Exam (elaborations)

WGU D488 Pre-Assessment

Pages: 47
Grade: A+
Uploaded on: 03-09-2025
Written in: 2025/2026

Which type of security should a business use on its layer 2 switch to isolate the finance network from other departmental networks?
A - Virtual Private Network (VPN)
B - Internet Protocol Security (IPSec)
C - Virtual Local Area Network (VLAN)
D - Remotely Triggered Black Hole (RTBH)
ANS-- C - Virtual Local Area Network (VLAN)
VLANs allow companies to logically segment network traffic, ensuring that devices on different VLANs cannot communicate unless routing between them is explicitly configured on a layer 3 device such as a router.

Which type of software testing should be used when there has been a change within the existing environment?
A - Regression Testing
B - Penetration Testing
C - Requirements Testing
D - Release Testing
ANS-- A - Regression Testing
Regression testing ensures that recent changes within the environment have not introduced new defects or broken existing functionality.

Which security technique should be used to detect a weak password that may match common dictionary words?
A - Password Spraying
B - Password Auditing
C - Password Guessing
D - Password History
ANS-- B - Password Auditing
Password auditing compares existing passwords against lists of known weak passwords to help determine the strength of a credential.

What should an organization implement if it wants users of its site to provide a password, a memorable word, and a PIN?
A - Multi-factor authentication (MFA)
B - Two-factor authentication (2FA)
C - Two-step verification
D - Single-factor authentication
ANS-- A - Multi-factor authentication
MFA enhances security by requiring multiple forms of authentication, thereby reducing the risk of unauthorized access.

A network technician is asked by their manager to update security to block several known bad actor IP addresses. Which type of rule should the technician configure?
A - Signature rules
B - Firewall rules
C - Behavior rules
D - Data loss prevention (DLP) rules
ANS-- B - Firewall rules
Firewall rules can be set up to deny traffic coming from known malicious IP addresses.
On a shopping website, there is a 500-millisecond delay when the authorized payment button is selected for purchases. Attackers have been running a script that alters the final payment and takes 200 milliseconds. Which vulnerability on the website is being targeted by the attackers?
A - Buffer Overflow
B - Integer Overflow
C - Broken Authentication
D - Race Condition
ANS-- D - Race Condition
A race condition occurs when multiple processes or actions execute concurrently and the outcome depends on the sequence or timing of events.

A company wants to provide laptops to its employees so they can work remotely. What should be implemented to ensure only work applications can be installed on company laptops?
A - Containerization
B - Token-based access
C - Patch repository
D - Whitelisting
ANS-- D - Whitelisting
Whitelisting ensures that only approved applications can be installed and executed on company laptops.

What should a business use to provide non-repudiation for emails between employees?
A - TLS/SSL
B - AES-256
C - S/MIME
D - IPSec
ANS-- C - S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME provides non-repudiation for emails by using digital signatures.

Which strategy is appropriate for a risk management team to determine if a business has insufficient security controls?
A - Qualitative assessment
B - Gap assessment
C - Quantitative risk assessment
D - Impact assessment
ANS-- B - Gap assessment
A gap assessment identifies the gaps between the current security controls and the desired or required level of security.

An organization has leased office space that is suitable for its computer equipment so personnel and systems can be relocated if the main office location is unavailable. It currently has some equipment. Which type of site is the organization using?
A - Cold site
B - Warm site
C - Hot site
D - Mobile site
ANS-- B - Warm site
A warm site is a disaster recovery site that provides a partially equipped facility, which can be used to restore critical operations faster than a site with no equipment at all.

A risk assessment consultant is discussing segmentation options with a client. What are a few standard options the consultant could offer? Select the best 2 answers.
A - VLANs
B - Transmission Control
C - Physical
D - Access control lists
ANS-- A & C; VLANs & Physical
A network device can perform segmentation logically, for example by implementing virtual local area networks (VLANs). VLAN segmentation can be bypassed if an attacker gains access to a trunk port, which carries traffic for all VLANs. Physical segmentation is another type of segmentation, more commonly found in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks, where traditionally there are separate IT and OT (operational technology) networks. Transmission control is not a type of segmentation; it defines how a system protects communication channels from infiltration, exploitation, and interception. Access control lists (ACLs) are used to define permissions on a network, file, or object. While they can restrict access to resources, they do not segment a network in the same way as VLANs or physical segmentation.

A disaster recovery manager wants to perform a qualitative analysis on intangible assets but is unsure how to perform the calculations. Which departments should the manager bring on to help determine metrics? Select 3 answers.
A - Marketing
B - Sales
C - Human Resources
D - Communications
ANS-- A, B & D; Marketing, Sales, and Communications
Marketing is one of the departments that should help the manager with the metrics. Qualitative risk assessment is well suited to the analysis of intangible assets, for example an organization's reputation or brand image. Sales is another department brought on to assist the manager with metrics; these groups are best suited to provide input based on their unique insights. Communications is another department that can help the manager assess the value of many intangible business assets and the impacts that various risk events can have on them. The Human Resources department does not necessarily need to participate in an intangible metric discussion.

A security analyst is performing a security assessment and is recommending ways to manage risk relating to personnel. Which of the following should the analyst recommend? Select 3 answers.
A - Mandatory vacation
B - Least privilege
C - Email protection
D - Auditing requirements
ANS-- A, B & D; Mandatory Vacation, Least Privilege, and Auditing Requirements
Mandatory vacation is one way of helping to manage personnel risk: an administrator requires employees to take their vacation time, during which someone else fulfills their duties. The principle of least privilege is a practice in which an administrator gives users only the account privileges they need to perform their duties. This practice serves in various capacities, such as helping against both insider threats and compromised accounts. Auditing requirements describe the capability for auditing account creation, modification, deletion, and account activity for all accounts; auditing is a way to help manage personnel risk. Email protection is a technical control, although it does help to safeguard against attacks targeting personnel.

A security engineer is considering moving his organization's IT services to the cloud but is concerned whether the vendor they are considering will be in business on an ongoing basis. What type of vendor assessment is this?
A - Vendor viability
B - Source code escrow
C - Vendor lock-in
D - Vendor lockout
ANS-- A - Vendor Viability
Vendor viability considers whether a vendor will remain in business on an ongoing basis, has a viable and in-demand product, and has the financial means to stay afloat. Source code escrow is a copy of vendor-developed source code provided to a trusted third party in case the vendor ceases business. Vendor lock-in occurs when a customer is completely dependent on a vendor for products or services, because switching is either impossible or would result in substantial complexity and cost. Vendor lockout occurs when a vendor develops its product in such a way that it is inoperable with other products, and integrating it with other vendors' products is either not feasible or not possible.

A security manager is standing up a risk management program at a company. What should the security manager set up that might be considered the most recognized output?
A - Processes
B - Key Performance Indicators
C - Key Risk Indicators
D - Risk Register
ANS-- D - Risk Register
The risk register can be the most recognized output of the risk management program. It includes metadata such as threat, impact, likelihood, plan, and risk level. Processes are an important component of risk management, but the risk register would be the most recognized output; processes drive consistency and reliability. Key Performance Indicators (KPIs) are a formal mechanism designed to measure the performance of a program against desired goals. Key Risk Indicators (KRIs) are closely related to KPIs: by analyzing KPIs, trends may appear that are indicative of additional risk items, which should be further analyzed and addressed proactively.

A security architect for an organization is conducting an internal assessment of current policies, processes, and procedures to ensure protection for the business's technology and financial operations. Which of the following would be best suited to support this assessment?
A - STAR
B - SOC
C - ISO
D - CMMC
ANS-- B - SOC
System and Organization Controls (SOC) uses standards established by the American Institute of Certified Public Accountants (AICPA) to evaluate policies, processes, and procedures that protect technology and financial operations. The Cloud Security Alliance (CSA) Security Trust and Risk (STAR) program demonstrates a cloud service provider's adherence to key principles of transparency, auditing, and best-practice security operations. International Organization for Standardization (ISO) audits can evaluate many aspects of an organization; however, in terms of cybersecurity, an audit for compliance with the ISO 27k standard is most relevant. Cybersecurity Maturity Model Certification (CMMC) is a set of cybersecurity standards developed and designed by the United States Department of Defense (DoD) to help fortify the DoD supply chain.

A vulnerability management lead for a major company is working with various teams to keep their company secure, but there is a significant number of legacy systems the company worries about, so the lead recommends purchasing an insurance policy. What type of risk strategy is this?
A - Risk avoidance
B - Risk acceptance
C - Risk mitigation
D - Risk transference
ANS-- D - Risk transference
Risk transference (or sharing) refers to assigning risk to a third party; purchasing an insurance policy is the most typical example. Risk avoidance means stopping the activity considered to be risk-bearing. Risk acceptance means that an identified risk area has been evaluated, resulting in an agreement to continue operating the software, hardware, processes, actions, or other similar tasks despite the identified risks. Risk mitigation is the overall process of reducing exposure to, or the effects of, risk factors. This is where the work of risk management really comes into focus.
A security architect is planning a Statement of Work to perform services at various levels of the Risk Management Lifecycle. The security architect should allocate the most hours to which phase?
A - Identify
B - Assess
C - Control
D - Review
ANS-- C - Control
The control phase identifies effective ways to reduce identified risks. The effective identification and implementation of these controls represents a significant amount of the work effort undertaken by security practitioners. The identify phase includes the identification of risk items; in keeping with the first of the critical security controls, security starts with a foundation of asset inventory. The assess phase analyzes identified risks to determine their associated level of risk. In the review phase, an administrator must periodically re-evaluate each risk item to determine whether the risk level has changed or whether the identified controls are still effective.

A security engineer works for a mid-sized retail company on the systems administration team. The company wants to estimate the potential financial impact of a single occurrence of a web server going down, which could lead to lost sales. What is this estimated financial impact per incident called?
A - SLE
B - ALE
C - ARO
D - EF
ANS-- A - SLE (Single Loss Expectancy)
Single Loss Expectancy (SLE) is the amount lost in a single occurrence of the risk factor, such as the cost incurred during downtime. Annual Loss Expectancy (ALE) is the amount lost over the course of a year, or the sum total of all single loss events over a span of 12 months. Annual Rate of Occurrence (ARO) is the number of times in a year that the single loss occurs. Exposure Factor (EF) is the percentage of the asset value lost. The SLE is equal to the exposure factor multiplied by the Asset Value (AV). The AV is the value of an asset, such as a server or even an entire building.

A security project manager is considering transitioning to a cloud-based strategy for a company. The company currently operates with a minimal team in its data center services and aims to reduce its responsibilities while maintaining service quality. Which cloud solution would require the least amount of management and maintenance from this team?
A - IaaS
B - PaaS
C - SaaS
D - On-site
ANS-- C - SaaS
Software as a Service (SaaS) represents the lowest amount of responsibility for the customer, as the facilities, utilities, physical security, platform, and applications are the provider's responsibility. Infrastructure as a Service (IaaS) provides hardware hosted at a provider facility, using the provider's physical security controls and utilities, such as power. Platform as a Service (PaaS) provides a selection of operating systems loaded and configured by the customer; the underlying infrastructure, facilities, utilities, and physical security are the provider's responsibility. On-site (on-premises) hosting would not alleviate the company's workload, since everything would remain on-site and the company would be responsible for all of it.

A security consultant is conducting a security assessment and is trying to communicate reasons that flaws may exist. What are the primary categories in which these flaws exist? Select 3 answers.
A - Communication
B - People
C - Process
D - Technology
ANS-- B, C, & D; People, Process, and Technology
People are ultimately the ones most directly impacted by technology. This is one of the major categories for finding flaws and the reason phishing is the most common vector for breaches. Process is another major area where flaws occur; for example, an ambiguous process might allow attackers to use fraudulent emails to request wire transfers. Technological controls provide effective defenses against many security threats, but they also rely on people and processes. While communication is a component of both people and processes, the three main categories where flaws exist are people, process, and technology.
A disaster recovery manager is trying to assess the residual risk when comparing it to the company's inherent risk. What measures should the manager look at to determine this? Select 3 answers.
A - Risk transference
B - Risk acceptance
C - Risk appetite
D - Risk mitigation
ANS-- A, B, & C; Risk transference, Risk acceptance, and Risk Mitigation
Risk transference is one component of finding residual risk compared to inherent risk. It means assigning risk to a third party, typically exemplified by the purchase of an insurance policy. Risk acceptance is another component of finding residual risk compared to inherent risk: an administrator identifies and evaluates the risk area, resulting in an agreement to continue operating the software, hardware, processes, or other tasks. Risk mitigation is another component of finding residual risk compared to inherent risk. It is the overall process of reducing exposure to, or the effects of, risk factors, and is where the work of risk management really comes into focus. Risk appetite is a strategic assessment of what level of residual risk is tolerable for an organization.

A security architect is explaining logistics security to a non-technical person. What term would the security architect use to describe all of the suppliers, vendors, and partners needed to deliver a final product?
A - Transmission control
B - Vendor policy
C - Vendor viability
D - Supply chain
ANS-- D - Supply chain
The supply chain describes all of the suppliers, vendors, and partners needed to deliver a final product, and it presents a significant amount of risk. Transmission control defines how a system protects communication channels from infiltration, exploitation, and interception. A vendor policy establishes the maturity expected of vendor security operations and defines the minimum set of requirements and expectations. Vendor viability is important when determining whether a vendor will be in business on an ongoing basis, has a viable and in-demand product, and has the financial means to stay afloat.

A security engineer at a software company is currently analyzing its supply chain. What would the company's supply chain most likely involve? Select 3 answers.
A - Chips
B - Source code repositories
C - Development language
D - Third-party libraries
ANS-- B, C, & D; Source code repositories, development language, and third-party libraries
Platforms where developers store and manage their code play a significant role; GitHub, GitLab, and Bitbucket are vital components of many modern software supply chains, and events such as Microsoft's acquisition of GitHub highlight the importance of these repositories. The programming language has various implications, such as the libraries and frameworks a company might use and the platforms it targets. Third-party libraries are often integrated into software projects to expedite development, but they can also represent security risks if they are not updated regularly or originate from untrusted sources. Chips are less likely to be part of a software company's supply chain and much more likely to be part of the supply chain of companies that sell hardware.

A U.S. government agency has contracted a risk auditor to conduct a risk assessment. Which of the following frameworks should the auditor use?
A - ISO 31000
B - COBIT
C - NIST RMF
D - COSO
ANS-- C - NIST RMF (Risk Management Framework)
The National Institute of Standards and Technology Risk Management Framework (NIST RMF) defines standards that US federal agencies must use to assess and manage cybersecurity risks. The International Organization for Standardization (ISO) is one of the world's largest developers of standards, and many international organizations have adopted ISO standards to establish a common taxonomy across diverse industries. The Control Objectives for Information and Related Technologies (COBIT) is a framework created and maintained by the Information Systems Audit and Control Association (ISACA); COBIT frames IT risk from a business leadership viewpoint. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an initiative of five private-sector organizations collaborating on the development of risk management frameworks.

What are the two major components of risk? Select 2 answers.
A - Impact
B - Exploitability
C - Integrity
D - Likelihood
ANS-- A & D - Impact & Likelihood
Impact is the severity of the risk when realized; determining factors include the scope, the value of the asset, and the financial consequences of the event. The likelihood of occurrence is the probability that a threat will take place. Exploitability is a factor, though not one of the main components; it is one of the primary metrics multiplied together to produce a CVSS score. While integrity is not one of the main components, it does play a role in calculating scores under the Common Vulnerability Scoring System (CVSS): the integrity metric describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability.

A consultant for various IT services wants to draft a document that explains basic responsibilities but is concerned that companies will try to fight about additional changes in the project. Therefore, the consultant wants to draft a document to set expectations and keep companies from trying to get more services than they paid for in the agreement. Which would best fit this situation?
A - MOU
B - NDA
C - MSA
D - ISA
ANS-- A - MOU (Memorandum of Understanding)
Widely considered a non-binding agreement, or one that is difficult to enforce in a court setting, a Memorandum of Understanding (MOU) serves as a formal means to define roles and expectations. Non-disclosure agreements (NDAs) are made between entities and define the conditions under which the entities can use data and information. Master service agreements (MSAs) are typically "umbrella" contracts that establish an agreement between two entities to conduct business during a defined term. An interconnection security agreement (ISA) is made between two entities that need to share data via an interface.

A systems administrator has a litigation hold for HIPAA data that is more than four years old. How should the administrator respond?
A - Inform the litigators that data is only kept for 4 years due to HIPAA compliance
B - Release the information requested
C - Deny the request since HIPAA data cannot be shared
D - Consult with the company attorney
ANS-- D - Consult with the company attorney
Systems administrators should consult with company attorneys and management on how to proceed before providing any data to anyone. By regulation, companies must keep HIPAA data for six years. If the administrator had sent the reply regarding four years, the company would most likely be in trouble during a court proceeding, regardless of whether the data was later produced in the litigation. The systems administrator should not immediately release the information, since the law may not allow HIPAA information to be released; attorneys can provide specific guidance in this regard. Denying the request without first consulting attorneys is not advisable, as the litigation could already have taken into account that it is HIPAA data and justified its release.

An IT consultant is starting to travel abroad but has concerns about being able to VPN back home to access a private home network. The consultant would like to watch the latest TV shows, previously recorded digitally, while traveling. What should the consultant research?
A - National export controls
B - Encryption laws
C - Wassenaar arrangement
D - e-Discovery
ANS-- B - Encryption laws
Technologies commonly used in the United States, such as a virtual private network (VPN), may employ encryption techniques that violate laws in other countries. Export laws govern the export of commodities, software, and technology; enforcing export controls requires coordination between countries and the establishment of healthy foreign relations. The Wassenaar arrangement includes forty-two participating states and generally defines controls crafted to prevent a destabilizing accumulation of weaponry by any single nation and to prevent terrorist factions from acquiring advanced weaponry and military capabilities. e-Discovery describes the electronic component of identifying, collecting, and providing the electronically stored information (ESI) identified by a legal hold.

A growing company is researching operations in Europe and is trying to find the regulation applicable to collecting or analyzing data on subjects located there. Which regulation should they research?
A - GDPR
B - COPPA
C - PCI DSS
D - CMMI
ANS-- A - GDPR
The General Data Protection Regulation (GDPR) enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and analyze data on subjects located there. The Children's Online Privacy Protection Act (COPPA) is a US federal law designed to protect the privacy of children (inside and outside of the United States) under the age of thirteen. The Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. Capability Maturity Model Integration (CMMI) describes five levels of maturity within the operational or software capabilities of an organization.

A large corporation has just completed an audit by an Authorization Official who determined that they are compliant. What will the Authorization Official award the corporation? Select 2 answers.
A - Certification
B - ATO
C - Accreditation
D - POAM
ANS-- B & C; ATO & Accreditation
After the Authorization Official accredits a system, they provide a formal letter of accreditation to the system owner, granting the Authority to Operate (ATO) the system for a period of three years. For the corporation to obtain accreditation, the Authorization Official reviews the company's information system and the results of the independent audit. For certification, an independent audit reviews the information system and associated documentation to identify whether the company has implemented the necessary controls outlined in NIST Special Publication (SP) 800-53. A Plan of Actions and Milestones (POAM) identifies existing risks, ongoing monitoring, corrective actions, and current disposition.

A government agency seeks to employ the most robust techniques to guarantee that data on its hard drives is irrecoverable under all circumstances, including the advanced recovery methods used by nation-state actors. Which of the following methods would meet these stringent requirements? Select 2 answers.
A - Format (Quick Format)
B - Crypto erase
C - Disk Defragmentation
D - Purge
ANS-- B & D; Crypto Erase & Purge

A U.S.-based coffee company is expanding its operations to Japan and plans to implement a new payment system that processes credit card transactions. To ensure they follow data protection standards for credit card data, which of the following standards should they comply with?
A - STAR
B - CMMI
C - PCI DSS
D - GDPR
ANS-- C - PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. A Cloud Security Alliance Security Trust and Assurance (CSA STAR) evaluation measures the security capabilities and privacy controls of a cloud service provider against the CSA Cloud Controls Matrix (CCM). Capability Maturity Model Integration (CMMI) describes five levels of maturity within the operational or software capabilities of an organization. The General Data Protection Regulation (GDPR) enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and analyze data on subjects located there.

A new security analyst starts reading about varying privacy laws across different countries. Privacy data typically refers to which of the following?
A - Companies
B - Individuals
C - Children
D - Non-profit organizations
ANS-- B - Individuals
Privacy data generally refers to the type of data that can uniquely identify an individual. Companies generally have to comply with privacy laws, but privacy data does not refer to companies. Children are part of the category that privacy data aims to protect, but they are not the only group; the Children's Online Privacy Protection Act (COPPA) does, however, specifically aim to protect children. Non-profit organizations are not the category that privacy data aims to protect either. It typically refers to data that can identify individuals.

A U.S.-based company has expanded operations globally and decided to start following the 27k standard. However, they have migrated all of their services to the cloud, and they want to follow cloud controls. Which of the following are part of the 27k cloud standards? Select 2 answers.
A - 27002
B - 27017
C - 27018
D - 27701
ANS-- B & C; 27017 & 27018
27017 is one of the standards for cloud security, providing guidelines for information security controls. The International Organization for Standardization (ISO) manages the ISO 27k series. 27018 is another standard for cloud security, providing guidelines for protecting personally identifiable information (PII). ISO 27k includes over a dozen standards and is more suited to global use than the NIST framework. 27002 defines security controls, providing guidelines for organizational security standards, and is used in conjunction with ISO 27001. One important note is that, unlike NIST publications, the ISO 27001 Information Security Management standard cannot be obtained free of charge. 27701 focuses on personal data and privacy and provides guidance for privacy information management.

A security auditor is conducting a compliance audit for his company. Which audit area would describe how long the company is required to keep copies of data?
A - Data classification
B - Data retention
C - Data ownership
D - Data destruction
ANS-- B - Data retention
Data retention defines the timespan for which a company must keep its data. Retention defines not only the minimum amount of time to keep data but also the maximum (or "no longer than") timespan. Data classification establishes the necessary controls, such as security configurations, encryption, access controls, procedures, and physical security, required to adequately protect data. The data owner is the entity held accountable for the protection of the data under their control. Data destruction describes the legally compliant means by which data is removed and made inaccessible.

A small business owner is reviewing third-party vendors to manage the server environment. The company provides IT services, so it is important that they define areas such as data protection requirements, privacy protection requirements, and other concerns. What document should the business owner draft?
A - Data sovereignty
B - Attestation of compliance
C - Integration agreement
D - Statement of classification
ANS-- B - Attestation of compliance (AOC)
An attestation of compliance (AOC) describes the set of policies, contracts, and standards identified as essential in the agreement between two parties. Data sovereignty identifies which country's laws govern the data (the country where the company stores it) and therefore which jurisdiction has control over it; it describes the legal dynamics of data collection and its use in a global economy. An integration agreement is not an industry standard, although integration is an industry concern: modern organizations depend on an ever-growing network of vendors, suppliers, and contractors. A statement of classification is not an industry standard either, but data classification establishes the necessary controls, such as security configurations, encryption, access controls, procedures, and physical security, required to adequately protect data.

A motivated technology analyst is starting a company focused on privacy and anonymity. What country would the technology analyst most likely want to operate from?
A - United States
B - China
C - Argentina
D - Switzerland
ANS-- D - Switzerland
Switzerland would probably be the country of choice due to its uniquely protective privacy laws; some organizations establish operations in Switzerland because of its supporting legal framework. The United States would probably not be the first choice for privacy, as Europe has much more privacy protection and anonymity coverage. China is one of the least likely places for people to expect privacy and anonymity; for example, Google has been in discussions with China about removing data regarding certain events. Argentina has enacted privacy laws to protect individuals, but Switzerland is considered the gold standard.

An owner of a small company produces digital manga in the United States, and it has also become very popular in Japan. Which privacy law should the owner comply with to set up an operation in Japan?
A - APPI
B - HIPAA
C - PDPA
D - GDPR
ANS-- A - APPI
Japan's privacy law, the Act on the Protection of Personal Information (APPI), is the relevant law the owner would want to research before expanding operations. HIPAA is the Health Insurance Portability and Accountability Act, which applies to medical information in the United States; HIPAA is not applicable outside the U.S., but other countries do have parallel standards. The Personal Data Protection Act (PDPA) is the privacy act that Singapore has enacted. The General Data Protection Regulation (GDPR) enforces rules for organizations that offer services to entities in the European Union (EU) or that collect and analyze data on subjects located there.

A system administrator has decided to start a small data center venture for small businesses. What type of agreement should the sysadmin set up to meet the performance metrics defined in Service Level Agreements?
A - ISA (Interconnection security agreement)
B - MSA (Master service agreement)
C - OLA (Operational level agreement)
D - PLA (Privacy level agreement)
ANS-- C - OLA (Operational level agreement)
Operational-level agreements are typically internal documents established by an organization to define its essential operational needs; OLAs are what allow an organization to meet the performance metrics defined in a Service Level Agreement. An interconnection security agreement (ISA) is made between two entities that need to share data via an interface. Master service agreements (MSAs) are typically "umbrella" contracts that establish an agreement between two entities to conduct business during a defined term. A Privacy Level Agreement (PLA) commonly establishes a relationship with a cloud service provider (CSP), going beyond the provisions detailed in an SLA to include metrics and measures related to conformance with specific information privacy and data protection requirements.

A consultant is conducting a compliance audit for a hospital. What type of information is the consultant auditing?
A - PHI
B - PIFI
C - IP
D - PII
ANS-- A - PHI
Protected Health Information (PHI) describes data used to identify an individual that contains information about past, present, or future health, including related payments and data used in the operation of a healthcare business. Personally Identifiable Financial Information (PIFI) describes information about a consumer provided to a financial institution, including account numbers, credit/debit card numbers, personal information, and more. Intellectual property (IP) describes intangible products of human thought and ingenuity; various laws protect intellectual property, such as copyrights, patents, trademarks, and trade secrets. Personally identifiable information (PII) describes data used to directly or indirectly identify an individual.

A system engineer is trying to explain due diligence to a group of system administrators. What word would best describe the idea behind due diligence?
A - Prudent
B - Reasonable
C - Continuous
D - Patching
ANS-- C - Continuous
Due diligence describes the ongoing and documented effort to continuously evaluate and improve the mechanisms that protect assets. Prudent is more akin to due care, which is the basis of due diligence; due diligence is the continued effort of due care. Reasonable is also more akin to due care, and an ongoing effort at due care is due diligence. Due care is intentionally open-ended as "reasonable and expected" and is defined in many different ways, depending on the circumstances. Patching is just one component of due care and, by extension, of due diligence; there are several defense-in-depth layers beyond patching that would also apply.

A data center lead is preparing an organization for disaster recovery by performing an actual test to ensure systems can fail over, but wants to minimize the impact on production systems. Which method should the data center lead use?
A - Parallel test
B - Full interruption
C - Walk-through
D - Tabletop exercise
ANS-- A - Parallel test
In a parallel test, the organization isolates the DR site from the primary site and activates it as though the company were using the DR site. This is the best option to minimize impact.
Any mistakes or issues in a full interruption test can cause a true DR event since the organization is performing the exercise on live systems and data. A walk-through is not an active test, but it requires all groups included in the BCDR plan to identify a representative to participate in a meeting to review the plan. A tabletop exercise is not active but identifies a specific objective and then uses it to determine whether all parties involved in the response know what to do. A security architect is looking for examples of standards and regulations with descriptions of Business Continuity and Disaster Recovery (BCDR) capabilities. Which of the following are examples? Select 3 answers. A - SOX B - GLBA C - DRaaS D - FFIEC - ANS-- A, B, & D; SOX, GLBA & FFIEC The Sarbanes-Oxley (SOX) Act regarding fraudulent accounting is one example of standards and regulations with descriptions of Business Continuity and Disaster Recovery (BCDR) capabilities. The Gramm-Leach-Bliley (GLBA) Act regarding personal financial information is another example of standards and regulations with descriptions of Business Continuity and Disaster Recovery (BCDR) capabilities. The Federal Financial Institutions Examination Council (FFIEC) regarding financial institutions is another example of standards and regulations with descriptions of Business Continuity and Disaster Recovery (BCDR) capabilities. Disaster Recovery as a Service (DRaaS) uses public cloud services as a DR site. This is not a standard or regulation but rather a mechanism to achieve it. A security manager is planning for the needs of an immediate frantic and pressing emergency. Which plan should the security manager focus on developing? A - DRP B - BCP C - MSA D - PLA - ANS-- A - DRP Disaster Recovery Plans (DRPs) focus on when events are their most frantic and pressing. DRPs focus on the tasks required to bring critical systems back online. 
Business Continuity Plans (BCPs) have a broad scope and cover the range of activities from the development of a business continuity policy through the creation of the response plans. Master Service Agreements (MSAs) are typically "umbrella" contracts that establish an agreement between two entities to conduct business during a defined term. A Privacy Level Agreement (PLA) goes beyond the provisions detailed in an SLA to include metrics and measures related to conforming with specific information privacy and data protection requirements. A major retail company needs to set up alternate sites so that despite any unforeseen circumstances, the business has as little impact on its operation as possible. Which of the following would be the best setup? A - Cold site B - Warm site C - Hot site D - Mobile site - ANS-- C - Hot site A hot site is by far the most expensive and complicated option to implement but results in close to real-time activation with little to no service disruption. A cold site is simply a facility under the organization's control but does not have any pre-established information system capability. A warm site includes a data center that is typically scaled-down from the primary site to include the capacity and throughput needed to run critical systems and software. A mobile site can be described as a data center in a box and is a technique employed by the military. A data center manager is planning for disaster recovery. What key element should the manager first gain that is critical to success? A - Staff resources B - Testing activities C - Metrics D - Leadership support - ANS-- D - Leadership support Senior leadership's participation and sponsorship of Business Continuity and Disaster Recovery (BCDR) activities are essential for successful preparedness. Before taking staff resources away from business development projects to work on BCDR planning, first requires senior leadership support. 
Some organizations may have significant plans in place, but the organizations may not have properly tested them. Testing activities gaining BCDR development work will come to a halt if senior leadership is not on board with dedicating resources to perform the testing activities. Key strategic objectives and developing metrics must include BCDR activities to measure operational success. A security consultant works for a U.S.-based company and sets up a data recovery site in Germany. The security consultant is beginning the first verification of a data center failover scenario. What are some common issues the consultant might expect to encounter? Select 3 answers. A - Recovery failure B - Conflicting laws C - Data loss D - Software not working - ANS-- A, C & D; Recovery failure, Data loss, Software not working Failure to recover can be a common issue for various reasons. For example, the entire data center had syncing issues, or the Storage Area Network could have issues syncing, or disks were corrupt at the recovery site. Data loss is another common issue for similar reasons. An administrator should monitor the health status of disaster recovery (DR) devices to help avoid issues. Software may not work when brought up from recovery for various reasons. For example, server configurations may not have deployed exactly the same, or the configurations are the same but need changes made for the DR environment. The administrator should have vetted for conflicting laws when choosing the data recovery site, not after setting everything up and performing failover tests. A security engineer is trying to identify appropriate groups to help determine which groups should be part of incident response. Which guide could they use? 
A - NIST 800-53 B - NIST 800-61 C - ISO standard 15408 D - COBIT - ANS-- B - NIST 800-61 The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, "Computer Security Incident Handling Guide," identifies the groups that are necessary when responding to an incident. NIST 800-53, "Security and Privacy Controls for Information Systems," outlines necessary controls for audits of information systems used for certification. The ISO standard 15408 addresses IT security techniques, including the introduction and general model and the functional and assurance components that define various operations. The Control Objectives for Information and Related Technologies (COBIT) is a framework created and maintained by Information Systems Audit and Control Association (ISACA). COBIT frames IT risk from a business leadership viewpoint. A security architect is creating a business continuity plan (BCP) and is currently assessing how much data the company can lose without causing harm to business operations. What objective is the security architect defining in the BCP? A - Recovery effectiveness B - RPO C - RTO D - RSL - ANS-- B - RPO (Recovery Point Objective) Recovery Point Objective (RPO) defines the amount of data that the company can lose without irreparable harm to the operation of the business. The system architect must define this metric through careful collaboration with the organization, as the requirements may be specified within laws and regulations. Recovery Time Objective (RTO) defines the maximum amount of time that performing a recovery can take and the amount of system downtime an organization can handle. Recovery effectiveness requires the system architect to define how quickly and in what state bringing systems online should occur. The Recovery Service Level (RSL) defines what threshold the recovery effort may exist. For many organizations, this may be the critical operations systems identified in the beginning phases. 
A security engineer is performing a business impact assessment (BIA) for an organization. Where should the security engineer begin? A - Preventative measures B - Inventory C - Contingency strategies D - Patching - ANS-- B - Inventory As with critical security controls, the first step in the development of the BIA is to identify the information systems and the various elements that are part of it. Identifying preventative measures is the third step in business continuity planning. However, security engineers cannot identify preventative measures for information systems unless they are known to exist. Contingency strategies are the fourth step in business continuity planning. Contingency strategies are a critical component in the event that planned strategies fail, but a contingency strategy requires an accurate inventory. Patching may serve to help prevent catastrophic events, but it is not part of the business impact analysis. A disaster recovery planner needs to focus prioritization efforts around operational impact. The disaster recovery planner should focus on which system? A - Demilitarized Zone B - External systems C - Systems with critical vulnerabilities D - Mission critical - ANS-- D - Mission Critical Mission critical systems are most important for operational continuity. However, identifying mission critical systems depends upon collaboration with business units to be able to gauge the impacts realized from an outage. While demilitarized zone (DMZ) systems have an extra risk factor for being externally facing, they may not necessarily be mission critical systems that keep operations running. External systems should be in the demilitarized zone but do not always follow architectural design. As with DMZ systems, they may not necessarily be mission critical. Systems with critical vulnerabilities present an increased risk to the organization, but in disaster recovery planning, the mission critical systems keep operations running and should be a top priority. 
A military unit is going into a foreign country and setting up a small data center for their operations but wants to have an alternate option that is flexible and versatile. Which of the following options would best suit their needs? A - Cold site B - Warm site C - Hot site D - Mobile site - ANS-- D - Mobile site A mobile site can be described as a data center in a box and is a technique employed by the military. A cold site is simply a facility under the organization's control but does not have any pre-established information system capability. A warm site includes a data center that is typically scaled-down from the primary site to include the capacity and throughput needed to run critical systems and software. A hot site is by far the most expensive and complicated option to implement but results in close to real-time activation with little to no service disruption. A mid-size company is considering a backup alternative solution for their small data center operations but is running a skeleton crew. They are starting to look at cloud solutions. Which solution should be their focus? A - DRaaS B - SaaS C - PaaS D - IaaS - ANS-- A - DRaaS Disaster Recovery as a Service (DRaaS) would be a suitable choice for a company with limited personnel. DRaaS offers a turnkey solution where the cloud provider manages disaster recovery process. Software as a Service (SaaS) represents the lowest amount of responsibility for the customer as the facilities, utilities, physical security, platform, and applications are the provider's responsibility. Platform as a Service (PaaS) provides a selection of operating systems that the customer can load and configure. The underlying infrastructure, facilities, utilities, and physical security are the responsibility of the provider. Infrastructure as a Service (IaaS) provides hardware hosted at a provider facility using the provider's physical security controls and utilities, such as power. 
The underlying infrastructure, facilities, utilities and physical security are the responsibility of the provider. A security analyst is leading a disaster recovery simulation and wants to determine whether all parties involved in the response know what to do and how to work together to complete the exercise. What simulation should they perform? A - Checklist B - Walk-through C - Tabletop exercise D - Active failover - ANS-- C - Tabletop exercise The tabletop exercise will identify a specific objective or goal and then use it to determine whether all parties involved in the response know what to do and how to work together to complete the exercise. A checklist test requires copies of the BCDR plan distributed to all the departments, teams, and other participants included in the plan. A walk-through requires all groups included in the BCDR plan to identify a representative to participate in a meeting to review the plans. An active failover is not a simulation, but it would be an option if the parties want to attempt performing an active failover. A security analyst is setting up documents for the outputs of the test or incident, along with recommendations based on the outputs and findings. Which standard should the analyst reference? A - NIST 800-53 B - NIST 800-61 C - NIST 800-84 D - ISO standard 15408 - ANS-- C - NIST 800-84 NIST SP 800-84, the "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities," includes an after-action report template that helps with documentation and findings. NIST 800-53, "Security and Privacy Controls for Information Systems," outlines necessary controls for audits of information systems used for certification. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, "Computer Security Incident Handling Guide," identifies the groups that are necessary when responding to an incident. 
The ISO standard 15408 addresses IT security techniques, including the introduction and general model and the functional and assurance components that define various operations. A security practitioner is conducting a privacy impact assessment (PIA) as part of a business continuity plan. What should the practitioner assess? Select 3 answers. A - Sensitivity B - Collection methods C - Sharing methods D - System inventory - ANS-- A, B & C; Sensitivity, Collection methods, Sharing methods A large part of this assessment includes analyzing the sensitivity level of privacy data. A system containing full names will need to be handled differently from one containing social security numbers or other similar government-supplied identifiers. Another large part of this assessment includes collection methods, including how the company uses and maintains data. This helps to ensure that these processes continue in the event of a disaster. A privacy impact assessment should also document whether the company shares the data and the parties included in the sharing arrangement. The company should have performed a system inventory during the initial stage of the business continuity planning. A network administrator is trying to set up network security so that only trusted devices have network access. What solution should the administrator set up? A - VPN B - DNSSEC C - NGFW D - NAC - ANS-- D - NAC Network Access Control (NAC) allows the creation of policies designed to evaluate connected devices and determine whether to allow access to a network environment. In an enterprise setting, a virtual private network (VPN) has two primary applications: to enable people to connect to the enterprise from home or other remote locations or to provide connectivity between branch locations. Domain Name System Security Extensions (DNSSEC) help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. 
A next-generation firewall (NGFW) can perform all of the tasks of a standard firewall but add additional functionality allowing it to inspect higher-level protocols, such as HTTP, to provide more granular protection against malicious traffic. A website administrator is setting up a cluster of web servers and wants to ensure that if one server goes down, the system in place will route the traffic through the others. Which network appliance should the administrator use? A - Firewall B - Load balancer C - Router D - NAT gateway - ANS-- B - Load balancer A common implementation for load balancers is for fault tolerance, where the load balancer is able to determine if a particular web server in a group is inoperable so that the system can re-direct traffic. Firewalls provide a foundational level of protection for any network by blocking or allowing traffic based on a set of pre-configured rules. Routers forward traffic between subnets by inspecting IP addresses and so operate at layer 3 of the OSI model. A NAT gateway allows connectivity between private subnets, or Virtual Private Clouds (VPC), and the Internet. A security analyst is attempting to create efficiencies by automating certain tasks defined in the security playbook. Which automation tool would help the analyst accomplish this? A - SOAR B - Bootstrapping C - Autoscaling D - VDI - ANS-- A - SOAR Security orchestration, automation, and response (SOAR) automate some of the routine tasks ordinarily performed by security personnel in response to a security incident. Bootstrapping describes the set of automated tasks performed as part of the deployment of an instance. This is not related to security incident handling but is more along the lines of system administration tasks. Autoscaling allows the application of policies that include specific definitions of minimum and maximum capacity. 
Virtual desktop infrastructure (VDI) uses desktop virtualization to separate the personal computing environment from the user's physical machine. A systems administrator has been running a data center full of physical servers for a small company but is worried about ensuring operations. The administrator begins assessing various Type 1 hypervisors for future migration. What are some major Type 1 hypervisors the sysadmin can evaluate for future migration? Select 3 answers. A - ESXi B - Hyper-V C - Windows Server D - XEN - ANS-- A, B & D; ESXi, Hyper-V, XEN VMware ESXi Server is a very popular bare metal virtual platform. It allows installing multiple operating systems that can run simultaneously on a single computer. Microsoft's Hyper-V is Microsoft's solution for Type 1 hypervisors. When choosing a solution, the administrator can do a physical to virtual migration to virtualize the servers to run on the hypervisor. Citrix's XEN Server is another popular solution for Type 1 hypervisors. The hardware needs to only support the base system requirements for the hypervisor plus resources for the type and number of guest OSs that the sysadmin will install. The Windows Server itself is not the Type 1 hypervisor, but Hyper-V is the solution provided by Microsoft. A solutions architect is designing a security architecture for a nuclear power plant facility. Which of the following would be the best design? A - Jump box B - Guest environment C - Peer-to-peer D - Air gap - ANS-- D - Air gap An air gap provides an empty area surrounding a high-value asset, and a security administrator closely monitors it for intrusions. As well as being disconnected from any network, the physical space surrounding the host makes it easier to detect unauthorized attempts to approach the asset. A jump box is a specially configured, highly hardened, and closely monitored system used to perform administrative tasks or to access servers located within an environment. 
Guest environments describe the hosts and networks available for use by visitors, such as the public or vendors. Peer-to-Peer networks are de-centralized networks, meaning that the participating nodes self-organize to provide the types of services typically associated with client-server networks. A cloud engineer is setting up controls between VPCs. Which of the following should the engineer use? A - NAC lists B - VNET C - Screened subnet D - Jump box - ANS-- A - NAC lists In a cloud environment, network access control (NAC) Lists (or "nackles") control inbound and outbound traffic between networks, or more specifically, between virtual private clouds (VPCs). A VPC or virtual network (VNET) allows for the creation of cloud resources within private networks that parallel the functionality of creating the same resources in a traditional, privately operated data center. A screened subnet uses two firewalls placed on either side of the demilitarized zone (DMZ). The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. A jump box is a specially configured, highly hardened, and closely monitored system used to perform administrative tasks or to access servers located within an environment. 40.0% complete Question A cloud architect is analyzing the benefits of a Content Delivery Network (CDN) to assess the potential value to their organization. Which of the following are benefits of a CDN? Select 3 answers. A.Horizontal scalability B.Vertical scalability C.DDoS protection D.Improved customer experience - ANS-- A, C & D; Horizontal scalability, DDoS protection, Improved customer experience Content Delivery Network (CDN) is an example of implementing horizontal scalability. By scaling horizontally, the system achieves additional capacity by adding servers to help process the same workload. CDNs provide a level of DDoS protection. 
CDN architecture improves availability and redundancy, reduces costs, and improves website security by mitigating DDoS attacks. CDNs aim to improve customer experience by improving website load times. CDNs are not examples of vertical scaling. Vertical scaling adds additional resources to an individual system, such as adding processors, memory, and storage to an existing server. A cloud engineer is setting up a zero trust architecture in the company's cloud environment but is looking for a standard to base the design on. Which of the following should the engineer use? A - NIST 800-53 B - NIST 800-61 C - NIST 800-84 D - NIST 800-207 - ANS-- D - NIST 800-207 NIST SP 800-207 is the standard for Zero Trust Architecture. Zero Trust does not define security via network boundaries but instead via resources such as users, services, and workflows. NIST 800-53 Security and Privacy Controls for Information Systems outlines necessary controls for audits of information systems used for certification. The NIST SP 800-61 Computer Security Incident Handling Guide identifies the groups that are necessary when responding to an incident. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-84, "Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities," includes an after-action report template that helps with documentation and findings. A security architect is designing a strategy to help continue operating in the face of a cyber-attack. Which of the following will help to accomplish this objective? Select 3 answers. A - Heterogeneity B - Clustering C - COA development D - Migrating to the cloud - ANS-- A, B & C; Heterogeneity, Clustering, COA Development Heterogeneity (or diversity) refers to components that are not the same as or similar to each other. This diversity adds a layer of complexity that can slow an adversary from infiltrating an enterprise before detection. 
Clustering allows multiple redundant processing nodes that share data with one another to accept connections, providing redundancy. Part of a resilience strategy is to apply some course of action (COA) development in response to specific events. COA helps to respond accordingly in a prepared manner. Migrating to the cloud will not help protect organizations if they do not apply a defense in depth security approach. The cloud might make it easier to do, but they still have to do it. A Linux administrator is configuring ModSecurity for Apache servers. Which type of attacks should the administrator set rule configurations? Select 2 answers. A - File inclusion B - Geoblocking C - Directory traversal D - Cleartext protocols - ANS-- A & C; File inclusion & Directory traversal ModSecurity is a popular web application firewall for Apache servers, which helps defend against application layer attacks. File inclusion attacks are one of these application-level attacks. Directory traversal attacks are also application layer attacks that web application firewalls help defend against. Geoblocking is a network layer defense that is typically set up on perimeter routers before traffic reaches a web application firewall. WAFs typically focus on the application layer. Protocols and network layer protections are usually set up on a traditional firewall before it reaches a web application firewall. A security architect is setting up their demilitarized zone to place one firewall on each side. What is this type of configuration called? A - Staging environment B - ACLs C - Screened subnet D - Peer-to-peer - ANS-- C - Screened subnet A screened subnet uses two firewalls placed on either side of the DMZ. The edge firewall restricts traffic on the external/public interface and allows permitted traffic to the hosts in the DMZ. Staging environments are a mirror of the production environment often used to test changes to infrastructure, software, and data. 
An access control list (ACL) is a broad term that defines how objects can interact with each other. Peer-to-Peer networks are de-centralized networks, meaning that the participating nodes self-organize to provide the types of services typically associated with client-server networks. A security engineer is setting up a security solution that can enforce mandatory access controls between two connected sites. Which of the following should the engineer implement? A - Directory services B - IdP (Identity provider) C - CDS (Cross domain solution) D - Nackles (NAC lists) - ANS-- C - CDS (Cross domain solution) Cross Domain Solutions (CDS) operate as guardians between two connected sites. CDSs are typically associated with military establishments whereby the CDS can enforce mandatory access controls (MAC) and interpret data sensitivity levels. Directory services are the principal means of providing privilege management and authorization on an enterprise network, storing information about users, computers, security groups/roles, and services. An identity provider (IdP) allows users to access various service providers (SPs) by authenticating the user and granting a token for access to the SP. In a cloud environment, NAC Lists (or "nackles") control inbound and outbound traffic between networks, or more specifically, between virtual private clouds (VPCs). A young technician is in charge of the security awareness program for an organization and begins looking at common attack vectors. Which tools are best suited to help defend against social engineering attacks? A - Firewall B - Email Security C - Web Application Firewall D - DDoS Protection - ANS-- B - Email Security

WGU D488 Pre-Assessment
Which type of security should a business use on its layer 2 switch to isolate the finance network
from other departmental networks?
A - Virtual Private Network (VPN)
B - Internet Protocol Security (IPSec)
C - Virtual Local Area Network (VLAN)
D - Remotely Triggered Black Hole (RTBH) - ANS-- C - Virtual Local Area Network (VLAN)

VLANs allow companies to logically segment network traffic, ensuring devices on different
VLANs cannot communicate unless otherwise specified in a layer 3 device like a router.

Which type of software testing should be used when there has been a change within the
existing environment?
A - Regression Testing
B - Penetration Testing
C - Requirements Testing
D - Release Testing - ANS-- A - Regression Testing

Regression testing ensures that recent changes within the environment have not introduced
new defects or broken existing functionality.

Which security technique should be used to detect a weak password that may match common
dictionary words?
A - Password Spraying
B - Password Auditing
C - Password Guessing
D - Password History - ANS-- B - Password Auditing

Password auditing allows for existing passwords to be compared against known weak
passwords to help determine the security of a credential.

What should an organization implement if it wants users of their site to provide a password,
memorable word, and pin?
A - Multi-factor authentication (MFA)
B - Two-factor authentication (2FA)
C - Two-step verification
D - Single-factor authentication - ANS-- A - Multi-factor authentication

MFA enhances security by requiring more than one form of authentication, reducing the risk that
a single stolen credential grants access. Note, however, that a password, a memorable word and
a PIN are all knowledge factors (something you know); strictly, that is multi-step verification of
one factor type, and a true second factor would be something you have (hardware token,
authenticator app) or something you are (biometric).

A network technician is asked by their manager to update security to block several known bad
actor IP addresses.
A - Signature rules
B - Firewall rules
C - Behavior rules
D - Data loss prevention (DLP) rules - ANS-- B - Firewall rules

Firewall rules can be set up to deny traffic to and from known malicious IP addresses. Signature
and behavior rules match on payload or activity patterns rather than on source address, and
DLP rules control outbound sensitive data.

On a shopping website, there is a 500-millisecond delay when the authorized payment button is
selected for purchases. Attackers have been running a script to alter the final payment that
takes 200 milliseconds. Which vulnerability on the website is being targeted by the attackers?
A - Buffer Overflow
B - Integer Overflow
C - Broken Authentication
D - Race Condition - ANS-- D - Race Condition

A race condition (here a time-of-check/time-of-use, or TOCTOU, flaw) occurs when the outcome
depends on the relative timing of concurrent actions. The site validates the payment amount
when the button is pressed but commits it 500 milliseconds later, so a script that changes the
amount within that window is charged the altered total.
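The check-then-commit gap described above, as an added example that is not part of the original study guide: a hypothetical checkout flow in Python, first with the race left open and then closed by binding the capture to a server-signed quote of the authorized amount. Order, checkout_vulnerable, issue_quote, checkout_hardened, tamper and QUOTE_KEY are all constructed for this illustration; the attacker's script is simulated by a callback so the race is deterministic rather than timing-dependent.

```python
"""Added example (not from the original study guide): a TOCTOU race in a
checkout flow, and a hardened version that closes the window.

The server reads the order total when "authorize payment" is pressed, then
finalizes the charge after a processing delay. If the order can be changed
during that delay, the vulnerable version charges the altered amount. All
names here are hypothetical; the attacker is a callback standing in for the
script that runs inside the delay.
"""

import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side secret; in production this comes from a secret store.
QUOTE_KEY = b"example-quote-signing-key"


@dataclass
class Order:
    """Constructed sample order: SKU -> line price in cents. Mutable, like a real cart."""
    order_id: str
    items: Dict[str, int] = field(default_factory=dict)

    def total(self) -> int:
        return sum(self.items.values())


Attacker = Optional[Callable[[Order], None]]


def checkout_vulnerable(order: Order, during_window: Attacker = None) -> int:
    """Time of check: read and validate the total the customer approved.
    Time of use: after the delay, charge whatever the order says *now*.
    Anything that mutates the order in between wins the race."""
    approved = order.total()
    if approved <= 0:
        raise ValueError("empty order")
    if during_window:
        during_window(order)  # the attacker's script runs inside the delay
    return order.total()      # charged amount comes from the (possibly tampered) order


def issue_quote(order: Order) -> str:
    """Authorize step: freeze the approved amount in a server-signed quote."""
    payload = json.dumps({"order_id": order.order_id, "total": order.total()}, sort_keys=True)
    tag = hmac.new(QUOTE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def checkout_hardened(order: Order, quote: str, during_window: Attacker = None) -> int:
    """Capture step: charge only the amount bound in the quote, and refuse to
    capture if the order no longer matches what was authorized."""
    payload, _, tag = quote.rpartition(".")
    expected = hmac.new(QUOTE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("quote signature invalid")
    approved = json.loads(payload)
    if approved["order_id"] != order.order_id:
        raise ValueError("quote belongs to a different order")
    if during_window:
        during_window(order)  # same window, but the attacker's edit is now detected
    if order.total() != approved["total"]:
        raise ValueError("order changed after authorization; capture refused")
    return approved["total"]


def tamper(order: Order) -> None:
    """Constructed attacker: drop the line price to 1 cent inside the window."""
    order.items["laptop"] = 1


def demo() -> Tuple[int, int, bool]:
    """Returns (amount charged by the vulnerable flow under attack,
    amount charged by the hardened flow when honest, whether the hardened
    flow refused the attacked capture)."""
    vulnerable = checkout_vulnerable(Order("A1", {"laptop": 150_000}), tamper)  # 1
    honest = Order("A2", {"laptop": 150_000})
    ok = checkout_hardened(honest, issue_quote(honest))                        # 150000
    attacked = Order("A3", {"laptop": 150_000})
    quote = issue_quote(attacked)
    try:
        checkout_hardened(attacked, quote, tamper)
        refused = False
    except ValueError:
        refused = True                                                         # True
    return vulnerable, ok, refused


if __name__ == "__main__":
    print(demo())
```

The fix is not to shrink the 500 ms window (the attacker only needs to be faster than the server) but to make the committed amount come from state the client cannot change after authorization, and to re-verify at commit time that nothing it depends on has moved.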

A company wants to provide laptops to its employees so they can work remotely. What should
be implemented to ensure only work applications can be installed on company laptops?
A - Containerization
B - Token-based access
C - Patch repository
D - Whitelisting - ANS-- D - Whitelisting

Whitelisting (now usually called application allow listing) permits only explicitly approved
applications to be installed and executed on company laptops; everything not on the list is
blocked by default. Containerization isolates work data and apps from personal ones but does not
by itself restrict what can be installed.

What should a business use to provide non-repudiation for emails between employees?
A - TLS/SSL
B - AES-256
C - S/MIME
D - IPSec - ANS-- C - S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME provides non-repudiation by digitally signing each message with the sender's private key,
tying the message to the sender's certificate. TLS/SSL and IPSec protect data only in transit
between endpoints and leave no per-message proof of origin, and AES-256 provides confidentiality,
not authorship.

Which strategy is appropriate for a risk management team to determine if a business has
insufficient security controls?
A - Qualitative assessment
B - Gap assessment
C - Quantitative risk assessment

D - Impact assessment - ANS-- B - Gap assessment

A gap assessment compares the controls currently in place against the desired or required
baseline (for example, a framework or regulatory standard) and identifies where they fall short.

An organization has leased office space that is suitable for its computer equipment so personnel
and systems can be relocated if the main office location is unavailable. It currently has some
equipment. Which type of site is the organization using?
A - Cold site
B - Warm site
C - Hot site
D - Mobile site - ANS-- B - Warm site

A warm site is a partially equipped disaster recovery facility: space, power and connectivity
are in place and some equipment is installed, so critical operations can be restored faster than
at a cold site (empty space) but not immediately, as at a hot site.

A risk assessment consultant is discussing segmentation options with a client. What are a few
standard options the consultant could offer? Select the best 2 answers.
A - VLANs
B - Transmission Control
C - Physical
D - Access control lists - ANS-- A & C; VLANs & Physical

A network device can perform segmentation logically, for example by implementing virtual local
area networks (VLANs). VLAN segmentation can be bypassed if an attacker gains access to a trunk
port, which carries traffic for all VLANs (VLAN hopping).

Physical segmentation is another type of segmentation more commonly found in industrial
control systems (ICS) and supervisory control and data acquisition (SCADA) networks. This is
where, traditionally, there is an IT and OT (operational technology) network.

Transmission control is not a type of segmentation. Transmission control defines how a system
protects communication channels from infiltration, exploitation, and interception.

Access control lists (ACLs) are used to define permissions on a network, file, or object. While
they can restrict access to resources, they do not segment a network in the same way as
VLANs or physical segmentation.

A disaster recovery manager wants to perform a qualitative analysis on intangible assets but is
unsure how to perform the calculations. Which departments should the manager bring on to
help determine metrics? Select 3 answers.
A - Marketing
B - Sales
C - Human Resources

D - Communications - ANS-- A, B & D; Marketing, Sales, and Communications

Marketing is one of the departments that should help the manager with the metrics. Qualitative
risk assessment is well-suited to the analysis of intangible assets, for example, an organization's
reputation or brand image.

Sales is another department brought on to assist the manager with metrics, since it has direct
insight into how customers would react to a risk event.

Communications is another department that can help the manager assess the value of many
intangible business assets and the impacts that various risk events can have on them.

The Human Resource department does not necessarily need to participate in an intangible
metric discussion.

A security analyst is performing a security assessment and is recommending ways to manage
risk relating to personnel. Which of the following should the analyst recommend? Select 3
answers.
A - Mandatory vacation
B - Least privilege
C - Email protection
D - Auditing requirements - ANS-- A, B & D; Mandatory Vacation, Least Privilege, and Auditing
Requirements

Mandatory vacation is one way of helping to manage personnel risk. An administrator forces
employees to take their vacation time, during which someone else fulfills their duties.

The principle of least privilege is a practice in which an administrator gives users only the
account privileges they need to perform their duties. It limits the damage from both insider
misuse and compromised accounts.

Auditing requirements describe the capability for auditing account creation, modification,
deletion, and account activity for all accounts. Auditing is a way to help manage personnel risk.

Email protection is a technical control: it helps protect personnel from phishing and similar
attacks, but it does not manage the risk posed by personnel themselves.

A security engineer is considering moving his organization's IT services to the cloud but is
concerned whether the vendor they are considering will be in business on an ongoing basis.
What type of vendor assessment is this?
A - Vendor viability
B - Source code escrow
C - Vendor lock-in
D - Vendor lockout - ANS-- A - Vendor Viability

Document information

Uploaded on
September 3, 2025
Number of pages
47
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers
Seller
susangitonga (Teachme2-tutor)