SBOLC Security Fundamentals Exam Questions & Answers 100% Solved!

Pages: 31
Grade: A+
Uploaded on: 07-12-2024
Written in: 2024/2025

NIST - ANSWERS: National Institute of Standards and Technology

What is the NIST Risk Management Framework (RMF)? - ANSWERS:
- Overall framework for the U.S. federal government to manage organizational risk throughout the system development life cycle
- Focuses on security control selection, deployment, and auditing using a seven-step model
- Includes certification and accreditation

Clean Desk Policy - ANSWERS: Secure sensitive items when not in use

Principle of least privilege management - ANSWERS: Just what you need to do your job

Mandatory vacations - ANSWERS:
- Best way to uncover fraud
- Part of onboarding procedures

Job Rotation (rotation of duties) - ANSWERS:
- Identify or uncover fraud
- Cross training / Experience for employees

Separation of Duties - ANSWERS: Partitions responsibilities to minimize abuse or fraud

Hiring and Termination Policy Elements - ANSWERS:
- Background checks
- Social media analysis
- Onboarding procedures (NDA/AUP/Sign for equipment)
- Offboarding procedures (NDA/Return of equipment)
- Exit interview
- Non-disclosure Agreement (NDA)

AUP - ANSWERS: Acceptable Use Policy

EOL - ANSWERS: End of Life

EOS - ANSWERS: End of Service

MOA - ANSWERS: Memorandum of Agreement
- A legally binding written document between multiple parties on a project detailing how they will work together to achieve agreed-upon goals and objectives.

MOU - ANSWERS: Memorandum of Understanding
- A less formal agreement of mutual goals between two or more organizations with a focus on partitioning of responsibilities

BPA - ANSWERS: Business Partners Agreement
- A written agreement defining the general relationship between business partners with a focus on financial matters

Information Lifecycle Model - ANSWERS:
- Creation
- Processing
- Dissemination
- Usage
- Storage
- Disposal

Generic Information Classifications - ANSWERS:
- Low
- Medium
- High

Military Information Classifications - ANSWERS:
- Unclassified
- Confidential
- Secret
- Top Secret

Business Information Classifications - ANSWERS:
- Public
- Private
- Proprietary
- Confidential

Types of Protected Information - ANSWERS:
- Personally Identifiable Information (PII)
- Personal/Protected Health Information (PHI)
- Financial Information
- Government Data
- Customer Data

Risk Management - ANSWERS: The process of identifying, monitoring, and reducing risk to an acceptable level.

Risk Analysis - ANSWERS:
- Threat (the potential to cause harm to an asset)
- Vulnerability (a flaw or hole in the security posture)
- Exploit (a method or technique used to manipulate a flaw)
- Safeguard (a mitigation security control)

Risk Management Strategies - ANSWERS:
- Acceptance: Have an established plan of action
- Avoidance: Removing the activity that creates risk
- Transference: Offloading the risk to an external party
- Mitigation: Reducing risk by installing security control, safeguard, or countermeasures

Types of Risk - ANSWERS:
- Externally-Derived Risk
- Internally-Derived Risk
- Legacy Systems
- Multiparty Involvement
- Intellectual Property Theft
- Software Compliance/Licensing Issues
- Inherent Risk
- Residual Risk

Qualitative Risk Assessment - ANSWERS: Based on human opinion or judgment derived from interviews, surveys, benchmarking, scenario-based exercise, lessons learned analysis, or cross-function workshops

Advantages of Qualitative Risk Assessment - ANSWERS:
- Impact is easily understood
- Can provide rich information beyond financial impacts, such as impact on perceived safety, health, or reputation

Disadvantages of Qualitative Risk Assessment - ANSWERS:
- Prone to inaccuracy or exaggeration
- Limited usefulness towards cost-benefit analysis

Quantitative Risk Assessment - ANSWERS:
- Requires numerical values for both impact and likelihood using data from a variety of sources
- Can be used to support cost-benefit analysis calculations

Advantages to Quantitative Risk Assessment - ANSWERS:
- Supports cost-benefit analysis of risk response options
- Allows computation of necessary capital to achieve a business goal

Disadvantages to Quantitative Risk Assessment - ANSWERS:
- Use of numbers may imply greater precision than what truly exists
- Requires concrete units of measure that may cause obscure or infrequent risk from being recognized

Single Loss Expectancy (SLE) - ANSWERS: SLE = Asset Value (AV) x Exposure Factor (EF%)

Annualized Loss Expectancy (ALE) - ANSWERS: ALE = SLE x Annual Rate of Occurrence (ARO)

Scenario: a building is worth $1,000,000, and a fire breaks out, consuming 70% of the building. A fire occurs about once every 7 years in this geographical area. What is the SLE, and what is the ALE? - ANSWERS:
- SLE = 1,000,000 x 70% = 700,000
- ALE = 700,000 x 1/7 = 700,000/7 = 100,000

Mitigating Operational Risk - ANSWERS:
- Identify risk due to ongoing business operations (risk control self-assessment/assessment)
- Assess the risk created due to business operations (likelihood and impact)
- Identify appropriate controls to mitigate the risk (control risk)
- Assessment of controls (identify control gaps)

Business Continuity Planning (BCP) - ANSWERS:
- The preventative and proactive strategic plan to mitigate disruptive incidents to business operations
- Focuses on anticipating business operation disruptions

What does BCP identify - ANSWERS:
- Mission-essential functions
- Critical systems
- Single points of failure

Business Impact Analysis (BIA) - ANSWERS:
- A management tool that helps determine the financial impact of business of organizational changes

Impact Considerations of BIA - ANSWERS:
- Safety
- Reputation
- Revenue
- Property

What are the different Common Site Implementations? - ANSWERS:
- Cold site - empty facility with established power, HVAC, and network connectivity to the building
- Warm site - cold site capabilities plus an established network backbone and rack system
- Hot site - warm site capabilities plus established computers, servers, and software