CYSA EXAM 2023 Questions AND SOLUTIONS
Question 1. What federal law requires the use of vulnerability scanning on information systems operated by federal government agencies?
A. HIPAA
B. GLBA
C. FISMA
D. FERPA
ANSWER: C. FISMA. The Federal Information Security Management Act (FISMA) requires that federal agencies implement vulnerability management programs for federal information systems.

Question 2. Gary is the system administrator for a federal agency and is responsible for a variety of information systems. Which systems must be covered by vulnerability scanning programs?
A. Only High-Impact Systems
B. Only Systems Containing Classified Information
C. High- or Moderate-Impact Systems
D. High-, Moderate-, or Low-Impact Systems
ANSWER: D. High-, Moderate-, or Low-Impact Systems. The Federal Information Security Management Act (FISMA) requires vulnerability management programs for all federal information systems, regardless of their assigned impact rating.

Question 3. What tool can administrators use to help identify the systems present on a network prior to conducting vulnerability scans?
A. Asset Inventory
B. Web Application Assessment
C. Router
D. DLP
ANSWER: A. Asset Inventory. An asset inventory supplements automated tools with other information to detect systems present on a network. The asset inventory provides critical information for vulnerability scans.

Question 4. Tonya is configuring vulnerability scans for a system that is subject to the PCI DSS compliance standard. What is the minimum frequency with which she must conduct scans?
A. Daily
B. Weekly
C. Monthly
D. Quarterly
ANSWER: D. Quarterly. PCI DSS requires that organizations conduct vulnerability scans on at least a quarterly basis, although many organizations choose to conduct scans on a much more frequent basis.

Question 5. Which one of the following is not an example of a vulnerability scanning tool?
A. QualysGuard
B. Snort
C. Nessus
D. OpenVAS
ANSWER: B. Snort. QualysGuard, Nessus, and OpenVAS are all examples of vulnerability scanning tools. Snort is an intrusion detection system.

Question 6. Bethany is the vulnerability management specialist for a large retail organization. She completed her last PCI DSS compliance scan in March. In April, the organization upgraded their point-of-sale system, and Bethany is preparing to conduct new scans. When must she complete the new scan?
A. Immediately
B. June
C. December
D. No Scans Are Required
ANSWER: A. Immediately. PCI DSS requires that organizations conduct vulnerability scans quarterly, which would put Bethany's next regularly scheduled scan in June. However, the standard also requires scanning after any significant change in the payment card environment. This would include an upgrade to the point-of-sale system, so Bethany must complete a new compliance scan immediately.

Question 7. Renee is configuring her vulnerability management solution to perform credentialed scans of her network. What type of account should she provide to the scanner?
A. Domain Administrator
B. Local Administrator
C. Root
D. Read-Only
ANSWER: D. Read-Only. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.

Question 8. Jason is writing a report about a potential security vulnerability in a software product and wishes to use standardized product names to ensure that other security analysts understand the report. Which SCAP component can Jason turn to for assistance?
A. CVSS
B. CVE
C. CPE
D. OVAL
ANSWER: C. CPE. Common Product Enumeration (CPE) is an SCAP component that provides standardized nomenclature for product names and versions.

Question 9. Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance purposes. Who is authorized to complete one of these scans?
A. Any Employee of the Organization
B. An Approved Scanning Vendor
C. A PCI DSS Service Provider
D. Any Qualified Individual
ANSWER: D. Any Qualified Individual. Internal scans completed for PCI DSS compliance purposes may be conducted by any qualified individual.

Question 10. Which type of organization is the most likely to face a regulatory requirement to conduct vulnerability scans?
A. Bank
B. Hospital
C. Government Agency
D. Doctor's Office
ANSWER: C. Government Agency. The Federal Information Security Management Act (FIS
Document information
- Written for: CYSA (institution), CYSA (course)
- Uploaded on: March 22, 2024
- Number of pages: 5
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers