1. Which of the following equations accurately describes the relationship between Risk, Threat, and Vulnerability?
A.
B.
C.
D.
Correct Answer:
Explanation: Risk is commonly defined in cybersecurity as the probability of a Threat exploiting a Vulnerability to cause a negative impact.
2. A company decides to purchase cyber insurance to cover the potential financial loss of a data breach. Which risk management strategy is this?
A. Risk Avoidance
B. Risk Mitigation
C. Risk Transference
D. Risk Acceptance
Correct Answer: Risk Transference
Explanation: Risk Transference (or sharing) involves shifting the impact of a risk to a third party, such as an insurance company.
3. If the Single Loss Expectancy (SLE) is and the Annualized Rate of Occurrence (ARO) is $0.5$, what is the Annualized Loss Expectancy (ALE)?
A.
B.
C.
D.
Correct Answer:
Explanation: The formula for ALE is . Therefore, .
4. Which document formally defines the level of service a vendor is expected to provide, including uptime guarantees and penalties for non-compliance?
A. NDA (Non-Disclosure Agreement)
B. SLA (Service Level Agreement)
C. MOU (Memorandum of Understanding)
D. ISA (Interconnection Security Agreement)
Correct Answer: SLA (Service Level Agreement)
Explanation: An SLA is a contract between a service provider and a customer that specifies the services to be provided, the expected performance levels (e.g., uptime), and penalties for failure.
5. What is Residual Risk?
A. The risk that exists before any controls are applied
B. The risk remaining after security controls have been implemented
C. The total financial risk of an organization
D. The risk associated with vendor bankruptcy
Correct Answer: The risk remaining after security controls have been implemented
Explanation: Residual risk is calculated as . It is the risk that management must choose to accept after mitigation efforts.
6. Which personnel policy is designed specifically to detect fraud or malicious activities by forcing an employee to take time off, allowing others to review their work?
A. Separation of Duties
B. Least Privilege
C. Mandatory Vacation
D. Job Rotation
Correct Answer: Mandatory Vacation
Explanation: Mandatory vacation policies require employees to take leave, during which time their duties are covered by others, potentially exposing fraud or errors they were concealing.
7. In the context of data classification, which role is typically responsible for implementing the technical controls to protect data (e.g., backups, encryption) based on its classification?
A. Data Owner
B. Data Custodian
C. Data User
D. Chief Information Security Officer (CISO)
Correct Answer: Data Custodian
Explanation: The Data Owner determines the classification and access rights, while the Data Custodian is responsible for the technical implementation of those protections (storage, backups, encryption).
8. Which compliance standard is mandatory for any organization that handles credit card transactions?
A. HIPAA
B. GDPR
C. PCI-DSS
D. FISMA
Correct Answer: PCI-DSS
Explanation: PCI-DSS (Payment Card Industry Data Security Standard) applies to all entities that store, process, or transmit cardholder data.
9. What is the primary difference between Qualitative and Quantitative risk assessment?
B. Qualitative relies on subjective terms (Low, Medium, High); Quantitative relies on numerical financial data
C. Qualitative is for financial audits; Quantitative is for IT audits
D. There is no difference
Correct Answer: Qualitative relies on subjective terms (Low, Medium, High); Quantitative relies on numerical financial data
Explanation: Qualitative analysis prioritizes risk based on subjective scales (High/Medium/Low), while Quantitative analysis attempts to assign specific monetary values (e.g., ALE calculation).
10. Under GDPR, the 'Right to be Forgotten' allows individuals to:
A. Request a copy of all their data
B. Request the deletion of their personal data
C. Sue the company for data breaches
D. Encrypt their own data on the company server
Correct Answer: Request the deletion of their personal data
Explanation: The Right to Erasure, also known as the Right to be Forgotten, allows data subjects to request the removal of personal data when there is no compelling reason for its continued processing.
11. Which type of audit is conducted by a third-party organization to provide an unbiased verification of compliance?
A. Internal Audit
B. External Audit
C. Self-Assessment
D. Gap Analysis
Correct Answer: External Audit
Explanation: External audits are performed by independent third parties to provide an objective assessment of an organization's compliance and security posture.
12. Which vendor management concept refers to the process of evaluating a supplier's security posture before signing a contract?
A. Off-boarding
B. Incident Response
C. Due Diligence
D. Risk Acceptance
Correct Answer: Due Diligence
Explanation: Due diligence involves investigating and evaluating a potential vendor's financial stability, security controls, and compliance history before entering a partnership.
13. In a Zero Trust architecture, which of the following is a core principle?
A. Trust but verify
B. Never trust, always verify
C. Trust internal network traffic implicitly
D. Perimeter firewalls are sufficient
Correct Answer: Never trust, always verify
Explanation: Zero Trust assumes that no user or device, whether inside or outside the network perimeter, should be trusted by default. Every request is authenticated and authorized.
14. Which term describes the concept of granting users only the permissions necessary to perform their job functions?
A. Defense in Depth
B. Principle of Least Privilege
C. Separation of Duties
D. Security by Obscurity
Correct Answer: Principle of Least Privilege
Explanation: The Principle of Least Privilege (PoLP) dictates that a subject should be given only those privileges necessary to complete its task.
15. Which report type is best suited for providing detailed security controls testing results to a business partner or auditor (e.g., SOC 2)?
A. Type I Report
B. Type II Report
C. Attestation of Compliance
D. Gap Analysis Report
Correct Answer: Type II Report
Explanation: A SOC 2 Type II report assesses the design and operating effectiveness of controls over a period of time (usually 6-12 months), making it the standard for serious vendor verification.
16. What is the primary purpose of a Gap Analysis?
A. To punish employees for non-compliance
B. To compare current security posture against a desired standard to identify missing controls
C. To calculate the exact financial cost of a breach
D. To configure a firewall
Correct Answer: To compare current security posture against a desired standard to identify missing controls
Explanation: Gap analysis identifies the difference (gap) between the current state of an organization's security and the target state required by standards or regulations.
17. Which of the following data types would likely require the highest level of security classification?
A. Marketing brochures on the public website
B. Internal cafeteria menu
C. Employee Personally Identifiable Information (PII) and payroll data
D. Standard operating procedure manuals
Correct Answer: Employee Personally Identifiable Information (PII) and payroll data
Explanation: PII and financial data are sensitive and legally protected, requiring strict confidentiality controls compared to public or internal-only operational data.
18. What is Supply Chain Risk Management (SCRM) focused on?
A. Managing the logistics of shipping products
B. Identifying and mitigating risks associated with third-party vendors, software, and hardware suppliers
C. Ensuring employees arrive at work on time
D. Managing the internal network cables
Correct Answer: Identifying and mitigating risks associated with third-party vendors, software, and hardware suppliers
Explanation: SCRM focuses on risks introduced by external entities that provide products or services, with the aim of preventing supply-chain compromises such as the SolarWinds incident.
19. A Risk Register is used to:
A. Log every user who logs into the system
B. Record identified risks, their severity, and planned mitigation strategies
C. Register new employees for benefits
D. List all hardware assets in the server room
Correct Answer: Record identified risks, their severity, and planned mitigation strategies
Explanation: A Risk Register is a central repository for tracking risks, their probability/impact scores, owners, and status of mitigation efforts.
20. Which US regulation specifically governs the security and privacy of healthcare data?
A. SOX
B. HIPAA
C. GLBA
D. FERPA
Correct Answer: HIPAA
Explanation: HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient health information (PHI) in the US.
21. What is the Separation of Duties principle?
A. One person performs all critical steps of a process to ensure speed
B. Dividing critical tasks among multiple people to prevent fraud and error
C. Separating the IT department from the HR department
D. Ensuring servers are in different physical locations
Correct Answer: Dividing critical tasks among multiple people to prevent fraud and error
Explanation: Separation of Duties ensures that no single individual has total control over a critical process (e.g., one person approves a purchase order, another processes the payment).
22. Which document outlines the rules for employee use of company technology assets, internet, and email?
A. SLA (Service Level Agreement)
B. AUP (Acceptable Use Policy)
C. NDA (Non-Disclosure Agreement)
D. MOU (Memorandum of Understanding)
Correct Answer: AUP (Acceptable Use Policy)
Explanation: The Acceptable Use Policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the internet.
23. Risk Avoidance involves:
A. Implementing a firewall to block an attack
B. Buying insurance
C. Discontinuing the activity or technology that generates the risk
D. Monitoring the risk without taking action
Correct Answer: Discontinuing the activity or technology that generates the risk
Explanation: Risk Avoidance is the strategy of eliminating the risk entirely by withdrawing from the activity that causes it (e.g., deciding not to collect SSNs to avoid the risk of leaking them).
24. Which recent trend refers to embedding privacy considerations into the design specifications of technologies from the very beginning?
A. Privacy by Chance
B. Privacy by Design
C. Reactive Privacy
D. Obfuscation
Correct Answer: Privacy by Design
Explanation: Privacy by Design is a framework that requires privacy to be taken into account throughout the whole engineering process, not just added as an afterthought.
25. When calculating risk quantitatively, what does AV stand for?
A. Annual Velocity
B. Asset Value
C. Attack Vector
D. Assessment Verification
Correct Answer: Asset Value
Explanation: Asset Value (AV) represents the financial worth of the asset being protected, used in formulas like .
26. What is a Fourth-Party Risk?
A. Risk from internal employees
B. Risk from the government
C. Risk posed by your vendor's vendors
D. Risk from customers
Correct Answer: Risk posed by your vendor's vendors
Explanation: Fourth-party risk refers to the risk introduced by the subcontractors or suppliers of your direct vendors (third parties).
27. Which term describes a clause in a vendor contract that allows the customer to review the vendor’s compliance and security controls?
A. Right to Audit
B. Right to Refuse
C. Indemnification
D. Limitation of Liability
Correct Answer: Right to Audit
Explanation: A 'Right to Audit' clause grants the organization the legal permission to inspect a vendor’s operations or records to ensure compliance with the contract.
28. What is Data Sovereignty?
A. The concept that data is subject to the laws of the country in which it is physically located
B. The right of the CEO to own all company data
C. The ability to move data freely across all borders
D. Encryption of data at rest
Correct Answer: The concept that data is subject to the laws of the country in which it is physically located
Explanation: Data Sovereignty implies that digital data is subject to the laws of the country in which it is processed or stored, affecting cloud storage decisions.
29. During the Onboarding process, which step is crucial for security?
A. Assigning a parking spot
B. Conducting background checks and signing NDAs
C. Showing the location of the coffee machine
D. Providing branded merchandise
Correct Answer: Conducting background checks and signing NDAs
Explanation: Background checks verify the trustworthiness of new hires, and NDAs legally bind them to maintain confidentiality.
30. What is the formula for Single Loss Expectancy (SLE)?
A.
B.
C.
D.
Correct Answer:
Explanation: SLE is calculated by multiplying the value of the asset by the percentage of loss expected from a single event (Exposure Factor).
31. Which of the following best describes Inherent Risk?
A. The risk remaining after controls
B. The baseline risk level before any controls or mitigations are applied
C. The risk transferred to insurance
D. The risk of natural disasters only
Correct Answer: The baseline risk level before any controls or mitigations are applied
Explanation: Inherent risk is the natural level of risk in a process or activity if no controls are in place to mitigate it.
32. Which data sanitization method is most secure for magnetic hard drives that will be discarded?
A. Standard Formatting
B. Degaussing or Physical Destruction
C. Deleting the partition table
D. Reinstalling the OS
Correct Answer: Degaussing or Physical Destruction
Explanation: Physical destruction (shredding) or degaussing (disrupting the magnetic field) ensures data cannot be recovered. Formatting often leaves data recoverable.
33. What is the primary goal of an Exit Interview regarding security?
A. To ask for feedback on the cafeteria
B. To retrieve assets (laptops, keys) and remind the employee of continuing NDA obligations
C. To convince the employee to stay
D. To plan the farewell party
Correct Answer: To retrieve assets (laptops, keys) and remind the employee of continuing NDA obligations
Explanation: Security-focused exit procedures ensure access is revoked, hardware is returned, and the departing employee understands they are still legally bound not to share trade secrets.
34. Which recent governance trend involves using AI and automation to ensure continuous adherence to regulations?
A. Manual Auditing
B. Automated Compliance / RegTech
C. Paper-based Governance
D. Annual Checkups
Correct Answer: Automated Compliance / RegTech
Explanation: Regulatory Technology (RegTech) and automated compliance tools monitor systems continuously to ensure they remain within regulatory bounds, replacing periodic manual checks.
35. What is the definition of Risk Appetite?
A. The total amount of risk an organization can bear before collapsing
B. The amount and type of risk an organization is willing to pursue or retain
C. The cost of insurance premiums
D. The speed at which a risk impacts the organization
Correct Answer: The amount and type of risk an organization is willing to pursue or retain
Explanation: Risk Appetite is a strategic decision by leadership regarding how much risk they are willing to accept in pursuit of their objectives.
36. Which control type is intended to discourage a potential attacker?
A. Preventive
B. Corrective
C. Deterrent
D. Detective
Correct Answer: Deterrent
Explanation: Deterrent controls (like warning signs, cameras, or fences) are designed to psychologically discourage an attacker from attempting a breach.
37. In the context of Risk Management, what is Control Risk?
A. The risk that a control will fail to prevent or detect a security issue
B. The risk of controlling too much
C. The risk of an audit
D. The risk of data loss
Correct Answer: The risk that a control will fail to prevent or detect a security issue
Explanation: Control risk is the possibility that a security control (like a firewall or antivirus) is ineffective or bypassed.
38. What is the distinction between a Vulnerability Assessment and a Penetration Test?
A. Vulnerability assessments exploit flaws; Pen tests only list them
B. Vulnerability assessments identify and list potential flaws; Pen tests attempt to exploit them
C. They are exactly the same
D. Pen tests are automated; Vulnerability assessments are manual
Correct Answer: Vulnerability assessments identify and list potential flaws; Pen tests attempt to exploit them
Explanation: Vulnerability assessments are usually automated scans to find known weaknesses. Penetration tests are active simulations of an attack to see if those weaknesses can actually be exploited.
39. Which of the following is NOT a category of security controls?
A. Administrative (Managerial)
B. Technical (Logical)
C. Physical
D. Financial
Correct Answer: Financial
Explanation: The three primary categories of security controls are Administrative (policies), Technical (software/hardware), and Physical (locks/guards). Financial is not a standard category of security control.
40. The CMMC (Cybersecurity Maturity Model Certification) is a recent compliance requirement primarily for:
A. Hospitals
B. Retail stores
C. Contractors in the US Defense Industrial Base (DIB)
D. European banks
Correct Answer: Contractors in the US Defense Industrial Base (DIB)
Explanation: CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DOD contractors).
41. What is the purpose of Data Retention Policies?
A. To keep all data forever
B. To define how long specific data must be kept and when it should be destroyed
C. To increase storage costs
D. To slow down the database
Correct Answer: To define how long specific data must be kept and when it should be destroyed
Explanation: Retention policies ensure compliance with laws requiring data to be kept for a certain time, and reduce liability/cost by mandating destruction after that time.
42. If a risk has a high impact but a very low probability of occurrence, how is it usually managed?
A. Ignored completely
B. Transferred (Insurance) or Mitigated via disaster recovery plans
C. Mitigated with expensive daily controls
D. Accepted as a daily cost of business
Correct Answer: Transferred (Insurance) or Mitigated via disaster recovery plans
Explanation: High impact/low probability risks (like earthquakes) are often transferred via insurance or prepared for with contingency plans, rather than expensive daily preventive controls.
43. What does the term Vendor Lock-in refer to?
A. Locking the vendor's office
B. Dependency on a vendor that makes it difficult or expensive to switch to a competitor
C. Securing vendor data with encryption
D. Signing a long-term NDA
Correct Answer: Dependency on a vendor that makes it difficult or expensive to switch to a competitor
Explanation: Vendor lock-in is a risk where proprietary formats or heavy integration make moving to a new provider prohibitively difficult.
44. Which is an example of a Technical control?
A. Security Awareness Training
B. Background Checks
C. Firewall ACL (Access Control List)
D. Security Guard
Correct Answer: Firewall ACL (Access Control List)
Explanation: Technical (or logical) controls use technology to restrict access, such as firewalls, encryption, and authentication systems.
45. Which privacy regulation applies to the personal data of residents in California?
Explanation: CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California.
46. What is the role of the Data Owner?
A. To perform the daily backups
B. To maintain the server hardware
C. To bear ultimate responsibility for the data and define its classification and access rules
D. To write the code for the application
Correct Answer: To bear ultimate responsibility for the data and define its classification and access rules
Explanation: The Data Owner is usually a senior manager who is ultimately responsible for the data's protection and decides who has the right to access it.
47. Which of the following is a key component of an Incident Response Plan regarding personnel?
A. Call trees and contact lists
B. Payroll information
C. Employee birthdays
D. Cafeteria schedules
Correct Answer: Call trees and contact lists
Explanation: Personnel policies in incident response rely on up-to-date call trees to notify the correct stakeholders and response teams immediately.
48. What is Job Rotation primarily used for in security?
A. To prevent boredom
B. To ensure multiple people know how to perform a task and to reduce the risk of undetected fraud
C. To increase salary costs
D. To confuse attackers
Correct Answer: To ensure multiple people know how to perform a task and to reduce the risk of undetected fraud
Explanation: Job rotation prevents a single user from retaining exclusive control over a system for too long, reducing the chance of long-term fraud and increasing redundancy.
49. In quantitative risk analysis, if a server costs (AV) and a fire would destroy of it (EF), what is the SLE?
A.
B.
C.
D.
Correct Answer:
Explanation: .
50. Which concept ensures that an organization can survive and recover from significant disruptions?
A. Business Continuity Planning (BCP)
B. Penetration Testing
C. Data Classification
D. Least Privilege
Correct Answer: Business Continuity Planning (BCP)
Explanation: BCP focuses on maintaining business operations during a disaster and recovering them afterwards.