ISC2: Cybersecurity Certifications Exam QA: Part1

Mahender Kumar
8 min read · Jul 9, 2024


Q1: A system that collects transactional information and stores it in a record in order to show which users performed which actions is an example of providing ________.

  1. Non-repudiation
  2. Biometrics
  3. Multifactor authentication
  4. Privacy

Ans: A system that collects transactional information and stores it in a record to show which users performed which actions is an example of providing non-repudiation.

Non-repudiation ensures that someone cannot deny the validity of their actions or transactions. It provides a verifiable and irrefutable record of who performed what actions, thereby preventing any parties from denying their involvement in those actions.

Q2: For which of the following systems would the security concept of availability probably be most important?

  1. Medical systems that store patient data
  2. Online streaming of camera feeds that display historical works of art in museums around the world
  3. Medical systems that monitor patient condition in an intensive-care unit
  4. Retail records of past transactions

Ans: Availability would be most important for medical systems that monitor patient condition in an intensive-care unit. The security concept of availability ensures that systems and data are accessible when needed, and the consequences of unavailability are most severe when lives depend on the system.

Justification:

  1. Medical systems that store patient data: While availability is important, the primary concern here is often confidentiality and integrity to protect sensitive patient information. Availability is still needed to ensure data can be accessed when required, but it is not the most critical compared to the need for privacy and accuracy.
  2. Online streaming of camera feeds that display historical works of art in museums around the world: Availability is important to ensure continuous access to the streaming feeds, but it is not as critical as in life-dependent systems. The impact of unavailability is less severe, generally causing inconvenience rather than posing any significant risk.
  3. Medical systems that monitor patient condition in an intensive-care unit: Availability is absolutely critical for these systems because they monitor the health and condition of patients in real-time. Any downtime can result in missed vital signs, delayed medical responses, and potentially life-threatening situations.
  4. Retail records of past transactions: Availability is important for business continuity and operational efficiency, especially for activities like auditing and customer service. However, it is less critical compared to life-sustaining medical systems. Temporary unavailability might cause business disruptions but not immediate dangers.

Q3: Of the following, which would probably not be considered a threat?

  1. Unintentional damage to the system caused by a user
  2. Natural disaster
  3. An external attacker trying to gain unauthorized access to the environment
  4. A laptop with sensitive data on it

Ans: Among the given options, a laptop with sensitive data on it would probably not be considered a threat.

Justification:

  1. Unintentional damage to the system caused by a user: This is considered a threat because it can lead to loss of data, system downtime, and other disruptions, even if it is accidental.
  2. Natural disaster: Natural disasters are considered threats as they can cause significant damage to physical infrastructure, leading to data loss, system outages, and other operational disruptions.
  3. An external attacker trying to gain unauthorized access to the environment: This is clearly a threat, as external attackers can compromise the integrity, confidentiality, and availability of the system.
  4. A laptop with sensitive data on it: This, in itself, is not a threat but rather a vulnerability. The laptop could be lost or stolen, or its data could be accessed by unauthorized individuals, which would pose a threat. However, the presence of sensitive data on a laptop is not inherently a threat; it is the circumstances surrounding the laptop (e.g., lack of encryption, improper handling) that create potential threats.

Q4: Within the organization, who can identify risk?

  1. Any security team member
  2. Anyone
  3. The security manager
  4. Senior management

Ans: Within an organization, anyone can identify risk.

Here is the justification for each option:

  1. Any security team member: While security team members are trained to identify risks, they are not the only ones who can do so. Risk identification can come from various sources within the organization.
  2. Anyone: This is correct because risk identification can be done by any employee within the organization. Employees at all levels can encounter risks related to their specific roles and responsibilities, making it important for everyone to be vigilant and report potential risks.
  3. The security manager: The security manager is certainly responsible for overseeing the identification and management of risks, but limiting risk identification to this role alone would overlook the potential contributions of other employees who might encounter risks in their day-to-day activities.
  4. Senior management: Senior management plays a critical role in understanding and addressing risks from a strategic perspective, but they are not the only ones capable of identifying risks. Risks can be noticed by employees at various levels and in different departments.

Q5: Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________.

  1. Risk tolerance
  2. Threat
  3. Risk inversion
  4. Vulnerability

Ans: This is an example of risk tolerance.

Justification:

  1. Risk tolerance refers to the degree of variability in outcomes that an individual or organization is willing to accept. In this context, it means Phrenal’s willingness to accept the uncertainty of the auction outcome, knowing that the laptop might sell for more, less, or exactly $100.
  2. Threat refers to any circumstance or event that can cause harm or loss, which is not applicable here.
  3. Risk inversion is not a standard term in risk management and does not apply to this scenario.
  4. Vulnerability refers to a weakness that can be exploited, which is not relevant in the context of Phrenal selling a laptop.

Q6: Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization’s offices. Which sort of security control would probably be best for this purpose?

  1. Technical
  2. Obverse
  3. Administrative
  4. Physical

Ans: The best type of security control for ensuring that laptops are not stolen from the organization’s offices would be physical security controls.

Justification:

  1. Physical security controls are measures designed to prevent unauthorized physical access, damage, and interference to the organization’s assets and premises. Examples include locks, security guards, surveillance cameras, and secured storage areas. These controls are directly aimed at preventing theft and physical removal of laptops.
  2. Technical controls involve the use of technology to protect systems and data, such as encryption, firewalls, and antivirus software. While important for data protection, they do not prevent physical theft.
  3. Administrative controls involve policies, procedures, and guidelines that govern the organization’s operations. These include security policies, training programs, and access control procedures. While they can support physical security measures, they are not as directly effective in preventing theft as physical controls.
  4. Obverse is not a recognized category of security control.

Q7: ISC2 publishes a Common Body of Knowledge (CBK) that IT security practitioners should be familiar with; this is recognized throughout the industry as a set of material that is useful for practitioners to refer to. Certifications can be issued for demonstrating expertise in this Common Body of Knowledge. What kind of document is the Common Body of Knowledge?

  1. Standard
  2. Policy
  3. Procedure
  4. Law

Ans: The Common Body of Knowledge (CBK) published by ISC2 is best described as a standard.

Justification:

  1. Standard: A standard is a documented set of guidelines, best practices, and frameworks that are widely accepted and used within an industry. The CBK fits this description as it provides a comprehensive framework of best practices and knowledge areas that IT security practitioners should be familiar with. It is recognized throughout the industry as a valuable reference for ensuring a consistent level of expertise.
  2. Policy: A policy is a formalized set of rules and guidelines that an organization creates to govern its actions. The CBK is not an internal rule or guideline specific to any one organization, but rather a broadly recognized body of knowledge.
  3. Procedure: A procedure is a detailed set of instructions on how to perform specific tasks or activities. The CBK does not provide step-by-step instructions but instead covers a broad range of topics and best practices in IT security.
  4. Law: A law is a system of rules that are created and enforced through social or governmental institutions to regulate behavior. The CBK is not legally binding but is rather a professional standard.

Q8: The Triffid Corporation publishes a strategic overview of the company’s intent to secure all the data the company possesses. This document is signed by Triffid’s senior management. What kind of document is this?

  1. Standard
  2. Procedure
  3. Law
  4. Policy

Ans: The document published by Triffid Corporation that outlines the company’s intent to secure all the data it possesses and is signed by senior management is a policy.

Justification:

  1. Policy: A policy is a formal document that outlines an organization’s principles, intentions, and guidelines regarding a specific area. It is often approved and signed by senior management to establish its authority and commitment. In this case, the document is a strategic overview signed by senior management, which indicates it is a high-level policy on data security.
  2. Standard: A standard provides specific guidelines and criteria for achieving certain practices. While it may be related to a policy, it is not typically a high-level strategic document signed by senior management.
  3. Procedure: A procedure provides detailed, step-by-step instructions on how to perform specific tasks. It is not a strategic document outlining the company’s intent but rather operational instructions derived from policies.
  4. Law: A law is a rule enforced by governmental institutions. This document is an internal document of the Triffid Corporation, not a legal requirement enforced by a government.

Q9: Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________.

  1. Standard, law
  2. Law, standard
  3. Law, procedure
  4. Policy, law

Ans: The Grampon municipal code that requires companies to have processes ensuring employee safety while working with hazardous materials is a law. It is a legal requirement imposed by the city’s municipal code. The checklist created by Triffid Corporation outlining activities employees must follow while working with hazardous materials is a procedure. It provides specific instructions on how to carry out tasks related to complying with the legal requirement (law) imposed by the municipal code.

Q10: Hoshi is an ISC2 member who works for the Triffid Corporation as a data manager. Triffid needs a new firewall solution, and Hoshi is asked to recommend a product for Triffid to acquire and implement. Hoshi’s cousin works for a firewall vendor; that vendor happens to make the best firewall available. What should Hoshi do?

  1. Hoshi should ask to be recused from the task
  2. Recommend a different vendor/product
  3. Recommend the cousin’s product
  4. Disclose the relationship, but recommend the vendor/product

Ans: In this situation, Hoshi should disclose the relationship with the cousin who works for the firewall vendor and ask to be recused from the task of recommending a firewall solution for Triffid Corporation.

Justification:

  1. Disclosure: Hoshi needs to disclose the relationship with the cousin who works for the firewall vendor. This transparency helps in maintaining trust and ensuring that potential conflicts of interest are known.
  2. Recusal: Given the direct family relationship (cousin) with an employee of the firewall vendor, recommending that vendor’s product could create a conflict of interest or the appearance of favoritism. To maintain ethical standards and avoid any perception of bias, Hoshi should ask to be recused from the task.
  3. Recommendation: Recommending the cousin’s product without recusal could be seen as exploiting the relationship for personal gain, which is not ethical. Similarly, recommending a different vendor/product might not be necessary if the cousin’s product is genuinely the best choice, but the conflict of interest must be managed appropriately.
