Module 3: Protect Against Threats, Risks and Vulnerabilities

Q: What are some of the primary purposes of security frameworks? Select three answers.

  • Aligning security with business goals 
  • Identifying security weaknesses 
  • Securing financial information 
  • Safeguarding specific individuals

Explanation: Aligning security with business goals means ensuring that the security measures already in place align with and contribute to the broader goals and strategy of the company. Identifying security weaknesses means helping firms find and address gaps in their security posture so that breaches and attacks can be avoided. Securing financial information covers assuring the integrity of sensitive financial data, preventing unauthorized access to that data, and complying with legal obligations. In general, "safeguarding specific individuals" is not a key emphasis of security frameworks; they are primarily focused on protecting the assets, data, and systems of an organization.

Q: Which of the following are core components of security frameworks? Select two answers.

  • Establishing regulatory compliance measures
  • Implementing security processes
  • Managing data requests
  • Monitoring and communicating results 

Explanation: Implementing security processes involves putting in place and maintaining effective security controls and processes to safeguard the assets of the company. Monitoring and communicating results means continuously monitoring the effectiveness of security measures and communicating the results to the appropriate stakeholders so they can make informed decisions.

Q: Fill in the blank: A security professional implements encryption and multi-factor authentication (MFA) to better protect customers’ private data. This is an example of using _____

  • security teams
  • security controls 
  • organizational upgrades
  • networking regulations

Explanation: To better protect customers' confidential information, the security professional uses encryption and multi-factor authentication (MFA). This is an example of using security controls.

Q: You are helping your security team consider risk when setting up a new software system. Using the CIA triad, you focus on confidentiality, availability, and what else?

  • Information
  • Intelligence
  • Inconsistencies
  • Integrity

Explanation: When helping the security team consider risk while setting up a new software system, the CIA triad directs you to focus on confidentiality, availability, and integrity.

Q: Fill in the blank: A key aspect of the CIA triad is ensuring that only ______ can access specific assets.

  • social media sites
  • business competitors
  • authorized users 
  • internet providers

Explanation: A crucial component of the CIA triad is ensuring that only authorized users can access specific assets.

Q: Which of the following statements accurately describe the NIST CSF? Select all that apply.

  • It is only effective at managing long-term risk.
  • Security teams use it as a baseline to manage risk.
  • It consists of standards, guidelines, and best practices.
  • Its purpose is to help manage cybersecurity risk.

Explanation: The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a baseline framework that companies can use to evaluate and improve their ability to prevent, detect, and respond to cybersecurity threats. Organizations improve their cybersecurity posture by adopting the framework, which consists of a collection of industry standards, guidelines, and best practices. The main purpose of the NIST CSF is to provide a systematic method for identifying and mitigating potential threats, helping companies manage and reduce cybersecurity risk.

Q: For what reasons might disgruntled employees be some of the most dangerous threat actors? Select two answers.

  • They know where to find sensitive information. 
  • They have access to sensitive information.
  • They have advanced technical skills.
  • They are less productive than other employees.

Explanation: Disgruntled employees often have insider knowledge about the activities of the business, including what sensitive information exists and where it is located. Because they often have legitimate access to sensitive data and systems, it is much easier for them to steal information or misuse the information they can access.

Q: A security professional overhears two employees discussing an exciting new product that has not been announced to the public. The security professional chooses to follow company guidelines concerning confidentiality and does not share the information about the new product with friends. Which concept does this scenario describe?

  • Security controls
  • Preserving evidence
  • Security ethics 
  • Data encryption

Explanation: The security professional overhears two colleagues discussing a new product that has not yet been made public. Following the company's confidentiality guidelines, the security professional chooses not to disclose any information about the new product to friends. This scenario illustrates security ethics.

Q: Fill in the blank: The ethical principle of ______ involves safeguarding a company database that contains sensitive information about employees.

  • honesty
  • privacy protection 
  • unrestricted access
  • non-bias

Explanation: Safeguarding a company database that contains sensitive information about employees is an essential part of the ethical principle of privacy protection.

Q: Which ethical principle describes the rules that are recognized by a community and enforced by a governing entity?

  • Guidelines
  • Protections
  • Restrictions
  • Laws 

Explanation: Laws are the ethical principle describing rules that are recognized by a community and enforced by a governing entity. Establishing the norms and regulations that govern conduct within a community or organization often involves the intersection of ethical frameworks and legal frameworks.

Q: Fill in the blank: A security professional has been tasked with implementing strict password policies on workstations to reduce the risk of password theft. This is an example of _____

  • hardware changes
  • security teams
  • networking regulations
  • security controls

Explanation: Implementing strict password policies on workstations to reduce the likelihood of password theft is a security professional's responsibility. This is an example of a security control.

Q: You are helping your security team consider risk when setting up a new software system. Using the CIA triad, you focus on integrity, availability, and what else?

  • Communication
  • Confidentiality 
  • Conformity

Explanation: According to the CIA triad, which consists of confidentiality, integrity, and availability, the third focus area to consider when evaluating risk is confidentiality.

Q: Fill in the blank: As a security professional, you monitor the potential threats associated with _____ because they often have access to sensitive information, know where to find it, and may have malicious intent.

  • disgruntled employees 
  • external vendors
  • existing customers
  • governing agencies

Explanation: Disgruntled employees often have access to sensitive information, know where to find it, and may have malicious intent. As a security professional, it is your responsibility to monitor the potential threats associated with these individuals.

Q: A security professional is updating software on a coworker’s computer and happens to see a very interesting email about another employee. The security professional chooses to follow company guidelines with regards to privacy protections and does not share the information with coworkers. Which concept does this scenario describe?

  • Business email compromise
  • Preserving evidence
  • Security ethics
  • Security control 

Explanation: This scenario illustrates security ethics. To demonstrate ethical conduct while handling sensitive material, the security professional chooses to uphold privacy protections and refrains from sharing the email with coworkers.

Q: A security professional working at a bank is running late for a meeting. They consider saving time by leaving files on their desk that contain client account numbers. However, after thinking about company guidelines with regards to compliance, the security professional takes the time to properly store the files. Which concept does this scenario describe?

  • Security controls
  • Public finance
  • Preserving evidence
  • Security ethics 

Explanation: This scenario illustrates security ethics. The security professional takes into consideration the company's guidelines and the compliance requirements that apply to handling sensitive client information. To demonstrate ethical conduct in upholding security and confidentiality requirements, they choose to store the files properly rather than leaving them on their desk to save time.

Q: You are a security professional working for a state motor vehicle agency that stores drivers’ national identification numbers and banking information. Which ethical principle involves adhering to rules that are intended to protect these types of data?

  • Investigations
  • Restrictions
  • Laws 
  • Guidelines

Explanation: Laws are the ethical principle that involves adhering to rules intended to protect sensitive data such as drivers' national identification numbers and banking information. Laws provide the legal framework and regulations that companies are required to follow in order to protect such data from unauthorized access or misuse.
