(ISC)2 CERTIFIED IN CYBERSECURITY - EXAM PREP
Document specific requirements that a customer has about any aspect of a vendor's
service performance.
A) DLR
B) Contract
C) SLR
D) NDA - Answers :C) SLR (Service-Level Requirements)
_________ identifies and triages risks. - Answers :Risk Assessment
_________ are external forces that jeopardize security. - Answers :Threats
_________ are methods used by attackers. - Answers :Threat Vectors
_________ are the combination of a threat and a vulnerability. - Answers :Risks
We rank risks by _________ and _________. - Answers :Likelihood and impact
_________ use subjective ratings to evaluate risk likelihood and impact. - Answers :Qualitative Risk Assessment
_________ use objective numeric ratings to evaluate risk likelihood and impact. - Answers :Quantitative Risk Assessment
_________ is the level of risk an organization is willing to accept. - Answers :Risk Tolerance
_________ reduce the likelihood or impact of a risk and help identify issues. - Answers :Security Controls
_________ stop a security issue from occurring. - Answers :Preventive Control
_________ identify security issues requiring investigation. - Answers :Detective Control
_________ remediate security issues that have occurred. - Answers :Recovery Control
Hardening == Preventative - Answers :Virus == Detective
Backups == Recovery - Answers :For exam (Local and Technical Controls are the same)
_________ use technology to achieve control objectives. - Answers :Technical Controls
_________ use processes to achieve control objectives. - Answers :Administrative Controls
_________ impact the physical world. - Answers :Physical Controls
_________ tracks specific device settings. - Answers :Configuration Management
_________ provide a configuration snapshot. - Answers :Baselines (track changes)
_________ assigns numbers to each version. - Answers :Versioning
_________ serve as important configuration artifacts. - Answers :Diagrams
_________ analyzes and implements possible responses to control risk. - Answers :Risk Treatment
_________ changes business practices to make a risk irrelevant. - Answers :Risk Avoidance
_________ reduces the likelihood or impact of a risk. - Answers :Risk Mitigation
An organization's _________ is the set of risks that it faces. - Answers :Risk Profile
_________ is the initial risk of an organization. - Answers :Inherent Risk
_________ is the risk that remains in an organization after controls. - Answers :Residual Risk
_________ and _________ help ensure a stable operating environment. - Answers :Change and Configuration Management
Purchasing an insurance policy is an example of which risk management strategy? - Answers :Risk Transference
What two factors are used to evaluate a risk? - Answers :Likelihood and Impact
What term best describes making a snapshot of a system or application at a point in time for later comparison? - Answers :Baselining
What type of security control is designed to stop a security issue from occurring in the first place? - Answers :Preventive
What term describes risks that originate inside the organization? - Answers :Internal
What four items belong to the security policy framework? - Answers :Policies, Standards, Guidelines, Procedures
_________ describe an organization's security expectations. - Answers :Policies (mandatory and approved at the highest level of an organization)
_________ describe specific security controls and are often derived from policies. - Answers :Standards (mandatory)
_________ describe best practices. - Answers :Guidelines (recommendations/advice; compliance is not mandatory)
_________ are step-by-step instructions. - Answers :Procedures (not mandatory)
_________ describe authorized uses of technology. - Answers :Acceptable Use Policies (AUP)
_________ describe how to protect sensitive information. - Answers :Data Handling Policies
_________ cover password security practices. - Answers :Password Policies
_________ cover use of personal devices with company information. - Answers :Bring Your Own Device (BYOD) Policies
_________ cover the use of personally identifiable information. - Answers :Privacy Policies
_________ cover the documentation, approval, and rollback of technology changes. - Answers :Change Management Policies
Which element of the security policy framework includes suggestions that are not mandatory? - Answers :Guidelines
What law applies to the use of personal information belonging to European Union residents? - Answers :GDPR
What type of security policy normally describes how users may access business information with their own devices? - Answers :BYOD Policy
_________ is the set of controls designed to keep a business running in the face of adversity, whether natural or man-made. - Answers :Business Continuity Planning (BCP)
BCP is also known as _________. - Answers :Continuity of Operations Planning (COOP)
Defining the BCP Scope: - Answers :What business activities will the plan cover? What systems will it cover? What controls will it consider?
_________ identifies and prioritizes risks. - Answers :Business Impact Assessment
BCP in the cloud requires _________ between providers and customers. - Answers :Collaboration
_________ protects against the failure of a single component. - Answers :Redundancy
_________ identifies and removes SPOFs. - Answers :Single Point of Failure Analysis
_________ continues until the cost of addressing risks outweighs the benefit. - Answers :SPOF Analysis
_________ uses multiple systems to protect against service failure. - Answers :High Availability
_________ makes a single system resilient against technical failures. - Answers :Fault Tolerance
_________ spreads demand across systems. - Answers :Load Balancing
3 common points of failure in a system. - Answers :Power Supply, Storage Media, Networking
Disk mirroring is which RAID level? - Answers :1
Disk striping with parity is which RAID level? - Answers :5 (uses 3 or more disks to store data)
What goal of security is enhanced by a strong business continuity program? - Answers :Availability
What is the minimum number of disks required to perform RAID level 5? - Answers :3
What type of control are we using if we supplement a single firewall with a second standby firewall ready to assume responsibility if the primary firewall fails? - Answers :High Availability
_________ provide structure during cybersecurity incidents. - Answers :Incident Response Plan
_________ describe the policies and procedures governing cybersecurity incidents. - Answers :Incident Response Plans
_________ leads to strong incident response. - Answers :Prior Planning