SY0-401 (v.4) 6

A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk?
Implement privacy policies
Enforce mandatory vacations
Implement a security policy
Enforce time of day restrictions
The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action?
Create a single, shared user account for every system that is audited and logged based upon time of use.
Implement a single sign-on application on equipment with sensitive data and high-profile shares.
Enact a policy that employees must use their vacation time in a staggered schedule.
Separate employees into teams led by a person who acts as a single point of contact for observation purposes.
A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks. Which of the following practices is being implemented?
Mandatory vacations
Job rotation
Separation of duties
Least privilege
Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented?
Least privilege
Job rotation
Mandatory vacations
Separation of duties
In order to prevent and detect fraud, which of the following should be implemented?
Job rotation
Risk analysis
Incident management
Employee evaluations
The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future?
Job rotation
Separation of duties
Mandatory Vacations
Least Privilege
Separation of duties is often implemented between developers and administrators in order to separate which of the following?
More experienced employees from less experienced employees
Changes to program code and the ability to deploy to production
Upper level management users from standard development employees
The network access layer from the application access layer
A user in the company is in charge of various financial roles but needs to prepare for an upcoming audit. They use the same account to access each financial system. Which of the following security controls will MOST likely be implemented within the company?
Account lockout policy
Account password enforcement
Password complexity enabled
Separation of duties
Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process?
Separation of Duties
Mandatory Vacations
Discretionary Access Control
Job Rotation
One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following?
Mandatory access
Rule-based access control
Least privilege
Job rotation
A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall?
Mandatory vacations
Job rotation
Least privilege
Time of day restrictions
Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles?
User rights reviews
Incident management
Risk based controls
Annual loss expectancy
An IT security manager is asked to provide the total risk to the business. Which of the following calculations would the security manager choose to determine total risk?
(Threats X vulnerability X asset value) x controls gap
(Threats X vulnerability X profit) x asset value
Threats X vulnerability X control gap
Threats X vulnerability X asset value
A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server’s drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO).
Disk hashing procedures
Full disk encryption
Data retention policies
Disk wiping procedures
Removable media encryption
Identifying residual risk is MOST important to which of the following concepts?
Risk deterrence
Risk acceptance
Risk mitigation
Risk avoidance
A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO).
Fault tolerance
Encryption
Availability
Integrity
Safety
Confidentiality
Which of the following defines a business goal for system restoration and acceptable data loss?
MTTR
MTBF
RPO
Warm site
Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk?
Accept the risk saving $10,000.
Ignore the risk saving $5,000.
Mitigate the risk saving $10,000.
Transfer the risk saving $5,000.
Which of the following concepts are included on the three sides of the “security triangle”? (Select THREE).
Confidentiality
Availability
Integrity
Authorization
Authentication
Continuity
Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted. This has important implications for which of the following data security concerns?
Hardware integrity
Data confidentiality
Availability of servers
Integrity of data
The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available?
Cloud computing
Full disk encryption
Data Loss Prevention
HSM
Users can authenticate to a company’s web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration?
Malicious users can exploit local corporate credentials with their social media credentials
Changes to passwords on the social media site can be delayed from replicating to the company
Data loss from the corporate servers can create legal liabilities with the social media site
Password breaches to the social media site affect the company application as well
Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding?
Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing.
MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high.
MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.
MOUs between two companies working together cannot be held to the same legal standards as SLAs.
Which of the following describes the purpose of an MOU?
Define interoperability requirements
Define data backup process
Define onboard/offboard procedure
Define responsibilities of each party
A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data. Which of the following types of interoperability agreement is this?
ISA
MOU
SLA
BPA
Which of the following is the primary security concern when deploying a mobile device on a network?
Strong authentication
Interoperability
Data security
Cloud storage technique
A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application?
Avoid the risk to the user base allowing them to re-enable their own accounts
Mitigate the risk by patching the application to increase security and saving money
Transfer the risk replacing the application now instead of in five years
Accept the risk and continue to enable the accounts each month saving money
Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC services wants to send some of Acme Corp’s debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party?
The data should be encrypted prior to transport
This would not constitute unauthorized data sharing
This may violate data ownership and non-disclosure agreements
Acme Corp should send the data to ABC Services’ vendor instead
An administrator wants to minimize the amount of time needed to perform backups during the week. It is also acceptable to the administrator for restoration to take an extended time frame. Which of the following strategies would the administrator MOST likely implement?
Full backups on the weekend and incremental during the week
Full backups on the weekend and full backups every day
Incremental backups on the weekend and differential backups every day
Differential backups on the weekend and full backups every day
A security administrator needs to update the OS on all the switches in the company. Which of the following MUST be done before any actual switch configuration is performed?
The request needs to be sent to the incident management team.
The request needs to be approved through the incident management process
The request needs to be approved through the change management process.
The request needs to be sent to the change management team.
Developers currently have access to update production servers without going through an approval process. Which of the following strategies would BEST mitigate this risk?
Incident management
Clean desk policy
Routine audits
Change management
Which of the following mitigation strategies is established to reduce risk when performing updates to business critical systems?
Incident management
Server clustering
Change management
Forensic analysis
The network administrator is responsible for promoting code to applications on a DMZ web server. Which of the following processes is being followed to ensure application integrity?
Application hardening
Application firewall review
Application change management
Application patch management
Which of the following MOST specifically defines the procedures to follow when scheduled system patching fails resulting in system outages?
Risk transference
Change management
Configuration management
Access control revalidation
A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO).
Patch Audit Policy
Change Control Policy
Incident Management Policy
Regression Testing Policy
Application Audit Policy