Practice Test(DOMAIN1)

Domain 1 Exam.

A minimum of 70% is required to pass.



There may be content you haven’t seen yet.

#1. What is the typical audit duration for non-accounting security and other controls over a trustee company in SOC-2?

Service Organization Control (SOC) is a rule established by the American Institute of Certified Public Accountants (AICPA) to assure the internal control of the party contracted to perform services. Sometimes, work is contracted out to other firms. In order to guarantee the quality of its own work, the company that is contracted to perform the work must also have appropriate controls in place. For this reason, we check the internal control of the outsourcing company to which the work is outsourced.

  • SOC-1 (Internal Control over Financial Reporting (ICFR)) Audits the accounting of the trustee company.
    SOC-2 (Trust Services Criteria): Checks security and other controls other than accounting for the fiduciary company. Usually takes six months to complete.
    SOC-3 (Trust Services Criteria for General Use Report) Confirms security and other controls other than accounting for unspecified persons (users).

#2. There are several calculation methods used to evaluate the value of an asset. Which of the following is NOT used to determine the value of an asset?

〇:Level of insurance required to cover assets.

This question is about choosing what is not used. There are several ways to calculate asset value (AV, Asset Value): the market approach, which refers to similar assets in the market, the income approach, which measures it by the profit it will earn in the future, and the cost approach, which measures it by the cost spent on the asset. The level of insurance needed to cover an asset is a decision made after identifying the asset value and conducting an appropriate risk analysis, allowing the organization to more easily determine the level of insurance coverage to purchase for that asset. Therefore, the correct answer is “level of insurance required to cover the asset”.


×:Value of the asset in the external market.

The technique of referring to similar assets in the market is known as the market approach.


×:Initial costs and outlay for purchasing, licensing, and supporting the asset.

The method of measuring by the cost spent on an asset is known as the cost approach.


×:The value of the asset to the organization’s production operations.

The method of measuring by the profit that will be earned in the future is known as the revenue approach.

#3. Lee is the new security manager responsible for ensuring that his company complies with the European Union Principles on Privacy when interacting with its European partners. Which of the following laws or regulations contain a set of principles dealing with the transmission of data that is considered private?

〇:Data Protection Directive

In many cases, the European Union (EU) takes personal privacy more seriously than most other countries in the world and therefore adheres to strict laws regarding data considered personal information based on the European Union Principles for the Protection of Personal Data. This set of principles addresses the use and communication of information that is considered private in nature. These principles and how to comply with them are contained in the EU Data Protection Directive. All European states must comply with these principles, and all companies doing business with EU companies must follow this directive if their business involves the exchange of privacy-type data.


×:Organization for Economic Cooperation and Development (OECD)

Image B is incorrect because the Organization for Economic Cooperation and Development (OECD) is an international organization that brings together different governments to help address the economic, social, and governance challenges of a globalized economy. For this reason, the OECD has developed national guidelines to ensure that data is properly protected and that everyone adheres to the same kinds of rules.


×:Federal Private Sector Bill

The Federal Private Bill is incorrect. There is no official bill by this name.


×:Privacy Protection Act

The Privacy Protection Act is the wrong answer. There is no official legislation by this name.

#4. A business impact analysis is considered a functional analysis. Which of the following is NOT performed during a Business Impact Analysis?

〇:Parallel testing or full interruption testing

A Business Impact Analysis (BIA) is considered a functional analysis where the team gathers data through interviews and documentation sources. Document business functions, activities, and transactions. Develop a hierarchy of business functions. Finally, a classification scheme is applied that indicates the level of importance of each individual function. Parallel and full interruption tests are not part of the BIA. These tests are performed to ensure the ongoing effectiveness of the business continuity plan to accommodate the constantly changing environment. While full interruption testing involves shutting down the original site and resuming operations and processing at an alternate site, parallel testing is performed to ensure that a particular system will actually function properly at the alternate off-site function.


×:Application of a classification scheme based on criticality levels.

This is incorrect because it is performed during a BIA. This is done by identifying a company’s critical assets and mapping them to characteristics such as maximum allowable downtime, operational disruption and productivity, financial considerations, regulatory liability, and reputation.


×:Gathering information through interviews

This is not correct as it is done during the BIA. The BCP committee does not truly understand all business processes, the steps to be taken, or the resources and supplies those processes require. Therefore, the committee should collect this information from people in the know, which are department heads and specific employees within the organization.


×:Document business functions

This is incorrect because the BCP committee makes this part of the BIA. Business activities and transactions must be documented. This information can come from department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, equipment, or operational activities are most critical.

#5. Which of the following is true about digital forensics?

〇:It encompasses network and code analysis and is sometimes referred to as electronic data discovery.

Forensics is the analysis of electronic data that may have been affected by technology, authentication, and criminal activity requiring special techniques to ensure the preservation of information. It comes together of computer science, information technology and engineering in the legal system. When discussing digital forensics with others, it may be described as computer forensics, network forensics, electronic data discovery, cyber forensics, etc.


×:The study of computer technology.

Digital forensics is incorrect because it involves information technology rather than research. It encompasses the study of information technology, but also includes collecting and protecting evidence and working within specific legal systems.


×:A set of hardware-specific processes that must be followed in order for evidence to be admissible in court.

Digital forensics is incorrect because it does not refer to hardware or software. It is a set of specific processes related to computer usage, examination of residual data, technical analysis and description of technical characteristics of the data, and reconstruction of the authentication of data by computer usage that must be followed for the evidence to be admissible in court.


×:Before an incident occurs, digital forensics roles and responsibilities should be assigned to network administrators.

This is wrong because digital forensics must be done by people with the proper training and skill set who could not possibly be administrators or network administrators. Digital forensics can be fragile and must have been worked on properly. If someone reboots an attacked system or inspects various files, it could corrupt and change executable evidence, key file timestamps, and erase any footprints the criminal may have left behind.

#6. Which of the following is a correct action-directed defense?

〇:Regular training to change employee attitudes

Behavior-directed controls are intended to direct the behavior required of employees as part of organizational management. Regular training that changes employee awareness falls under the action-directed type. Therefore, the correct answer is “Regular training to change employee attitudes”.


×:Remotely directed defenses using drone audits

This falls under reinforcing (compensating) defensive measures.


×:Defensive measures to be behavioral psychological barriers due to physical barriers

This is a physical (physically) defensive measure.


×:Developing recurrence prevention measures to review certain actions

This is a corrective measure.

#7. Sue is charged with implementing several security controls to protect the company’s e-mail system, including antivirus and antispam software. What approach does her company take to address the risks posed by its systems?

〇:Risk Mitigation

Risk can be addressed in four basic ways: transfer, avoidance, mitigation, and acceptance. Sue reduces the risk posed by her e-mail system by implementing security controls such as antivirus and anti-spam software. This is also referred to as risk mitigation, where risk is reduced to a level considered acceptable. Risk can be mitigated by improving procedures, changing the environment, erecting barriers to threats, and implementing early detection techniques to stop threats when they occur and reduce damage.


×:Risk Acceptance

This is inappropriate because risk acceptance does not involve spending on protection or countermeasures such as anti-virus software. When accepting a risk, one should be aware of the level of risk faced and the potential damage costs and decide to keep it without implementing countermeasures. If the cost/benefit ratio indicates that the cost of countermeasures exceeds the potential losses, many companies will accept the risk.


×:Risk Avoidance

Wrong because it would mean discontinuing the activity that is causing the risk. In this case, Sue’s firm decides to continue using e-mail. A company may choose to terminate an activity that introduces risk if the risk outweighs the business needs of the activity. For example, a company may choose to block social media websites in some departments because of the risk to employee productivity.


×:Risk Transfer

This is incorrect because it involves sharing risk with other entities, as in the purchase of insurance to transfer some of the risk to the insurance company. Many types of insurance are available to firms to protect their assets. If a company determines that its total or excess risk is too high to gamble, it can purchase insurance.

#8. Management support is critical to the success of a business continuity plan. Which of the following is most important to provide to management in order to obtain support?

〇:Business Case

The most important part of establishing and maintaining a current continuity plan is management support. Management may need to be convinced of the need for such a plan. Therefore, a business case is needed to obtain this support. The business case should include current vulnerabilities, legal obligations, current status of the recovery plan, and recommendations. Management is generally most interested in cost-benefit issues, so preliminary figures can be gathered and potential losses estimated. Decisions about how a company should recover are business decisions and should always be treated as such.


×:Business Impact Analysis

Incorrect because the Business Impact Analysis (BIA) was conducted after the BCP team gained management’s support for its efforts. A BIA is conducted to identify areas of greatest financial or operational loss in the event of a disaster or disruption. It identifies the company’s critical systems required for survival and estimates the amount of downtime the company can tolerate as a result of a disaster or disruption.


×:Risk Analysis

Incorrect, as this is a method of identifying risks and assessing the potential damage that could be caused to justify security protection measures. In the context of BCP, risk analysis methods should be used in a BIA to identify which processes, devices, or operations are critical and should be recovered first.


×:Threat reports

The answer is wrong because it is unintended. However, it is important for management to understand what the actual threats are to the enterprise, the consequences of those threats, and the potential loss value for each threat. Without this understanding, management pays lip service to continuity planning and in some cases may be worse than if it did not plan because of the false awareness of security it creates.

#9. If you have little or no computer experience, but you have unauthorized access, what methods do you think the perpetrator is using? Which of the following comes closest?

〇:Shoulder Surfing Attacks

Shoulder surfing is a type of browsing attack in which an attacker looks over the shoulder of another person to see what is being typed on that person’s monitor items or keyboard. Of the attacks listed, this is the easiest to perform in that it requires no knowledge of the computer system. Therefore, the correct answer is a shoulder surfing attack.


×:Dictionary attack

A dictionary attack is an unauthorized login that targets users who use words as passwords.


×:Side-channel attack

A side-channel attack is an attack that eavesdrops on system data from physical information.


×:Timing Attacks

A timing attack is an attack in which various input information is given to a device that processes ciphers, and the cipher key or other information is deduced from the difference in processing time. If processing time is taken, it can be inferred as a rough indication that the process is proceeding normally as a process, and so on.

#10. Which of the following is close to the meaning of the basic concept of security measures: multi-layer defense?

Defense-in-Depth is the concept that protection should not be monolithic, but should be multi-layered in all aspects. The term “defense-in-depth” comes close to the alternative, as multiple layers of protection are required to protect against a single vulnerability.

#11. NIST defines best practices for creating a continuity plan. Which phases identify and prioritize critical functions and systems?

〇:Conduct business impact analysis

While no specific scientific equation must be followed to create a continuity plan, certain best practices have been proven over time. The National Institute of Standards and Technology (NIST) organization is responsible for developing and documenting many of these best practices so that they are readily available to all. NIST outlines seven steps in Special Publication 800-34 Rev 1, Continuity Planning Guide for Federal Information Systems. Conduct a business impact analysis. Identify preventive controls. Develop a contingency strategy. Develop an information systems contingency plan. Ensure testing, training, and exercises of the plan. Ensure the plan is maintained. Conduct a business impact analysis by identifying critical functions and systems and prioritize them as needed. It also includes identifying vulnerabilities and threats and calculating risks.


×:Identify preventive controls

Wrong because critical functions and systems are prioritized and preventive controls need to be identified after their vulnerabilities, threats, and identified risks (all of which are part of a business impact analysis). Conducting a business impact analysis involves step 2, which is to create a continuity plan, and step 3, which is to identify preventive controls.


×:Develop a Continuity Plan Policy Statement

This is incorrect because you need to create a policy that provides the guidance needed to develop a business continuity plan and assigns authority to the roles needed to perform these tasks. This is the first step in creating a business continuity plan and is done before identifying and prioritizing critical systems and functions that are part of the business impact analysis.


×:Create contingency strategies

Creating a contingency strategy is incorrect because it requires formulating a method to ensure that systems and critical functions are brought online quickly. Before this can be done, a business impact analysis must be performed to determine critical systems and functions and prioritize them during recovery.

#12. Which is the first step in a business impact analysis?

〇:Creating Data Collection Techniques

Of the steps listed, the first step in a Business Impact Analysis (BIA) is to create a data collection technique. The BCP committee will use questionnaires, surveys, and interviews to collect key person information on how different tasks are accomplished within the organization, along with any relevant dependencies of processes, transactions, or services. Process flow diagrams should be created from this data and used throughout the BIA and planning and development phases.


×:Risk calculations for each different business function

This is incorrect because the risk for each business function is calculated after the business function has been identified. And before that happens, the BCP team needs to collect data from key personnel. To calculate the risk for each business function, qualitative and quantitative impact information must be collected, properly analyzed, and interpreted. Once the data analysis is complete, it should be reviewed with the most knowledgeable people in the company to ensure that the results are relevant and to explain the actual risks and impacts facing the organization. This will flush out any additional data points that were not captured initially and allow for a full understanding of all possible business impacts.


×:Identifying Critical Business Functions

Image B is incorrect because the identification of critical business functions is done after the BCP committee has learned about the business functions that exist by interviewing and surveying key individuals. Once the data collection phase is complete, the BCP committee conducts an analysis to determine which processes, devices, or business activities are critical. If a system stands on its own, does not affect other systems, and is less critical, it can be classified as a Tier 2 or Tier 3 recovery step. In other words, these resources are not processed in the recovery phase until the most critical (Tier 1) resources are up and running.


×:Vulnerability and Threat Identification to Business Functions

This is not the first step and is incorrect because it identifies vulnerabilities and threats to business functions toward the end of the business impact analysis. It is the last of the steps listed in the answer. Threats can be man-made, natural, or technical. It is important to identify all possible threats and estimate their likelihood of occurring. When developing these plans, some issues may not be immediately apparent. These issues are best addressed by groups conducting scenario-based exercises. This ensures that when the threat becomes reality, the plan will have an impact on all business tasks, departments, and critical operations. The more issues that are planned for, the better prepared you will be should these events occur.

#13. Which of the following describes the relationship between COBIT and ITIL?

〇:COBIT defines IT goals, ITIL provides process-level procedures

COBIT is a framework developed by ISACA (formerly the Information Systems Audit and Controls) and the IT Governance Institute (ITGI). It defines goals for controls, not just security needs, to ensure that IT is properly managed and that IT is responsive to business needs. The IT Infrastructure Library (ITIL) is the de facto standard for IT service management best practices. A customizable framework, ITIL provides goals, the general activities required to achieve these goals, and the input and output values for each process required to achieve these determined goals. In essence, COBIT addresses “what needs to be accomplished” and ITIL addresses “how to accomplish”.


×:COBIT is a model of IT governance, ITIL is a model of corporate governance.

While COBIT can be used as a model for IT governance, ITIL is wrong because it is not a model for corporate governance. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a model of corporate governance. COBIT is derived from the COSO framework. COBIT can be thought of as a way to accomplish many COSO goals, but only from an IT perspective. To achieve many of the goals addressed in COBIT, organizations can use ITIL, which provides process-level steps to achieve IT service management goals.


×:COBIT is a model for corporate governance, ITIL is customizable for IT service management.

As mentioned above, COBIT is incorrect because it can be used as a model for IT governance, not corporate governance. COSO is a model of corporate governance. The second half of the answer is correct. ITIL is a customizable framework and is available as either a series of books or online for IT service management.


×:COBIT provides a business objectives framework, ITIL provides an IT service level objectives framework.

This is inappropriate because COBIT defines the control objectives that should be used to properly manage IT, enabling IT to address business needs as well as IT security needs. ITIL provides steps to achieve IT service management goals related to business needs. ITIL was created because of the increased reliance on information technology to meet business needs.

#14. It is not uncommon for business continuity plans to become outdated. What should you do to ensure that your plan does not become outdated?

〇:Business Continuity Processes Integrate Change Management Processes

Unfortunately, business continuity plans can quickly become outdated. An outdated BCP can give a company a false sense of security, which can be fatal if a disaster actually occurs. One of the simplest, most cost-effective, and process-efficient ways to keep your plan current is to incorporate it into your organization’s change management process. Are new applications, equipment, and services documented? Are updates and patches documented? The change management process should be updated to incorporate fields and triggers that alert the BCP team when significant changes occur and provide a means to update recovery documentation. Ensure that the BCP is kept up-to-date, and other measures include maintaining personnel evaluations of the plan and conducting regular training on using the plan, such as making business continuity part of all business decisions.


×:Update hardware, software, and application changes

Wrong because hardware, software, and application changes occur frequently; unless the BCP is part of a change management process, these changes are not included in the BCP. The BCP should be updated when changes to the environment occur. If it is not updated after a change, it is out of date.


×:Infrastructure and Environment Change Updates

Incorrect because infrastructure and environment changes occur frequently. Unless the BCP is part of a change management process, as with software, hardware, and application changes, infrastructure and environment changes are unlikely to result in a transition to the BCP.


×:Personnel changes

Incorrect, as the plan may become obsolete. It is not uncommon for BCPs to be abandoned when the person or persons responsible for maintenance leave the company. These responsibilities must be reassigned. To ensure this, maintenance responsibilities must be built into job descriptions and properly monitored.

#15. Which international organizations are in place to help address the economic, social, and governance challenges of a globalized economy?

〇:Organization for Economic Cooperation and Development

Almost every country has its own set of rules regarding what constitutes private data and how it should be protected. With the advent of the digital and information age, these different laws have begun to adversely affect business and international trade. Thus, the Organization for Economic Cooperation and Development (OECD) created guidelines for different countries to ensure that data is properly protected and that everyone follows the same rules.



An organization that studies fraudulent financial reporting and which elements lead to them is fraudulent because the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was established in 1985. The acronym COSO refers to a model of corporate governance that addresses IT at the strategic level, corporate culture, and financial accounting principles.


×:COBIT (Control Objectives for Information and Related Technology)

Incorrect, as this framework defines control objectives to ensure that IT is properly managed and that IT is responsive to business needs. It is an international open standard that provides control and security requirements for sensitive data and reference frameworks.


×:International Organization for Standardization (ISO)

Incorrect because it is an international standards organization composed of representatives of national standards bodies. Its purpose is to establish global standardization. But its standardization goes beyond the privacy of data moving across international borders. For example, some standards address quality control; others address assurance and security.

#16. Would it make sense to measure marketing metrics from a security perspective?

〇:Yes. The same goal should be held because there is security in achieving corporate goals.

There are KPIs and other marketin indicators to achieve organizational goals. Developing a security function in the organization also exists to achieve these goals.


×:Yes. Marketing in the security industry is allowed to be risk-off.

By “marketing in the security industry,” I do not mean aligning the security function within the organization.


×:No. The division of labor should be strictly enforced and left to specialists.

While the division of labor in an organization is certainly important, all members of the organization need to be security conscious.


×:No. Security has nothing to do with confidential information that would be an executive decision.

Security should be addressed by the entire organization. It is not irrelevant.

#17. Which of the following is NOT a characteristic of a company with a security governance program?

〇:All security activities shall be conducted within the security department.

When all security activities are performed within the security department, security functions within a silo and is not integrated throughout the organization. In companies that have a security governance program in place, security responsibilities are pervasive throughout the organization, from senior management down the chain of command. A common scenario is executive management with the executive director of operations responsible for risk management activities for a particular business unit. Additionally, employees are responsible for malicious or accidental security breaches.


×:Officers will be updated quarterly on the company’s security status.

Incorrect. Security governance is providing strategic guidance, ensuring that goals are being met, risks are properly managed, and resources are used responsibly. Organizations with a security governance program have a board of directors that understands the importance of security and is aware of the organization’s security performance and breaches.


×:Deploy security products, services, and consultants in an informed manner.

Security governance is incorrect because it is a cohesive system of integrated security components that includes products, people, training, and processes. Therefore, organizations that have a security governance program in place will assist consultants with security products, management services, and consultants in an informed manner. They are also constantly reviewed to ensure they are cost effective.


×:The organization establishes metrics and goals for improving security.

inaccurate because security governance requires performance measurement and oversight mechanisms. Organizations that have a security governance program in place are continually reviewing their processes, including security, with the goal of continuous improvement. On the other hand, an organization lacking a security governance program may proceed without analyzing its performance, thus repeating the same mistakes.

#18. Which of the following are effective methods that you as a software system administrator can implement to prevent significant damage?

〇:Regular software updates

You are the system administrator. As an administrator, what you should be doing is updating software on a regular basis. Therefore, the correct answer is “regular software updates.

There may be some that you should implement, but choosing the better of the two will also be tested in the actual exam.


×:Sophisticated product selection

In most cases, products that meet the requirements will be selected in accordance with the Request for Proposal (RFP) presented by the customer. Existing system administrators may be involved in some of these discussions, but this is not an appropriate response.


×:Early reporting to your supervisor

In all jobs, reporting to the supervisor is probably an essential part of the job. Here, however, it is more appropriate to focus on your position as a software system administrator.


×:Human resources to monitor the system

A resident system may allow you to deal with problems in a timely manner. However, here, it is more appropriate to focus on the position as a system administrator of the software.

#19. Which of the following is a core idea as a threat analysis by PASTA?

P.A.S.T.A. is a seven-step process to find ways to protect the value of your assets while analyzing your compliance and business. P.A.S.T.A. provides a roadmap. Threat management processes and policies can be discovered. The main focus is on finding threats, which is where risk-centric thinking and simulation come into play.

#20. Vender Inc. does not want its logo to be used without permission. Which of the following would protect the logo and prevent others from copying and using it?


Intellectual property can be protected by several different laws, depending on the type of resource. Trademarks are used to protect words, names, symbols, sounds, shapes, colors, or combinations of these, such as logos. The reason a company registers one of these trademarks, or a combination of these trademarks, is to represent their company (brand identity) to the world. Therefore, the correct answer is “trademark”.



A patent is a monopoly right to use a technology for something that is very difficult to invent, such as a medicine.



A copyright is a right to something that is not technical, such as music or a book, but something that is thought up and created.


×:Trade Secrets

Trade secrets are information that is useful and confidential as a business activity, such as customer information, product technology and manufacturing methods.