Pen used to do a practice exam.

Domain 5 Quiz

Domain 5 Quiz

  1. Mandy is the director of the HR department. In order to cut costs, she has decided to select some good training material that everyone can benefit from, and send all personnel through the same risk management training. The HR department only needs to buy one set of material. If all events contain the same content, just one or a few personnel out of each department can attend a session, meaning that all groups can continue normal operations. But which security advantage has been lost?
    1. Role-based
    2. Risk-prioritized
    3. Agile-based
    4. Morale-boosting
    The last two aren't security advantages. Training should be role-based so it's relevant, addresses job-specific risks, and retains the staff's attention.
  2. Jacqueline, a cybersecurity analyst at a major hospital, has been tasked with a quantitative risk analysis of data loss in the patient billing system. Initial measurements show an EF of 0.5, an ARO of 3, and an ALE of 60,000. How much should the hospital expect to lose in a typical year?
    1. 20,000
    2. 30,000
    3. 60,000
    4. 180,000
    Sometimes the question simply tells you what the answer is, if you know the acronyms. ALE stands for Annualized Loss Expectancy, a fancy way of saying "expected loss per year".
  3. Your corporation is considering moving some operations into the cloud. Amy's manager is worried that the cloud provider being considered might not meet the performance and quality requirements of the project. What should Amy suggest using to solve the problem?
    1. MOU
    2. BPA
    3. SLA
    4. ROI
    The Service-Level Agreement should specify the expectations and requirements. Of course it can't be an absolute guarantee, but an SLA typically defines what the provider will pay if the requirements aren't met.
  4. Pat was required to attend mandatory security awareness training before starting his new job, to learn about protecting highly sensitive corporate secrets and customer data. This is part of the              stage.
    1. NDA
    2. OPSEC
    3. Non-compete
    4. On-boarding
    5. Off-boarding
    Pat is learning about OPSEC, and may have to sign an NDA, but the question is really "Which stage is this?" He is starting a new job, not leaving, so it's on-boarding.
  5. Tony, a new auditor at the company, has been evaluating security and conducting interviews. He has discovered that doorways into sensitive areas, and applications accessing sensitive data, are frequently accessed via widely known combinations and shared accounts. What desirable security attribute has been lost?
    1. Accountability
    2. Responsibility
    3. Deterrence
    4. Assurance
    Accountability lets you map actions to specific people. Responsibility is related to that concept, but it is different. Deterrence would be a mechanism to frighten or intimidate people into behaving a certain way. Assurance might be the ability to provide a logical proof or mathematical calculation of the strength of the proposed defense.
  6. Top management at the company has written a COO policy stating that no more than 4 hours of down-time is allowed for web sales operations. Holly is a web server system administrator, and is responsible for meeting this corporate policy. Which statistic or requirement does this 4 hour figure refer to?
    1. MAD
    2. RPO
    3. RTO
    4. MTTR
    Management has set a requirement or goal, so it's RTO. MAD (or MTD), Maximum Allowable (or Tolerable) Downtime is an estimate of what length of outage would be fatal to the organization. They will estimate MAD/MTD first, and then specify an RTO less than that. RPO is about tolerable loss, usually in terms of how often to make backups. MTTR tells us how quickly recoveries have been happening.
  7. Min, a system engineer with the storage department, has been tasked with planning the creation of a DRP that will lead to implementing clustering and RAID. What should be her first step?
    1. BIA
    2. Risk analysis
    3. Vulnerability assessment
    4. Penetration testing
    5. Service discovery
    A Business Impact Analysis is the first step, as it figures out what is in the critical path, what must be protected. It must be done before risk analysis, which will lead to the desired Disaster Recovery Plan (or Policy).
  8. Management has set a policy specifying the acceptable amount of data loss, which will be used to design the backup process. Which of these has been defined?
    1. RTO
    2. RPO
    3. RAD
    4. MAD
    5. MOU
    If you do backups every night, you could lose up to 24 hours' worth of data. That's your Recovery Point Objective, "the way it was last night."
  9. The company's software development, customer service, and order processing operations are based at three separate facilities. Top management has determined that if there were a massive outage at the sales site, the customer service facility would best be able to assist sales operations. Which of these are they advocating?
    1. Tabletop exercises
    2. Walk-through exercises
    3. Failover
    4. Alternate business practices
    5. Redundancy
    This plan might have its origins in a tabletop or walk-through exercise, and you might say that this could be considered as a form of failover. And it is redundant capability in a way. But "Alternate (or Alternative) Business Practices" is the official CompTIA term.
  10. Brian, manager of the IT department, periodically moves help desk staff from one support category to another. Which security goal will this achieve?
    1. Fraud detection
    2. Fraud prevention
    3. Fraud analysis
    4. Fraud mitigation
    An complex and effective fraud will take a while to research, plan, and set up. The would-be fraudster doesn't have enough time to get entrenched. The employees know of this policy so it would also act as a deterrent, but that isn't a choice. In the CompTIA universe, it's mandatory vacation that does fraud detection.
  11. Gene works with patch management for production systems. Jane, his supervisor, has directed him to deploy a major upgrade to the database server by the end of the week. Gene wants to be able to implement the upgrade, verify its functionality and performance, and then, if needed, roll back. How should he proceed?
    1. Deploy the upgrade, create a snapshot, and monitor the upgraded system.
    2. Create a snapshot, deploy the upgrade, and monitor the upgraded system.
    3. Copy the server's registry, deploy the upgrade, and monitor the upgraded system.
    4. Create an ephemeral snapshot, upgrade it, and if functionality and performance are adequate, apply those updates to the production system.
    That is the only choice that makes a snapshot or backup to which you could roll back before making changes.
  12. Natalie is a security auditor for a financial institution. They are considering moving some of their operations overseas, where they could pay lower wages and thereby increase profits. What security concern should Natalie point out?
    1. Interoperability problems due to language and character set differences
    2. Portability of data
    3. Use of unauthorized apps
    4. Regulatory compliance
    5. Higher risk of DDoS
    Privacy regulations vary from country to country, and generally are much stricter outside the U.S. With the possibility of a company in country A storing and/or processing data about a citizen of country B in a facility located in country C, this can become very complicated.
  13. Many unexplained payments have been sent to a mysterious vendor. The current model is:
    • Add new vendor: Clerk
    • Approve new vendor: Clerk
    • Pay vendor: Clerk
    • Approve payment: Manager
    What should it be?
      • Add new vendor: Manager
      • Approve new vendor: Clerk
      • Pay vendor: Clerk
      • Approve payment: Manager
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Clerk
      • Approve payment: Clerk
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Clerk
      • Approve payment: Manager
      • Add new vendor: Clerk
      • Approve new vendor: Manager
      • Pay vendor: Manager
      • Approve payment: Manager
    The clerk does the tasks, the manager approves the actions.
  14. Terri is a database administrator in the billing department. Her boss, James, has asked her to estimate the number of security lapses and their cost over the coming year. Which of these should she calculate?
    1. MTBF
    2. SLE
    3. ARO
    4. ALE
    5. EF
    The Annualized Loss Expectancy is the product of the cost of a single breach (the Single Loss Expectancy or SLE) times the number of breaches expected in a typical year (the Annualized Rate of Occurrence or ARO).
  15. Harvey, the director of the Billing Department, worries that one of his employees has found a covert way of committing fraud. He wants to find out if this is true or not, before any fraud gets out of hand and he gets fired or the company fails. What should he implement?
    1. Least privilege
    2. Job rotation
    3. Mandatory vacation
    4. Separation of duties
    Least privilege and separation of duties are preventative (or at least they make the likelihood much less likely). Job rotation is deterrent. Mandatory vacation is the detective measure, as management can observe and even investigate an employee's job setting when they are forced out of the office for several days in a row.
  16. Kate is a network engineer at a company that is starting a collaboration with another corporation. What document should Kate consult to set up VPN connectivity?
    1. BPA
    2. SLA
    3. MOU
    4. ISA
    All of those may be involved in the collaboration, but the Interconnection Service Agreement defines how the two organizations will connect their networking.

Passing = 82% of 16 = 13.1

Goal = 91% of 16 = 14.6

To the Cybersecurity Page