Bring Your Own Device (BYOD) Correct Answer - Allows employees to
bring their own devices into work and connect them to the corporate
network.
Gap Analysis Correct Answer - Compares the current performance of the
organization's security posture to the desired security posture.
Data Sovereignty Correct Answer - The principle that countries and
states may impose individual requirements on data collected or being stored
within their jurisdiction.
De-Perimeterization Correct Answer - The removal of a boundary
between an organization and the outside world. Constant change in the
boundary of a network.
Downstream Liability Correct Answer - Occurs when a partner or
outsource provider fails to fulfill the organizational requirement.
Due Care Correct Answer - Defined as having taken all reasonable
actions to prevent security issues or to mitigate a possible security breach.
(Taking Action)
Due Diligence Correct Answer - Defined as having investigated all
reasonable measures to address a given risk. (Gathering Information)
Export Control Regulations Correct Answer - A federal law that prohibits
the unlicensed export of certain commodities or information for reasons of
national security or protection of trade.
Jurisdiction Correct Answer - The area or region covered by an official
power.
Policies Correct Answer - Used to state the role of security in an
organization and to establish the desired end-state of the security program.
They are very broad and provide the basic foundation upon which the
standards, baselines, guidelines, and procedures are built.
Third-Party Connection Agreement (TCA) Correct Answer - Dictates the
security controls that should be taken to protect the data being exchanged
between two partners.
Business Impact Analysis (BIA) Correct Answer - A functional analysis
that is conducted as part of the development of the business continuity and
disaster recovery plan.
Business Partnership Agreement (BPA) Correct Answer - Conducted
between two business partners and establishes the conditions of their
relationship.
Interconnection Security Agreement (ISA) Correct Answer - An
agreement for the owners and operators of the IT systems to document what
technical requirements each organization must meet.
Interoperability Agreements Correct Answer - Binding agreements that
are used during normal operations.
Job Rotation Correct Answer - Different users are trained to perform the
tasks of the same position, to help prevent identity fraud that could occur if
only one employee held that job.
Least Privilege Correct Answer - The concept of providing users or
services with the lowest level of access required to perform their job
functions.
Mandatory Vacation Correct Answer - An employee is required to take a
vacation at some point during the year. (Audit and Job Rotation)
Master Service Agreement (MSA) Correct Answer - This is an agreement
for future agreements, allowing the organizations involved to negotiate future
contracts much more quickly.
Memorandum of Understanding (MOU) Correct Answer - A non-binding
agreement between two or more organizations to detail an intended common
line of action. (Akin to a handshake)
Need to Know Correct Answer - A security principle that defines the
minimums for each job or business function.
Non-Disclosure Agreement (NDA) Correct Answer - Signed between two
parties; defines what data is considered confidential and cannot be shared
outside of the relationship.
Operational Level Agreement (OLA) Correct Answer - An internal
agreement that provides the details of the relationships involved between
different departments of an organization as they support the business
functions.
Personally Identifiable Information (PII) Correct Answer - Any data that
could potentially identify a specific individual.
Request for Information (RFI) Correct Answer - A bidding-process
document that collects written information about the capabilities of various
suppliers. It may be used prior to an RFP or RFQ, if needed, but can also be
used after these if the RFP or RFQ does not obtain enough specification
information.
Request for Proposal (RFP) Correct Answer - A bidding-process
document that is issued by an organization that gives details of a commodity,
a service, or an asset that the organization wants to purchase.
Request for Quote (RFQ) Correct Answer - A bidding-process document
that invites suppliers to bid on specific products or services. It generally
means the same thing as invitation for bid (IFB). They often include item or
service specifications.
Risk Assessment Correct Answer - A tool used during risk management
to identify vulnerabilities and threats, to assess their impact, and to determine
what controls to utilize.
Separation of Duties Correct Answer - A preventative administrative
control that should be considered whenever we're drafting authentication and
authorization policies for the organization. High-risk functions in our
organization should be broken up into smaller functions. (Prevents fraud)
Service-Level Agreement (SLA) Correct Answer - This agreement is
concerned with the ability to support and respond to problems within a given
timeframe while providing the agreed-upon level of service to the user.
Statement of Applicability (SOA) Correct Answer - Identifies the controls
selected and explains why those controls are considered appropriate based on
the output of the risk assessment.
Access Control List (ACL) Correct Answer - Controls the flow of traffic
into or out of a certain part of the network; can be configured on router
interfaces for this purpose. The most specific rules should be placed at the
top of the list, with more generic rules towards the bottom. It is a best
practice to include a deny-all rule at the end.
Administrative Control Correct Answer - Manages personnel and assets
through security policies, standards, procedures, guidelines, and baselines.
Advisory Policies Correct Answer - Provide guidance for acceptable
activities.
Annual Loss Expectancy (ALE) Correct Answer - The expected cost of a
realized threat over a given year.
● ALE = SLE x ARO
Annualized Rate of Occurrence (ARO) Correct Answer - Provides us with
an estimate of how many times per year a given threat might be realized.
Asset Correct Answer - Any object that is of value to an organization,
including personnel, facilities, devices, and so on.
Asset Value (AV) Correct Answer - An element of a risk assessment. It
identifies the value of an asset and can include any product, system, resource,
or process. The value can be a specific monetary value or a subjective value.