You have been tasked with auditing the vendor who provides a third-party billing server to a local healthcare provider. Which clause provides a legal pathway to verifying that the vendor maintains the agreed-upon standards?

A banking corporation is keen on gaining a competitive edge in the market by demonstrating its commitment to cybersecurity. They want an official attestation that their cybersecurity measures are robust and compliant with industry standards. What should it opt for to obtain this attestation?

Which type of reconnaissance involves tasks like DNS enumeration, public record searches, or social engineering tactics like phishing or pretexting?

Which type of detected behavior can indicate compromised accounts, risk of data infiltration, possible brute-force attempts, or the risk of malware infection or system compromise?

Identify the risk of detection and common techniques used for each type of penetration test by matching the penetration testing type in the left column to its corresponding risk of detection and common techniques.

Which phase in the penetration testing lifecycle involves the collection of as much information as possible about the target systems to find ways to infiltrate them?

A leading technology conglomerate recently conducted a security exercise. The goal was for the internal security team to defend against a series of simulated attacks from an external red team. While the red team launched attacks, the internal team’s objective was to detect, respond, and mitigate those threats. What type of penetration testing is employed for its internal security team?

Which of the following is included in the responsibilities of an internal audit committee?

How can an organization add a layer of scrutiny and accountability to the attestation process by assigning a top-level executive to the process?

A marketing company collects personal data from users and determines how and why that data will be processed. At the same time, they engage an external company, CloudSolutions, to store and manage this data. In this scenario, what role does the marketing company play in relation to data protection regulations?

A large enterprise is setting up a new automation system that will allow various teams, including development, operations, and QA, to provision and configure their own environments. The security team is concerned about potential misconfigurations or excessive permissions being granted. Which solution can be used within the automation to ensure security standards are met without limiting the agility of the teams?

Your firm takes corrective actions in response to compliance alerts. It implements more robust encryption protocols for customer data and revises its access control policies. Its automated platform documents these actions, showing a record of proactive measures taken over time to maintain compliance. Which process is being implemented in this scenario?

How does a PCI-DSS compliance report demonstrate adherence to payment card industry data security standards by detailing how customer payment information is protected?

Which metric, which is similar to MTBF, denotes the number of failures per billion hours of operation to help anticipate the frequency of potential failures?

How does mean time to repair (MTTR) help an organization understand the operational impact of repair times and guide the decision-making process?

A risk report often includes an executive summary, detailed findings, recommendations and an _______________.

Refer to the following IPS/IDS log example:

2023-09-23 13:45:32 ALERT SQL Injection detected from 192.168.1.4
2023-09-23 13:46:10 ALERT Brute-force attempt from 203.0.113.7

Which entry shows an attacker trying to get unauthorized access to the system?

Two detergent companies want to engage in a joint marketing campaign. Which written document specifies a cooperative relationship that outlines responsibilities for each party in a non-legally binding agreement?

A well-established technology company has been in the market for over 15 years. Recently, the board of directors decided that the company will pursue aggressive growth strategies by entering new, untested markets and launching cutting-edge products, even if these strategies come with significant risks. How would you classify the company’s risk appetite?

A retail company has assessed that a security breach might result in a loss of $1 million in sales. The company has determined that it can tolerate a loss of up to $500,000, but anything beyond that would severely impact operations. To cover the potential financial loss beyond its tolerance level, it decided to purchase cybersecurity insurance. Which of the following terms best describes the $500,000 figure?

A healthcare organization uses a software platform to manage patient records. A recent vulnerability assessment identified a potential exploit where an unauthorized individual might access 30% of stored patient data. Which of the following best describes this scenario?

The change management procedure starts with a change request. At what point is the change implemented in a controlled, non-production environment?

You want to determine how much an e-commerce web server’s downtime will cost your company annually. After gathering the required information, which risk assessment formula can be used to calculate the cost of downtime?

An organization experiences an inherent risk if the correct ___________ is not in place. (Fill in the blank.)

What are the key responsibilities of an owner in the governance structure?

A typical playbook begins with an incident identifications section. Which section comes next?

In order to implement and manage facility access, which physical security standard procedure should be in place requiring tracking and admittance rules?

Which of the following is an appropriate example of endpoint security policy?

Which policy rule enables employees to enter into an agreement acknowledging they understand that unauthorized data sharing is prohibited?

Which type of report alerts you to three large data transfers to an external IP address within a short time raising suspicions for potential data exfiltration?

Certain regulations and industries require longer retention times for vulnerability reports. What is the minimum period for retaining these reports?

Which type of metadata includes vital details required for a system to communicate or interact with a specific file and uphold the integrity of a digital file or object?