UPDATED Exam Questions and
CORRECT Answers
Maturity Levels (Pg 11 Book 2) - CORRECT ANSWER -
- Nonexistent
- Compliance focused
- Promoting Behavior Awareness and Change
- Long Term Sustainment and Culture Change
- Strategic Metrics Framework
Challenges with Compliance - CORRECT ANSWER -
- Easy way to get support for your program, but management will only provide minimal resources
- Standards are often vague
- By focusing on human risk, we go beyond the requirements for compliance
** PCI DSS, NERC, ISO 27001, FISMA, FERPA, HIPAA
Mandatory Training - CORRECT ANSWER -
- For compliance, not for changing behaviors
- Make it as short as possible
- Allow/enable workforce to test out of training
- Track results and compare completion rates by department
Risk (Book 2 pg 30) - CORRECT ANSWER - Risk = Probability X Impact
- The more likely an event is to happen, the greater the risk
Risk Management - CORRECT ANSWER -
- A structured and formalized approach to how organizations reduce risk to an acceptable level
1. Reduce the risk
2. Avoid the risk
3. Transfer the risk
4. Accept the risk
DBIR - Data Breach Investigations Report - CORRECT ANSWER - Verizon found that over 80% of breaches involve the human element.
Vulnerabilities - CORRECT ANSWER -
- Technical
- Process
- People
By reducing vulnerabilities, you are less likely to have an incident
Threats exploit your vulnerabilities
Vulnerabilities - Processes - CORRECT ANSWER - Processes, policies and procedures keep your organization secure
- ISO/IEC 2700 exist to ensure policies and procedures are in place
How are people vulnerable? - CORRECT ANSWER - 1. Humans overestimate risk for highly VISUAL events
2. Humans overestimate risk for events in which they are not in control
3. Humans far too often make decisions based on emotion
Exploiting People (Book 2 pg 43) - CORRECT ANSWER - People UNDERESTIMATE risk on the internet.
- They feel they are in control
- Impact is often not seen
- Cyber attackers leverage emotion
Threats - CORRECT ANSWER -
- Threats exploit vulnerabilities
- 3 types (ISO 27005): Environmental, Accidental, Deliberate