CISSP - Security and Risk Management Practice Questions

Laws, regulations, and standards should not be confused. Which of these is NOT a law?

Options are :

  • HIPAA.
  • PCI-DSS. (Correct)
  • Homeland security act.
  • Gramm-Leach-Bliley act.

Answer : PCI-DSS.

Explanation Payment Card Industry Data Security Standard (PCI-DSS) – Technically not a law. Created by the payment card industry. The standard applies to cardholder data for both credit and debit cards. Requires merchants and others to meet a minimum set of security requirements. Mandates security policy, devices, control techniques, and monitoring.

When we are authenticating our employees, which of these would NOT be considered useful?

Options are :

  • Something you are.
  • Something you know.
  • Something you believe. (Correct)
  • Something you have.

Answer : Something you believe.

Explanation Something you know - Type 1 Authentication (passwords, pass phrase, PIN etc.). Something you have - Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.). Something you are - Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.). Somewhere you are - Type 4 Authentication (IP/MAC Address). Something you do - Type 5 Authentication (Signature, Pattern unlock).


Which type of companies are subject to the Sarbanes-Oxley act (SOX)?

Options are :

  • Private companies.
  • Publicly traded companies. (Correct)
  • Healthcare companies.
  • Startup companies.

Answer : Publicly traded companies.

Explanation Sarbanes-Oxley Act of 2002 (SOX): Directly related to the accounting scandals in the late 90’s. Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.

We are looking at lowering our risk profile and we are doing our quantitative risk analysis. What would EF tell us?

Options are :

  • How many times it happens per year.
  • What percentage of the asset is lost. (Correct)
  • What will it cost us if it happens once.
  • What will it cost us per year if we do nothing.

Answer : What percentage of the asset is lost.

Explanation Exposure factor (EF) – Percentage of Asset Value lost.

We are in a court where the evidence must be "the majority of the proof." Which type of law does that relate to?

Options are :

  • Civil law. (Correct)
  • Criminal law.
  • Administrative law.
  • Private regulations.

Answer : Civil law.

Explanation Civil Law (Tort Law): Individuals, groups or organizations are the victims and proof must be “the Majority of Proof.” Financial fines to “Compensate the Victim(s).”


In our risk management, how would we define residual risk?

Options are :

  • How bad is it if we are compromised?
  • A potentially harmful incident.
  • A weakness that can possibly be exploited.
  • The total risk after we have implemented our countermeasures. (Correct)

Answer : The total risk after we have implemented our countermeasures.

Explanation Residual Risk = Total Risk – Countermeasures.

Which of these would be a type of corrective access control?

Options are :

  • Encryption.
  • Backups.
  • Patches. (Correct)
  • Intrusion detection systems.

Answer : Patches.

Explanation Corrective: Controls that Correct an attack – Anti-virus, Patches, IPS.

We are training some of our new employees in our policies, procedures, and guidelines. Our guidelines are which of these?

Options are :

  • Non-specific, but can contain patches, updates, strong encryption.
  • Specific, all laptops are W10, 64bit, 8GB memory, etc.
  • Low level step-by-step guides.
  • Recommendations. (Correct)

Answer : Recommendations.

Explanation Guidelines – non-mandatory; recommendations; discretionary; suggestions on how you would do it.


Jane is looking at the CIA triad and working on mitigating our availability vulnerabilities. Select all the threats against our availability:

Options are :

  • Distributed Denial of Service (DDoS) (Correct)
  • Hardware failure. (Correct)
  • Keyloggers.
  • Code injections.
  • Software coding errors. (Correct)

Answer : Distributed Denial of Service (DDoS). Hardware failure. Software coding errors.

Explanation Common attacks on our availability include DDoS attacks, hardware failures, and software failures. Keyloggers are normally attacks on our confidentiality and code injections are attacks on our integrity.

At a meeting with upper management, we are looking at different types of intellectual property materials. How is copyright protected?

Options are :

  • Protected for 70 years after the creator's death or 95 years for corporations. (Correct)
  • You tell no one; if discovered you are not protected.
  • Protected for 20 years after filing.
  • Protected 10 years at a time, can be renewed indefinitely.

Answer : Protected for 70 years after the creator's death or 95 years for corporations.

Explanation Copyright © - (Exceptions: first sale, fair use). Books, Art, Music, Software. Automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for corporations.

We are in a court of law presenting our case from a security incident. What constitutes collaborative or corroborative evidence?

Options are :

  • Testimony from a first hand witness.
  • Tangible objects.
  • Logs and system documents from the time of the attack.
  • Supporting facts and elements. (Correct)

Answer : Supporting facts and elements.

Explanation Collaborative Evidence: Supports facts or elements of the case; not a fact on its own, but it supports other facts.


Under which type of law can incarceration, financial penalty, and death penalty be the punishment?

Options are :

  • Civil law.
  • Criminal law. (Correct)
  • Administrative law.
  • Private regulations.

Answer : Criminal law.

Explanation Criminal Law: “Society” is the victim and proof must be “beyond a reasonable doubt.” Incarceration, death, and financial fines to “Punish and Deter.”

You hear that senior management is looking at the ISO 27005 standard, and a colleague asks you, "What is that focused on?"

Options are :

  • ITSM.
  • Protecting PHI.
  • Risk management. (Correct)
  • HIPAA.

Answer : Risk management.

Explanation ISO 27005: Standards based approach to Risk Management.

Who would determine the risk appetite of our organization?

Options are :

  • Middle management.
  • The users.
  • Senior management. (Correct)
  • The IT leadership team.

Answer : Senior management.

Explanation Governance – C-level executives determine our risk appetite: aggressive, neutral, or averse. Stakeholder needs, conditions and options are evaluated to define balanced, agreed-upon enterprise objectives to be achieved; direction is set through prioritization and decision making; performance and compliance are monitored against the agreed-upon direction and objectives.


Looking at the CIA triad, when we have TOO MUCH availability, which other controls can suffer?

Options are :

  • Confidence.
  • Integrity.
  • Confidentiality and Integrity. (Correct)
  • Confidentiality.

Answer : Confidentiality and Integrity.

Explanation Too much Availability and both the Confidentiality and Integrity can suffer.

Which would NOT be a factor to protect our integrity?

Options are :

  • Missing database injection protection. (Correct)
  • Digital signatures.
  • Message digests.
  • Database injection protection through input validation.

Answer : Missing database injection protection.

Explanation Database injections would most likely compromise our confidentiality, not integrity. We would use digital signatures, MDs, and input validation to ensure our integrity.

When an attacker is using code injections, it is MOSTLY targeting which leg of the CIA triad?

Options are :

  • Authentication.
  • Confidentiality.
  • Availability.
  • Integrity. (Correct)

Answer : Integrity.

Explanation Code injections: code injected into user forms; often seen in SQL/LDAP; often used to compromise the integrity of our data. Our countermeasures should include only allowing users to input appropriate data into the fields: only letters in names, numbers in phone numbers, dropdowns for country and state (if applicable), and limiting how many characters people can use per field.


Which of these could be something we would use to ensure data availability?

Options are :

  • Hashes.
  • Multifactor authentication.
  • Redundant hardware. (Correct)
  • None of these.

Answer : Redundant hardware.

Explanation To ensure system integrity and data availability we can use patch management and redundancy on hardware: power (multiple power supplies/UPSs/generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) and much more.

During an attack, some of our data was deleted. Which leg of the CIA triad would be MOSTLY affected?

Options are :

  • Authentication.
  • Confidentiality.
  • Availability. (Correct)
  • Integrity.

Answer : Availability.

Explanation Destruction is the opposite of availability: our data or systems have been destroyed or rendered inaccessible.

When authenticating against our access control systems, you present your fingerprint. Which type of authentication are you using?

Options are :

  • A possession factor.
  • A knowledge factor.
  • A biometric factor. (Correct)
  • A location factor.

Answer : A biometric factor.

Explanation Something you are - Type 3 Authentication (Biometrics): Fingerprint, iris scan, facial geometry etc.; these are also called realistic authentication. The subject uses these to authenticate their identity; if the biometric matches, they must be who they say they are. It is something that is unique to you, but this factor comes with more issues than the two other common authentication factors.


You are explaining the IAAA model to one of the directors from payroll. Which of these is NOT one of the A's from the model?

Options are :

  • Authentication.
  • Access. (Correct)
  • Authorization.
  • Accountability.

Answer : Access.

Explanation IAAA is Identification and Authentication, Authorization and Accountability. Access is something you are given based on your authorization.

We are implementing governance standards and control frameworks focused on goals for the entire organization. Which of these would be something we would consider?

Options are :

  • COBIT.
  • ITIL.
  • COSO. (Correct)
  • FRAP.

Answer : COSO.

Explanation COSO (Committee Of Sponsoring Organizations) focuses on goals for the entire organization.

We are in a court, where the proof must be "the Majority of Proof". Which type of court are we in?

Options are :

  • Criminal court.
  • Civil court. (Correct)
  • Administrative court.
  • Probation court.

Answer : Civil court.

Explanation Civil Law (Tort Law): Individuals, groups or organizations are the victims and proof must be “the Majority of Proof.” Financial fines to “Compensate the Victim(s).”


We have had a security incident. After our forensics is completed, we present the compromised hard drive in court. Which type of evidence does the actual hard drive represent?

Options are :

  • Real evidence. (Correct)
  • Direct evidence.
  • Secondary evidence.
  • Circumstantial evidence.

Answer : Real evidence.

Explanation Real Evidence: Tangible and Physical objects, in IT Security: Hard Disks, USB Drives – NOT the data on them.

Which of these would be something that could get the case dismissed, or at least make our evidence inadmissible in court?

Options are :

  • Entrapment. (Correct)
  • Complete chain of custody.
  • Taking a bit level copy of the compromised hard drive, hashing both drives, hashes are identical. Do forensics on the copy drive, hash after forensics is identical too.
  • Enticement.

Answer : Entrapment.

Explanation Entrapment (Illegal and unethical): When someone is persuaded to commit a crime they had no intention to commit and is then charged with it. Openly advertising sensitive data and then charging people when they access them. Entrapment is a solid legal defense.

As a part of being a CISSP certified individual you promise to follow the (ISC)² code of ethics. Which of these are part of that? (Select all that apply).

Options are :

  • Prevent unauthorized use of internet resources.
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure. (Correct)
  • Always act in accordance with the CISSP curriculum, regardless of your organization's policies.
  • Provide diligent and competent service to principals. (Correct)
  • Advance and protect the profession. (Correct)

Answer : Protect society, the common good, necessary public trust and confidence, and the infrastructure. Provide diligent and competent service to principals. Advance and protect the profession.

Explanation Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.


Which of these is automatically granted, you do NOT have to apply for it?

Options are :

  • Trademark.
  • Patent.
  • Copyright. (Correct)
  • Legal immunity.

Answer : Copyright.

Explanation Copyright © - (Exceptions: first sale, fair use). Books, Art, Music, Software. Automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for corporations.

Which of these would be a security concern we need to address in an acquisition?

Options are :

  • Who gets the IT Infrastructure?
  • How do we ensure their security standards are high enough? (Correct)
  • Security is part of the SLA.
  • All of these.

Answer : How do we ensure their security standards are high enough?

Explanation Acquisitions: Your organization has acquired another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?

Which of these is an example of a detective access control type?

Options are :

  • Encryption.
  • Alarms. (Correct)
  • Backups.
  • Patches.

Answer : Alarms.

Explanation Detective: Controls that detect during or after an attack – IDS, CCTV, Alarms, anti-virus.


In our risk analysis we are looking at the residual risk. What does that comprise?

Options are :

  • Threat + vulnerability.
  • Threat * vulnerability.
  • Threat * vulnerability * asset value.
  • (threat * vulnerability * asset value) - countermeasures. (Correct)

Answer : (threat * vulnerability * asset value) - countermeasures.

Explanation The residual risk is what is left over after we implement our countermeasures against the total risk. Residual Risk = Total Risk – Countermeasures.

In our risk analysis, we are looking at the risks, vulnerabilities, and threats. Which type of risk analysis are we using?

Options are :

  • Quadratic risk analysis.
  • Cumulative risk analysis.
  • Quantitative risk analysis. (Correct)
  • Qualitative risk analysis.

Answer : Quantitative risk analysis.

Explanation Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis: the total $ value of the asset is used and math is involved. To quantify it we use Risk = Threat x Vulnerability.

We are looking at our risk responses. We are choosing to ignore an identified risk. What type of response would that be?

Options are :

  • Risk transference.
  • Risk rejection. (Correct)
  • Risk avoidance.
  • Risk mitigation.

Answer : Risk rejection.

Explanation Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).


In which type of an attack is the attacker sending hundreds of thousands of untargeted emails?

Options are :

  • Spear phishing.
  • Whale phishing.
  • Phishing. (Correct)
  • Vishing.

Answer : Phishing.

Explanation Phishing (Social Engineering Email Attack): Click to win, send information to get your inheritance, or similar promises. Sent to hundreds of thousands of people; if just 0.02% follow the instructions they have 200 victims. A Public Treasurer in Michigan sent $1.2m to Nigeria ($1.1m of taxpayer funds and $72,000 of his own).

What is the PRIMARY focus of the PCI-DSS standard?

Options are :

  • PHI.
  • Credit cards. (Correct)
  • PII.
  • ITSM.

Answer : Credit cards.

Explanation PCI-DSS (Payment Card Industry Data Security Standard) is a standard used in the payment card industry, it is not mandated, but it is enforced by excluding vendors who do not adhere to it.

Who can act in exigent circumstances?

Options are :

  • Law enforcement. (Correct)
  • Our IT security team.
  • Our legal team.
  • Lawyers.

Answer : Law enforcement.

Explanation Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. A court will later decide whether it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18 U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.


When we are doing quantitative risk analysis, what does the Asset Value (AV) tell us?

Options are :

  • How much something is worth. (Correct)
  • How often that asset type is compromised per year.
  • What it will cost us per year if we do nothing.
  • How much of the asset is lost per incident.

Answer : How much something is worth.

Explanation Asset Value (AV) – How much is the asset worth?

At the quarterly leadership conference, you are talking about threats to our environments, and one of the participants asks you to define what a threat is. Which of these could be your answer?

Options are :

  • How bad is it if we are compromised?
  • A potentially harmful incident. (Correct)
  • A weakness that can possibly be exploited.
  • The total risk after we have implemented our countermeasures.

Answer : A potentially harmful incident.

Explanation Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)

When we design our defense in depth we use multiple overlapping controls. Which of these is a type of preventative access control?

Options are :

  • Encryption. (Correct)
  • Backups.
  • Patches.
  • Intrusion detection systems.

Answer : Encryption.

Explanation Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.


Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?

Options are :

  • Non-specific, but can contain patches, updates, strong encryption. (Correct)
  • Specific, all laptops are W10, 64 bit, 8GB memory, etc.
  • Low level step-by-step guides.
  • Recommendations.

Answer : Non-specific, but can contain patches, updates, strong encryption.

Explanation Policies – Mandatory: High level, non-specific. They can contain “Patches, Updates, strong encryption”; they will not be specific to “OS, Encryption type, Vendor Technology.”

There are many different types of attacks on intellectual property. Which of these is a COMMON type of attack on trademarks?

Options are :

  • Software piracy.
  • There are none. This is security through obscurity. If discovered, anyone is allowed to use it.
  • Counterfeiting. (Correct)
  • Someone using your protected design in their products.

Answer : Counterfeiting.

Explanation The most common attack against trademarks is counterfeiting: fake Rolexes, Prada, Nike, Apple products; either using the real name or a very similar name.

We have just added biometrics to our access control systems, and we are seeing a lot of Type 2 authentication errors. Looking at the image, which data point would be the Type 2 errors?


Options are :

  • A (Correct)
  • B
  • C

Answer : A

Explanation FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.


When an attacker is using DDOS attacks, which leg of the CIA Triad is that meant to disrupt?

Options are :

  • Confidentiality.
  • Accountability.
  • Availability. (Correct)
  • Integrity.

Answer : Availability.

Explanation When we get hit by a DDoS (Distributed Denial Of Service), it disrupts our availability, but not integrity or confidentiality.

We use different risk analysis approaches and tools in our risk assessments. In which type of risk analysis would you see these terms?: Exposure factor (EF), Asset Value (AV), and Annual Rate of Occurrence (ARO)?

Options are :

  • Quantitative (Correct)
  • Qualitative.
  • Quadratic.
  • Residual.

Answer : Quantitative

Explanation Quantitative Risk Analysis is where we put a number on the risk: how much does it cost each time? How often does it happen? Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost. Annual Rate of Occurrence (ARO) – How often will this happen each year?

6 months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?

Options are :

  • A solid legal defense strategy for the attacker; entrapment is illegal and unethical. (Correct)
  • Not a solid legal defense strategy for the attacker.
  • Something we can do without consulting our legal department.
  • Legal and unethical.

Answer : A solid legal defense strategy for the attacker; entrapment is illegal and unethical.

Explanation Entrapment (illegal and unethical): When someone is persuaded to commit a crime they had no intention to commit and is then charged with it. Openly advertising sensitive data and then charging people when they access them. Entrapment is a solid legal defense.


The US HIPAA laws have 3 core rules. Which of these is NOT one of them?

Options are :

  • Privacy rule.
  • Security rule.
  • Breach notification rule.
  • Encryption rule. (Correct)

Answer : Encryption rule.

Explanation HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?

Options are :

  • Health Information Portability and Authorization Act.
  • Health Insurrection Portability and Accountability Act.
  • Health Information Portability and Accountability Act.
  • Health Insurance Portability and Accountability Act. (Correct)

Answer : Health Insurance Portability and Accountability Act.

Explanation HIPAA is the Health Insurance Portability and Accountability Act.

Jane has written a book on IT security. With books, copyright is automatically granted, and Jane owns all the rights to her materials. How long is copyrighted material protected after the creator's death?

Options are :

  • 20 years.
  • 70 years. (Correct)
  • 95 years.
  • 10 years.

Answer : 70 years.

Explanation Copyright © applies to books, art, music, software and much more. It is automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for corporations.


Acting ethically is very important, especially for IT security professionals. If we look at the IAB's "Ethics and the Internet," which of these behaviors does it NOT consider unethical?

Options are :

  • Disrupts the intended use of the internet.
  • Seeks to gain unauthorized access to resources of the internet.
  • Compromises the privacy of users.
  • Having fake social media profiles and accounts. (Correct)

Answer : Having fake social media profiles and accounts.

Explanation IAB’s Ethics and the Internet, defined as a Request for Comment (RFC), #1087 - Published in 1987. It considered the following unethical behavior: Seeks to gain unauthorized access to the resources of the Internet. Disrupts the intended use of the Internet. Wastes resources (people, capacity, computer) through such actions. Destroys the integrity of computer-based information. Compromises the privacy of users.

You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?

Options are :

  • Regulations.
  • Dogs. (Correct)
  • Biometric authentication.
  • Access lists.

Answer : Dogs.

Explanation Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.

We have acquired a competing organization and your team is working on the risk analysis for the applications they use internally. You would use which of these as PART of your Qualitative Risk Analysis?

Options are :

  • A risk analysis matrix. (Correct)
  • Risk = threat x vulnerability.
  • ALE, SLE and ARO.
  • Fact based analysis.

Answer : A risk analysis matrix.

Explanation Qualitative Risk Analysis: This is vague, guessing, based on a feeling, and relatively quick to do. We add all our assets to a matrix and assign them values on "how likely is it to happen and how bad is it if it happens?" It is often done to know where to focus the Quantitative Risk Analysis.


The CIA triad is one of the foundational pieces of IT Security. We want to find the right mix of confidentiality, integrity and availability, and we want to ensure none of the legs are compromised. Which of these is NOT one of the CIA triad opposites?

Options are :

  • Disclosure.
  • Destruction.
  • Alteration.
  • Aggregation. (Correct)

Answer : Aggregation.

Explanation The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality - We keep our data and secrets secret. Integrity - We ensure the data has not been altered. Availability - We ensure authorized people can access the data they need, when they need to.

We use the CIA triad as a logical model for IT Security and the protection profile our organization wants. What does the A stand for in the CIA triad?

Options are :

  • Accountability.
  • Availability. (Correct)
  • Authorization.
  • Authentication.

Answer : Availability.

Explanation The CIA (Confidentiality, Integrity, Availability) Triad: Availability - We ensure authorized people can access the data they need, when they need to.

Our organization has been court ordered to comply with the "Data Protection Directive" in the EU. What is one of the things we need to do in order to do that?

Options are :

  • Notify individuals about how their data is gathered and used. (Correct)
  • Gather as much personal information as they can to better sell products to the individuals.
  • Refuse to let individuals opt out of data sharing with 3rd party companies.
  • Transmit information out of the EU to countries with lower standards for storage.

Answer : Notify individuals about how their data is gathered and used.

Explanation EU Data Protection Directive: Very aggressive pro-privacy law. Organizations must notify individuals of how their data is gathered and used. Organizations must allow for opt-out for sharing with 3rd parties. Opt-in is required for sharing most sensitive data. No transmission out of EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor: optional between organization and EU.


We need to ensure we are compliant with all the laws and regulations of all the states, territories, and countries we operate in. How are the security breach notification laws in the US handled?

Options are :

  • Federal.
  • Handled by the individual states. (Correct)
  • Mandatory for states to have.
  • Handled by the individual organizations.

Answer : Handled by the individual states.

Explanation Security Breach Notification Laws: NOT federal. 48 states have individual laws; know the one for your state (there are none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many states have an encryption clause where lost encrypted data may not require disclosure.

We want to strengthen our detective access controls. Which of these could be something we would want to implement?

Options are :

  • Encryption.
  • IDS. (Correct)
  • Backups.
  • Patches.

Answer : IDS.

Explanation Detective: Controls that detect during or after an attack – IDS, CCTV, Alarms, anti-virus.
