A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?
A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?
In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?
In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?
An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?
A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?
A security manager is calculating the annual loss expectancy (ALE) for a server valued at $50,000. The exposure factor (EF) is 40%, and the annual rate of occurrence (ARO) is 0.5. What is the ALE?
A healthcare organization covered by HIPAA wants to share protected health information (PHI) with a third-party billing service. What must be in place to comply with HIPAA?
A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?
A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?
An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?
A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?
A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?
An organization has identified a risk with a high likelihood and high impact. Management decides to implement controls to reduce the likelihood. After controls, the risk is reassessed as medium likelihood and medium impact. What is the residual risk?
A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?
An organization is implementing a new access control system. It wants to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?
Under the GDPR, a data controller experiences a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. What is the maximum time frame within which the controller must notify the supervisory authority?
During a business impact analysis (BIA), which metric represents the maximum amount of time a business process can be disrupted before causing significant harm to the organization?
In qualitative risk analysis, a risk is assessed with a likelihood of 4 (on a scale of 1-5) and an impact of 5. The risk matrix defines scores of 15-25 as high. What is the risk rating?
An organization wants to avoid a particular risk entirely by not engaging in the activity that creates the risk. Which risk response strategy is being used?
A company is designing a disaster recovery plan. It needs to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?
Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?
In the context of business continuity planning, which THREE of the following are typically identified during a business impact analysis (BIA)? (Select THREE.)
A company is implementing a risk management program. It has identified a critical server with an asset value of $50,000. The exposure factor due to a potential threat is 40%, and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?
During a Business Impact Analysis (BIA), the maximum amount of time a business process can be unavailable before causing significant harm is determined. Which metric represents this?
A security manager is evaluating risk responses for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk response strategy is most appropriate?
A company's disaster recovery plan includes an agreement with another company to provide backup computing facilities in case of a disaster. The agreement allows the second company to use the facilities for its own operations if needed. This arrangement is best described as: