The Most Advanced Business Management MCQ Test

By Catherine Halcomb, Community Contributor


If you want to enhance your business management skills, then this quiz is for you. You can play this "Most Advanced Business Management MCQ Test" and check your knowledge. Your score will decide how well you are aware of the terms and skills of Advanced Business Management. You can get the perfect score just by answering the quiz questions. All the best for the best scores.


Questions and Answers
  • 1. 

    An information security policy does NOT usually include:

    • A.

      Guidelines for how to implement policy

    • B.

      Authority for information security department

    • C.

      Basis for data classification

    • D.

      Recognition of information as an asset of the organization

    Correct Answer
    A. Guidelines for how to implement policy
    Explanation
    An information security policy typically includes guidelines for how to implement policy, as it serves as a set of instructions and procedures for ensuring the security of information within an organization. However, it does not usually include the authority for the information security department, the basis for data classification, or the recognition of information as an asset of the organization. These elements may be addressed in separate documents or policies.

  • 2. 

    Which of the following is a realistic goal of every loss prevention program?

    • A.

      Permit losses that aren't very important.

    • B.

      Be 100% effective in preventing loss.

    • C.

      Reduce losses to a pre-defined level that management can tolerate.

    • D.

      Reduce losses to within 10% of a pre-defined level

    Correct Answer
    A. Permit losses that aren't very important.
    Explanation
    A realistic goal of every loss prevention program is to permit losses that aren't very important. This means that while it is not feasible to completely prevent all losses, the program aims to minimize and manage losses to a level that is acceptable and not significant. This approach recognizes that some losses may still occur, but the focus is on prioritizing and addressing the most critical and impactful losses, rather than trying to achieve a perfect prevention rate.

  • 3. 

    When is it acceptable for management not to take action on an identified risk?

    • A.

      When responsibility for the conditions that cause the risk to arise is outside their department

    • B.

      When the cost of taking action outweighs the potential cost of the risk being realized.

    • C.

      When risk reduction measures may affect the productivity of the business.

    • D.

      Never - action should always be taken to reduce or eliminate an identified risk.

    Correct Answer
    B. When the cost of taking action outweighs the potential cost of the risk being realized.
    Explanation
    Management may choose not to take action on an identified risk if the cost of taking action is higher than the potential cost of the risk being realized. In some cases, the cost of implementing risk reduction measures may be too high compared to the potential impact of the risk. This decision is based on a cost-benefit analysis, where management evaluates the potential consequences of the risk and the cost of mitigating it. If the cost of taking action is higher than the potential cost of the risk, it may be acceptable for management not to take immediate action.

  • 4. 

    Which of the following MOST clearly indicates whether specific risk reduction controls should be implemented?

    • A.

      Threat and vulnerability analysis

    • B.

      Risk evaluation

    • C.

      ALE calculation

    • D.

      Countermeasure cost/benefit analysis

    Correct Answer
    D. Countermeasure cost/benefit analysis
    Explanation
    Countermeasure cost/benefit analysis is the most appropriate method for determining whether specific risk reduction controls should be implemented. This analysis involves evaluating the potential costs associated with implementing the controls against the potential benefits they would provide in terms of risk reduction. By comparing the costs and benefits, organizations can make informed decisions about whether the controls are worth implementing or if alternative measures should be considered. This analysis helps ensure that resources are allocated effectively and that the most cost-effective controls are implemented to mitigate risks.

  • 5. 

    A newly assigned Risk Manager requests access to a file share containing corporate financial records. The access request is reviewed by the Chief Financial Officer who determines that access will be granted to only three files for one month. This principle is referred to as:

    • A.

      Job rotation

    • B.

      Least privilege

    • C.

      Special privilege

    • D.

      Separation of duties

    Correct Answer
    B. Least privilege
    Explanation
    The principle referred to in this scenario is "Least privilege." This principle ensures that individuals are granted access only to the resources and information necessary for them to perform their job duties. In this case, the Risk Manager is granted access to only three files for a limited period of time, indicating that they are given the minimum privileges required to fulfill their role. This principle helps to minimize the risk of unauthorized access or misuse of sensitive financial records.

  • 6. 

    One purpose of a security awareness program is to modify

    • A.

      Employee's attitude and behaviors

    • B.

      Management's approach

    • C.

      Attitudes of employees with sensitive data

    • D.

      Corporate attitudes about safeguarding data

    Correct Answer
    A. Employee's attitude and behaviors
    Explanation
    A security awareness program aims to change and improve the attitudes and behaviors of employees towards security. By educating employees about the importance of security measures and best practices, the program seeks to modify their mindset and actions, making them more conscious and responsible when handling sensitive data. This helps create a security-conscious culture within the organization and reduces the risk of security breaches caused by human error or negligence.

  • 7. 

    Which of the following assures alignment of security functions and the organization's goals, missions and objectives?

    • A.

      Governance oversight

    • B.

      System security oversight

    • C.

      Human resource oversight

    • D.

      Business service oversight

    Correct Answer
    A. Governance oversight
    Explanation
    Governance oversight ensures alignment of security functions with an organization's goals, missions, and objectives. It involves establishing and enforcing policies, procedures, and controls to ensure that security measures are implemented in line with the organization's strategic direction. This oversight helps to ensure that security decisions and actions are consistent with the overall objectives of the organization, promoting effective risk management and protection of assets. It involves monitoring and evaluating the effectiveness of security measures, making necessary adjustments, and providing guidance and direction to ensure that security functions support the organization's goals and objectives.

  • 8. 

    The concept of "least privilege" involves:

    • A.

      Individual accountability

    • B.

      Access authentication

    • C.

      Authorization levels

    • D.

      Identification of users

    Correct Answer
    C. Authorization levels
    Explanation
    The concept of "least privilege" refers to granting users the minimum level of access necessary to perform their job functions. By implementing authorization levels, organizations can ensure that users only have access to the resources and information that they need to carry out their tasks, reducing the risk of unauthorized access or misuse of sensitive data. This principle helps to enhance security by limiting the potential damage that can be caused by a compromised user account.

  • 9. 

    Which is the FIRST step that should be considered in a penetration test?

    • A.

      The approval of the change management control team

    • B.

      The development of a detailed test plan

    • C.

      The formulation of specific management objectives

    • D.

      The communication process among team members

    Correct Answer
    C. The formulation of specific management objectives
    Explanation
    The formulation of specific management objectives is the first step that should be considered in a penetration test. This involves defining clear goals and objectives for the test, such as identifying vulnerabilities, testing the effectiveness of security measures, or assessing the overall security posture of the system. By establishing specific management objectives, the penetration testing team can align their efforts and focus on achieving the desired outcomes. This step ensures that the test is conducted with a clear purpose and direction, guiding the subsequent phases of the penetration testing process.

  • 10. 

    Under the principle of negligence, executives can be held liable for losses that result from system breaches if

    • A.

      The company is a multi-national company

    • B.

      They have not exercised due care protecting computing resources

    • C.

      They have failed to properly insure computer resources against loss

    • D.

      The company does not prosecute the hacker that caused the breach

    Correct Answer
    B. They have not exercised due care protecting computing resources
    Explanation
    Under the principle of negligence, executives can be held liable for losses that result from system breaches if they have not exercised due care protecting computing resources. This means that if the executives have not taken reasonable steps to secure and protect the company's computer systems and data, they can be held responsible for any damages or losses that occur as a result of a breach. This includes implementing security measures, regularly updating and patching systems, and training employees on cybersecurity best practices. Failing to do so can be seen as a failure of their duty of care, making them liable for any resulting losses.

  • 11. 

    If a company has no written policy notifying employees of its right to monitor network activity, what must it do to be in compliance with certain privacy laws or principles?

    • A.

      Monitor only during off hours

    • B.

      Obtain a search warrant prior to any monitoring

    • C.

      Not capture any network traffic related to monitoring employee's activity

    • D.

      Apply for a waiver from Interpol before monitoring

    Correct Answer
    C. Not capture any network traffic related to monitoring employee's activity
    Explanation
    To be in compliance with certain privacy laws or principles, if a company has no written policy notifying employees of its right to monitor network activity, it must not capture any network traffic related to monitoring employee's activity. This means that the company should refrain from monitoring or recording any data or information about the employees' network activities without their knowledge or consent. This is important to protect the privacy rights of the employees and ensure compliance with privacy laws.

  • 12. 

    What are the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information related to?

    • A.

      Privacy

    • B.

      Secrecy

    • C.

      Availability

    • D.

      Reliability

    Correct Answer
    A. Privacy
    Explanation
    The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information pertain to privacy. Privacy refers to the right of individuals to keep their personal information confidential and control its use. It involves protecting sensitive data from unauthorized access, ensuring the security and confidentiality of personal information, and obtaining consent before collecting or using personal data. Privacy rights also include the obligation to handle personal information responsibly and in compliance with applicable laws and regulations.

  • 13. 

    Under which one of the following situations would a trash can fire be considered a disaster?

    • A.

      The fire caused critical business systems to be disabled for longer than the Recovery Time Objective

    • B.

      The fire alarms went off and the building had to be evacuated.

    • C.

      The trash can contained company sensitive documents.

    • D.

      The fire spread beyond the trash can and the fire department had to be called.

    Correct Answer
    A. The fire caused critical business systems to be disabled for longer than the Recovery Time Objective
    Explanation
    A trash can fire would be considered a disaster when it causes critical business systems to be disabled for longer than the Recovery Time Objective. This means that the fire has disrupted the normal functioning of important systems within the company, leading to significant downtime and potentially impacting the organization's operations and productivity.

  • 14. 

    Which of the following is LEAST likely to be required to quantify the impact associated with a potential disaster to a commercial enterprise?

    • A.

      Identify the organization's key business functions

    • B.

      Identify the computer systems critical to the survival of the organization.

    • C.

      Estimate the financial impact a loss would have on the business based on how long an outage would last.

    • D.

      Acquire information from government agencies about the likelihood of a natural disaster occurring.

    Correct Answer
    D. Acquire information from government agencies about the likelihood of a natural disaster occurring.
    Explanation
    Acquiring information from government agencies about the likelihood of a natural disaster occurring is least likely to be required to quantify the impact associated with a potential disaster to a commercial enterprise. While it is important to be aware of the likelihood of a natural disaster, quantifying the impact would primarily involve identifying the organization's key business functions, identifying critical computer systems, and estimating the financial impact based on the duration of an outage. The likelihood of a natural disaster is relevant for disaster preparedness and mitigation, but not directly for quantifying the impact.

  • 15. 

    Which of the following would BEST help an organization to gain a common understanding of functions that are critical to survival?

    • A.

      Risk assessment

    • B.

      Emergency response plan

    • C.

      Disaster recovery plan

    • D.

      Business impact analysis

    Correct Answer
    D. Business impact analysis
    Explanation
    A business impact analysis would be the best option to help an organization gain a common understanding of critical functions for survival. This analysis involves identifying and evaluating the potential impact of disruptions on various business processes. By conducting a business impact analysis, the organization can determine which functions are crucial for its survival and prioritize them accordingly. This analysis helps in understanding the potential consequences of disruptions and enables the organization to develop strategies and plans to mitigate risks and ensure continuity.

  • 16. 

    Which of the following best defines a Business Impact Analysis (BIA)?

    • A.

      It is the process of analyzing all business functions to determine the impact of an outage.

    • B.

      It is the process of analyzing corporate functions, such as accounting, personnel, and legal to determine which functions must operate immediately following an outage.

    • C.

      It is the process of documenting procedures and capabilities to sustain organizational essential functions at an alternate site.

    • D.

      It is the process of documenting viable recovery options for each business unit in the event of an outage.

    Correct Answer
    A. It is the process of analyzing all business functions to determine the impact of an outage.
    Explanation
    A Business Impact Analysis (BIA) is the process of analyzing all business functions to determine the impact of an outage. This involves assessing the potential consequences and effects of a disruption or outage on various aspects of the organization, including operations, finances, reputation, and customer satisfaction. By conducting a BIA, organizations can identify critical processes and functions that need to be prioritized for recovery, develop appropriate contingency plans, and allocate resources effectively to minimize the impact of an outage on the business.

  • 17. 

    When conducting the business impact assessment, business processes are examined relative to all EXCEPT:

    • A.

      Customer interruption impacts

    • B.

      Embarrassment or loss of confidence impacts

    • C.

      Executive management disruption impacts

    • D.

      Revenue loss potential impact

    Correct Answer
    C. Executive management disruption impacts
    Explanation
    During a business impact assessment, various aspects of a business are evaluated to determine the potential impact of an incident or disruption. This includes assessing the effects on customers, such as interruptions or loss of confidence, as well as the potential revenue loss. However, the assessment does not focus on the impacts on executive management disruption. This means that the evaluation does not consider how the disruption might affect the executives or their ability to perform their roles.

  • 18. 

    Which of the following defines the intent of a system security policy?

    • A.

      A description of the settings that will provide the highest level of security

    • B.

      A brief high-level statement defining what is and is not permitted in the operation of a system

    • C.

      A definition of those items that must be denied on the system

    • D.

      A listing of tools and applications that will be used to protect the system

    Correct Answer
    B. A brief high-level statement defining what is and is not permitted in the operation of a system
    Explanation
    The intent of a system security policy is to provide a brief high-level statement defining what is and is not permitted in the operation of a system. This statement helps to establish the boundaries and rules for the use and management of the system, ensuring that all users understand what actions are allowed and what actions are prohibited. It serves as a guiding document for implementing security measures and helps to maintain the overall security posture of the system.

  • 19. 

    An organizational information security strategy is incomplete without

    • A.

      Recommendations for salary improvement of security professionals

    • B.

      Addressing privacy and health care requirements of employees

    • C.

      Alignment with organizational audit and marketing plans

    • D.

      Incorporating input from organizational privacy and safety professionals

    Correct Answer
    D. Incorporating input from organizational privacy and safety professionals
    Explanation
    An organizational information security strategy is incomplete without incorporating input from organizational privacy and safety professionals. These professionals have the knowledge and expertise to identify potential risks and vulnerabilities in the organization's systems and processes. By involving them in the development of the security strategy, the organization can ensure that all aspects of privacy and safety are considered and addressed effectively. This collaboration also helps in creating a comprehensive and well-rounded security strategy that aligns with the organization's goals and objectives.

  • 20. 

    The organizational information security plan can

    • A.

      Assure protection of organizational data and information

    • B.

      Select the technology solutions to enhance organizational security effectiveness

    • C.

      Identify potential risks to organizational employee behavior

    • D.

      Align organizational data protection schemes to business goals

    Correct Answer
    D. Align organizational data protection schemes to business goals
    Explanation
    The correct answer is "Align organizational data protection schemes to business goals". This answer is the most appropriate because aligning data protection schemes to business goals ensures that the security measures implemented by the organization are in line with its overall objectives. It ensures that the organization's data protection efforts are focused on safeguarding the information that is critical to achieving its strategic goals. By aligning data protection schemes to business goals, the organization can prioritize its security efforts and allocate resources accordingly. This approach helps to ensure that the organization's data and information are protected in a way that supports its overall business objectives.

  • 21. 

    Which of these terms is MOST closely related to confidentiality?

    • A.

      Reliability

    • B.

      Need-to-know

    • C.

      Auditability

    • D.

      Trustworthiness

    Correct Answer
    B. Need-to-know
    Explanation
    Confidentiality is the principle of limiting access to sensitive information to authorized individuals only. The term "need-to-know" is closely related to confidentiality because it refers to the idea that access to confidential information should be granted only to individuals who have a legitimate need for that information to perform their job responsibilities. This helps to ensure that sensitive information is protected and not disclosed to unauthorized parties.

  • 22. 

    Which of these is the MOST important factor when considering the alignment between releasing a product and making it secure?

    • A.

      Service level agreements

    • B.

      Customer satisfaction

    • C.

      Policy

    • D.

      Profit

    Correct Answer
    A. Service level agreements
    Explanation
    When considering the alignment between releasing a product and making it secure, service level agreements are the most important factor. Service level agreements outline the specific security requirements and expectations that need to be met during the release process. These agreements ensure that proper security measures are implemented, such as encryption, access controls, and vulnerability testing, to protect the product and its users. By prioritizing service level agreements, organizations can ensure that the product is released securely and meets the necessary security standards.

  • 23. 

    Which statement is MOST accurate in the majority of organizational structures?

    • A.

      The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.

    • B.

      The Security Officer accepts the risk of system failures

    • C.

      The Security Officer reports to the Privacy Officer.

    • D.

      The Security Officer is responsible for protection of business information assets.

    Correct Answer
    A. The Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete.
    Explanation
    In the majority of organizational structures, the Security Officer is responsible for ensuring that recommendations to executive management are full, accurate, and complete. This indicates that the Security Officer plays a crucial role in providing comprehensive and accurate information to the top management, which helps in making informed decisions regarding security measures. This responsibility highlights the importance of the Security Officer in maintaining the integrity and effectiveness of the organization's security practices.

  • 24. 

    Governance involves ______

    • A.

      The regulations that affect a company within a state or country

    • B.

      The risk management processes and procedures within a company

    • C.

      The organizational structure that includes standards, procedures and policies

    • D.

      The organizational chart that describes who reports to whom as defined for a company

    Correct Answer
    C. The organizational structure that includes standards, procedures and policies
    Explanation
    Governance involves the organizational structure that includes standards, procedures, and policies. This means that governance encompasses the overall framework of an organization, including the rules and guidelines that direct its operations. It includes the establishment of standards, the development of procedures, and the implementation of policies to ensure that the organization operates in a transparent, accountable, and ethical manner.

  • 25. 

    Which of these Intellectual Property Law concepts is NOT a part of Contract Law?

    • A.

      Commercial software

    • B.

      Shareware

    • C.

      Public domain

    • D.

      Freeware

    Correct Answer
    C. Public domain
    Explanation
    Public domain is not a part of Contract Law because it is a concept related to the availability of creative works that are not protected by intellectual property rights. When a work is in the public domain, it means that anyone can use, modify, or distribute it without the need for permission or a contract. In contrast, commercial software, shareware, and freeware are all concepts that involve the licensing and distribution of software under specific contractual terms.

  • 26. 

    In order to determine whether encrypted messages can be sent between any two particular countries, which resource should be consulted?

    • A.

      World Intellectual Property Office (WIPO)

    • B.

      International Traffic in Arms Reductions (ITAR) Agreements

    • C.

      Organization for Economic Cooperation and Development (OECD)

    • D.

      Wassenaar Arrangement

    Correct Answer
    C. Organization for Economic Cooperation and Development (OECD)
    Explanation
    The Organization for Economic Cooperation and Development (OECD) should be consulted to determine whether encrypted messages can be sent between any two particular countries. The OECD is an international organization that promotes economic growth, trade, and cooperation among its member countries. It provides guidelines and recommendations on various economic and policy issues, including encryption regulations. Therefore, consulting the OECD would provide relevant information on the regulations and restrictions regarding encrypted messages between countries.

  • 27. 

    Which of these is one of the Organization for Economic Cooperation and Development (OECD) guidelines on privacy?

    • A.

      Personal data should be relevant to the purpose for which they are to be used

    • B.

      Personal data might need to be protected by reasonable security safeguards as necessary

    • C.

      The use of personal data does not need to be disclosed at any time

    • D.

      There are no limits on the amount of personal data or the type of personal data that is collected.

    Correct Answer
    D. There are no limits on the amount of personal data or the type of personal data that is collected.
  • 28. 

    Which of the following definitions is correct?

    • A.

      RTO (Recovery Time Objective) is the amount of time it will take to recover all critical systems at an alternate site

    • B.

      RPO (Recovery Point Objective) is a measure of tolerable data loss

    • C.

      End of disaster is when all systems are recovered at the alternate site

    • D.

      End of disaster declaration occurs when the Security Manager determines that the activation was a false alarm

    Correct Answer
    C. End of disaster is when all systems are recovered at the alternate site
  • 29. 

    What is essential to get from an employee or contractor when they leave an organization?

    • A.

      A non-disclosure agreement

    • B.

      Their passwords

    • C.

      His or her badge

    • D.

      Any clothing items with the company logo

    Correct Answer
    C. His or her badge
    Explanation
    When an employee or contractor leaves an organization, it is essential to retrieve their badge. This is important to ensure that the person no longer has access to the company's premises or resources. By collecting the badge, the organization can prevent unauthorized entry and protect sensitive information or assets. Additionally, it helps maintain security and control over the physical premises.

  • 30. 

    In risk analysis calculations, which of these statements is correct?

    • A.

      When exposure factor (EF) is unknown it should be assumed to be zero

    • B.

      Annual Rate of Occurrence (ARO) increases whenever Single Loss Expectancy (SLE) is greater than zero

    • C.

      ALE (Annual Loss Expectancy) equals Asset Value (AV) times EF times ARO

    • D.

      ALE equals AV times EF times SLE

    Correct Answer
    C. ALE (Annual Loss Expectancy) equals Asset Value (AV) times EF times ARO
    Explanation
    The correct answer is ALE (Annual Loss Expectancy) equals Asset Value (AV) times EF times ARO. ALE is a measure of the expected loss in a year, and it is calculated by multiplying the Asset Value (AV) by the Exposure Factor (EF) and the Annual Rate of Occurrence (ARO). This formula takes into account the potential loss value of an asset, the likelihood of an event occurring, and the extent of the potential loss if the event does occur. By multiplying these factors together, we can estimate the expected loss in a given year.

  • 31. 

    Which of these is NOT an example of social engineering?

    • A.

      Session hijacking

    • B.

      Shoulder surfing

    • C.

      Baiting

    • D.

      Tailgating

    • E.

      Option 5

    Correct Answer
    A. Session hijacking
  • 32. 

    Which of these statements is MOST likely to trigger a change in policy?

    • A.

      Lack of compliance by staff

    • B.

      Large number of approved exceptions

    • C.

      Policy is short

    • D.

      Policy contains metrics

    Correct Answer
    B. Large number of approved exceptions
    Explanation
    A large number of approved exceptions is most likely to trigger a change in policy because it indicates that the current policy is not effective in addressing certain situations. When there are numerous exceptions being approved, it suggests that the policy may not be practical or suitable for all scenarios. This could lead to a reassessment of the policy and the need for a change to ensure better compliance and alignment with the organization's goals and objectives.

  • 33. 

    A laptop holds a medical database containing records of device sales (canes, walkers, braces), and many of these sales are made during in-home visits. Recognizing that these items are covered under HIPAA, PIPEDA and other international equivalents, what should be done to protect the company?

    • A.

      All data must be encrypted

    • B.

      Encryption is not required and due to the overhead of key management, is not warranted

    • C.

      Encryption of Patient Identification Information (PII) alone is required, and each sales person must have a unique key

    • D.

      Whole disk encryption is not required, but it is the easiest and safest solution

    Correct Answer
    D. Whole disk encryption is not required, but it is the easiest and safest solution
    Explanation
    Whole disk encryption is not required, but it is the easiest and safest solution. This means that while it is not mandatory to encrypt the entire disk, it is still recommended as it provides the highest level of security for the company's data. Encrypting the entire disk ensures that all sensitive information, including patient identification information (PII), is protected. It eliminates the need for individual key management and reduces the risk of unauthorized access to the data. Overall, whole disk encryption is a convenient and secure way to safeguard the company's medical database.

  • 34. 

    Which of these deals with international copyright agreements?

    • A.

      ISO 27000

    • B.

      The Wassenaar Arrangement

    • C.

      The Montreal Protocol

    • D.

      WIPO

    Correct Answer
    D. WIPO
    Explanation
    WIPO stands for World Intellectual Property Organization, which is an international organization that deals with intellectual property rights, including copyright agreements. It provides a forum for member countries to negotiate and establish international treaties and agreements related to copyright protection. WIPO's main goal is to promote and protect intellectual property rights worldwide, including copyright laws and agreements between countries. Therefore, WIPO is the correct answer for the question.

  • 35. 

    Closed-circuit camera feeds and recordings are commonly used as all of these EXCEPT for which of the following?

    • A.

      A deterrent control

    • B.

      A detective control

    • C.

      A corrective control

    • D.

      A preventive control

    Correct Answer
    C. A corrective control
    Explanation
    Closed-circuit camera feeds and recordings are commonly used as deterrent, detective, and preventive controls. These cameras are installed to deter potential criminals, detect any suspicious activities or incidents, and prevent crimes from happening. However, they are not typically used as a corrective control. Corrective controls are measures taken after an incident or breach has occurred to mitigate the damage and prevent a recurrence. Closed-circuit camera feeds and recordings are not directly involved in the corrective action process.

  • 36. 

    A compensating control is _____

    • A.

      A control put in place when another control is suspended or disabled

    • B.

      A control put in place to overcome the shortcomings of another control

    • C.

      A control put in place that automatically continues to protect the system when the primary control fails

    • D.

      A control that compensates for law enforcement or management's lack of technical skills

    Correct Answer
    B. A control put in place to overcome the shortcomings of another control
    Explanation
    A compensating control is a control put in place to overcome the shortcomings of another control. This means that when one control is not effective or disabled, a compensating control is implemented to ensure that the system or process remains secure. It acts as an alternative measure to mitigate risks and maintain the desired level of security.

  • 37. 

    Copyright protects ______

    • A.

      A symbol that represents an idea

    • B.

      A proprietary process or procedure

    • C.

      The expression of an idea

    • D.

      The idea itself

    Correct Answer
    C. The expression of an idea
    Explanation
    Copyright protects the expression of an idea. This means that the specific way in which an idea is presented or communicated, such as through writing, art, music, or other forms of creative expression, is protected by copyright law. It does not protect the idea itself, as ideas are considered to be in the public domain and can be freely used by anyone. However, the specific expression of that idea, such as a novel, painting, or song, is protected and cannot be copied or used without permission from the copyright holder.

  • 38. 

    As an employee of an investment bank, you have just completed programming a highly profitable automated stock trading program. You decide to copy it onto a writable CD and then use the program at home for your friends and family, but do not charge anyone fees. Which of the following statements applies?

    • A.

      The employer owns the copyright since it is work for hire, but you may use it if you don't charge anyone for it, under fair use principles

    • B.

      The employer owns the copyright since it is work for hire, so you may not use it under any circumstances without permission

    • C.

      As author you own the copyright and may use it any way you wish

    • D.

      You and the employer share the copyright and you may use it if you don't charge anyone for it

    Correct Answer
    B. The employer owns the copyright since it is work for hire, so you may not use it under any circumstances without permission
    Explanation
    The correct answer is that the employer owns the copyright since it is work for hire, so you may not use it under any circumstances without permission. When you are an employee and create a work as part of your job, the copyright typically belongs to the employer, not the employee. Therefore, you cannot use the program without the employer's permission, even if you do not charge anyone for it.

  • 39. 

    What is the final step of a quantitative risk analysis?

    • A.

      Determine asset value.

    • B.

      Assess the annualized rate of occurrence.

    • C.

      Derive the annualized loss expectancy.

    • D.

      Conduct a cost/benefit analysis.

    Correct Answer
    D. Conduct a cost/benefit analysis.
    Explanation
    The final step of a quantitative risk analysis is to conduct a cost/benefit analysis. This involves weighing the potential costs of implementing risk mitigation measures against the potential benefits of reducing or eliminating the identified risks. By conducting a cost/benefit analysis, organizations can make informed decisions about which risk mitigation measures are most cost-effective and prioritize their implementation accordingly. This step helps to ensure that resources are allocated efficiently and effectively to manage risks in a way that maximizes the overall benefit to the organization.

  • 40. 

    Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an internet service provider after it receives a notification of infringement claim from a copyright holder?

    • A.

      Storage of information by a customer on a provider’s server

    • B.

      Caching of information by the provider

    • C.

      Transmission of information over the provider’s network by a customer

    • D.

      Caching of information in a provider search engine

    Correct Answer
    C. Transmission of information over the provider’s network by a customer
    Explanation
    The DMCA requires internet service providers to take prompt action when they receive a notification of infringement claim from a copyright holder. However, the transmission of information over the provider's network by a customer does not fall under the category of offenses that require prompt action. The other options, such as storage of information, caching of information by the provider, and caching of information in a provider search engine, may require prompt action by the internet service provider.

  • 41. 

    FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

    • A.

      The right to access

    • B.

      Privacy by design

    • C.

      The right to be forgotten

    • D.

      The right of data portability

    Correct Answer
    C. The right to be forgotten
    Explanation
    The correct answer is "The right to be forgotten." Under the General Data Protection Regulation (GDPR), individuals have the right to request that their personal data no longer be disseminated or processed by an organization. This means that FlyAway Travel, in this case, must comply with the customer's request to terminate their account and delete their personal information. This right allows individuals to have more control over their own data and ensures that organizations handle personal information responsibly.

  • 42. 

    Which one of the following is not one of the three common threat modeling techniques?

    • A.

      Focused on assets

    • B.

      Focused on attackers

    • C.

      Focused on software

    • D.

      Focused on social engineering

    Correct Answer
    D. Focused on social engineering
    Explanation
    The three common threat modeling techniques are focused on assets, focused on attackers, and focused on software. These techniques involve identifying and analyzing potential threats and vulnerabilities related to the assets, attackers, and software involved in a system or application. However, the technique focused on social engineering is not one of the three common techniques. Social engineering refers to the manipulation of individuals to gain unauthorized access or sensitive information, and while it is an important aspect to consider in security, it is not one of the primary techniques used in threat modeling.

  • 43. 

    Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?

    • A.

      Student identification number

    • B.

      Social Security number

    • C.

      Driver’s license number

    • D.

      Credit card number

    Correct Answer
    A. Student identification number
    Explanation
    A student identification number is not considered personally identifiable information that would trigger most U.S. state data breach laws. While social security number, driver's license number, and credit card number are all considered personally identifiable information and are protected by data breach laws, a student identification number typically does not contain enough personal information to be considered as such. It is often a randomly generated or assigned number that is used solely for identification purposes within an educational institution and does not reveal any sensitive personal details.

  • 44. 

    In 1991, the Federal Sentencing Guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?

    • A.

      Due diligence rule

    • B.

      Personal liability rule

    • C.

      Prudent man rule

    • D.

      Due process rule

    Correct Answer
    C. Prudent man rule
    Explanation
    The correct answer is the Prudent man rule. This rule, formalized in 1991 by the Federal Sentencing Guidelines, requires senior executives to take personal responsibility for information security matters. It implies that executives should act with the care, skill, and diligence that a prudent person would exercise in similar circumstances. This rule holds executives accountable for ensuring the security of information within their organizations.

  • 45. 

    Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?

    • A.

      Username

    • B.

      Personal identification number (PIN)

    • C.

      Security question

    • D.

      Fingerprint scan

    Correct Answer
    D. Fingerprint scan
    Explanation
    A fingerprint scan provides an authentication mechanism that is appropriate for pairing with a password to achieve multifactor authentication. This is because a fingerprint scan is a biometric authentication method that verifies a person's unique fingerprint pattern, adding an additional layer of security to the traditional password authentication. By requiring both a password and a fingerprint scan, it becomes more difficult for unauthorized individuals to gain access to the system or device, enhancing the overall security and reducing the risk of unauthorized access.

  • 46. 

    What United States government agency is responsible for administering the terms of Privacy Shield agreements between the European Union and the United States under the EU GDPR?

    • A.

      Department of Defense

    • B.

      Department of the Treasury

    • C.

      State Department

    • D.

      Department of Commerce

    Correct Answer
    D. Department of Commerce
    Explanation
    The Department of Commerce is responsible for administering the terms of Privacy Shield agreements between the European Union and the United States under the EU GDPR. This agency oversees international trade and economic growth, making it the most suitable entity to handle the implementation and enforcement of Privacy Shield agreements. The Department of Defense, Department of the Treasury, and State Department do not have the specific jurisdiction or expertise in this area, making them unlikely choices for this responsibility.

  • 47. 

    Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

    • A.

      GLBA

    • B.

      SOX

    • C.

      HIPAA

    • D.

      FERPA

    Correct Answer
    A. GLBA
    Explanation
    GLBA, also known as the Gramm-Leach-Bliley Act, is the most likely law to apply to Yolanda's situation as the chief privacy officer for a financial institution researching privacy issues related to customer checking accounts. The GLBA requires financial institutions to explain their information-sharing practices to their customers and protect the privacy and security of customer information. It also requires institutions to have safeguards in place to protect against unauthorized access or use of customer information. Therefore, GLBA is the most relevant law in this context.

  • 48. 

    Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

    • A.

      FISMA

    • B.

      PCI DSS

    • C.

      HIPAA

    • D.

      GISRA

    Correct Answer
    A. FISMA
    Explanation
    FISMA, which stands for the Federal Information Security Management Act, is the most likely law that applies to the information systems involved in Tim's organization's government contract for sponsored research. FISMA is a United States federal law that establishes a framework for protecting the security of federal information and information systems. As a government contractor, Tim's organization is required to comply with FISMA regulations to ensure the security of the information systems used for the sponsored research. PCI DSS, HIPAA, and GISRA are not applicable in this context.

  • 49. 

    Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

    • A.

      Memory chips

    • B.

      Office productivity applications

    • C.

      Hard drives

    • D.

      Encryption software

    Correct Answer
    D. Encryption software
    Explanation
    Encryption software is most likely to trigger export control regulations because it involves the protection of sensitive information and the prevention of unauthorized access. Many countries have strict regulations on the export of encryption software to prevent it from falling into the wrong hands or being used for illegal activities. The export of encryption software may require licenses or approvals from government authorities to ensure compliance with national security and export control laws.

  • 50. 

    Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?

    • A.

      Spoofing

    • B.

      Repudiation

    • C.

      Tampering

    • D.

      Elevation of privilege

    Correct Answer
    D. Elevation of privilege
    Explanation
    In this scenario, the attacker exploited a system vulnerability to elevate the normal user account's privileges to administrative rights. This type of attack is known as "Elevation of privilege" under the STRIDE threat model. It involves an attacker gaining unauthorized access to higher levels of privileges or permissions than they should have, allowing them to perform actions that are typically restricted to administrators.

Quiz Review Timeline

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Dec 15, 2020
    Quiz Created by
    Catherine Halcomb