor, they
are both knowledge factors.
Which type of security governance and management would we want to see in our organization?
Options are :

Bottom-up.

Top-down.


Agile.
Explanation We always want top-down security governance and management, we want
senior leadership on our side. Top-Down: IT leadership is on board with IT Security,
they lead and set the direction. Bottom-Up: IT Security is seen as a nuisance and not a
helper, often change when breaches happen.
When someone is typosquatting, what are they doing?
Options are :

Always illegal.

Potentially illegal.

Legal.

Never profitable.
Explanation Typosquatting – Buying a URL that is VERY close to a real website name
(can be illegal in certain circumstances).
With the CIA triad in mind, if we have too much confidentiality which other control will suffer the
MOST?
Options are :

Availability.

Integrity.

Accountability.

Authentication.
Explanation Finding the right mix of Confidentiality, Integrity and Availability is a
balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for
your organization. Too much Confidentiality and the Availability can suffer.
We are asked to help design the policies for our organization in regarding to PHI. What is that?
Options are :

Personal Health Information.

Protected Human Interactions.

Procured Hospital Information.

Personal Heuristic Information.
Explanation PHI is the abbreviation for Personal Health Information.
One of your coworkers is telling you about our new policies for PII. What is she referring to?
Options are :

Professional Information Identifiers.

Personally Identifiable Information.

Personality Indicator Information.

Personally Information Indicators.
Explanation PII is the abbreviation for Personally Identifiable Information.
Which industry is the US Gramm-Leach-Bliley Act (GLBA) focused on?
Options are :

Healthcare.

Aerospace.

Online stores.

Financial.
Explanation Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by
the Federal Financial Institutions Examination Council (FFIEC); enforced by member
agencies, OCC, FDIC, FRB, NCUA, and CFPB. Enacted in 1999, requires protection of the
confidentiality and integrity of consumer financial information.
Which is NOT one of the (ISC)² ethics canons?
Options are :

Protect society, the common good, necessary public trust and confidence, and the
infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Think about the social consequences of the program you are writing or the system you are
designing.
Answer : Think about the social consequences of the program you are writing or the
system you are designing.
Explanation ISC2 Code of Ethics Canons: Protect society, the common good, necessary
public trust and confidence, and the infrastructure. Act honorably, honestly, justly,
responsibly, and legally. Provide diligent and competent service to principals. Advance
and protect the profession.
Which type of phishing attack is it when an attacker uses phone calls to try to get access to our
sensitive data?
Options are :

Spear phishing.

Whale phishing.

Phishing.

Vishing.
Explanation Vishing (Voice Phishing): Attacks over automated VOIP (Voice over IP)
systems, bulk spam similar to Phishing. These are: "Your taxes are due", "Your
account is locked" or "Enter your PII to prevent this" types of calls.
By implementing a layered defense strategy across our organization, what do we improve?
Options are :

Availability.

Integrity.

Confidentiality.

All of these.
Explanation Defense in Depth – Also called Layered Defense or Onion Defense. We
implement multiple overlapping security controls to protect an asset. By implementing
Defense in Depth you improve your organization's Confidentiality, Integrity and
Availability.
When you sign the (ISC)² code of ethics prior to taking the exam, what do you NOT promise to
protect?
Options are :

Society.


Infrastructure.

The common good.
Explanation While your organization is important, it is not part of the ISC2 code of
ethics. The common good, infrastructure and society are.
Who will ULTIMATELY determine if the evidence we present was obtained legally?
Options are :

The police.

The lawyers.

Senior management.

The courts.
Explanation The court will determine if evidence was obtained legally. If not, it is
When we are talking about the governance part of our organization, who are we referring to?
Options are :

Middle management.

The users.

Senior management.

Explanation The senior leadership in our organization sets the company direction and
clarifies when there are questions. They are the governing body, although they can at
times be doing so under the directions of the board.
Who is the person leading our organization?
Options are :

CFO.

CTO.

CEO.

CIO.
Explanation The CEO (Chief Executive Officer) is the head of the senior executives.
If we want to implement governance standards and control frameworks focused on internal
risk analysis, which of these could we implement?
Options are :

COBIT.

ITIL.

COSO.

FRAP
Explanation FRAP (Facilitated Risk Analysis Process) analyses one business unit,
application or system at a time in a roundtable brainstorm with internal employees.
Impact analyzed, Threats and Risks Prioritized.
In our organization we have a lot of policies, procedures, standards, and guidelines we use to make
our decisions. Which of them is non-mandatory?
Options are :

Policies.

Procedures.

Standards.

Guidelines.
Explanation Guidelines – non-Mandatory. Recommendations, discretionary –
suggestions on how you could do it.
Which of these could be something we use to help us protect our data's confidentiality?
Options are :

Hashes.

Multifactor authentication.

Redundant hardware.

Redundant software
Explanation To ensure confidentiality we can use strong passwords, multi factor
authentication, masking, access control, need-to-know, least privilege and many other
factors.
Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health
Insurance Portability and Accountability Act) if they operate in the United States. Which of these
are rules they MUST follow? (Select all that apply).
Options are :


Encryption rule.

Disclosure rule.

Security rule.

Privacy rule.
Explanation HIPAA puts strict privacy and security rules on how PHI (Personal Health
Information) is handled by health insurers, providers and clearing house agencies
(claims). HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards. Security Breach
Notification Laws: NOT Federal, 48 states have individual laws, know the one for your
state (none in Alabama and South Dakota). They normally require organizations to
inform anyone who had their PII compromised. Many have an encryption clause: lost
encrypted data may not require disclosure.
When an attacker is attacking our encryption, they are MOSTLY targeting which leg of the CIA triad?
Options are :

Authentication.

Confidentiality.

Availability.

Integrity.
Explanation To ensure confidentiality we use encryption for data at rest (for instance
AES256, full disk encryption) and secure transport protocols for data in motion (SSL, TLS
or IPSEC). There are many attacks against encryption; it is almost always easier to steal
the key than to break the encryption, and breaking it is done with cryptanalysis.
When authenticating against our access control systems, you present your ID. Which type of
authentication are you using?
Options are :

A possession factor.

A knowledge factor.

A biometric factor.

A location factor.
Explanation Something you have - Type 2 Authentication: ID, passport, smart card,
token, cookie on PC, these are called Possession factors. The subject uses these to
authenticate their identity, if they have the item, they must be who they say they are.
In the IAAA model, which of these is NOT one of the A's?
Options are :

Authentication.

Alteration.

Authorization.

Accountability.
Explanation IAAA is Identification and Authentication, Authorization and
Accountability. Alteration is the opposite of integrity from the CIA triad.
We often use the IAAA model in IT security, but what does it do?
Options are :

Provide a framework where we authorize, identify and authenticate our users and hold
accountable for their actions.

Provide a framework where we provide integrity, authenticate, authorize our users and
hold accountable for their actions.

Provide a framework where we identify, authenticate, authorize our users and make sure
the data they need is available.

Provide a framework where we identify, authenticate, give users access dependent on
their job title.
Answer : Provide a framework where we authorize, identify and authenticate our users
and hold accountable for their actions.
Explanation IAAA is Identification and Authentication, Authorization and
Accountability, we identify our staff, have them authenticate, authorize them to access
what they are permitted and hold them accountable for their actions.
During a security breach, one of our honeypots was used for a downstream attack on a rival
business. The competitor lost over $200,000 in revenue from the attack. Who is ULTIMATELY
liable?
Options are :

The IT security team.

Middle management.

Whomever deployed the honeypot.

Senior management.
Explanation C-Level executives (senior leadership) are ultimately liable. This does not
mean no one else is liable; if other people involved did not perform due care and
due diligence they may be liable as well, but the question asked who is ultimately liable.
We are in a court where the proof must be "More likely than not". Which court are we in?
Options are :

Criminal court.

Civil court.


Probation court.
Explanation Administrative Law (Regulatory Law): Laws enacted by Government
Agencies (FDA Laws, HIPAA, FAA Laws etc.) Proof "More likely than not".
During a security incident you see something that is usable in court. This constitutes which type of
evidence?
Options are :

Real evidence.

Direct evidence.

Secondary evidence.

Circumstantial evidence.
Explanation Direct Evidence: Testimony from a first hand witness, what they
experienced with their 5 senses.
Which of these is something that is COMMONLY trademarked?
Options are :

Software.

Logos.

Inventions.

Public domain (CC0) photos.
slogans, etc. Must be registered, is valid for 10 years at a time, can be renewed
indefinitely.
What would be one of the security concerns we would need to address in a divestiture?
Options are :

Who gets the IT Infrastructure?

How do we ensure their security standards are high enough?

Security is part of the SLA.

All of these.
Answer : Who gets the IT Infrastructure?
Explanation Divestitures: Your organization is being split up. How do you ensure no
data crosses boundaries it shouldn't? Who gets the IT Infrastructure?
Within our organization, it is important that we have a layered defense strategy. Which of these
would be an example of a recovery access control?
Options are :

Encryption.

Alarms

Backups.

Patches.
Explanation Recovery: Controls that help us recover after an attack – DR Environment,
Backups, HA Environments.
In our risk analysis, we are looking at the total risk of a vulnerability. What would we look at to
find the total risk?
Options are :

Threat + vulnerability.

Threat * vulnerability.

Threat * vulnerability * asset value.

(threat * vulnerability * asset value) - countermeasures.
Answer : Threat * vulnerability * asset value.
Explanation Total Risk = Threat * Vulnerability * Asset Value.
We are looking at the different classifications for access controls. Which of these is a type of
detective access control?
Options are :

Encryption.

Backups.

Patches.

Intrusion detection systems.
Explanation IDSs (Intrusion Detection Systems) on our network capture and alert on
traffic seen as malicious. They can be categorized into 2 types and with 2 different
approaches to identifying malicious traffic. Network based, placed on a network
segment (a switch port in promiscuous mode). Host based, on a client, normally a server
or workstation. Signature (Pattern) matching, similar to antivirus, matches traffic
against a long list of known malicious traffic patterns. Heuristic (Behavioral) based uses
a normal traffic pattern baseline to monitor for abnormal traffic.
Looking at the governance of our organization, our standards could be described by which of
these?
Options are :

Non-specific, but can contain patches, updates, strong encryption.

Specific: all laptops are W10, 64-bit, 8GB memory.

Low level step-by-step guides.

Recommendations.
Answer : Specific: all laptops are W10, 64-bit, 8GB memory.
Explanation Standards – Mandatory. Describes a specific use of technology (All laptops
are W10, 64-bit, 8GB memory, etc.)
In our quantitative risk analysis, we are looking at the ARO. What does that tell us?
Options are :

How many times it happens per year.

How many percent of the asset is lost.

What will it cost us if it happens once.

What will it cost us per year if we do nothing.
Answer : How many times it happens per year.
Explanation Annual Rate of Occurrence (ARO) – How often will this happen each year?
Where would be a good place for us to NOT implement defense in depth?
Options are :

Our data centers.

Nowhere.

Our call center.

Our VPNs
Explanation We would implement defense in depth everywhere. We would not
implement it "nowhere"; the double negative would cancel out. Remember
this is also an exam in the English language, assuming you take it in English, and it does
intend to trick you at times.
We are in criminal court and the defendant says we used enticement. In this setting, enticement is
which of these?
Options are :

A solid legal defense strategy.

Not a solid legal defense strategy.

Something we can do without consulting our legal department.

Legal and unethical.
Answer : Not a solid legal defense strategy.
Explanation Enticement (Legal and ethical): Making committing a crime more enticing,
but the person has already broken the law or at least has decided to do so. Honeypots
can be a good way to use enticement. Have open ports or services on a server that can
be attacked. Enticement is not a valid defense.
One of our senior VPs calls you up to explain a term he heard at a conference. He heard about
cybersquatting and wants to know more. Which of these is TRUE about it?
Options are :

Always illegal.

Potentially illegal.

Legal.

Never profitable.
Explanation Cybersquatting – Buying a URL you know someone else will need (to sell
at a huge profit – not illegal).
As an IT Security professional, you are expected to perform due care. What does this mean?
Options are :

Researching and acquiring the knowledge to do your job right.

Do what is right in the situation and your job. Act on the knowledge.

Continue the security practices of your company.

Apply patches annually.
Answer : Do what is right in the situation and your job. Act on the knowledge.
Explanation Due Care – Prudent person rule – What would a prudent person do in this
situation? Implementing the IT Security architecture, keep systems patched. If
compromised: fix the issue, notify affected users (Follow the Security Policies to the
letter).
Senior management is looking at the ISO27799 standard. What is it focused around?
Options are :

ITSM.

Protecting PHI.

Risk management.

PCI-DSS.
Explanation ISO 27799: Directives on how to protect PHI (Personal Health Information).
We are working on our risk management and we are doing quantitative risk analysis. What does
the ALE tell us?
Options are :

How many times it happens per year.

How many percent of the asset is lost.

What will it cost us if it happens once.

What will it cost us per year if we do nothing.
Answer : What will it cost us per year if we do nothing.
Explanation Annualized Loss Expectancy (ALE) – This is what it costs per year if we do
nothing.
With the CIA triad in mind, when we choose to have too much integrity, which other control will
MOST LIKELY suffer?
Options are :

Confidentiality.

Availability.

Identity.

Accountability.
Explanation Finding the right mix of Confidentiality, Integrity and Availability is a
balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for
your organization. Too much Integrity and the Availability can suffer.
Which of these would NOT be a factor we would consider to protect our availability?
Options are :

Patch management.

Redundant hardware.

SLA's.

Non-redundant hardware.
Explanation To ensure availability we use: IPS/IDS. Patch Management. Redundancy on
Hardware: Power (Multiple Power Supplies/UPS'/Generators), Disks (RAID), Traffic
paths (Network Design), HVAC, Staff, HA (high availability) and much more. SLA's – How
high an uptime do we want (99.9%?) – (ROI).
We are looking at our risk responses. We are considering buying insurance to cover the gaps we
have. Which type of response would that be?
Options are :

Risk transference.

Risk rejection.

Risk avoidance.

Risk mitigation.
Explanation Transfer the Risk – The Insurance Risk approach – We could get flooding
insurance for the Data Center, the flooding will still happen, we will still lose 15% of the
infrastructure, but we are insured for cost.
Jane has suggested we implement full disk encryption on our laptops. Our organization, on
average, loses 25 laptops per year, and currently it costs us $10,000 per laptop. The laptop itself
costs $1,000, as well as $9,000 in losses from non-encrypted data being exposed. We want to keep
using laptops, and have our ARO (Annualized Rate of Occurrence) stay the same. How much can
the countermeasures we implement cost, for us to break even?
Options are :

2250000

225000

250000

22500
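The quantitative formulas from the risk-analysis explanation earlier on the page (SLE = AV x EF, ALE = SLE x ARO) applied to the laptop scenario above, as an added Python example that is not part of the original page. It assumes full disk encryption removes the $9,000 data-exposure loss while the $1,000 hardware loss and the ARO of 25 stay the same; the function and class names are the editor's own.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: what one incident costs."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: what it costs per year if we do nothing."""
    return sle * aro


def break_even_countermeasure_cost(ale_before: float, ale_after: float) -> float:
    """The most a countermeasure may cost per year and still pay for itself:
    the ALE it removes. Spending more than this costs more than the risk it treats."""
    return ale_before - ale_after


@dataclass
class Scenario:
    name: str
    asset_value: float      # AV: value at stake per incident
    exposure_factor: float  # EF: fraction of AV lost per incident
    aro: float              # ARO: incidents per year

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle(), self.aro)


# Figures from the question: a lost laptop costs $1,000 (hardware) + $9,000 (exposed data),
# 25 laptops are lost per year, and the ARO is unchanged after the countermeasure.
LAPTOP_AV = 1_000 + 9_000
BEFORE = Scenario("no encryption", LAPTOP_AV, exposure_factor=1.0, aro=25)
# Assumption: with full disk encryption only the $1,000 hardware value is lost per incident.
AFTER = Scenario("full disk encryption", LAPTOP_AV, exposure_factor=1_000 / LAPTOP_AV, aro=25)


def laptop_break_even() -> float:
    """Annual countermeasure budget at which the encryption project breaks even."""
    return break_even_countermeasure_cost(BEFORE.ale(), AFTER.ale())


if __name__ == "__main__":
    print(f"SLE before: ${BEFORE.sle():,.0f}  ALE before: ${BEFORE.ale():,.0f}")
    print(f"SLE after:  ${AFTER.sle():,.0f}   ALE after:  ${AFTER.ale():,.0f}")
    print(f"Break-even countermeasure cost: ${laptop_break_even():,.0f}")
```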