Exam Questions & Answers 100%
Solved!
NIST - ANSWERS National Institute of Standards and Technology
What is the NIST Risk Management Framework (RMF)? - ANSWERS -Overall framework for the U.S. federal government to manage organizational risk throughout the system development life cycle
-Focuses on security control selection, deployment, and auditing using a seven-step model
-Includes certification and accreditation
Clean Desk Policy - ANSWERS Secure sensitive items when not in use
Principle of least privilege management - ANSWERS Just what you need to do your job
Mandatory vacations - ANSWERS -best way to uncover fraud
-part of onboarding procedures
Job Rotation (rotation of duties) - ANSWERS -Identify or uncover fraud
-Cross training / Experience for employees
Separation of Duties - ANSWERS Partitions responsibilities to minimize abuse or fraud
Hiring and Termination Policy Elements - ANSWERS -Background checks
-Social media analysis
-Onboarding procedures (NDA/AUP/Sign for equipment)
-Offboarding procedures (NDA/Return of equipment)
-Exit interview
-Non-disclosure Agreement (NDA)
AUP - ANSWERS Acceptable Use Policy
EOL - ANSWERS End of Life
EOS - ANSWERS End of Service
MOA - ANSWERS Memorandum of Agreement
-A legally binding written document between multiple parties on a project detailing how they will work together to achieve agreed-upon goals and objectives.
MOU - ANSWERS Memorandum of Understanding
-A less formal agreement of mutual goals between two or more organizations with a focus on partitioning of responsibilities
BPA - ANSWERS Business Partners Agreement
-A written agreement defining the general relationship between business partners with a focus on financial matters
Information Lifecycle Model - ANSWERS -Creation
-Processing
-Dissemination
-Usage
-Storage
-Disposal
Generic Information Classifications - ANSWERS -Low
-Medium
-High
Military Information Classifications - ANSWERS -Unclassified
-Confidential
-Secret
-Top Secret
Business Information Classifications - ANSWERS -Public
-Private
-Proprietary
-Confidential
Types of Protected Information - ANSWERS -Personally Identifiable Information (PII)
-Personal/Protected Health Information (PHI)
-Financial Information
-Government Data
-Customer Data
Risk Management - ANSWERS The process of identifying, monitoring, and reducing risk to an acceptable level.
Risk Analysis - ANSWERS -Threat (the potential to cause harm to an asset)
-Vulnerability (a flaw or hole in the security posture)
-Exploit (a method or technique used to manipulate a flaw)
-Safeguard (a mitigating security control)
Risk Management Strategies - ANSWERS -Acceptance: Have an established plan of action
-Avoidance: Removing the activity that creates risk
-Transference: Offloading the risk to an external party
-Mitigation: Reducing risk by installing security controls, safeguards, or countermeasures
Types of Risk - ANSWERS -Externally-Derived Risk
-Internally-Derived Risk
-Legacy Systems
-Multiparty Involvement
-Intellectual Property Theft
-Software Compliance/Licensing Issues
-Inherent Risk
-Residual Risk
Qualitative Risk Assessment - ANSWERS Based on human opinion or judgment derived from interviews, surveys, benchmarking, scenario-based exercises, lessons-learned analysis, or cross-functional workshops
Advantages of Qualitative Risk Assessment - ANSWERS -Impact is easily understood
-Can provide rich information beyond financial impacts, such as impact on perceived safety, health, or reputation
Disadvantages of Qualitative Risk Assessment - ANSWERS -Prone to inaccuracy or exaggeration
-Limited usefulness towards cost-benefit analysis
Quantitative Risk Assessment - ANSWERS -Requires numerical values for both impact and likelihood using data from a variety of sources
-Can be used to support cost-benefit analysis calculations
Advantages to Quantitative Risk Assessment - ANSWERS -Supports cost-benefit analysis of risk response options
-Allows computation of necessary capital to achieve a business goal
Disadvantages to Quantitative Risk Assessment - ANSWERS -Use of numbers may imply greater precision than what truly exists
-Requires concrete units of measure, which may prevent obscure or infrequent risks from being recognized
Single Loss Expectancy (SLE) - ANSWERS SLE = Asset Value (AV) x Exposure Factor (EF%)
Annualized Loss Expectancy (ALE) - ANSWERS ALE = SLE x Annual Rate of Occurrence (ARO)
Scenario: a building is worth $1,000,000, and a fire breaks out, consuming 70% of the building. A fire occurs about once every 7 years in this geographical area. What is the SLE, and what is the ALE? - ANSWERS -SLE = 1,000,000 x 70% = 700,000
-ALE = 700,000 x 1/7 = 700,000/7 = 100,000
Mitigating Operational Risk - ANSWERS -Identify risk due to ongoing business operations (risk control self-assessment/assessment)
-Assess the risk created due to business operations (likelihood and impact)
-Identify appropriate controls to mitigate the risk (control risk)
-Assess the controls (identify control gaps)
Business Continuity Planning (BCP) - ANSWERS -The preventative and proactive strategic plan to mitigate disruptive incidents to business operations
-Focuses on anticipating business operation disruptions
What does BCP identify? - ANSWERS -Mission-essential functions
-Critical systems
-Single points of failure
Business Impact Analysis (BIA) - ANSWERS -A management tool that helps determine the financial impact of business or organizational changes
Impact Considerations of BIA - ANSWERS -Safety
-Reputation
-Revenue
-Property
What are the different Common Site Implementations? - ANSWERS -Cold site - empty facility with established power, HVAC, and network connectivity to the building
-Warm site - cold site capabilities plus an established network backbone and rack system
-Hot site - warm site capabilities plus established computers, servers, and software