Answers 2025
National Institute of Standards and Technology - AnswerNIST
-Overall framework for the U.S. federal government to manage
organizational risk throughout the system development life cycle
-Focuses on security control selection, deployment, and auditing
using a seven-step model
-Includes certification and accreditation - AnswerWhat is the NIST Risk Management
Framework (RMF)?
Secure sensitive items when not in use - AnswerClean Desk Policy
Just what you need to do your job - AnswerPrinciple of least privilege management
-best way to uncover fraud
-part of onboarding procedures - AnswerMandatory vacations
-Identify or uncover fraud
-Cross training / Experience for employees - AnswerJob Rotation (rotation of duties)
Partitions responsibilities to minimize abuse or fraud - AnswerSeparation of Duties
-Background checks
-Social media analysis
-Onboarding procedures (NDA/AUP/Sign for equipment)
-Offboarding procedures (NDA/Return of equipment)
-Exit interview
-Non-disclosure Agreement (NDA) - AnswerHiring and Termination Policy Elements
Acceptable Use Policy - AnswerAUP
End of Life - AnswerEOL
End of Service - AnswerEOS
Memorandum of Agreement
-A legally binding written document between multiple parties on a
project detailing how they will work together to achieve
agreed-upon goals and objectives. - AnswerMOA
Memorandum of Understanding
-A less formal agreement of mutual goals between two or more
organizations with a focus on partitioning of responsibilities - AnswerMOU
Business Partners Agreement
-A written agreement defining the general relationship between
business partners with a focus on financial matters - AnswerBPA
-Creation
-Processing
-Dissemination
-Usage
-Storage
-Disposal - AnswerInformation Lifecycle Model
-Low
-Medium
-High - AnswerGeneric Information Classifications
-Unclassified
-Confidential
-Secret
-Top Secret - AnswerMilitary Information Classifications
-Public
-Private
-Proprietary
-Confidential - AnswerBusiness Information Classifications
-Personally Identifiable Information (PII)
-Personal/Protected Health Information (PHI)
-Financial Information
-Government Data
-Customer Data - AnswerTypes of Protected Information
The process of identifying, monitoring, and reducing risk to an acceptable level. -
AnswerRisk Management
-Threat (the potential to cause harm to an asset)
-Vulnerability (a flaw or hole in the security posture)
-Exploit (a method or technique used to manipulate a flaw)
-Safeguard (a mitigating security control) - AnswerRisk Analysis
-Acceptance: Have an established plan of action
-Avoidance: Removing the activity that creates risk
-Transference: Offloading the risk to an external party
-Mitigation: Reducing risk by installing security controls, safeguards, or countermeasures -
AnswerRisk Management Strategies
-Externally-Derived Risk
-Internally-Derived Risk
-Legacy Systems
-Multiparty Involvement
-Intellectual Property Theft
-Software Compliance/Licensing Issues
-Inherent Risk
-Residual Risk - AnswerTypes of Risk
Based on human opinion or judgment derived from interviews, surveys, benchmarking,
scenario-based exercise, lessons learned analysis, or cross-function workshops -
AnswerQualitative Risk Assessment
-Impact is easily understood
-Can provide rich information beyond financial impacts, such as impact on perceived
safety, health, or reputation - AnswerAdvantages of Qualitative Risk Assessment
-Prone to inaccuracy or exaggeration
-Limited usefulness towards cost-benefit analysis - AnswerDisadvantages of Qualitative
Risk Assessment
-Requires numerical values for both impact and likelihood using data from a variety of
sources
-Can be used to support cost-benefit analysis calculations - AnswerQuantitative Risk
Assessment
-Supports cost-benefit analysis of risk response options
-Allows computation of necessary capital to achieve a business goal -
AnswerAdvantages to Quantitative Risk Assessment
-Use of numbers may imply greater precision than what truly exists
-Requires concrete units of measure, which may prevent obscure or infrequent risks
from being recognized - AnswerDisadvantages to Quantitative Risk Assessment
SLE = Asset Value (AV) x Exposure Factor (EF%) - AnswerSingle Loss Expectancy
(SLE)
ALE = SLE x Annual Rate of Occurrence (ARO) - AnswerAnnualized Loss Expectancy
(ALE)
-SLE = 1,000,000 x 70% = 700,000
-ALE = 700,000 x 1/7 = 700,000/7 = 100,000 - AnswerScenario: a building is worth
$1,000,000, and a fire breaks out, consuming 70% of the building. A fire occurs about
once every 7 years in this geographical area. What is the SLE, and what is the ALE?
-Identify risk due to ongoing business operations (risk control self-
assessment/assessment)
-Assess the risk created due to business operations (likelihood and impact)
-Identify appropriate controls to mitigate the risk (control risk)
-Assessment of controls (identify control gaps) - AnswerMitigating Operational Risk
-The preventative and proactive strategic plan to mitigate disruptive incidents to
business operations
-Focuses on anticipating business operation disruptions - AnswerBusiness Continuity
Planning (BCP)
-Mission-essential functions
-Critical systems
-Single points of failure - AnswerWhat does BCP identify
-A management tool that helps determine the financial impact of business or
organizational changes - AnswerBusiness Impact Analysis (BIA)
-Safety
-Reputation
-Revenue
-Property - AnswerImpact Considerations of BIA
-Cold site - empty facility with established power, HVAC, and network connectivity to
the building
-Warm site - cold site capabilities plus an established network backbone and rack
system
-Hot site - warm site capabilities plus established computers, servers, and software
-Reciprocal site - mutual agreement between partners. Needs a signed MOU. -
AnswerWhat are the different Common Site Implementations?