Compliance and Assessment

Question 1 of 50

1. Question

A company is facing a security breach that could potentially compromise sensitive customer information. The incident response team has suggested implementing a security measure that involves collecting additional personal data from customers to identify potential fraudulent activity. However, the legal team is concerned about violating privacy laws. What should the company do in this situation?

Implement the security measure to prevent the breach, even if it means violating privacy laws
Consult with legal counsel to ensure the security measure is in compliance with privacy laws
Ignore the potential breach and focus on protecting customer privacy
Refuse to implement the security measure to protect customer privacy

Question 2 of 50

2. Question

A company has recently implemented a new security system that monitors employee internet activity to prevent data breaches. Some employees are concerned that this system may violate their privacy rights. What should the company do to address these concerns?

Inform employees that the security system is necessary to prevent data breaches and ignore their concerns
Explain to employees how the security system works and why it is necessary to protect sensitive data
Promise employees that their internet activity will not be monitored
Terminate employees who express concerns about the security system

Question 3 of 50

3. Question

A company handles sensitive data related to its clients and has recently experienced data breaches. To address this issue, the company has decided to classify its data. What is the primary goal of data classification?

To ensure that only authorized personnel have access to sensitive data
To encrypt all sensitive data to protect it from theft
To maintain the confidentiality, integrity, and availability of sensitive data
To ensure that sensitive data is only accessed by authorized personnel in secure locations

Question 4 of 50

4. Question

A company has classified its data into three categories: public, confidential, and highly confidential. Which of the following is an appropriate non-technical control that can be implemented for the confidential data category?

Implementing two-factor authentication for all users who access confidential data
Storing confidential data on a server that is not connected to the internet
Allowing access to confidential data only to users who have a legitimate business need
Encrypting confidential data using a strong encryption algorithm

Question 5 of 50

5. Question

In a company, who is responsible for ensuring the ownership of data and the protection of sensitive information?

The IT department
The legal department
The HR department
The marketing department

Question 6 of 50

6. Question

What is the purpose of establishing ownership of data in an organization?

To allocate budget resources for data storage
To determine who has access to the data
To assign legal responsibility for the data
To improve the performance of data systems

Question 7 of 50

7. Question

An organization is conducting a review of its data retention policy. Which of the following is the primary reason for establishing a retention policy?

To ensure that data is kept indefinitely
To determine which data should be destroyed and when
To store all data on high-capacity storage devices
To prevent unauthorized access to sensitive data

Question 8 of 50

8. Question

An organization is developing a data retention policy for its customer database. Which of the following is the BEST approach for determining the retention period for this data?

Keep the data indefinitely
Determine the retention period based on the age of the data
Determine the retention period based on the type of data
Determine the retention period based on the data owner's preference

Question 9 of 50

9. Question

A company wants to establish a data classification policy. Which of the following data types should be classified as Confidential?

Customer email addresses
Marketing brochures
Publicly available press releases
Financial statements that contain PII

Question 10 of 50

10. Question

An organization is reviewing its data types and is trying to determine which type of data should be classified as Restricted. Which of the following data types should be classified as Restricted?

Employee names and job titles
Company policies and procedures
Customer email addresses
Intellectual property

Question 11 of 50

11. Question

A company has a retention policy that states that all employee records must be retained for 5 years. However, an employee was terminated and their records were deleted after only 3 years. The company could potentially face legal action from the employee. Which of the following is the BEST non-technical control to prevent this from happening again?

Implement an employee training program on retention policies
Hire a dedicated retention specialist to oversee all record retention
Update the retention policy to state all records will be retained indefinitely
Create an automated system to monitor and enforce retention policies

Question 12 of 50

12. Question

A hospital stores sensitive patient information, including medical records and billing information. Which of the following is the best non-technical control to ensure the privacy and protection of this information?

Implement a shredding policy for all physical documents
Train employees on proper handling of sensitive information
Require all patients to sign a waiver releasing the hospital from liability
Install a security system with biometric authentication

Question 13 of 50

13. Question

An employee receives an email from a colleague containing sensitive information about a new product release. The employee suspects that the email was accidentally sent to them and was not intended for their eyes. What non-technical control can the employee implement to ensure confidentiality of this information?

Delete the email
Forward the email to their manager
Reply to the email asking for clarification
Save the email to a personal folder

Question 14 of 50

14. Question

A company handles sensitive customer data, including names, addresses, and social security numbers. What non-technical control can the company implement to ensure the confidentiality of this data?

Access controls
Encryption
Audit trails
Retention policies

Question 15 of 50

15. Question

A company stores the personal data of its customers, including their name, address, and credit card information. A hacker has gained access to this information and is now threatening to release it online unless the company pays a ransom. The company wants to ensure that they comply with legal requirements related to data privacy and protection. Which non-technical control would be MOST effective in this scenario?

Confidentiality agreements with employees
Encryption of stored data
Data classification and labeling
Notification of affected individuals

Question 16 of 50

16. Question

A government agency holds classified information related to national security. The agency wants to ensure that this information is protected from unauthorized access and disclosure. Which non-technical control would be MOST effective in this scenario?

Access control policies
Background checks for personnel
Data retention policies
Data labeling

Question 17 of 50

17. Question

A multinational company has operations in multiple countries and regions across the world. The company is required to comply with various data privacy regulations and laws in each country they operate. Which of the following non-technical control ensures that the data of each country remains in that country and is protected according to the laws of that country?

Data classification
Data retention standards
Data sovereignty
Legal requirements

Question 18 of 50

18. Question

A company based in Country A has a subsidiary in Country B. The company stores its data on servers located in Country A, but the subsidiary in Country B requires access to some of the data for its business operations. Which non-technical control should the company implement to ensure compliance with data sovereignty regulations?

Data classification
Data ownership
Data residency
Data retention

Question 19 of 50

19. Question

An organization is working on a project that involves collecting sensitive information from customers. The project team wants to ensure that the collected data is protected from unauthorized access, but they are also concerned about data minimization. Which of the following actions would best align with data minimization principles while still providing adequate security for the data?

Collect all customer data and implement strong security controls to protect it
Collect all customer data, but only use a portion of it for the project
Collect only the minimum amount of customer data necessary and implement strong security controls to protect it
Collect all customer data and delete it once the project is complete

Question 20 of 50

20. Question

A company is preparing to implement a new customer relationship management (CRM) system that will collect and store customer information. The management team is concerned about the potential privacy implications of this new system and wants to ensure that data minimization principles are followed. Which of the following actions should the company take to implement data minimization controls?

Collect and store all possible customer information to ensure maximum accuracy
Collect and store only the information necessary to achieve the intended purpose
Collect and store all information related to customers and keep it indefinitely
Collect and store customer information, but don't worry about minimizing the amount of data

Question 21 of 50

21. Question

A company hires a contractor to develop a new software application. The company has sensitive intellectual property that it wants to protect from being shared or stolen. Which non-technical control is BEST suited to protect the company’s sensitive intellectual property?

Data ownership
Data classification
Data minimization
Non-disclosure agreement (NDA)

Question 22 of 50

22. Question

An organization is outsourcing a project to a third-party vendor. The vendor will have access to the organization’s confidential data during the project. Which of the following non-technical controls should be implemented to protect the organization’s data privacy and confidentiality?

Acceptable use policy
Data minimization policy
Non-disclosure agreement (NDA)
Data classification policy

Question 23 of 50

23. Question

An organization is concerned about unauthorized access to sensitive data stored on its file servers. Which of the following technical controls can help mitigate this risk?

Intrusion prevention system (IPS)
Two-factor authentication (2FA)
Data loss prevention (DLP)
Access control list (ACL)

Question 24 of 50

24. Question

A company stores sensitive customer data on its servers, which are accessible to multiple employees. The company wants to ensure the data is protected in transit and at rest. Which technical control should the company implement?

Firewall
VPN
Encryption
Intrusion Detection System

Question 25 of 50

25. Question

In a software development company, developers have access to sensitive customer data for testing purposes. The company wants to ensure that the developers cannot view or manipulate the actual data while still being able to perform testing. Which technical control can be implemented to address this concern?

Data encryption
Data loss prevention (DLP)
Data masking
Access control

Question 26 of 50

26. Question

A healthcare organization needs to share patient data with a research organization to conduct a study. The healthcare organization wants to protect the privacy of the patients and comply with HIPAA regulations. Which technical control would be MOST appropriate to use in this scenario?

Encryption
Data masking
Deidentification
Access controls

Question 27 of 50

27. Question

A company wants to protect its digital media content from illegal copying and distribution. Which technical control can they implement to prevent piracy of their media content?

Digital rights management (DRM)
Watermarking
Data masking
Data loss prevention (DLP)

Question 28 of 50

28. Question

A company handles sensitive customer data that needs to be protected. They want to implement a security measure that replaces sensitive data with a unique identifier while maintaining the data’s functionality. Which technical control should they implement?

Data masking
Deidentification
Encryption
Tokenization

Question 29 of 50

29. Question

In conducting a business impact analysis (BIA), which of the following is the primary goal?

To identify assets and resources critical to the organization's operations
To evaluate the likelihood and impact of various risks on the organization
To develop an incident response plan
To assess the effectiveness of security controls in place

Question 30 of 50

30. Question

A company’s IT department is performing a risk assessment on its network infrastructure. During the process of identifying potential threats, they realize that their network perimeter security is weak and vulnerable to external attacks. Which of the following is the most appropriate risk identification process that the IT department should use to mitigate this risk?

Asset management
Vulnerability assessment
Threat modeling
Risk register

Question 31 of 50

31. Question

A company has recently identified a vulnerability in its software that could potentially result in unauthorized access to sensitive customer data. The IT department has remediated the vulnerability but the management team wants to ensure that all stakeholders are informed of the situation. Which of the following is the MOST appropriate method to communicate this risk factor to the stakeholders?

A technical report detailing the vulnerability and the remediation steps taken
An email sent to all stakeholders informing them of the vulnerability and the remediation steps taken
A press release outlining the vulnerability and the steps taken to remediate it
No communication is necessary as the vulnerability has been remediated

Question 32 of 50

32. Question

A company is evaluating the risk of a potential data breach. They have identified several possible attack vectors and have assigned likelihood scores to each. The company now needs to calculate the probability of a data breach occurring. What method should they use?

Qualitative analysis
Quantitative analysis
Delphi method
Monte Carlo simulation

Question 33 of 50

33. Question

During a systems assessment, an organization identifies multiple vulnerabilities in its network infrastructure. Which of the following is the BEST approach to address the identified vulnerabilities?

Implement security controls to mitigate the vulnerabilities
Ignore the vulnerabilities and continue operations as normal
Report the vulnerabilities to upper management and wait for further instructions
Shut down the network infrastructure until the vulnerabilities are completely resolved

Question 34 of 50

34. Question

In a software development project, the team has identified several potential risks related to security, cost, and schedule. After evaluating each risk, the team has determined that the risk of a security breach has the highest impact on the project. However, mitigating this risk requires significant additional resources, which may affect the project’s schedule and budget. What is the BEST approach for the team to take?

Accept the risk and continue with the project as planned
Mitigate the risk of a security breach, regardless of the impact on the project's schedule and budget
Prioritize the risk of a security breach and work with stakeholders to make informed decisions about tradeoffs between risk mitigation and schedule/budget
Avoid the risk altogether by canceling the project

Question 35 of 50

35. Question

A company wants to improve its security posture by conducting a blue team exercise. Which of the following activities is typically performed by the blue team?

Attacking the network to identify vulnerabilities
Monitoring and defending the network against simulated attacks
Evaluating the security controls and policies in place
Conducting a risk assessment of the company's assets

Question 36 of 50

36. Question

A company has hired a red team to test the effectiveness of its security controls. The red team successfully gained access to sensitive data by exploiting a vulnerability in the company’s network. What should be the next step taken by the company?

Implement a security patch to fix the vulnerability
Terminate the contract with the red team
Conduct a root cause analysis to identify the cause of the vulnerability
Notify the customers and stakeholders about the breach

Question 37 of 50

37. Question

In a white team exercise, what is the primary responsibility of the white team?

To mimic the tactics of attackers and test the effectiveness of defensive measures
To assess vulnerabilities and weaknesses in the organization's security posture
To provide training and guidance to the red and blue teams
To monitor and evaluate the performance of the red and blue teams

Question 38 of 50

38. Question

A large corporation is preparing for a potential cyber attack and wants to conduct a simulated exercise to test its incident response plan. The management team is concerned about potential damage to their reputation and financial losses. What type of training and exercise would be most appropriate for this situation?

White team exercise
Red team exercise
Tabletop exercise
Blue team

Question 39 of 50

39. Question

Which of the following is a benefit of using a risk-based framework for security?

Ensuring compliance with regulations
Reducing the likelihood and impact of security incidents
Implementing controls without a clear understanding of the risks
Reacting to security incidents as they occur

Question 40 of 50

40. Question

A company recently implemented a new code of conduct policy for its employees. Which of the following is the primary objective of this policy?

To establish a baseline for expected employee behavior
To outline specific technical controls that must be implemented
To require employees to sign an NDA
To specify the risk tolerance of the organization

Question 41 of 50

41. Question

A company has experienced several security incidents recently, and it has been determined that weak passwords are the cause of most of these incidents. The company wants to implement a new password policy to ensure stronger passwords. Which of the following should be included in the policy?

Users must change their passwords every month
Passwords must be at least 8 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols
Passwords must be written down and kept in a secure location
Users can reuse their previous passwords

Question 42 of 50

42. Question

ABC company recently implemented an Acceptable Use Policy (AUP) to regulate the use of company resources by employees. However, some employees are still using company computers for personal activities during work hours, violating the AUP. Which of the following is the BEST course of action for the company to take?

Provide additional training and education on the AUP
Terminate the employees who are violating the AUP
Ignore the violations since they are not causing any harm to the company
Restrict internet access for all employees

Question 43 of 50

43. Question

A company is conducting a review of its data retention policy. The policy currently states that all data must be retained for a minimum of five years. However, the company has recently been receiving complaints from customers who are concerned about their personal data being stored for such a long period of time. What should the company do to address these concerns?

Amend the policy to reduce the data retention period to two years
Ignore the customer complaints and continue to follow the current policy
Conduct a risk assessment to determine if the current retention period is necessary
Consult with legal counsel to determine if the policy violates any regulations

Question 44 of 50

44. Question

A company has recently implemented a new security system to protect its network and data from unauthorized access. The security team has created a policy for continuous monitoring of the system. What is the main purpose of the continuous monitoring policy?

To ensure that the security system is up-to-date with the latest patches and updates
To identify and respond to potential security threats in a timely manner
To control the amount of data being collected by the system
To limit the number of users who have access to the security system

Question 45 of 50

45. Question

In which of the following situations would managerial control be the most effective?

Preventing unauthorized access to a server room
Detecting and blocking network traffic from a malicious IP address
Ensuring employees are only accessing data necessary for their job functions
Creating a backup and recovery plan for critical systems

Question 46 of 50

46. Question

An organization is implementing a new security control to prevent unauthorized access to its systems. The control involves requiring all employees to authenticate using a smart card before accessing any system. Which type of control does this represent?

Operational
Technical
Physical
Managerial

Question 47 of 50

47. Question

A company is concerned about insider threats and wants to implement controls that will detect any malicious activity. Which of the following is an example of a detective control?

Firewalls
Intrusion Prevention System (IPS)
Security cameras
Encryption

Question 48 of 50

48. Question

A company has implemented a security control that requires users to change their passwords every 90 days. What type of control is this?

Preventative control
Detective control
Corrective control
Deterrent control

Question 49 of 50

49. Question

In a compliance audit, which of the following is the primary focus of the auditor?

Ensuring all controls are in place
Identifying and mitigating risks
Ensuring adherence to legal and regulatory requirements
Analyzing the financial performance of the organization

Question 50 of 50

50. Question

A company is required to comply with a new data privacy regulation. What is the best approach to ensure regulatory compliance?

Conduct a regulatory audit to identify gaps in compliance and develop a remediation plan
Implement a new security control to mitigate risks
Increase the frequency of security awareness training
Review and update the company's business continuity plan