CASP CAS-003 Practice Questions

The Chief Information Officer (CIO) is reviewing the IT-centric BIA and RA documentation. The documentation shows that a single 24-hour downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined, based on historical data, that there is a high probability that a threat will materialize. The CIO's budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?
Ans: The company should transfer the risk.

The latest independent research shows that cyber-attacks involving SCADA systems grew an average of 15% per year in each of the last four years, but that this year's growth has slowed to around 7%. Over the same time period, the number of attacks against applications has decreased or stayed flat each year. At the start of the measurement period, the incidence of PC boot loader or BIOS-based attacks was negligible. Starting two years ago, the number of PC boot loader attacks has grown exponentially. Analysis of these trends would seem to suggest which of the following strategies should be employed?
Ans: Spending on SCADA security controls should stay steady; application control spending should decrease slightly and spending on PC boot loader protections should increase substantially.

A security administrator has noticed that an increased number of employees' workstations are becoming infected with malware. The company deploys an enterprise antivirus system as well as a web content filter, which blocks access to malicious web sites where malware files can be downloaded. Additionally, the company implements technical measures to disable external storage. Which of the following is a technical control that the security administrator should implement next to reduce malware infection?
Ans: Block cloud-based storage software on the company network.

A security manager is looking into the following vendor proposal for a cloud-based SIEM solution. The intention is that the cost of the SIEM solution will be justified by having reduced the number of incidents and therefore saving on the amount spent investigating incidents.
Proposal: External cloud-based software as a service subscription costing $5,000 per month and expected to reduce the number of current incidents per annum by 50%. The company currently has ten security incidents per annum at an average cost of $10,000 per incident. Which of the following is the ROI for this proposal after three years?
Ans: -$30,000
(50% reduction: 5 incidents avoided per year x $10,000 = $50,000 per year x 3 years = $150,000 (GAIN). $5,000 per month x 12 = $60,000 per year x 3 years = $180,000 (COST). ROI = $150,000 - $180,000 = -$30,000.)

The risk manager at a small bank wants to use quantitative analysis to determine the ALE of running a business system at a location which is subject to fires during the year. A risk analyst reports to the risk manager that the asset value of the business system is $120,000. Based on industry data, the exposure factor to fires is only 20% due to the fire suppression system installed at the site. Fires occur in the area on average every four years. Which of the following is the ALE?
Ans: $6,000
(Single Loss Expectancy (SLE) is expressed as Asset Value (AV) x Exposure Factor (EF): SLE = AV x EF = $120,000 x 20% = $24,000. This loss is expected once every four years, so the annualized rate of occurrence is 0.25. Thus ALE = SLE x ARO = $24,000 x 0.25 = $6,000.)

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:
1. Indemnity clauses have identified the maximum liability.
2. The data will be hosted and managed outside of the company's geographical location.
The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. Which of the following should the project's security consultant recommend as the NEXT step?
Ans: Require the solution owner to accept the identified risks and consequences.

Two new technical SMB security settings have been enforced and have also become policies that increase secure communications:
Network Client: Digitally sign communication
Network Server: Digitally sign communication
A storage administrator in a remote location with a legacy storage array, which contains time-sensitive data, reports employees can no longer connect to their department shares. Which of the following mitigation strategies should an information security manager recommend to the data owner?
Ans: Accept the risk, reverse the settings for the remote location, and have the remote location file a risk exception until the legacy storage device can be upgraded.

An organization has employed the services of an auditing firm to perform a gap assessment in preparation for an upcoming audit. As part of the gap assessment, the auditor supporting the assessment recommends the organization engage with other industry partners to share information about emerging attacks on organizations in the industry in which the organization functions. Which of the following types of information could be drawn from such participation?
Ans: Exploit frameworks

The generalized format for expressing the security category, SC, of an information type is:
Ans: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH.

Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO's evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?
Ans: Quantitative risk assessment

A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following:
High-impact controls implemented: 6 out of 10
Medium-impact controls implemented: 409 out of 472
Low-impact controls implemented: 97 out of 1000
The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information:
Average high-impact control implementation cost: $15,000; probable ALE for each high-impact control gap: $95,000
Average medium-impact control implementation cost: $6,250; probable ALE for each medium-impact control gap: $11,000
Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement. Which of the following conclusions could the CISO draw from the analysis?
Ans: Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls.

Management is reviewing the results of a recent risk assessment of the organization's policies and procedures. During the risk assessment it is determined that procedures associated with background checks have not been effectively implemented. In response to this risk, the organization elects to revise policies and procedures related to background checks and use a third party to perform background checks on all new employees. Which of the following risk management strategies has the organization employed?
Ans: Mitigate

An organization is preparing to develop a business continuity plan. The organization is required to meet regulatory requirements relating to confidentiality and availability, which are well-defined. Management has expressed concern following initial meetings that the organization is not fully aware of the requirements associated with the regulations. Which of the following would be MOST appropriate for the project manager to solicit additional resources for during this phase of the project?
Ans: Gap assessment

Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks. Which of the following would have allowed the security team to use historical information to protect against the second attack?
Ans: Key risk indicators

Company XYZ has purchased and is now deploying a new HTML5 application. The company wants to hire a penetration tester to evaluate the security of the client and server components of the proprietary web application before launch. Which of the following is the penetration tester MOST likely to use while performing black box testing of the security of the company's purchased application? (Select TWO)
Ans: (1) Fuzzer (2) Local proxy

A human resources manager at a software development company has been tasked with recruiting personnel for a new cyber defense division in the company. This division will require personnel to have high technology skills and industry certifications. Which of the following is the BEST method for this manager to gain insight into this industry to execute the task?
Ans: Attend conferences, webinars, and training to remain current with the industry and job requirements.

A vulnerability scanner report shows that a client-server host monitoring solution operating in the credit card corporate environment is managing SSL sessions with a weak algorithm which does not meet corporate policy. Which of the following are true statements? (Select TWO)
Ans: (1) The client-server handshake is configured with a wrong priority. (2) The client-server handshake could not negotiate strong ciphers.