Population Health Epidemiology & Biostatistics |
Questions with Verified Answers | 100% Correct |
Pass Guaranteed
SECTION 1: Security Concepts & Governance
Q1: Which principle of the CIA triad ensures that information has not been altered in an
unauthorized manner?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Correct Answer: B
Rationale: Integrity guarantees that data remains accurate and unmodified except by authorized
parties. Confidentiality (A) protects against disclosure, Availability (C) ensures timely access,
and Non-repudiation (D) prevents denial of actions; neither focuses on alteration protection.
Q2: A company must decide whether to accept, transfer, mitigate, or avoid a risk with an
annualized loss expectancy (ALE) of $75,000 and annual mitigation cost of $90,000. What is the
MOST business-appropriate response?
A. Accept the risk
B. Transfer the risk via insurance
,C. Mitigate the risk by implementing the control
D. Avoid the risk by discontinuing the activity
Correct Answer: A
Rationale: When mitigation cost ($90k) exceeds the ALE ($75k), accepting the risk is the most
economical choice per NIST SP 800-30. Transfer (B) may still cost more than $75k, mitigation
(C) is negative-ROI, and avoidance (D) is extreme without evidence of greater strategic loss.
Q3: Which ISO standard provides the specification for an information-security management
system (ISMS)?
A. ISO 27001
B. ISO 27701
C. ISO 22301
D. ISO 31000
Correct Answer: A
Rationale: ISO/IEC 27001 is the formal ISMS standard. ISO 27701 (B) extends privacy, ISO
22301 (C) covers business continuity, and ISO 31000 (D) is generic risk management.
Q4: A U.S. federal agency is required to implement minimum security controls for
moderate-impact systems. Which NIST publication supplies the control catalog?
A. SP 800-37
B. SP 800-53
C. SP 800-171
D. SP 800-61
, Correct Answer: B
Rationale: NIST SP 800-53 Rev 5 contains the control catalog for federal systems. SP 800-37
(A) is the Risk Management Framework, SP 800-171 (C) applies to non-federal CUI
environments, and SP 800-61 (D) addresses incident handling.
Q5: Senior management signs off on a residual-risk score that is higher than the risk appetite
documented the previous quarter. Which governance document should be updated FIRST?
A. Business impact analysis (BIA)
B. Risk register
C. Security policy
D. Statement of applicability (SoA)
Correct Answer: B
Rationale: The risk register must reflect the current risk decision and justification. The BIA (A)
measures impact, security policy (C) is too high-level, and the SoA (D) maps ISO 27001 controls
but does not track risk acceptance.
Q6: What is the PRIMARY purpose of a data-classification program?
A. Determine encryption key length
B. Assign ownership and appropriate protection levels
C. Meet PCI-DSS labeling requirements
D. Reduce backup storage costs
Correct Answer: B