Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third-party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years.
Which of the following should Sara do to address the risk?
A. Accept the risk saving $10,000.
B. Ignore the risk saving $5,000.
C. Mitigate the risk saving $10,000.
D. Transfer the risk saving $5,000.
Correct Answer: D
Risk transference involves sharing some of the risk burden with someone else, such as an insurance company. The cost of the security breaches over a period of five years would amount to $30,000, so paying $25,000 saves $5,000.
Incorrect Answers:
A: Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. In this case there is no saving, and the risk has already materialized.
B: Ignoring the risk will not save you $5,000, since the system is not due to be replaced for five years, during which the breaches would cost your company $30,000.
C: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. You should, however, address the security breach; otherwise there will be no saving.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 9
Question 532:
Which of the following defines a business goal for system restoration and acceptable data loss?
A. MTTR
B. MTBF
C. RPO
D. Warm site
Correct Answer: C
The recovery point objective (RPO) defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). This is an essential business goal insofar as system restoration and acceptable data loss is concerned.
Incorrect Answers:
A: The mean time to restore (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs. This means it has to do with TIME lost, not with data loss or restoration per se.
B: The mean time between failures (MTBF) is the measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. This is thus also a TIME issue.
D: A warm site provides some of the capabilities of a hot site; it must provide computer systems and compatible media capabilities.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 9, 444
Question 533:
A software company has completed a security assessment. The assessment states that the company should implement fencing and lighting around the property. Additionally, the assessment states that production releases of their software should be digitally signed. Given the recommendations, the company was deficient in which of the following core security areas? (Select TWO).
A. Fault tolerance
B. Encryption
C. Availability
D. Integrity
E. Safety
F. Confidentiality
Correct Answer: DE
Aspects such as fencing, proper lighting, locks, CCTV, escape plans, drills, escape routes and testing controls form part of safety controls. Integrity refers to aspects such as hashing, digital signatures, certificates and non-repudiation, all of which have to do with data integrity.
Incorrect Answers:
A: Fault tolerance refers to the availability of resources to the users in the company in the event of a failure of any of those resources.
B: Encryption is a method of ensuring the confidentiality of data.
C: Availability is all about making sure that the data and systems are available for authorized users.
F: Confidentiality means preventing unauthorized users from accessing data.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 401, 414
Question 534:
Identifying residual risk is MOST important to which of the following concepts?
A. Risk deterrence
B. Risk acceptance
C. Risk mitigation
D. Risk avoidance
Correct Answer: B
Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk; thus it should be accepted (risk acceptance).
Incorrect Answers:
A: Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you.
C: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on.
D: Risk Avoidance is the opposite of risk acceptance and involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 3, 9, 10
Question 535:
A company is preparing to decommission an offline, non-networked root certificate server. Before sending the server's drives to be destroyed by a contracted company, the Chief Security Officer (CSO) wants to be certain that the data will not be accessed. Which of the following, if implemented, would BEST reassure the CSO? (Select TWO).
A. Disk hashing procedures
B. Full disk encryption
C. Data retention policies
D. Disk wiping procedures
E. Removable media encryption
Correct Answer: BD
B: Full disk encryption is when the entire volume is encrypted; the data is not accessible to someone who might boot another operating system in an attempt to bypass the computer's security. Full disk encryption is sometimes referred to as hard drive encryption.
D: Disk wiping is the process of overwriting the data on the disk repeatedly, or using a magnet to alter the magnetic structure of the disks. This renders the data unreadable.
Incorrect Answers:
A: Hashing is used to protect the integrity of data as it will indicate whether the data was altered or not. It does not protect against unauthorized access.
C: Data retention policies refer to the period for which data should be kept and will thus not help the CSO make sure that the data will not be accessed.
E: The server's drives are not removable media; thus the data can still be accessed.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 290, 386; https://wiki.archlinux.org/index.php/Securely_wipe_disk
Question 536:
An IT security manager is asked to provide the total risk to the business. Which of the following calculations would the security manager choose to determine total risk?
A. (Threats X vulnerability X asset value) x controls gap
B. (Threats X vulnerability X profit) x asset value
C. Threats X vulnerability X control gap
D. Threats X vulnerability X asset value
Correct Answer: D
Threats X vulnerability X asset value is equal to asset value (AV) times exposure factor (EF). This is used to calculate a risk.
Incorrect Answers:
A: This formula would calculate the loss expectancy over a particular period of time.
B: Profit should first be realized prior to being incorporated into a formula to determine the total risk.
C: Total risk calculation is not synonymous with loss expected over a particular period of time.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 5
Question 537:
Which of the following risk mitigation strategies will allow Ann, a security analyst, to enforce least privilege principles?
A. User rights reviews
B. Incident management
C. Risk based controls
D. Annual loss expectancy
Correct Answer: A
A least privilege policy should be used when assigning permissions. Give users only the permissions and rights that they need to do their work and no more.
Incorrect Answers:
B: Incident management refers to the steps that are followed when events occur and is thus not a risk mitigation strategy.
C: Risk-based controls are not the same as risk mitigation. Risk mitigation refers to the actual steps taken to reduce risk.
D: Annual Loss Expectancy (ALE) refers to the monetary loss a company expects to incur in a year.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 5, 10, 26, 413
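The quantitative risk figures that Questions 531, 536 and 537 rely on (SLE = AV × EF, ARO from the incident history, ALE = SLE × ARO, and the comparison of the expected loss over the system's remaining life against the cost of a control) can be carried through in a few lines. The following is an added example written for this page; it is not code from the study guide or the question bank, and the function names are my own. It is parameterised with the figures from Question 531 (four $3,000 breaches in two years, a $25,000 fix, five years until replacement) but works for any SLE, ARO, horizon and control cost.

```python
# Added example (not from the study guide or the question bank): the risk
# arithmetic behind Questions 531, 536 and 537. Function names are my own.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value (AV) x exposure factor (EF): the cost of one incident."""
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents, observed_years):
    """ARO: expected incidents per year, estimated from the observed history."""
    if observed_years <= 0:
        raise ValueError("observation window must be positive")
    return incidents / observed_years


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the monetary loss expected per year."""
    return sle * aro


def evaluate_risk_responses(sle, aro, horizon_years, control_cost):
    """Compare accepting the risk with paying for a control over the remaining
    life of the system. Returns the expected loss if the risk is accepted, the
    cost of treating it (mitigating or transferring), the saving the control
    yields (negative when the control costs more than the loss it prevents),
    and which of the two is cheaper."""
    expected_loss = annualized_loss_expectancy(sle, aro) * horizon_years
    saving = expected_loss - control_cost
    return {
        "accept": expected_loss,
        "treat": control_cost,
        "saving": saving,
        "recommendation": "treat" if saving > 0 else "accept",
    }


def question_531():
    """Constructed from the figures in Question 531: each breach costs the
    full $3,000 (EF = 1.0), four breaches were seen in two years, the fix costs
    $25,000, and the system lives another five years."""
    sle = single_loss_expectancy(asset_value=3_000, exposure_factor=1.0)
    aro = annual_rate_of_occurrence(incidents=4, observed_years=2)
    return evaluate_risk_responses(sle, aro, horizon_years=5, control_cost=25_000)


if __name__ == "__main__":
    result = question_531()
    print(f"expected loss if the risk is accepted: ${result['accept']:,.0f}")
    print(f"cost of treating the risk:             ${result['treat']:,.0f}")
    print(f"saving from the control:               ${result['saving']:,.0f}"
          f" -> {result['recommendation']}")
```

Running it reproduces the $30,000 versus $25,000 comparison from Question 531 and the $5,000 saving the answer key quotes; changing the horizon to two years flips the recommendation to "accept", which is the point the explanation for answer A makes: acceptance is right when the control costs more than the loss it would prevent.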
Question 538:
A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall?
A. Mandatory vacations
B. Job rotation
C. Least privilege
D. Time of day restrictions
Correct Answer: C
A least privilege policy is to give users only the permissions that they need to do their work and no more. That is, allowing only security administrators to make changes to the firewall is an application of the least privilege principle.
Incorrect Answers:
A: A mandatory vacation policy requires all users to take time away from work to refresh.
B: Job rotation is used to supply redundancy insofar as abilities are concerned, so that the company is not dependent on any one administrator. In this case, however, least privilege is the best practice to follow.
D: Time-of-day restrictions allow you to configure an account to be valid only for a set time period, but if the culprit is a network administrator, then this configuration is within his/her account rights to modify. As the security administrator, you should apply the least privilege principle in this case.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 151-154
Question 539:
One of the system administrators at a company is assigned to maintain a secure computer lab. The administrator has rights to configure machines, install software, and perform user account maintenance. However, the administrator cannot add new computers to the domain, because that requires authorization from the Information Assurance Officer. This is an example of which of the following?
A. Mandatory access
B. Rule-based access control
C. Least privilege
D. Job rotation
Correct Answer: C
A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.
Incorrect Answers:
A: Mandatory access control is used to control how information access is permitted. In a MAC environment, all access capabilities are predefined. Users can't share information unless their rights to share it are established by administrators. Consequently, administrators must make any changes that need to be made to such rights.
B: Rule-based access control is when the settings used are in the pre-configured security policies.
D: Job rotation is when one person fills in for another and vice versa so that there is redundancy in this regard.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 151, 152
Question 540:
Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process?
A. Separation of Duties
B. Mandatory Vacations
C. Discretionary Access Control
D. Job Rotation
Correct Answer: A
Separation of duties means that users are granted only the permissions they need to do their work and no more.
Incorrect Answers:
B: A mandatory vacation policy requires all users to take time away from work to refresh.
C: Discretionary Access Control allows flexibility in access control within the company, which is to be avoided in this scenario.
D: Rotating jobs would mean that all the employees would, at any one time, still have the authority to sign checks.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 25, 151, 153