Chapter 1: Security and Risk Management (Domain 1) 325
- D. Wireshark is a protocol analyzer and may be used to eavesdrop on network
connections. Eavesdropping is an attack against confidentiality.
- 87. C. In reduction analysis, the security professional breaks the system down into five key elements: trust boundaries, data flow paths, input points, privileged operations, and details about security controls.
- The laws or industry standards match the descriptions as follows:
  - GLBA: A. A US law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis.
  - PCI DSS: C. An industry standard that covers organizations that handle credit cards.
  - HIPAA: D. A US law that provides data privacy and security requirements for medical information.
  - SOX: B. A US law that requires internal controls assessments including IT transaction flows for publicly traded companies.
- D. Of the states listed, Florida is the only one that is not shaded to indicate a serious risk of a major earthquake.
- C. Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.
- B. Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
- A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.
- B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.
- D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.
- C. Risks are the combination of a threat and a vulnerability. Threats are the external forces seeking to undermine security, such as the malicious hacker in this case. Vulnerabilities are the internal weaknesses that might allow a threat to succeed. In this case, the missing patch is the vulnerability. In this scenario, if the malicious hacker (threat) attempts a SQL injection attack against the unpatched server (vulnerability), the result is website defacement.
- C. The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50%.