Governance, Risk, and Compliance (D486)

Correct Answer

B. Using a nonadministrative account for activities

Explanation

Using a nonadministrative account limits the permissions available to malware in case of infection. If malware executes within an account that lacks administrative privileges, it is less likely to perform system-level changes, reducing the risk of severe damage. This is a fundamental security best practice for mitigating malware-related risks.

Why Other Options Are Wrong

A. Implement host-based antimalware can detect and remove some malware, but it is not foolproof. Advanced malware can evade detection, and relying solely on antimalware software does not address the risk of malware gaining administrative privileges.

C. Implementing full-disk encryption (FDE) protects data at rest, meaning it secures information when the device is powered off. However, it does not prevent malware from executing or spreading if an account with administrative access is compromised.

D. Making certain the operating systems are patched is crucial for overall security but does not specifically mitigate the risk of malware gaining administrative access. While patches close vulnerabilities, they do not restrict a compromised user’s permissions.

Correct Answer

C. Single point of failure

Explanation

A single point of failure (SPOF) occurs when a critical component in a system has no redundancy, meaning that if it fails, the entire system or service is disrupted. In this scenario, since all internet traffic depends on a single connection, if that connection goes down, the organization loses internet access, making it a single point of failure.

Why Other Options Are Wrong

A. Cloud computing

Cloud computing involves delivering computing resources over the internet. While an organization may rely on the cloud for services, having a single internet connection is not the definition of cloud computing.

B. Load balancing

Load balancing distributes network traffic across multiple servers or connections to improve performance and reliability. Since this scenario describes a single connection without redundancy, load balancing is not in place.

D. Virtualization

Virtualization refers to creating virtual environments (such as virtual machines or networks) on a single physical system. The issue described here is a lack of redundancy in an internet connection, not virtualization.

Correct Answer

B. Gamification

Explanation

Gamification involves incorporating game-like elements, such as points, rewards, and challenges, into non-game activities like security training. By using points for correct answers and deductions for mistakes, Gary is engaging employees in a competitive and interactive learning experience. Gamification makes security awareness training more engaging and effective.

Why Other Options Are Wrong

A. Capture the flag

Capture the flag (CTF) is a hands-on cybersecurity challenge that often involves solving security puzzles or exploiting vulnerabilities to "capture" virtual flags. Gary’s training does not involve such a competitive hacking environment.

C. Phishing campaigns

A phishing campaign involves sending simulated phishing emails to employees to test their ability to recognize and report phishing attempts. While Gary's training is related to phishing, it is structured as a game rather than a direct phishing test.

D. Role-based training

Role-based training tailors security training to specific job functions within an organization. While Gary’s application provides phishing awareness, it is not tailored to specific roles but rather uses an interactive game format.

Correct Answer

B. Pseudonymization requires additional data to reidentify the data subject

Explanation

Pseudonymization replaces personal identifiers with pseudonyms or artificial identifiers while still allowing reidentification if additional data is available. In contrast, anonymization permanently removes all identifying information, making it impossible to link data back to an individual.

Why Other Options Are Wrong

A. Anonymization uses encryption

Encryption does not equal anonymization because encrypted data can still be decrypted. True anonymization removes all identifiers permanently.

C. Anonymization can be reversed using a hash

Anonymization is not reversible. Hashing, while often used for security, does not always guarantee full anonymization.

D. Pseudonymization uses randomized tokens

While pseudonymization may involve randomized tokens, the key difference is that it allows reidentification if additional data is available, which is why option B is the best choice.

Correct Answer

D. Preventive administrative control

Explanation

A preventive administrative control is a policy or procedure that helps prevent security incidents by managing human behavior. Security awareness training and system testing fall into this category because they aim to reduce the likelihood of security breaches through proactive education and structured security protocols.

Why Other Options Are Wrong

A. Detective technical control

A detective technical control identifies security events after they have occurred, such as an IDS or audit logs. Security training and testing do not detect incidents but rather prevent them.

B. Preventive technical control

A preventive technical control involves technology-based solutions like firewalls and encryption, which proactively block threats. Security training and policies are not technical in nature.

C. Detective administrative control

A detective administrative control is a policy or process used to detect security issues, such as security audits. Security awareness training and system testing are preventive measures rather than detective ones.

Correct Answer

C. Onboarding

Explanation

Onboarding is the process of integrating new employees into an organization by setting up their accounts, providing access to systems, and assigning necessary resources like mobile devices. It ensures they can perform their job duties securely and efficiently.

Why Other Options Are Wrong

A. Offboarding

Offboarding is the opposite process—it involves removing access, deactivating accounts, and collecting company devices when an employee leaves the organization.

B. System owner

A system owner is responsible for managing a specific IT system, including security policies and maintenance, but does not perform onboarding tasks.

D. Executive user

An executive user is a high-level employee with privileged access, but this is not related to the process of creating user accounts for new hires.

Correct Answer

A. Quantitative risk assessment

Explanation

A quantitative risk assessment evaluates risks using numerical data, such as financial costs, probabilities, and expected losses. By considering cost, the security manager is using measurable data to determine whether mitigating a risk is financially justifiable. This approach helps prioritize risk management efforts based on cost-effectiveness.

Why Other Options Are Wrong

B. Qualitative risk assessment is incorrect because it relies on subjective judgment and categories like "high," "medium," or "low" rather than numerical values. It does not focus on cost but rather on perceived risk levels.

C. Business impact analysis focuses on assessing the potential consequences of disruptions to business operations. While it may consider financial aspects, it is broader in scope and does not directly determine which risks to mitigate based on cost.

D. Threat assessment involves identifying and analyzing potential threats that could harm an organization. It does not specifically address the financial aspect of risk mitigation, which is a key feature of quantitative risk assessment.

Correct Answer

C. Antivirus software

Explanation

Physical security controls are designed to protect the physical infrastructure, assets, and personnel from threats such as theft, unauthorized access, or environmental hazards. Antivirus software is not a physical security control because it focuses on digital protection against malware and cyber threats. Instead of securing a physical location, it safeguards systems from software-based attacks.

Why Other Options Are Wrong

A. Motion detector is a physical security control because it detects movement within a secured area, helping to prevent unauthorized access. It is commonly used in alarm systems to trigger alerts when unexpected motion is detected.

B. Fence is a classic physical security measure used to create a barrier around a property or sensitive area. It helps prevent unauthorized access by establishing a physical boundary.

D. Closed-circuit television (CCTV) is a physical security control used for surveillance and monitoring. It allows security personnel to track activity in a specific area, helping to deter and investigate security incidents.

Correct Answer

C. Job rotation

Explanation

Job rotation is a security and operational control where employees periodically switch roles to increase knowledge, reduce fraud risk, and ensure no single individual maintains excessive control over critical functions. This practice helps organizations detect irregularities and prevents employees from engaging in fraudulent activities for extended periods. Additionally, job rotation promotes cross-training, ensuring continuity in operations when an employee leaves or is unavailable.

Why Other Options Are Wrong

A. Separation of duties is incorrect because it refers to dividing responsibilities among multiple individuals to prevent fraud or errors. While job rotation may contribute to security, it is distinct from separating duties within a process.

B. Mandatory vacation requires employees to take time off so that irregularities in their work can be detected in their absence. Unlike job rotation, it does not involve regularly switching roles but instead ensures others review the employee’s work.

D. Onboarding refers to the process of integrating a new employee into an organization. It involves training, familiarization with company policies, and job responsibilities, which is unrelated to switching roles periodically.