The Most Advanced Business Management MCQ Test

By Catherine Halcomb
  • 1. 

    Which of the following defines the intent of a system security policy?

    • A description of the settings that will provide the highest level of security
    • A brief high-level statement defining what is and is not permitted in the operation of a system
    • A definition of those items that must be denied on the system
    • A listing of tools and applications that will be used to protect the system
About This Quiz

If you want to enhance your business management skills, then this quiz is for you. You can play this "Most Advanced Business Management MCQ Test" and check your knowledge. Your score will decide how well you are aware of the terms and skills of Advanced Business Management. You can get the perfect score just by answering the quiz questions. All the best for the best scores.

Quiz Preview

  • 2. 

    Which statement is MOST accurate in the majority of organizational structures?

    • The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.

    • The Security Officer accepts the risk of system failures

    • The Security Officer reports to the Privacy Officer.

    • The Security Officer is responsible for protection of business information assets.

    Correct Answer
    A. The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.
    Explanation
    In the majority of organizational structures, the Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete. This indicates that the Security Officer plays a crucial role in providing comprehensive and accurate information to the top management, which helps in making informed decisions regarding security measures. This responsibility highlights the importance of the Security Officer in maintaining the integrity and effectiveness of the organization's security practices.

  • 3. 

    What law provides intellectual property protection to the holders of trade secrets?

    • Copyright Law

    • Lanham Act

    • Glass-Steagall Act

    • Economic Espionage Act

    Correct Answer
    A. Economic Espionage Act
    Explanation
    The Economic Espionage Act provides intellectual property protection to the holders of trade secrets. This law makes it illegal to steal, copy, or distribute trade secrets for economic benefit. It aims to protect businesses from espionage and theft of valuable information that gives them a competitive advantage in the market. By criminalizing these actions, the Economic Espionage Act helps safeguard the intellectual property rights of trade secret holders and promotes innovation and economic growth.

  • 4. 

    Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

    • Banks

    • Defense contractors

    • School districts

    • Hospitals

    Correct Answer
    A. Defense contractors
    Explanation
    Defense contractors are most likely to be covered by the provisions of FISMA because they often handle sensitive government information and are involved in national security projects. FISMA, which stands for the Federal Information Security Management Act, is a U.S. federal law that establishes guidelines and standards for securing federal information systems. As defense contractors work closely with government agencies and handle classified information, they are subject to FISMA regulations to ensure the protection of sensitive data and maintain the overall security of government systems.

  • 5. 

    Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?

    • Integrity

    • Availability

    • Confidentiality

    • Denial

    Correct Answer
    A. Integrity
    Explanation
    Beth is enforcing the principle of integrity. Integrity in information security refers to the accuracy, consistency, and reliability of data. By testing the code to ensure that students cannot alter their own grades, Beth is ensuring the integrity of the student information system. This means that the data remains unchanged and trustworthy, preventing unauthorized modifications or tampering.

  • 6. 

    Users in the two offices would like to access each other’s file servers over the internet. What control would provide confidentiality for those communications?

    • Digital signatures

    • Virtual private network

    • Virtual LAN

    • Digital content management

    Correct Answer
    A. Virtual private network
    Explanation
    A virtual private network (VPN) would provide confidentiality for the communications between the two offices' file servers over the internet. A VPN creates a secure and encrypted connection between the two networks, ensuring that the data transmitted between them remains confidential and protected from unauthorized access. This allows users in both offices to securely access each other's file servers without the risk of interception or eavesdropping.

  • 7. 

    HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

    • Risk mitigation

    • Risk acceptance

    • Risk transference

    • Risk avoidance

    Correct Answer
    A. Risk avoidance
    Explanation
    HAL Systems pursued a risk avoidance strategy with respect to its NTP services. By deciding to stop offering public NTP services, they are actively avoiding the risk of their NTP servers being used in amplification DDoS attacks. This strategy involves completely eliminating the potential risk by not engaging in the activity that could lead to the risk.

  • 8. 

    Who is the ideal person to approve an organization’s business continuity plan?

    • Chief information officer

    • Chief executive officer

    • Chief information security officer

    • Chief operating officer

    Correct Answer
    A. Chief executive officer
    Explanation
    The ideal person to approve an organization's business continuity plan is the Chief executive officer. As the highest-ranking executive in the organization, the CEO has the authority and responsibility to make strategic decisions that impact the entire organization. Approving the business continuity plan ensures that it aligns with the organization's overall goals and objectives and that it receives the necessary resources and support for successful implementation.

  • 9. 

    Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?

    • FERPA

    • GLBA

    • HIPAA

    • HITECH

    Correct Answer
    A. GLBA
    Explanation
    The correct answer is GLBA. The Gramm-Leach-Bliley Act (GLBA) is a law that requires financial institutions to send privacy notices to their customers, like Gary, explaining their information-sharing practices. This law aims to protect the privacy of individuals' personal and financial information held by financial institutions. FERPA, HIPAA, and HITECH are all different laws related to privacy, but they do not specifically require financial institutions to send privacy notices.

  • 10. 

    Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?

    • Purchasing insurance

    • Encrypting the database contents

    • Removing the data

    • Objecting to the exception

    Correct Answer
    A. Encrypting the database contents
    Explanation
    Encrypting the database contents would be Ben's best option as a compensating control to mitigate the risk of storing payment card information. Encryption would ensure that even if unauthorized individuals gain access to the database, they would not be able to read or use the sensitive information without the decryption key. This helps to protect the confidentiality and integrity of the payment card information, reducing the risk of data breaches and unauthorized use.

  • 11. 

    Which one of the following is the first step in developing an organization’s vital records program?

    • Identifying vital records

    • Locating vital records

    • Archiving vital records

    • Preserving vital records

    Correct Answer
    A. Identifying vital records
    Explanation
    The first step in developing an organization's vital records program is to identify vital records. This involves determining which records are critical to the functioning and continuity of the organization. By identifying these vital records, the organization can prioritize their preservation and ensure that they are properly managed and protected.

  • 12. 

    Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding?

    • Training

    • Education

    • Indoctrination

    • Awareness

    Correct Answer
    A. Awareness
    Explanation
    Awareness is the correct answer because it refers to a security program that aims to establish a minimum standard common denominator of security understanding. Awareness programs are designed to educate individuals about potential security risks, threats, and best practices in order to enhance their knowledge and minimize vulnerabilities. These programs typically focus on increasing the overall understanding and consciousness of security measures among individuals within an organization or community.

  • 13. 

    Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million. Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years. Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s data center?

    • 0.0025

    • 0.005

    • 0.01

    • 0.015

    Correct Answer
    A. 0.005
    Explanation
    The annualized rate of occurrence (ARO) for a tornado at Atwood Landing's data center is 0.005. The ARO is the expected number of occurrences per year, so a tornado expected once every 200 years gives 1 divided by 200, which equals 0.005.

  • 14. 

    A compensating control is _____

    • A control put in place when another control is suspended or disabled

    • A control put in place to overcome the shortcomings of another control

    • A control put in place that automatically continues to protect the system when the primary control fails

    • A control that compensates for law enforcement or management's lack of technical skills

    Correct Answer
    A. A control put in place to overcome the shortcomings of another control
    Explanation
    A compensating control is a control put in place to overcome the shortcomings of another control. This means that when one control is not effective or disabled, a compensating control is implemented to ensure that the system or process remains secure. It acts as an alternative measure to mitigate risks and maintain the desired level of security.

  • 15. 

    Which one of the following is not normally included in business continuity plan documentation?

    • Statement of accounts

    • Statement of importance

    • Statement of priorities

    • Statement of organizational responsibility

    Correct Answer
    A. Statement of accounts
    Explanation
    The statement of accounts is not normally included in business continuity plan documentation. A business continuity plan typically focuses on outlining procedures and strategies to ensure the continuation of critical business operations in the event of a disruption or disaster. The statement of accounts, which typically includes financial information such as income, expenses, and balances, is not directly related to the planning and execution of business continuity measures.

  • 16. 

    Which one of the following is not normally considered a business continuity task?

    • Business impact assessment

    • Emergency response guidelines

    • Electronic vaulting

    • Vital records program

    Correct Answer
    A. Electronic vaulting
    Explanation
    Electronic vaulting is not normally considered a business continuity task because it is a specific method of data backup and recovery, rather than a broader task related to planning and preparing for business disruptions. A business impact assessment involves identifying potential risks and evaluating their potential impact on the organization. Emergency response guidelines provide instructions for responding to and managing emergencies. A vital records program focuses on identifying and protecting critical records necessary for the organization's operations. In contrast, electronic vaulting specifically refers to the process of regularly backing up data to an offsite location for safekeeping, which is a more specific and technical task.

  • 17. 

    James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization’s primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

    • Purchase cost

    • Depreciated cost

    • Replacement cost

    • Opportunity cost

    Correct Answer
    A. Replacement cost
    Explanation
    In this situation, the most appropriate asset valuation method would be replacement cost. This method considers the cost of replacing the servers in the data center in the event they are damaged or destroyed. It takes into account the current market value of the servers and ensures that sufficient funds are available to rebuild the data center to its original state. This method is ideal for organizations that prioritize the ability to recover from a disaster and ensure business continuity.

  • 18. 

    Which one of the following is not a requirement for an invention to be patentable?

    • It must be new.

    • It must be invented by an American citizen.

    • It must be nonobvious.

    • It must be useful.

    Correct Answer
    A. It must be invented by an American citizen.
    Explanation
    The requirement for an invention to be patentable is that it must be new, nonobvious, and useful. However, there is no requirement that the invention must be invented by an American citizen. Patentability is determined by the novelty, nonobviousness, and utility of the invention, regardless of the nationality of the inventor.

  • 19. 

    Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

    • Password

    • Retinal scan

    • Username

    • Token

    Correct Answer
    A. Username
    Explanation
    A username is most often used for identification purposes as it helps to uniquely identify a user within a system. It is not suitable for use as an authenticator because it is not a secret or personal piece of information that can verify the identity of the user. Instead, it is typically a public or easily guessable identifier that is used in combination with a password or another form of authentication to verify the user's identity.

  • 20. 

    If a company has no written policy notifying employees of its right to monitor network activity, what must it do to be in compliance with certain privacy laws or principles?

    • Monitor only during off hours

    • Obtain a search warrant prior to any monitoring

    • Not capture any network traffic related to monitoring employee's activity

    • Apply for a waiver from Interpol before monitoring

    Correct Answer
    A. Not capture any network traffic related to monitoring employee's activity
    Explanation
    To be in compliance with certain privacy laws or principles, if a company has no written policy notifying employees of its right to monitor network activity, it must not capture any network traffic related to monitoring employee's activity. This means that the company should refrain from monitoring or recording any data or information about the employees' network activities without their knowledge or consent. This is important to protect the privacy rights of the employees and ensure compliance with privacy laws.

  • 21. 

    What are the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information related to?

    • Privacy

    • Secrecy

    • Availability

    • Reliability

    Correct Answer
    A. Privacy
    Explanation
    The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information pertain to privacy. Privacy refers to the right of individuals to keep their personal information confidential and control its use. It involves protecting sensitive data from unauthorized access, ensuring the security and confidentiality of personal information, and obtaining consent before collecting or using personal data. Privacy rights also include the obligation to handle personal information responsibly and in compliance with applicable laws and regulations.

  • 22. 

    Which of the following is LEAST likely to be required to quantify the impact associated with a potential disaster to a commercial enterprise?

    • Identify the organization's key business functions

    • Identify the computer systems critical to the survival of the organization.

    • Estimate the financial impact a loss would have on the business based on how long an outage would last.

    • Acquire information from government agencies about the likelihood of a natural disaster occurring.

    Correct Answer
    A. Acquire information from government agencies about the likelihood of a natural disaster occurring.
    Explanation
    Acquiring information from government agencies about the likelihood of a natural disaster occurring is least likely to be required to quantify the impact associated with a potential disaster to a commercial enterprise. While it is important to be aware of the likelihood of a natural disaster, quantifying the impact would primarily involve identifying the organization's key business functions, identifying critical computer systems, and estimating the financial impact based on the duration of an outage. The likelihood of a natural disaster is relevant for disaster preparedness and mitigation, but not directly for quantifying the impact.

  • 23. 

    Which of the following best defines a Business Impact Analysis (BIA)?

    • It is the process of analyzing all business functions to determine the impact of an outage.

    • It is the process of analyzing corporate functions, such as accounting, personnel, and legal to determine which functions must operate immediately following an outage.

    • It is the process of documenting procedures and capabilities to sustain organizational essential functions at an alternate site.

    • It is the process of documenting viable recovery options for each business unit in the event of an outage.

    Correct Answer
    A. It is the process of analyzing all business functions to determine the impact of an outage.
    Explanation
    A Business Impact Analysis (BIA) is the process of analyzing all business functions to determine the impact of an outage. This involves assessing the potential consequences and effects of a disruption or outage on various aspects of the organization, including operations, finances, reputation, and customer satisfaction. By conducting a BIA, organizations can identify critical processes and functions that need to be prioritized for recovery, develop appropriate contingency plans, and allocate resources effectively to minimize the impact of an outage on the business.

  • 24. 

    Governance involves ______

    • The regulations that affect a company within a state or country

    • The risk management processes and procedures within a company

    • The organizational structure that includes standards, procedures and policies

    • The organizational chart that describes who reports to whom as defined for a company

    Correct Answer
    A. The organizational structure that includes standards, procedures and policies
    Explanation
    Governance involves the organizational structure that includes standards, procedures, and policies. This means that governance encompasses the overall framework of an organization, including the rules and guidelines that guide its operations. It includes the establishment of standards, the development of procedures, and the implementation of policies to ensure that the organization operates in a transparent, accountable, and ethical manner.

  • 25. 

    What is essential to get from an employee or contractor when they leave an organization?

    • A non-disclosure agreement

    • Their passwords

    • His or her badge

    • Any clothing items with the company logo

    Correct Answer
    A. His or her badge
    Explanation
    When an employee or contractor leaves an organization, it is essential to retrieve their badge. This is important to ensure that the person no longer has access to the company's premises or resources. By collecting the badge, the organization can prevent unauthorized entry and protect sensitive information or assets. Additionally, it helps maintain security and control over the physical premises.

  • 26. 

    Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an internet service provider after it receives a notification of infringement claim from a copyright holder?

    • Storage of information by a customer on a provider’s server

    • Caching of information by the provider

    • Transmission of information over the provider’s network by a customer

    • Caching of information in a provider search engine

    Correct Answer
    A. Transmission of information over the provider’s network by a customer
    Explanation
    The DMCA requires internet service providers to take prompt action when they receive a notification of infringement claim from a copyright holder. However, the transmission of information over the provider's network by a customer does not fall under the category of offenses that require prompt action. The other options, such as storage of information, caching of information by the provider, and caching of information in a provider search engine, may require prompt action by the internet service provider.

  • 27. 

    Which one of the following is not one of the three common threat modeling techniques?

    • Focused on assets

    • Focused on attackers

    • Focused on software

    • Focused on social engineering

    Correct Answer
    A. Focused on social engineering
    Explanation
    The three common threat modeling techniques are focused on assets, focused on attackers, and focused on software. These techniques involve identifying and analyzing potential threats and vulnerabilities related to the assets, attackers, and software involved in a system or application. However, the technique focused on social engineering is not one of the three common techniques. Social engineering refers to the manipulation of individuals to gain unauthorized access or sensitive information, and while it is an important aspect to consider in security, it is not one of the primary techniques used in threat modeling.

  • 28. 

    Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?

    • Student identification number

    • Social Security number

    • Driver’s license number

    • Credit card number

    Correct Answer
    A. Student identification number
    Explanation
    A student identification number is not considered personally identifiable information that would trigger most U.S. state data breach laws. While social security number, driver's license number, and credit card number are all considered personally identifiable information and are protected by data breach laws, a student identification number typically does not contain enough personal information to be considered as such. It is often a randomly generated or assigned number that is used solely for identification purposes within an educational institution and does not reveal any sensitive personal details.

  • 29. 

    You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?

    • Implement new security controls to reduce the risk level.

    • Design a disaster recovery plan.

    • Repeat the business impact assessment.

    • Document your decision-making process.

    Correct Answer
    A. Document your decision-making process.
    Explanation
    After completing the business continuity planning effort and deciding to accept a risk, the next step should be to document the decision-making process. This is important for several reasons. Firstly, it provides a record of the rationale behind accepting the risk, which can be useful for future reference or audits. Secondly, it ensures that the decision is communicated to relevant stakeholders and helps in maintaining transparency. Lastly, documenting the decision-making process allows for better accountability and helps in monitoring the effectiveness of the decision in the long run.

  • 30. 

    Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

    • Quantitative risk assessment

    • Qualitative risk assessment

    • Qualitative risk assessment

    • Combination of quantitative and qualitative risk assessment

    Correct Answer
    A. Combination of quantitative and qualitative risk assessment
    Explanation
    The most effective risk assessment approach for Tony to use would be a combination of quantitative and qualitative risk assessment. This approach would allow him to consider both tangible and intangible assets in his prioritization of resources. Quantitative risk assessment involves assigning numerical values to risks based on probability and impact, while qualitative risk assessment involves a more subjective evaluation of risks based on expert judgment and experience. By combining these two approaches, Tony can gather a comprehensive understanding of the risks involved and make informed decisions about resource allocation in his business continuity plan.

  • 31. 

    Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

    • Due diligence

    • Separation of duties

    • Due care

    • Least privilege

    Correct Answer
    A. Due care
    Explanation
    Due care is a principle that imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances. It requires individuals to take reasonable measures to prevent harm or injury to others and to act in a manner that is in line with accepted standards and practices. This principle applies to various fields, including law, business, and healthcare, and it serves as a benchmark for determining whether an individual has acted responsibly and reasonably in a given situation.

  • 32. 

    When developing a business impact analysis, the team should first create a list of assets. What should happen next?

    • Identify vulnerabilities in each asset.

    • Determine the risks facing the asset.

    • Develop a value for each asset.

    • Identify threats facing each asset.

    Correct Answer
    A. Develop a value for each asset.
    Explanation
    After creating a list of assets, the next step in developing a business impact analysis is to determine the value of each asset. This involves assessing the importance and worth of each asset to the organization. By assigning a value to each asset, the team can prioritize their efforts and focus on protecting the most critical assets. Identifying vulnerabilities, determining risks, and identifying threats would come later in the process, after the value of each asset has been established.

  • 33. 

    Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

    • Risk acceptance

    • Risk avoidance

    • Risk mitigation

    • Risk transference

    Correct Answer
    A. Risk mitigation
    Explanation
    Mike is pursuing a risk mitigation strategy by implementing an intrusion prevention system. Risk mitigation involves taking proactive measures to reduce the impact or likelihood of risks. In this case, Mike is implementing a system that can identify and block common network attacks, thereby reducing the risk of these attacks affecting his organization. This strategy aims to minimize potential damages and protect the organization's assets.

  • 34. 

    The International Information Systems Security Certification Consortium uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection may it use to protect its rights in this logo?

    • Copyright

    • Patent

    • Trade secret

    • Trademark

    Correct Answer
    A. Trademark
    Explanation
    The International Information Systems Security Certification Consortium may use trademark protection to protect its rights in the logo. A trademark is a form of intellectual property that provides exclusive rights to use a particular logo, symbol, or design in connection with a specific product or service. By registering the logo as a trademark, the consortium can prevent others from using a similar logo that may cause confusion among consumers and dilute the consortium's brand identity. Trademark protection helps to establish and maintain the consortium's reputation and distinguish its services from others in the market.

  • 35. 

    What government agency is responsible for the evaluation and registration of trademarks?

    • USPTO

    • Library of Congress

    • TVA

    • NIST

    Correct Answer
    A. USPTO
    Explanation
    The correct answer is USPTO. USPTO stands for the United States Patent and Trademark Office, which is a government agency responsible for evaluating and registering trademarks. The USPTO plays a crucial role in protecting intellectual property rights by granting trademark registrations to qualified applicants. They ensure that trademarks are unique and not infringing on existing trademarks, allowing businesses to differentiate their products and services in the market.

  • 36. 

    Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?

    • Data custodian

    • Data owner

    • User

    • Auditor

    Correct Answer
    A. Data custodian
    Explanation
    The data custodian is typically responsible for fulfilling the operational data protection responsibilities delegated by senior management. This includes tasks such as validating data integrity, testing backups, and managing security policies. The data custodian is responsible for the day-to-day management and protection of the data, ensuring its availability, confidentiality, and integrity. They work closely with the data owner, who is responsible for determining the overall data strategy and making decisions regarding data access and usage. The user is the individual who interacts with the data, while the auditor is responsible for assessing and evaluating the effectiveness of data protection measures.

  • 37. 

    Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?

    • United States Code

    • Supreme Court rulings

    • Code of Federal Regulations

    • Compendium of Laws

    Correct Answer
    A. Code of Federal Regulations
    Explanation
    Florian should go to the Code of Federal Regulations to find the text of the new administrative law. The Code of Federal Regulations is a collection of all the rules and regulations created by federal agencies in the United States. It is organized by subject matter and provides a comprehensive and up-to-date source of administrative law. The United States Code contains the general and permanent laws of the United States, but it does not include the specific regulations issued by federal agencies. Supreme Court rulings are decisions made by the highest court in the United States and may not necessarily provide the text of the specific administrative law Florian is looking for. A Compendium of Laws is not a specific legal source and may not contain the text of the new administrative law.

  • 38. 

    The following graphic shows the NIST risk management framework with step 4 missing. What is the missing step?

    • Assess security controls.

    • Determine control gaps.

    • Remediate control gaps.

    • Evaluate user activity.

    Correct Answer
    A. Assess security controls.
    Explanation
    The missing step in the NIST risk management framework is "Assess security controls." This step involves evaluating the effectiveness of the implemented security controls to determine if they are adequately protecting the system and data. It helps identify any weaknesses or vulnerabilities in the controls and provides insights into the overall security posture. This assessment is crucial for making informed decisions about mitigating risks and implementing necessary improvements in the security controls.

  • 39. 

    Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

    • ITIL

    • ISO 27002

    • CMM

    • PMBOK Guide

    Correct Answer
    A. ISO 27002
    Explanation
    ISO 27002 is the best framework for Ben's needs because it is widely accepted globally and specifically focuses on information security controls. ITIL is a framework for IT service management, CMM is a framework for software development, and PMBOK Guide is a framework for project management. None of these frameworks specifically focus on information security controls like ISO 27002 does.

  • 40. 

    Which one of the following stakeholders is not typically included on a business continuity planning team?

    • Core business function leaders

    • Information technology staff

    • CEO

    • Support departments

    Correct Answer
    A. CEO
    Explanation
    The CEO is not typically included on a business continuity planning team because their role is to oversee the entire organization and make strategic decisions, rather than being directly involved in the day-to-day operations or specific functions. The business continuity planning team usually consists of core business function leaders who have a deep understanding of their respective areas, information technology staff who can assess and address technological risks, and support departments who can provide necessary resources and support during a crisis. The CEO's involvement may be limited to providing guidance and approval for the overall business continuity plan.

  • 41. 

    The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

    • I

    • II

    • III

    • IV

    Correct Answer
    A. I
    Explanation
    The risks that require the most immediate attention are located in quadrant I. This is because quadrant I represents the risks that have a high likelihood of occurring and would have a severe impact on the organization if they were to occur. Therefore, these risks should be addressed and mitigated as soon as possible to prevent any potential harm or negative consequences to the organization.

  • 42. 

    Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?

    • Risk avoidance

    • Risk mitigation

    • Risk transference

    • Risk acceptance

    Correct Answer
    A. Risk mitigation
    Explanation
    The organization pursued a risk mitigation strategy by evaluating the risk of California mudslides and determining that the cost of responding outweighed the benefits of implementing controls. This means that instead of avoiding the risk or transferring it to another party, the organization chose to take action to reduce or mitigate the potential impact of the risk.

  • 43. 

    Helen is the owner of a website that provides information for middle and high school students preparing for exams. She is concerned that the activities of her site may fall under the jurisdiction of the Children’s Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?

    • 13

    • 15

    • 17

    • 18

    Correct Answer
    A. 13
    Explanation
    The cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA is 13. COPPA requires websites to obtain parental consent before collecting personal information from children under the age of 13.
  • 45. 

    Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks?

    • Awareness

    • Training

    • Education

    • Indoctrination

    Correct Answer
    A. Training
    Explanation
    Training is the correct answer because it is a security program designed to equip employees with the necessary knowledge and skills to carry out their specific work tasks. Training programs focus on teaching employees about security protocols, procedures, and best practices relevant to their job roles. This helps employees understand potential risks and how to mitigate them, ensuring they can effectively contribute to maintaining a secure work environment.

  • 46. 

    John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?

    • Spoofing

    • Repudiation

    • Information disclosure

    • Elevation of privilege

    Correct Answer
    A. Information disclosure
    Explanation
    John uncovered an attack that involved the attacker finding comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. This type of attack is known as information disclosure, as it involves the unauthorized disclosure of sensitive information that can be used to exploit vulnerabilities in a system.

  • 47. 

    Which one of the following is an administrative control that can protect the confidentiality of information?

    • Encryption

    • Nondisclosure agreement

    • Firewall

    • Fault tolerance

    Correct Answer
    A. Nondisclosure agreement
    Explanation
    A nondisclosure agreement is an administrative control that can protect the confidentiality of information. This agreement is a legal contract between two or more parties, where they agree not to disclose certain confidential information to any third party. By signing this agreement, individuals or organizations commit to keeping sensitive information confidential, thereby preventing unauthorized access or disclosure. Unlike encryption, firewall, or fault tolerance, which are technical controls, a nondisclosure agreement focuses on the human aspect of information security, ensuring that individuals are legally bound to maintain confidentiality.

  • 48. 

    STRIDE, PASTA, and VAST are all examples of what type of tool?

    • Risk assessment methodologies

    • Control matrices

    • Threat modeling methodologies

    • Awareness campaign tools

    Correct Answer
    A. Threat modeling methodologies
    Explanation
    STRIDE, PASTA, and VAST are all examples of threat modeling methodologies. Threat modeling is a process used to identify and prioritize potential threats and vulnerabilities in a system or application. STRIDE, PASTA, and VAST are specific methodologies that provide structured approaches to threat modeling, helping organizations systematically analyze and address potential threats. These methodologies help in identifying and mitigating security risks by considering various factors such as system components, potential attackers, and possible attack vectors. Therefore, the correct answer is threat modeling methodologies.

  • 49. 

    Which of the following is a realistic goal of every loss prevention program?

    • Permit losses that aren't very important.

    • Be 100% effective in preventing loss.

    • Reduce losses to a pre-defined level that management can tolerate.

    • Reduce losses to within 10% of a pre-defined level

    Correct Answer
    A. Permit losses that aren't very important.
    Explanation
    A realistic goal of every loss prevention program is to permit losses that aren't very important. This means that while it is not feasible to completely prevent all losses, the program aims to minimize and manage losses to a level that is acceptable and not significant. This approach recognizes that some losses may still occur, but the focus is on prioritizing and addressing the most critical and impactful losses, rather than trying to achieve a perfect prevention rate.

Quiz Review Timeline (Updated): Mar 21, 2023 +
  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Dec 15, 2020
    Quiz Created by
    Catherine Halcomb