Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC Services wants to send some of Acme Corp's debug data to a third-party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party?
A. The data should be encrypted prior to transport
B. This would not constitute unauthorized data sharing
C. This may violate data ownership and non-disclosure agreements
D. Acme Corp should send the data to ABC Services' vendor instead
Correct Answer: C
Sending your data to a third party is already a risk, since the third party may have a different policy than yours. Data ownership and non-disclosure is a risk that you will have to accept, since the data will be sent for debugging/troubleshooting purposes, which will result in definite disclosure of the data.
Incorrect Answers:
A: Encrypting the data prior to transport does not negate the fact that ABC Services needs to send the debug data to a third party for troubleshooting purposes.
B: The question mentions that the company has outsourced proprietary business processes, which means it is authorized data sharing in this case, since the data is being sent to the third party for troubleshooting purposes.
D: ABC's vendor does not have an agreement with Acme Corp, since it is an Acme Corp proprietary business process.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 419-420
Question 522:
A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application?
A. Avoid the risk to the user base allowing them to re-enable their own accounts
B. Mitigate the risk by patching the application to increase security and saving money
C. Transfer the risk replacing the application now instead of in five years
D. Accept the risk and continue to enable the accounts each month saving money
Correct Answer: D
This is a risk acceptance measure that has to be implemented, since the cost of patching would be too high compared to the cost of keeping the system going as is. Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.
Incorrect Answers:
A: This is a business-critical function and cannot be avoided, least of all by having the user base re-enable their own user accounts.
B: Patching the application amounts to a risk mitigation method and would be too costly.
C: Replacing the application now instead of in five years' time would still cost more than the monthly cost of having the IT department manually re-enable the user accounts, even over 60 months.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 9-10
Question 523:
Which of the following is the primary security concern when deploying a mobile device on a network?
A. Strong authentication
B. Interoperability
C. Data security
D. Cloud storage technique
Correct Answer: C
Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and the like in that they leave the office. This increases the odds of their theft, which makes data security a real concern. At a bare minimum, the following security measures should be in place on mobile devices: screen lock, strong password, device encryption, remote wipe or sanitization, voice encryption, GPS tracking, application control, storage segmentation, asset tracking and device access control.
Incorrect Answers:
A: Strong authentication is a risk avoidance technique and as such is not a security concern with mobile devices.
B: Mobile devices are designed to be interoperable with networks, etc.
D: Cloud storage is not a primary security concern regarding mobile devices.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 419
http://searchmobilecomputing.techtarget.com/guides/Mobile-device-protection-and-security-threat-measures
Question 524:
A company has decided to move large data sets to a cloud provider in order to limit the costs of new infrastructure. Some of the data is sensitive and the Chief Information Officer wants to make sure both parties have a clear understanding of the controls needed to protect the data.
Which of the following types of interoperability agreement is this?
A. ISA
B. MOU
C. SLA
D. BPA
Correct Answer: A
An ISA (Interconnection Security Agreement) is an agreement between two organizations that have connected systems. The agreement documents the technical requirements of the connected systems.
Incorrect Answers:
B: An MOU (Memorandum of Understanding) is a document used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work.
C: An SLA (Service-Level Agreement) defines the level of service to be provided. For example, with a company providing technical support, the SLA will determine the response time (for example, will a tech be on site within 4 hours? 8 hours?) and the level of response (will there be a replacement part if needed?).
D: A BPO (Blanket Purchase Order) is usually applicable to government agencies. It is an agreement between a government agency and a private company for ongoing purchases of goods or services.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 398
Question 525:
Which of the following describes the purpose of an MOU?
A. Define interoperability requirements
B. Define data backup process
C. Define onboard/offboard procedure
D. Define responsibilities of each party
Correct Answer: D
An MOU (Memorandum of Understanding) is a document outlining which party is responsible for what portion of the work.
Incorrect Answers:
A: The memorandum of understanding is a part of the interoperability agreement between the parties involved.
B: Data backup processes are part of data recovery and incident response and are not the purpose of a memorandum of understanding.
C: Onboard and offboard procedures are not part of the MOU; they just refer to the transitioning phase that both parties have to engage in.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 398
Question 526:
Which of the following is the GREATEST security risk of two or more companies working together under a Memorandum of Understanding?
A. Budgetary considerations may not have been written into the MOU, leaving an entity to absorb more cost than intended at signing.
B. MOUs have strict policies in place for services performed between the entities and the penalties for compromising a partner are high.
C. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities.
D. MOUs between two companies working together cannot be held to the same legal standards as SLAs.
Correct Answer: C
The Memorandum of Understanding is a document used in many settings in the information industry. It is a brief summary of which party is responsible for what portion of the work. For example, Company A may be responsible for maintaining the database server and Company B may be responsible for telecommunications. MOUs are not legally binding, but they carry a degree of seriousness and mutual respect, stronger than a gentlemen's agreement. Often, MOUs are the first steps towards a legal contract.
Incorrect Answers:
A: Budgetary concerns would be too much detail for an MOU.
B: MOUs are by no means detailed descriptions with strict policies.
D: MOUs are not legally binding, but they carry a degree of seriousness and mutual respect, stronger than a gentlemen's agreement. Often, MOUs are the first steps towards a legal contract.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 398
Question 527:
Users can authenticate to a company's web applications using their credentials from a popular social media site. Which of the following poses the greatest risk with this integration?
A. Malicious users can exploit local corporate credentials with their social media credentials
B. Changes to passwords on the social media site can be delayed from replicating to the company
C. Data loss from the corporate servers can create legal liabilities with the social media site
D. Password breaches to the social media site affect the company application as well
Correct Answer: D
Social networking and having your company's application authentication 'linked' to the credentials that users use on social media sites exposes your company's application exponentially more than is necessary. You should strive to practice risk avoidance.
Incorrect Answers:
A: One would assume that only the company's users would be able to authenticate to the company's application, and you would be able to audit logon attempts.
B: Delays in replicating password changes are not as severe a security risk as a breach of passwords.
C: Data loss on your company's servers does not pose as great a security risk as a breach of passwords.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 364, 406
Question 528:
The system administrator notices that their application is no longer able to keep up with the large amounts of traffic their server is receiving daily. Several packets are dropped and sometimes the server is taken offline. Which of the following would be a possible solution to look into to ensure their application remains secure and available?
A. Cloud computing
B. Full disk encryption
C. Data Loss Prevention
D. HSM
Correct Answer: A
Cloud computing means hosting services and data on the Internet instead of hosting them locally. There is thus no issue when the company's own server is taken offline.
Incorrect Answers:
B: Full disk encryption allows data that has been stolen to remain out of the eyes of intruders. This does not address availability issues.
C: Data Loss Prevention systems are used to monitor the contents of workstations, servers and networks. Essentially, they make sure that key content is not deleted or removed by legitimate users.
D: Hierarchical storage management (HSM) provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and you can configure it to provide the closest version of an available real-time backup. This does not address the issue of keeping the application secure and available.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 17, 290
https://technet.microsoft.com/en-us/library/hh831630.aspx
Question 529:
Elastic cloud computing environments often reuse the same physical hardware for multiple customers over time as virtual machines are instantiated and deleted. This has important implications for which of the following data security concerns?
A. Hardware integrity
B. Data confidentiality
C. Availability of servers
D. Integrity of data
Correct Answer: B
Data that is not kept separate or segregated may have its confidentiality compromised. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains root-level access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers.
Incorrect Answers:
A: Hardware integrity is not an issue for the customer when making use of cloud computing.
C: Making use of cloud computing is in essence providing availability of servers for the customers.
D: Data integrity is not at risk in this scenario.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 17-18
Question 530:
Which of the following concepts are included on the three sides of the "security triangle"? (Select THREE).
A. Confidentiality
B. Availability
C. Integrity
D. Authorization
E. Authentication
F. Continuity
Correct Answer: ABC
Confidentiality, integrity, and availability are the three most important concepts in security. Thus, they form the three sides of the security triangle.
Incorrect Answers:
D: Authorization policies are used to uphold confidentiality.
E: Authentication is the process of verifying that the sender is who they say they are. Authentication is used to uphold confidentiality.
F: Continuity is used to ensure availability.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 259, 261
2.1.10 Risks associated with Cloud Computing and Virtualization