
CompTIA Security Plus Certification Exam Version 4 Questions

5 questions
1. A Chief Information Security Officer has decided that purchasing insurance when the ALE of expected incidents exceeds $1 million is the most cost-effective approach. Which of the following does the $1 million represent?
A. Risk indicator
B. Risk tolerance
C. Risk threshold Correct
D. Risk exposure
Explanation
The $1 million is the specific point at which the organization decides the risk level is no longer acceptable without transferring it through insurance. This value is a defined risk threshold that triggers a specific risk response action. Risk tolerance is broader and represents the overall level of risk the organization is willing to accept.
2. After creating a contract for IT contractors, the human resources department changed several clauses. The contract has gone through three revisions. Which of the following processes should the human resources department follow to track revisions?
A. Version validation
B. Version changes
C. Version updates
D. Version control Correct
Explanation
Version control is the formal process of tracking and managing changes to documents, code, or contracts over time. It records each revision, who made it, and when, and it lets any previous version be retrieved if needed. This prevents confusion over which revision is current and maintains an audit trail.
3. A Chief Information Officer wants to ensure that network devices cannot connect to the public Internet and the local network to directly perform firmware updates. The IT team must manually perform the update process by using a portable device. Which of the following architecture types best fits this description?
A. Microservices
B. Air-gapped Correct
C. Software-defined networking
D. Serverless
Explanation
An air-gapped system is physically isolated from external networks and requires manual intervention (such as carrying the update on a USB drive) to transfer data or updates. This isolation blocks remote network attacks and unauthorized over-the-network firmware updates; the removable media then becomes the remaining path in, so the portable device should be scanned and the firmware image's integrity verified before it is applied. Air gaps are a common high-security architecture for critical infrastructure.
4. Which of the following is a common data removal option for companies that want to wipe sensitive data from hard drives in a repeatable manner but allow the hard drives to be reused?
A. Sanitization Correct
B. Formatting
C. Degaussing
D. Defragmentation
Explanation
Sanitization is the umbrella term NIST SP 800-88 uses for making data on media unrecoverable. Its Clear level (overwriting every user-addressable location with a fixed pattern; a single pass is sufficient for modern drives) and its Purge level via ATA/NVMe secure erase or cryptographic erase leave the drive functional for reuse, which is what the question asks for. The older DoD 5220.22-M multi-pass scheme is often cited but is not required by NIST SP 800-88. Formatting only rewrites file-system metadata and leaves the data blocks recoverable; degaussing erases a magnetic drive's servo tracks along with the data, rendering it permanently unusable, and has no effect on SSDs; defragmentation merely reorders data.
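The Clear-level overwrite described above, as an added example (not part of the original question bank): the script overwrites every byte of a file or block device with each pattern in turn, syncs to stable storage, and then reads the whole medium back to verify the final fixed pattern. The demo helper runs against a constructed temporary file standing in for a drive; the function names, the pattern sequence, and the sample "account number" content are assumptions made for illustration.

```python
import os
import secrets

# Pattern passes. NIST SP 800-88 "Clear" needs only a single fixed-value pass on
# modern magnetic drives; the extra passes here are optional assurance.
# None means "fill with cryptographically random bytes".
DEFAULT_PASSES = (b"\xff", None, b"\x00")


def _fill(pattern, size):
    """Produce `size` bytes of the requested pattern (random if pattern is None)."""
    if pattern is None:
        return secrets.token_bytes(size)
    return pattern * size


def overwrite_device(path, passes=DEFAULT_PASSES, chunk=1 << 20):
    """Overwrite every byte of `path` (file or block device) with each pattern
    in turn, fsync'ing after each pass. Returns the number of bytes written per pass."""
    with open(path, "r+b", buffering=0) as fh:
        size = fh.seek(0, os.SEEK_END)
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(_fill(pattern, n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # make the pass hit stable storage, not just cache
    return size


def verify_pattern(path, pattern, chunk=1 << 20):
    """Read the whole medium back and confirm every byte equals `pattern`."""
    with open(path, "rb", buffering=0) as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return True
            if buf != pattern * len(buf):
                return False


def sanitize(path, passes=DEFAULT_PASSES):
    """Clear-level sanitization: overwrite, then verify the final pass.
    Returns (bytes_written_per_pass, verified). Verification needs the last
    pass to be a fixed pattern; a trailing random pass returns verified=None."""
    written = overwrite_device(path, passes)
    last = passes[-1]
    if last is None:
        return written, None
    return written, verify_pattern(path, last)


def demo_on_temp_file():
    """Self-contained demo on a constructed temp file standing in for a drive.
    The 'account number' content is made up for the example."""
    import tempfile
    secret = b"ACCOUNT-NUMBER-4111-1111-1111-1111\n" * 256
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    written, verified = sanitize(path)
    with open(path, "rb") as fh:
        leftover = fh.read()
    os.unlink(path)
    return {
        "size": len(secret),
        "written": written,
        "verified": verified,
        "plaintext_remains": b"4111" in leftover,
    }


if __name__ == "__main__":
    print(demo_on_temp_file())
```

On a real drive you would point `sanitize()` at the block device (for example `/dev/sdX`, as root), never at a file on a mounted file system, since journaling, copy-on-write, and wear levelling can leave the original blocks untouched. For SSDs and NVMe devices a host-side overwrite also cannot reach remapped or over-provisioned blocks, so the Purge-level commands built into the drive are the reusable option there: `hdparm --security-erase` for ATA Secure Erase, or `nvme format --ses=2` for an NVMe cryptographic erase.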
5. A security officer observes that a software development team is not complying with its corporate security policy on encrypting confidential data. Which of the following categories refers to this type of non-compliance?
A. External
B. Standard
C. Regulation
D. Internal Correct
Explanation
Corporate security policies are internal requirements created by the organization itself. Non-compliance with them is classified as internal non-compliance. External non-compliance would involve violations of laws, regulations, or contractual obligations.
