ISC cissp practice test

Certified Information Systems Security Professional

Last exam update: Nov 20, 2025
Page 1 out of 100. Viewing questions 1-15 out of 1486

Question 1

All of the following items should be included in a Business Impact Analysis (BIA) questionnaire
EXCEPT questions that

  • A. determine the risk of a business interruption occurring
  • B. determine the technological dependence of the business processes
  • C. Identify the operational impacts of a business interruption
  • D. Identify the financial impacts of a business interruption
Answer: A

Explanation:
A Business Impact Analysis (BIA) is a process that identifies and evaluates the potential effects of
natural and man-made disasters on business operations. The BIA questionnaire is a tool that collects
information from business process owners and stakeholders about the criticality, dependencies,
recovery objectives, and resources of their processes. The BIA questionnaire should include
questions that:
  • Identify the operational impacts of a business interruption, such as loss of revenue, customer
    satisfaction, reputation, legal obligations, etc.
  • Identify the financial impacts of a business interruption, such as direct and indirect costs, fines,
    penalties, etc.
  • Determine the technological dependence of the business processes, such as hardware, software,
    network, data, etc.
  • Establish the recovery time objectives (RTO) and recovery point objectives (RPO) for each business
    process, which indicate the maximum acceptable downtime and data loss, respectively.
The BIA questionnaire should not include questions that determine the risk of a business
interruption occurring, as this is part of the risk assessment process, which is a separate activity from
the BIA. The risk assessment process identifies and analyzes the threats and vulnerabilities that could
cause a business interruption, and estimates the likelihood and impact of such events. The risk
assessment process also evaluates the existing controls and mitigation strategies, and recommends
additional measures to reduce the risk to an acceptable level.


Question 2

Which of the following actions will reduce risk to a laptop before traveling to a high risk area?

  • A. Examine the device for physical tampering
  • B. Implement more stringent baseline configurations
  • C. Purge or re-image the hard disk drive
  • D. Change access codes
Answer: C

Explanation:
Purging or re-imaging the hard disk drive of a laptop before traveling to a high risk area will reduce
the risk of data compromise or theft in case the laptop is lost, stolen, or seized by unauthorized
parties. Purging or re-imaging the hard disk drive will erase all the data and applications on the
laptop, leaving only the operating system and the essential software. This will minimize the exposure
of sensitive or confidential information that could be accessed by malicious actors. Purging or re-
imaging the hard disk drive should be done using secure methods that prevent data recovery, such as
overwriting, degaussing, or physical destruction.
The other options will not reduce the risk to the laptop as effectively as purging or re-imaging the
hard disk drive. Examining the device for physical tampering will only detect if the laptop has been
compromised after the fact, but will not prevent it from happening. Implementing more stringent
baseline configurations will improve the security settings and policies of the laptop, but will not
protect the data if the laptop is bypassed or breached. Changing access codes will make it harder for
unauthorized users to log in to the laptop, but will not prevent them from accessing the data if they
use other methods, such as booting from removable media or removing the hard disk drive.


Question 3

Which of the following represents the GREATEST risk to data confidentiality?

  • A. Network redundancies are not implemented
  • B. Security awareness training is not completed
  • C. Backup tapes are generated unencrypted
  • D. Users have administrative privileges
Answer: C

Explanation:
Generating backup tapes unencrypted represents the greatest risk to data confidentiality, as it
exposes the data to unauthorized access or disclosure if the tapes are lost, stolen, or intercepted.
Backup tapes are often stored off-site or transported to remote locations, which increases the
chances of them falling into the wrong hands. If the backup tapes are unencrypted, anyone who
obtains them can read the data without any difficulty. Therefore, backup tapes should always be
encrypted using strong algorithms and keys, and the keys should be protected and managed
separately from the tapes.
The other options do not pose as much risk to data confidentiality as generating backup tapes
unencrypted. Not implementing network redundancies affects the availability and reliability of the
network, but not necessarily the confidentiality of the data. Not completing security awareness
training increases the likelihood of human errors or negligence that could compromise the data, but
not as directly as generating backup tapes unencrypted. Giving users administrative privileges grants
them more access and control over the system and the data, but not as widely as generating backup
tapes unencrypted.


Question 4

What is the MOST important consideration from a data security perspective when an organization
plans to relocate?

  • A. Ensure the fire prevention and detection systems are sufficient to protect personnel
  • B. Review the architectural plans to determine how many emergency exits are present
  • C. Conduct a gap analysis of the new facilities against existing security requirements
  • D. Revise the Disaster Recovery and Business Continuity (DR/BC) plan
Answer: C

Explanation:
When an organization plans to relocate, the most important consideration from a data security
perspective is to conduct a gap analysis of the new facilities against the existing security
requirements. A gap analysis is a process that identifies and evaluates the differences between the
current state and the desired state of a system or a process. In this case, the gap analysis would
compare the security controls and measures implemented in the old and new locations, and identify
any gaps or weaknesses that need to be addressed. The gap analysis would also help to determine
the costs and resources needed to implement the necessary security improvements in the new
facilities.
The other options are not as important as conducting a gap analysis, as they do not directly address
the data security risks associated with relocation. Ensuring the fire prevention and detection systems
are sufficient to protect personnel is a safety issue, not a data security issue. Reviewing the
architectural plans to determine how many emergency exits are present is also a safety issue, not a
data security issue. Revising the Disaster Recovery and Business Continuity (DR/BC) plan is a good
practice, but it is a reactive rather than a preventive measure. A DR/BC plan is a document that
outlines how an organization will recover from a disaster and resume its normal operations. A DR/BC
plan should be updated regularly, not only when relocating.


Question 5

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center
is preparing a companywide Business Continuity Plan (BCP). Which of the following failures
should the IT manager be concerned with?

  • A. Application
  • B. Storage
  • C. Power
  • D. Network
Answer: A

Explanation:
A company whose IT services are being delivered from a Tier 4 data center should be most
concerned with application failures when preparing a companywide BCP. A BCP is a document that
describes how an organization will continue its critical business functions in the event of a disruption
or disaster. A BCP should include a risk assessment, a business impact analysis, a recovery strategy,
and a testing and maintenance plan.
A Tier 4 data center is the highest level of data center classification, according to the Uptime
Institute. A Tier 4 data center has the highest level of availability, reliability, and fault tolerance, as it
has multiple and independent paths for power and cooling, and redundant and backup components
for all systems. A Tier 4 data center has an uptime rating of 99.995%, which means it can only
experience 0.4 hours of downtime per year. Therefore, the likelihood of a power, storage, or network
failure in a Tier 4 data center is very low, and the impact of such a failure would be minimal, as the
data center can quickly switch to alternative sources or routes.
However, a Tier 4 data center cannot prevent or mitigate application failures, which are caused by
software bugs, configuration errors, or malicious attacks. Application failures can affect the
functionality, performance, or security of the IT services, and cause data loss, corruption, or breach.
Therefore, the IT manager should be most concerned with application failures when preparing a BCP,
and ensure that the applications are properly designed, tested, updated, and monitored.


Question 6

When assessing an organization’s security policy according to standards established by the
International Organization for Standardization (ISO) 27001 and 27002, when can management
responsibilities be defined?

  • A. Only when assets are clearly defined
  • B. Only when standards are defined
  • C. Only when controls are put in place
  • D. Only when procedures are defined
Answer: B

Explanation:
When assessing an organization’s security policy according to standards established by ISO 27001
and 27002, management responsibilities can be defined only when standards are defined. Standards
are the specific rules, guidelines, or procedures that support the implementation of the security
policy. Standards define the minimum level of security that must be achieved by the organization,
and provide the basis for measuring compliance and performance. Standards also assign roles and
responsibilities to different levels of management and staff, and specify the reporting and escalation
procedures.
Management responsibilities are the duties and obligations that managers have to ensure the
effective and efficient execution of the security policy and standards. Management responsibilities
include providing leadership, direction, support, and resources for the security program, establishing
and communicating the security objectives and expectations, ensuring compliance with the legal and
regulatory requirements, monitoring and reviewing the security performance and incidents, and
initiating corrective and preventive actions when needed.
Management responsibilities cannot be defined without standards, as standards provide the
framework and criteria for defining what managers need to do and how they need to do it.
Management responsibilities also depend on the scope and complexity of the security policy and
standards, which may vary depending on the size, nature, and context of the organization. Therefore,
standards must be defined before management responsibilities can be defined.
The other options are not correct, as they are not prerequisites for defining management
responsibilities. Assets are the resources that need to be protected by the security policy and
standards, but they do not determine the management responsibilities. Controls are the measures
that are implemented to reduce the security risks and achieve the security objectives, but they do
not determine the management responsibilities. Procedures are the detailed instructions that
describe how to perform the security tasks and activities, but they do not determine the
management responsibilities.


Question 7

Which of the following types of technologies would be the MOST cost-effective method to provide a
reactive control for protecting personnel in public areas?

  • A. Install mantraps at the building entrances
  • B. Enclose the personnel entry area with polycarbonate plastic
  • C. Supply a duress alarm for personnel exposed to the public
  • D. Hire a guard to protect the public area
Answer: C

Explanation:
Supplying a duress alarm for personnel exposed to the public is the most cost-effective method to
provide a reactive control for protecting personnel in public areas. A duress alarm is a device that
allows a person to signal for help in case of an emergency, such as an attack, a robbery, or a medical
condition. A duress alarm can be activated by pressing a button, pulling a cord, or speaking a code
word. A duress alarm can alert security personnel, law enforcement, or other responders to the
location and nature of the emergency, and initiate appropriate actions. A duress alarm is a reactive
control because it responds to an incident after it has occurred, rather than preventing it from
happening.
The other options are not as cost-effective as supplying a duress alarm, as they involve more
expensive or complex technologies or resources. Installing mantraps at the building entrances is a
preventive control that restricts the access of unauthorized persons to the facility, but it also requires
more space, maintenance, and supervision. Enclosing the personnel entry area with polycarbonate
plastic is a preventive control that protects the personnel from physical attacks, but it also reduces
the visibility and ventilation of the area. Hiring a guard to protect the public area is a deterrent
control that discourages potential attackers, but it also involves paying wages, benefits, and training
costs.


Question 8

An important principle of defense in depth is that achieving information security requires a balanced
focus on which PRIMARY elements?

  • A. Development, testing, and deployment
  • B. Prevention, detection, and remediation
  • C. People, technology, and operations
  • D. Certification, accreditation, and monitoring
Answer: C

Explanation:
An important principle of defense in depth is that achieving information security requires a balanced
focus on the primary elements of people, technology, and operations. People are the users,
administrators, managers, and other stakeholders who are involved in the security process. They
need to be aware, trained, motivated, and accountable for their security roles and responsibilities.
Technology is the hardware, software, network, and other tools that are used to implement the
security controls and measures. These need to be selected, configured, updated, and monitored
according to the security standards and best practices. Operations are the policies, procedures,
processes, and activities that are performed to achieve the security objectives and requirements.
They need to be documented, reviewed, audited, and improved continuously to ensure their
effectiveness and efficiency.
The other options are not the primary elements of defense in depth, but rather the phases,
functions, or outcomes of the security process. Development, testing, and deployment are the
phases of the security life cycle, which describes how security is integrated into the system
development process. Prevention, detection, and remediation are the functions of the security
management, which describes how security is maintained and improved over time. Certification,
accreditation, and monitoring are the outcomes of the security evaluation, which describes how
security is assessed and verified against the criteria and standards.


Question 9

Intellectual property rights are PRIMARILY concerned with which of the following?

  • A. Owner’s ability to realize financial gain
  • B. Owner’s ability to maintain copyright
  • C. Right of the owner to enjoy their creation
  • D. Right of the owner to control delivery method
Answer: A

Explanation:
Intellectual property rights are primarily concerned with the owner’s ability to realize financial gain
from their creation. Intellectual property is a category of intangible assets that are the result of
human creativity and innovation, such as inventions, designs, artworks, literature, music, software,
etc. Intellectual property rights are the legal rights that grant the owner the exclusive control over
the use, reproduction, distribution, and modification of their intellectual property. Intellectual
property rights aim to protect the owner’s interests and incentives, and to reward them for their
contribution to the society and economy.
The other options are not the primary concern of intellectual property rights, but rather the
secondary or incidental benefits or aspects of them. The owner’s ability to maintain copyright is a
means of enforcing intellectual property rights, but not the end goal of them. The right of the owner
to enjoy their creation is a personal or moral right, but not a legal or economic one. The right of the
owner to control the delivery method is a specific or technical aspect of intellectual property rights,
but not a general or fundamental one.
Topic 2, Exam Pool B


Question 10

Which of the following is MOST important when assigning ownership of an asset to a department?

  • A. The department should report to the business owner
  • B. Ownership of the asset should be periodically reviewed
  • C. Individual accountability should be ensured
  • D. All members should be trained on their responsibilities
Answer: C

Explanation:
When assigning ownership of an asset to a department, the most important factor is to ensure
individual accountability for the asset. Individual accountability means that each person who has
access to or uses the asset is responsible for its protection and proper handling. Individual
accountability also implies that each person who causes or contributes to a security breach or
incident involving the asset can be identified and held liable. Individual accountability can be
achieved by implementing security controls such as authentication, authorization, auditing, and
logging.
The other options are not as important as ensuring individual accountability, as they do not directly
address the security risks associated with the asset. Having the department report to the business
owner is a management issue, not a security issue. Periodically reviewing ownership of the asset is a
good practice, but it does not prevent misuse or abuse of the asset. Training all members on their
responsibilities is a preventive measure, but it does not guarantee compliance with or enforcement
of those responsibilities.


Question 11

Which one of the following affects the classification of data?

  • A. Assigned security label
  • B. Multilevel Security (MLS) architecture
  • C. Minimum query size
  • D. Passage of time
Answer: D

Explanation:
The passage of time is one of the factors that affects the classification of data. Data classification is
the process of assigning a level of sensitivity or criticality to data based on its value, impact, and legal
requirements. Data classification helps to determine the appropriate security controls and handling
procedures for the data. However, data classification is not static, but dynamic, meaning that it can
change over time depending on various factors. One of these factors is the passage of time, which
can affect the relevance, usefulness, or sensitivity of the data. For example, data that is classified as
confidential or secret at one point in time may become obsolete, outdated, or declassified at a later
point in time, and thus require a lower level of protection. Conversely, data that is classified as public
or unclassified at one point in time may become more valuable, sensitive, or regulated at a later
point in time, and thus require a higher level of protection. Therefore, data classification should be
reviewed and updated periodically to reflect the changes in the data over time.
The other options are not factors that affect the classification of data, but rather the outcomes or
components of data classification. An assigned security label is the result of data classification, which
indicates the level of sensitivity or criticality of the data. A Multilevel Security (MLS) architecture is a
system that supports data classification, which allows different levels of access to data based on the
clearance and need-to-know of the users. Minimum query size is a parameter that can be used to
enforce data classification, which limits the amount of data that can be retrieved or displayed at a
time.


Question 12

Which of the following BEST describes the responsibilities of a data owner?

  • A. Ensuring quality and validation through periodic audits for ongoing data integrity
  • B. Maintaining fundamental data availability, including data storage and archiving
  • C. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security
  • D. Determining the impact the information has on the mission of the organization
Answer: D

Explanation:
The best description of the responsibilities of a data owner is determining the impact the
information has on the mission of the organization. A data owner is a person or entity that has the
authority and accountability for the creation, collection, processing, and disposal of a set of data. A
data owner is also responsible for defining the purpose, value, and classification of the data, as well
as the security requirements and controls for the data. A data owner should be able to determine the
impact the information has on the mission of the organization, which means assessing the potential
consequences of losing, compromising, or disclosing the data. The impact of the information on the
mission of the organization is one of the main criteria for data classification, which helps to establish
the appropriate level of protection and handling for the data.
The other options are not the best descriptions of the responsibilities of a data owner, but rather the
responsibilities of other roles or functions related to data management. Ensuring quality and
validation through periodic audits for ongoing data integrity is a responsibility of a data steward, who
is a person or entity that oversees the quality, consistency, and usability of the data. Maintaining
fundamental data availability, including data storage and archiving, is a responsibility of a data
custodian, who is a person or entity that implements and maintains the technical and physical
security of the data. Ensuring accessibility to appropriate users, maintaining appropriate levels of
data security is a responsibility of a data controller, who is a person or entity that determines the
purposes and means of processing the data.


Question 13

An organization has doubled in size due to a rapid market share increase. The size of the Information
Technology (IT) staff has maintained pace with this growth. The organization hires several contractors
whose onsite time is limited. The IT department has pushed its limits building servers and rolling out
workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?

  • A. Platform as a Service (PaaS)
  • B. Identity as a Service (IDaaS)
  • C. Desktop as a Service (DaaS)
  • D. Software as a Service (SaaS)
Answer: B

Explanation:
Identity as a Service (IDaaS) is the best contract in offloading the task of account management from
the IT staff. IDaaS is a cloud-based service that provides identity and access management (IAM)
functions, such as user authentication, authorization, provisioning, deprovisioning, password
management, single sign-on (SSO), and multifactor authentication (MFA). IDaaS can help the
organization to streamline and automate the account management process, reduce the workload
and costs of the IT staff, and improve the security and compliance of the user accounts. IDaaS can
also support the contractors who have limited onsite time, as they can access the organization’s
resources remotely and securely through the IDaaS provider.
The other options are not as effective as IDaaS in offloading the task of account management from
the IT staff, as they do not provide IAM functions. Platform as a Service (PaaS) is a cloud-based
service that provides a platform for developing, testing, and deploying applications, but it does not
manage the user accounts for the applications. Desktop as a Service (DaaS) is a cloud-based service
that provides virtual desktops for users to access applications and data, but it does not manage the
user accounts for the virtual desktops. Software as a Service (SaaS) is a cloud-based service that
provides software applications for users to use, but it does not manage the user accounts for the
software applications.


Question 14

When implementing a data classification program, why is it important to avoid too much granularity?

  • A. The process will require too many resources
  • B. It will be difficult to apply to both hardware and software
  • C. It will be difficult to assign ownership to the data
  • D. The process will be perceived as having value
Answer: A

Explanation:
When implementing a data classification program, it is important to avoid too much granularity,
because the process will require too many resources. Data classification is the process of assigning a
level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data
classification helps to determine the appropriate security controls and handling procedures for the
data. However, data classification is not a simple or straightforward process, as it involves many
factors, such as the nature, context, and scope of the data, the stakeholders, the regulations, and the
standards. If the data classification program has too many levels or categories of data, it will increase
the complexity, cost, and time of the process, and reduce the efficiency and effectiveness of the data
protection. Therefore, data classification should be done with a balance between granularity and
simplicity, and follow the principle of proportionality, which means that the level of protection
should be proportional to the level of risk.
The other options are not the main reasons to avoid too much granularity in data classification, but
rather potential challenges or benefits of data classification. Difficulty applying the scheme to both
hardware and software is a challenge of data classification, as it requires consistent and compatible
methods and tools for labeling and protecting data across different types of media and devices.
Difficulty assigning ownership to the data is a challenge of data classification, as it requires clear
and accountable roles and responsibilities for the creation, collection, processing, and disposal of
data. The process being perceived as having value is a benefit of data classification, as it
demonstrates the commitment and awareness of the organization to protect its data assets and
comply with its obligations.


Question 15

In a data classification scheme, the data is owned by the

  • A. system security managers
  • B. business managers
  • C. Information Technology (IT) managers
  • D. end users
Answer: B

Explanation:
In a data classification scheme, the data is owned by the business managers. Business managers are
the persons or entities that have the authority and accountability for the creation, collection,
processing, and disposal of a set of data. Business managers are also responsible for defining the
purpose, value, and classification of the data, as well as the security requirements and controls for
the data. Business managers should be able to determine the impact the information has on the
mission of the organization, which means assessing the potential consequences of losing,
compromising, or disclosing the data. The impact of the information on the mission of the
organization is one of the main criteria for data classification, which helps to establish the
appropriate level of protection and handling for the data.
The other options are not the data owners in a data classification scheme, but rather the other roles
or functions related to data management. System security managers are the persons or entities that
oversee the security of the information systems and networks that store, process, and transmit the
data. They are responsible for implementing and maintaining the technical and physical security of
the data, as well as monitoring and auditing the security performance and incidents. Information
Technology (IT) managers are the persons or entities that manage the IT resources and services that
support the business processes and functions that use the data. They are responsible for ensuring
the availability, reliability, and scalability of the IT infrastructure and applications, as well as providing
technical support and guidance to the users and stakeholders. End users are the persons or entities
that access and use the data for their legitimate purposes and needs. They are responsible for
complying with the security policies and procedures for the data, as well as reporting any security
issues or violations.
