CASP+ Practice Tests. Nadean H. Tanner
20. You have an asset that is valued at $1,000. The EF for this asset is 10 percent. The ARO is 2. What is the ALE?
A. The ALE is $200.
B. The ALE is $100.
C. The ALE is $400.
D. ALE cannot be calculated with the numbers provided.

21. A security administrator is reviewing an audit and finds that two users in human resources also have access to finance data. One of these users is a recruiter, while the other is an intern. What security measure is being violated?
A. Job rotation
B. Disclosure
C. Mandatory vacation
D. Least privilege

22. Your organization experienced a security event that led to the loss and disruption of services. You were chosen to investigate the disruption to prevent the risk of it happening again. What is this process called?
A. Incident management
B. Forensic tasks
C. Mandatory vacation
D. Job rotation

23. Your new role with a law enforcement agency is to support the development of policies and to implement standard IT security practices. You will be writing the procedures for ______________ such as collecting digital evidence, recording observations, and taking photographs.
A. least privilege
B. incident responses
C. master service agreements
D. forensic tasks

24. Your company is working with a new ISP and wants to find out technical details, such as system numbers, port numbers, IP addressing, and the protocols used. What document will you find this information in?
A. Memorandum of understanding
B. Disclosure of assets
C. Operation level agreement
D. Interconnection security agreements

25. Your new line of business is selling directly to the public. Two major risks are your lack of experience with establishing and managing credit card processing and the additional compliance requirements. What is the BEST risk strategy?
A. Transferring the initial risk by outsourcing
B. Transferring the risk to another internal department
C. Mitigating the risks by hiring additional IT staff
D. Accepting the risks and logging acceptance

26. A large enterprise is expanding through the acquisition of a second corporation. What should be done first before connecting the networks?
A. System and network vulnerability scan
B. Implementation of a firewall system
C. Development of a risk analysis for the two networks
D. Complete review of the new corporation

27. The CISO is researching ways to reduce risk associated with the separation of duties. In the case where one person is not available, another needs to be able to perform all the duties of their co-workers. What should the CISO implement to reduce risk?
A. Mandatory requirement of a shared account for administrative purposes
B. Audit of all ongoing administration activities
C. Separation of duties to ensure no single administrator has access
D. Role-based security on the primary role and provisional access to the secondary role on a case-by-case basis

28. How can you secure third-party applications and introduce only acceptable risk into your environment?
A. Code review and simulation
B. Roundtable discussions
C. Parallel trials
D. Full deployment

29. Your company policy states that only authorized software is allowed on the corporate network, and BYOD devices need to be configured by IT with the proper software and security controls to adhere to company policy. The marketing manager plugs a USB drive received at a conference into their laptop and it auto-launches. What is the greatest risk?
A. Employee transferring the customer database and IP
B. Employee using non-approved accounting applications
C. Infecting the network with malware
D. File corruption by the USB drive being ejected improperly

30. What risks and mitigations are associated with BYOD?
A. Risk: Data exfiltration. Mitigation: Remote wipe.
B. Risk: Confidentiality leaks. Mitigation: Corporate policy.
C. Risk: Theft. Mitigation: Minimal storage.
D. Risk: GPS tracking. Mitigation: Minimal cost.

31. Your software company is acquiring a new program from a competitor. All the people working with that company will become your employees. They will retain all access to their former network and resources for two weeks to ease the transition. For productivity, the decision was made to join the two networks. Which of the following threats is the highest risk for your company?
A. IP filters
B. Loss of code
C. Malware
D. Commingling the networks

32. Your bank outsourced the security department to an outside firm. The CISO just learned that this third-party outside firm subcontracted security operations to another organization. The board of directors is now pressuring the CISO to ensure that the bank is protected legally. What is the BEST course of action for the CISO to take?
A. Creating another NDA directly with the subcontractor
B. Confirming that the current outside firm has an SLA with the subcontractor
C. Performing a risk analysis on the subcontractor
D. Terminating the contract immediately and looking for another outside firm

33. The CIO created a goal for the security team to reduce vulnerabilities. They are not high profile, but they still exist. Many of these vulnerabilities have compensating controls in place for security reasons. At this point in time, the budget has been exhausted. What is the BEST risk strategy to use?
A. Accepting risk
B. Mitigating risk
C. Transferring risk
D. Avoiding risk

34. Your database team would like to use a service-oriented architecture (SOA). The CISO suggested you investigate the risk for adopting this type of architecture. What is the biggest security risk to adopting an SOA?
A. SOA available only over the enterprise network
B. Lack of understanding from stakeholders
C. Risk of legacy networks and system vulnerabilities
D. Source code

35. With traditional network architecture, one best practice is to limit network access points. This limitation allowed for a concentration of network security resources and a protected attack surface. With the introduction of 802.1x into enterprise network architecture, what was introduced into the network?
A. Increased capability and increased risk and higher TCO
B. Decreased capability and increased risk and higher TCO
C. Increased capability and decreased risk and lower TCO
D. Decreased capability and decreased risk and lower TCO

36. Marketing asked for web-based meeting software with a third-party vendor. The software you reviewed requires user registration and installation, and the user has to share their desktop. To ensure that information is secure, which of the following controls is BEST?
A. Disallow. Avoid the risk.
B. Hire a third-party organization to perform the risk analysis, and based on outcomes, allow or disallow the software.
C. Log and record every single web-based meeting.
D. After evaluating several providers, ensure acceptable risk and that the read-write desktop mode can be prevented.

37. You are tasked with writing the security viewpoint of a new program that your organization is starting. Which of the following techniques make this a repeatable process and can be used for creating the best security architecture?
A. Data classification, CIA triad, minimum security required, and risk analysis
B. Historical documentation, continuous monitoring, and mitigation of high risks
C. Implementation of proper controls, performance of qualitative analysis, and continuous monitoring
D. Risk analysis; avoidance of critical risks, threats, and vulnerabilities; and the transference of medium risk

38. Because of time constraints and budget, your organization has opted to hire a third-party organization to begin working on an important new project. From a security point of view, what BEST balances the needs of the organization and managing the risk of a third-party vendor?
A. Outsourcing is a valid option and not much of a concern for security because any damage is the responsibility of the third party.
B. If the company has an acceptable security record, then it makes perfect sense to outsource.
C. You should never outsource. It leads to legal and compliance issues.
D. The third party should have the proper NDA, SLA, and OLA in place and should be obligated to perform adequate security activities.

39. Your organization must perform vast amounts of computations of big data overnight. To minimize TCO, you rely on elastic cloud services. The virtual machines and containers are created and destroyed nightly. What is the biggest risk to confidentiality?
A. Data center distribution
B. Encryption
C. Physical loss of control of assets
D. Data scraping

40. You work for a SOHO and replace servers whenever there is money readily available for expenditure. Over the past few tech-refresh cycles, you have received many servers and workstations from several different vendors. What is the challenge and risk of this style of asset management?
A. OS and asset EOL issues and updates
B. OS