Governance, Risk, and Compliance (D486)
Free Governance, Risk, and Compliance (D486) Questions
Which of the following concepts defines a company goal for system restoration and acceptable data loss?
- A. MTBF
- B. MTTR
- C. RPO
- D. ARO
Correct Answer
C. RPO
Explanation
Recovery Point Objective (RPO) is the maximum acceptable amount of data loss, measured as the time between the last good backup (or replication point) and the disruption. It states how much work the organization is willing to lose and therefore sets the minimum backup or replication frequency: an RPO of one hour cannot be met by nightly backups. Its companion metric, the Recovery Time Objective (RTO), states how quickly the system itself must be restored; the question's wording covers both goals, and of the options given only RPO is one of them.
Why Other Options Are Wrong
A. MTBF (Mean Time Between Failures) is incorrect because it measures the expected operational time between failures of a system or component, not data loss tolerance.
B. MTTR (Mean Time to Repair) is incorrect because it refers to the average time required to restore a failed system or component to normal operations. It does not define data loss limits.
D. ARO (Annualized Rate of Occurrence) is incorrect because it represents the likelihood of a specific risk occurring within a year. It does not measure system restoration goals or data loss tolerance.
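The point that RPO drives backup frequency is easy to check against a real backup schedule. The following is an added example, not code from the page: given an RPO and the completion times of recent backups (a constructed sample here), it reports the worst-case data loss, the gaps that breach the RPO, and the scheduling interval needed to meet it. The half-RPO safety margin is an assumption, chosen to leave room for job runtime and retries.

```python
from datetime import datetime, timedelta

# Constructed sample: completion times of backups for one system (not from the page).
SAMPLE_BACKUPS = [
    "2024-03-01T00:00:00",
    "2024-03-01T04:00:00",
    "2024-03-01T08:00:00",
    "2024-03-01T14:30:00",  # the 12:00 job was skipped, leaving a 6.5 h gap
    "2024-03-01T16:00:00",
]


def parse_times(stamps):
    """Parse ISO-8601 timestamps and sort them oldest first."""
    return sorted(datetime.fromisoformat(s) for s in stamps)


def worst_case_data_loss(stamps, as_of):
    """Largest window of unprotected changes: the longest gap between consecutive
    backups, or the gap from the last backup to 'as_of' if that is larger."""
    times = parse_times(stamps)
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(as_of - times[-1])
    return max(gaps)


def rpo_violations(stamps, rpo, as_of):
    """Intervals (start, end, gap) in which a disruption would have lost more data
    than the RPO allows. The open interval since the last backup is included."""
    points = parse_times(stamps) + [as_of]
    return [(a, b, b - a) for a, b in zip(points, points[1:]) if b - a > rpo]


def required_backup_interval(rpo, safety_margin=0.5):
    """Scheduling interval that meets the RPO with headroom for job runtime and
    retries. The 50% margin is an assumption, not a standard figure."""
    return rpo * safety_margin


if __name__ == "__main__":
    rpo = timedelta(hours=4)
    now = datetime.fromisoformat("2024-03-01T17:00:00")
    print("worst-case data loss:", worst_case_data_loss(SAMPLE_BACKUPS, now))
    for start, end, gap in rpo_violations(SAMPLE_BACKUPS, rpo, now):
        print(f"RPO breached between {start} and {end}: {gap} unprotected")
    print("schedule backups at least every", required_backup_interval(rpo))
```

Run it against exported job logs rather than the schedule as configured: a skipped or failed job is what turns a compliant schedule into an RPO breach, and the last gap (since the most recent backup) is the one that matters right now.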
Which of the following agreements is less formal than a traditional contract but still has a certain level of importance to all parties involved?
- A. SLA
- B. BPA
- C. ISA
- D. MOU
Correct Answer
D. MOU
Explanation
A Memorandum of Understanding (MOU) is a formal agreement between two or more parties that outlines their mutual intentions but is less binding than a traditional contract. It provides a framework for collaboration, ensuring all parties understand their roles and responsibilities while allowing flexibility. MOUs are commonly used in business partnerships, government agreements, and international relations.
Why Other Options Are Wrong
A. SLA (Service Level Agreement) defines measurable service levels (availability, response time, support hours) that a provider commits to, usually as an enforceable part of the service contract, with penalties or service credits when they are missed. That makes it more formal and more binding than an MOU.
B. BPA (Business Partnership Agreement) is a detailed and legally binding contract that governs business relationships, outlining responsibilities, financial terms, and operational procedures. It is more formal than an MOU.
C. ISA (Interconnection Security Agreement) is a formal agreement that defines security requirements for data shared between organizations. While important, it is a structured security document rather than a general-purpose agreement like an MOU.
Isaac has been asked to write his organization's security policies. What policy is commonly put in place for service accounts?
- A. They must be issued only to system administrators
- B. They must use multifactor authentication
- C. They cannot use interactive logins
- D. All of the above
Correct Answer
C. They cannot use interactive logins
Explanation
Service accounts are non-human accounts used by applications, scripts, scheduled jobs, or automated processes. A standard policy is to prohibit interactive logins (console, RDP, or SSH shell sessions) for them: the account only needs to run a service or job, so a human-style session adds nothing legitimate, and a service credential that can open a session is far more useful to an attacker who steals it. This is enforced with a non-login shell (/usr/sbin/nologin or /bin/false) on Unix-like systems or the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights on Windows, and monitored by alerting on interactive logon types for those accounts.
Why Other Options Are Wrong
A. They must be issued only to system administrators is incorrect because service accounts are typically assigned to applications, not individual administrators. Limiting service accounts to administrators would be too restrictive and unnecessary for many automated processes.
B. They must use multifactor authentication is incorrect because service accounts are used by unattended processes, so there is no person present to complete a second factor. Instead, they are protected with long random secrets held in a secrets manager, certificate or key-based authentication, or platform-managed accounts whose credentials rotate automatically, combined with tightly scoped permissions.
D. All of the above is incorrect because not all the statements are true. While security best practices exist for service accounts, they are not necessarily limited to administrators, nor do they always require MFA.
Which of the following is a common security policy for service accounts?
- A. Limiting login hours
- B. Prohibiting interactive logins
- C. Limiting login locations
- D. Implementing frequent password expiration
Correct Answer
B. Prohibiting interactive logins
Explanation
Service accounts are non-human accounts used by applications, services, or automated tasks rather than individual users. To enhance security, organizations typically prohibit interactive logins for service accounts, preventing direct user access. This reduces the risk of unauthorized use, credential theft, or privilege escalation. Instead, service accounts should be restricted to automated processes and configured with minimal necessary permissions.
Why Other Options Are Wrong
A. Limiting login hours
Login hour restrictions are often applied to user accounts, but service accounts typically run 24/7 to support system operations. Restricting login hours could disrupt automated tasks.
C. Limiting login locations
While restricting login locations can enhance security, service accounts are often tied to internal systems or applications that operate across multiple environments, making this control impractical.
D. Implementing frequent password expiration
Frequent password expiration can break the applications that depend on a static credential, and forced manual rotation tends to end with the secret pasted into configuration files and tickets. Organizations instead use long random secrets, certificate-based authentication, or managed service accounts whose credentials the platform rotates automatically, and rotate on a known compromise or staff departure rather than on a calendar.
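The two service-account questions above both come down to one control: service accounts must not be able to open interactive sessions, and any that do should be caught. The following is an added example, not code from the page, showing both halves of that check. The first function audits a constructed /etc/passwd excerpt for system-range accounts whose login shell is interactive; the second scans constructed Windows Security 4624 events (flattened to one line each) for service accounts logging on with an interactive or RDP logon type. The svc_ naming prefix and the UID-below-1000 system range are assumptions about the environment.

```python
import re

# Shells that refuse an interactive session. Anything else is treated as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt (not from the page). UIDs below 1000 are the
# conventional system/service range on most Linux distributions.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup-svc:x:998:998:Backup service:/var/lib/backup:/bin/bash
postgres:x:115:120:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""


def interactive_service_accounts(passwd_text, system_uid_max=999):
    """Service accounts (system UID range, excluding root) whose login shell
    permits an interactive session. Policy says these should be nologin/false."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        uid = int(uid)
        if uid == 0 or uid > system_uid_max:
            continue  # root and human users are governed by other policies
        if shell not in NOLOGIN_SHELLS:
            findings.append((name, uid, shell))
    return findings


# Constructed Windows Security events (not from the page). Logon type 2 is local
# interactive, 10 is RemoteInteractive (RDP), 11 is cached interactive; 4 (batch)
# and 5 (service) are the types a service account is expected to use.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=svc_backup LogonType=5 IpAddress=-",
    "EventID=4624 TargetUserName=svc_sql LogonType=10 IpAddress=10.0.5.23",
    "EventID=4624 TargetUserName=alice LogonType=2 IpAddress=-",
    "EventID=4624 TargetUserName=svc_web LogonType=2 IpAddress=-",
    "EventID=4625 TargetUserName=svc_sql LogonType=10 IpAddress=10.0.5.23",  # failed, not a session
]

INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}
EVENT_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) LogonType=(\d+) IpAddress=(\S+)")


def is_service_account(name):
    """Assumption: this organization names service accounts with an svc_ prefix."""
    return name.lower().startswith("svc_")


def interactive_service_logons(events):
    """Successful (4624) interactive or RDP logons by service accounts. Each hit is
    either a policy violation or a sign that a service credential has been stolen."""
    hits = []
    for event in events:
        match = EVENT_RE.match(event)
        if not match:
            continue
        event_id, user, logon_type, ip = match.groups()
        if event_id == "4624" and logon_type in INTERACTIVE_LOGON_TYPES and is_service_account(user):
            hits.append((user, logon_type, ip))
    return hits


if __name__ == "__main__":
    for name, uid, shell in interactive_service_accounts(SAMPLE_PASSWD):
        print(f"service account {name} (uid {uid}) has interactive shell {shell}")
    for user, logon_type, ip in interactive_service_logons(SAMPLE_EVENTS):
        print(f"interactive logon type {logon_type} by service account {user} from {ip}")
```

The passwd audit is the preventive half (the policy as configured); the event scan is the detective half (the policy as actually observed). In practice the event scan should be a scheduled query against the SIEM rather than a one-off script, and the account-naming assumption should be replaced with a group membership or an attribute from the directory.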
You are a security engineer and discovered an employee using the company's computer systems to operate their small business. The employee installed their personal software on the company's computer and is using the computer hardware, such as the USB port. What policy would you recommend the company implement to prevent any risk of the company's data and network being compromised?
- A. Acceptable use policy
- B. Clean desk policy
- C. Mandatory vacation policy
- D. Job rotation policy
Correct Answer
A. Acceptable use policy
Explanation
An acceptable use policy (AUP) defines the permitted and prohibited uses of an organization’s technology resources. It ensures that employees understand the limitations of using company devices, networks, and software, reducing the risk of security threats, unauthorized data access, and potential legal liabilities. Implementing an AUP would directly address the issue of an employee misusing company systems for personal business activities.
Why Other Options Are Wrong
B. Clean desk policy
A clean desk policy requires employees to keep their workstations free of sensitive documents or electronic media when not in use. While it enhances security by minimizing the risk of information theft, it does not address unauthorized software installation or improper use of company computers.
C. Mandatory vacation policy
A mandatory vacation policy requires employees to take time off periodically, which helps uncover fraudulent activities or security risks that may go unnoticed. However, it does not prevent or restrict unauthorized use of company resources.
D. Job rotation policy
A job rotation policy involves periodically rotating employees into different roles to reduce the risk of fraud and improve skills. While it can help with security and accountability, it does not address the issue of an employee misusing company resources for personal gain.
Your company hires a third-party auditor to analyze the company's data backup and long-term archiving policy. Which type of organization document should you provide to the auditor?
- A. Clean desk policy
- B. Acceptable use policy
- C. Security policy
- D. Data retention policy
Correct Answer
D. Data retention policy
Explanation
A data retention policy defines how long an organization stores data, the types of data retained, and when and how data should be archived or deleted. Since the auditor is analyzing backup and archiving policies, the data retention policy is the most relevant document to provide.
Why Other Options Are Wrong
A. Clean desk policy is incorrect because it focuses on securing sensitive information by ensuring that workspaces are free from confidential documents when unattended. It does not govern data storage or archiving.
B. Acceptable use policy is incorrect because it outlines how employees can use company resources, such as networks and devices. It does not cover backup or archiving policies.
C. Security policy is incorrect because it provides an overall framework for an organization's security practices but does not specifically address data backup and retention.
Patching systems immediately after patches are released is an example of what risk management strategy?
- A. Acceptance
- B. Avoidance
- C. Mitigation
- D. Transference
Correct Answer
C. Mitigation
Explanation
Mitigation is the process of reducing risk by implementing security measures, such as patching systems to protect against vulnerabilities. Applying patches promptly minimizes the window of opportunity for attackers to exploit known security flaws. Regular patching is a key part of a proactive cybersecurity strategy.
Why Other Options Are Wrong
A. Acceptance is incorrect because risk acceptance means acknowledging a risk without taking action to reduce it. Installing patches actively reduces risk rather than accepting it.
B. Avoidance is incorrect because avoidance involves eliminating a risk entirely, such as by decommissioning vulnerable systems. Patching does not remove the system but reduces its exposure.
D. Transference is incorrect because risk transference involves shifting risk to another party, such as through insurance or outsourcing security functions. Patching directly addresses the risk rather than transferring it.
Alyssa has been asked to categorize the risk of outdated software in her organization. What type of risk categorization should she use?
- A. Internal
- B. Quantitative
- C. Qualitative
- D. External
Correct Answer
A. Internal
Explanation
Outdated software is an internal risk because it originates within the organization’s infrastructure. It is a security risk that results from an organization’s failure to update and maintain its systems, rather than an external threat like a cyberattack from outside entities. Addressing internal risks involves improving internal security controls, patching vulnerabilities, and ensuring software updates are regularly applied.
Why Other Options Are Wrong
B. Quantitative
Quantitative risk analysis involves assigning numerical values to risks, such as potential financial loss. While outdated software can be analyzed in a quantitative manner, the categorization of risk here is about its origin (internal vs. external), not its measurement.
C. Qualitative
Qualitative risk analysis focuses on descriptive, subjective assessments of risk (e.g., high, medium, low). While outdated software can be assessed qualitatively, the question is about categorization based on source, making "internal" the correct choice.
D. External
External risks come from outside the organization, such as hackers, natural disasters, or regulatory changes. Outdated software is a risk arising from within the company, not an external source.
Which of the following is the most common reason to include a privacy notice on a website?
- A. To warn attackers about security measures
- B. To avoid lawsuits
- C. Due to regulations or laws
- D. None of the above
Correct Answer
C. Due to regulations or laws
Explanation
A privacy notice informs users how their personal data is collected, used, stored, shared, and protected. Data protection laws such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require businesses that collect personal data to provide such a notice, and failure to comply can lead to fines, penalties, or legal action.
Why Other Options Are Wrong
A. To warn attackers about security measures
Privacy notices are written for the people whose data is processed, not for attackers. They describe data-handling practices and deliberately say nothing about specific security controls, since publishing those would only help an attacker plan around them.
B. To avoid lawsuits
While having a privacy notice can help reduce legal risks, the primary reason for including it is compliance with privacy laws, not simply to avoid lawsuits. A well-crafted privacy notice aligns with regulations and informs users, which indirectly helps in preventing legal issues.
D. None of the above
This option is incorrect because privacy notices are required by law in many countries, making option C the most accurate choice.
Which of the following best describes the disadvantages of quantitative risk analysis compared to qualitative risk analysis?
- A. Quantitative risk analysis requires detailed financial data
- B. Quantitative risk analysis is sometimes subjective
- C. Quantitative risk analysis requires expertise on systems and infrastructure
- D. Quantitative risk provides clear answers to risk-based questions
Correct Answer
A. Quantitative risk analysis requires detailed financial data
Explanation
Quantitative risk analysis relies on numerical data, financial figures, and statistical models to assess risk. This approach can be challenging because it requires detailed financial data, which may not always be readily available or accurate. Additionally, gathering precise financial impact estimates can be time-consuming and complex, making it a disadvantage compared to qualitative risk analysis, which relies more on subjective judgment.
Why Other Options Are Wrong
B. Quantitative risk analysis is sometimes subjective
This statement is more applicable to qualitative risk analysis, which relies on expert judgment and subjective assessments rather than hard data. Quantitative risk analysis, in contrast, is focused on objective, measurable data.
C. Quantitative risk analysis requires expertise on systems and infrastructure
While expertise is necessary for any risk analysis, this is not a unique disadvantage of quantitative risk analysis. Qualitative risk analysis also requires knowledge of systems, infrastructure, and threats to properly assess risks.
D. Quantitative risk provides clear answers to risk-based questions
This statement is an advantage of quantitative risk analysis, not a disadvantage. Since it uses measurable financial data, it provides concrete results rather than relying on subjective interpretation.
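The dependence on financial data is concrete once the standard quantitative formulas are written out: SLE = AV x EF and ALE = SLE x ARO (the ARO from the first question on this page). The following is an added example, not code from the page: it computes ALE for a set of constructed risks, ranks them, prices a candidate control against the loss it prevents, and refuses to run on any risk for which a figure is missing, which is exactly the situation that pushes teams toward qualitative ratings. All monetary values, exposure factors and rates are invented for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskInput:
    name: str
    asset_value: Optional[float]      # AV: what the asset is worth, in currency units
    exposure_factor: Optional[float]  # EF: fraction of AV lost in one incident (0..1)
    aro: Optional[float]              # ARO: expected incidents per year


class MissingDataError(ValueError):
    """Raised when a figure the quantitative model needs is not available."""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the cost of one incident."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(risk):
    """ALE = SLE x ARO. Every input must be an actual number; the model cannot run on
    'high/medium/low' labels, which is the disadvantage the question describes."""
    for field in ("asset_value", "exposure_factor", "aro"):
        if getattr(risk, field) is None:
            raise MissingDataError(f"{risk.name}: no figure for {field}")
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: exposure factor must be between 0 and 1")
    return single_loss_expectancy(risk.asset_value, risk.exposure_factor) * risk.aro


def control_value(before, after, annual_control_cost):
    """Net annual value of a control: ALE reduction minus the control's yearly cost.
    A positive result means the control costs less than the loss it prevents."""
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_control_cost


def rank_by_ale(risks):
    """Rank quantifiable risks by ALE (highest first) and list the rest separately
    instead of guessing figures for them."""
    ranked, unquantifiable = [], []
    for risk in risks:
        try:
            ranked.append((risk.name, annualized_loss_expectancy(risk)))
        except MissingDataError as err:
            unquantifiable.append(str(err))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, unquantifiable


# Constructed figures for illustration (not from the page).
RANSOMWARE = RiskInput("ransomware on file server", 500_000, 0.4, 0.25)
RANSOMWARE_WITH_OFFLINE_BACKUPS = RiskInput("ransomware on file server (offline backups)", 500_000, 0.1, 0.25)
SAMPLE_RISKS = [
    RANSOMWARE,
    RiskInput("unpatched web framework", 200_000, 0.5, 0.6),
    RiskInput("lost laptop", 5_000, 1.0, 2.0),
    RiskInput("reputational damage from a breach", None, 0.3, 0.2),  # nobody could price the asset
]

if __name__ == "__main__":
    ranked, missing = rank_by_ale(SAMPLE_RISKS)
    for name, ale in ranked:
        print(f"{name:40s} ALE = {ale:>10,.0f}")
    for message in missing:
        print("cannot quantify:", message)
    print("offline backups, net annual value:",
          control_value(RANSOMWARE, RANSOMWARE_WITH_OFFLINE_BACKUPS, 20_000))
```

The ranking and the control decision are only as good as the AV, EF and ARO figures behind them: the exposure factor for ransomware and the annual rate for a laptop loss both have to come from incident history, insurer data or finance, and when one of them is absent the model says so rather than producing a number that looks precise.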
ULOSCA is an online study platform that offers expertly crafted exam practice questions and detailed explanations, designed to help students excel in their exams, including the Governance, Risk, and Compliance (D486) exam.