Domain 5 – Governance, Risk, and Compliance

https://www.udemy.com/course/comptia-security-601-practice-exam-domain-1-5/learn/quiz/6105232

Question 1

What is the purpose of a ==risk assessment== in an organization’s security strategy?

  • Identifying vulnerabilities

  • Determining compliance requirements

  • Assigning blame in case of a security incident

  • Evaluating the cost of security measures

Overall explanation

A) The primary purpose of a risk assessment is to identify potential threats, vulnerabilities, and their potential impact on an organization’s assets. It’s a fundamental step in developing effective security measures.

Incorrect answers:

B) Determining compliance requirements: While a risk assessment contributes to understanding compliance needs, its primary aim is identifying risks, not determining specific compliance requirements.

C) Assigning blame in case of a security incident: A risk assessment is not about assigning blame but rather about proactively identifying potential risks.

D) Evaluating the cost of security measures: Cost considerations might be part of risk assessment, but its primary purpose is identifying risks, not evaluating the cost of security measures.

Question 2

How does the principle of "==Clean Desk Space==" contribute to an organization’s security measures?

  • Reducing employee engagement by limiting personal desk items

  • Limiting access to certain work areas to specific employee roles

  • Ensuring employees regularly clean and organize their workstations

  • Preventing unauthorized access to sensitive documents left on desks

Overall explanation

D) The concept of a clean desk space involves ensuring sensitive information and documents are not left exposed, thus reducing the risk of unauthorized access to such materials.

Incorrect answers:

A) Unrelated to the security purpose of the clean desk policy.

B) More related to physical access controls rather than clean desk space policy.

C) While good practice, it’s not the primary objective of the clean desk policy.

Question 3

Why is "==Job Rotation==" considered a valuable security measure within organizations?

  • Preventing unauthorized access to company resources

  • Ensuring employees clean their desk spaces regularly

  • Limiting access to sensitive data through mandatory vacations

  • Mitigating risks by rotating employees through different job responsibilities

Overall explanation

D) Job Rotation helps reduce the risk of fraud, errors, and misuse by moving employees through various job roles, which provides cross-training and prevents potential abuse of access.

Incorrect answers:

A) Pertains more to access control measures than job rotation.

B) Relates to a clean desk policy, not specifically to job rotation.

C) Refers to a different security control (mandatory vacations) rather than job rotation.

Question 4

How does an "==Acceptable Use Policy==" contribute to an organization’s security framework?

  • Limiting access to specific work areas to certain employee roles

  • Outlining guidelines for appropriate use of company resources and systems

  • Implementing mandatory background checks for all employees

  • Rotating employees through different job roles periodically

Overall explanation

B) An Acceptable Use Policy defines acceptable behaviors regarding the use of company resources, systems, and information, reducing risks associated with improper use.

Incorrect answers:

A) Pertains more to physical security measures than to an Acceptable Use Policy.

C) Important but a different policy and procedure in security management.

D) Pertains to job rotation, not specifically related to an Acceptable Use Policy.

Question 5

In the context of security best practices, what does "==Separation of Duties==" aim to achieve?

  • Assigning multiple duties to a single individual to maximize productivity

  • Limiting an employee’s access to specific areas of the workplace

  • Restricting an employee’s access to sensitive data and systems

  • Dividing tasks among different individuals to prevent fraud and errors

Overall explanation

D) "Separation of Duties" ensures that critical functions are divided among multiple individuals to reduce the risk of fraud, errors, and misuse of power.

Incorrect answers:

A) Contradicts the principle of separation of duties, which aims to distribute tasks for checks and balances.

B) Pertains more to physical security measures than separation of duties.

C) Partially related to least privilege but not specific to separation of duties.

Question 6

What role do ==Preventive Controls== play in an organization’s security framework?

  • Correcting and mitigating the impact of security incidents

  • Identifying and alerting on the presence of security incidents

  • Blocking potential security incidents from occurring

  • Establishing secure data backups and recovery plans

Overall explanation

C) Preventive Controls are measures or mechanisms put in place to prevent security incidents from happening or to reduce the likelihood of their occurrence.

Incorrect answers:

A) This aligns more with corrective controls, which focus on addressing incidents after they happen.

B) Falls under detective controls, which aim to identify security incidents rather than prevent them.

D) Primarily associated with recovery controls, ensuring systems can be restored after an incident.

Question 7

What is the primary purpose of ==Corrective Controls== in the realm of cybersecurity governance?

  • Preventing potential security incidents

  • Quickly responding to security incidents as they occur

  • Correcting and mitigating the impact of security incidents

  • Establishing robust access control measures

Overall explanation

C) Corrective Controls aim to correct and reduce the impact of security incidents after they’ve occurred, working to restore affected systems.

Incorrect answers:

A) More aligned with preventive controls rather than corrective measures.

B) Corrective Controls focus on correction and mitigation, not immediate response.

D) This aligns more with preventive controls than corrective measures.

Question 8

How do ==Deterrent Controls== contribute to an organization’s security strategy?

  • Providing immediate response to security incidents

  • Discouraging potential attackers from targeting the organization

  • Identifying and mitigating security vulnerabilities

  • Establishing secure data backups and recovery plans

Overall explanation

B) Deterrent Controls aim to dissuade potential attackers or threats from targeting the organization by creating visible deterrents.

Incorrect answers:

A) Deterrent Controls focus on discouraging attacks rather than responding to them.

C) This aligns more with preventive or corrective controls, not specifically deterrent measures.

D) Pertains more to recovery controls rather than the primary function of deterrent controls.

Question 9

In terms of risk management, what does the term "==Risk Appetite==" refer to?

  • The maximum risk level an organization is willing to accept

  • The likelihood of a security incident occurring

  • The overall risk exposure of the organization

  • The effectiveness of risk mitigation strategies

Overall explanation

A) Risk Appetite signifies the level of risk an organization is willing to accept or tolerate before taking action.

Incorrect answers:

B) Refers more to risk probability or likelihood rather than organizational tolerance.

C) Alludes to the total risk but doesn’t specifically address the maximum level an organization accepts.

D) Concentrates on the efficiency of risk reduction rather than the threshold of risk acceptance.

Question 10

What does the term "==Chain of Custody==" primarily refer to?

  • Documentation of evidence handling procedures

  • Tracking unauthorized access attempts

  • Cataloging software and hardware inventory

  • Maintaining system backups

Overall explanation

A) The "Chain of Custody" refers to a documented trail that records the chronological history of evidence handling, ensuring its integrity and admissibility in legal proceedings.

Incorrect answers:

B) More aligned with intrusion detection or monitoring rather than evidence handling procedures.

C) Not directly related to handling evidence, which is the primary focus of the Chain of Custody.

D) While essential, this isn’t the primary focus of the Chain of Custody, which relates to evidence documentation.

Question 11

Which term refers to a legal statement ensuring that two parties will keep specific information confidential?

  • Non-Disclosure Agreement (NDA)

  • Memorandum of Understanding (MOU)

  • Service Level Agreement (SLA)

  • Business Partnership Agreement

Overall explanation

A) An NDA is a legally binding contract between two or more parties, ensuring that specific information remains confidential and is not shared with others.

Incorrect answers:

B) Usually outlines broader terms of an agreement or understanding between parties but doesn’t primarily focus on confidentiality.

C) Concerns performance metrics and service commitments between service providers and customers rather than confidentiality.

D) Focuses on terms of a business relationship rather than confidentiality.

Question 12

What is the primary function of a ==Privacy Impact Assessment (PIA)==?

  • Assessing the financial impact of security breaches

  • Identifying potential risks to individual privacy

  • Evaluating the effectiveness of security controls

  • Analyzing the impact of data encryption methods

Overall explanation

B) A Privacy Impact Assessment primarily aims to identify and evaluate potential risks to individual privacy within a specific system or process.

Incorrect answers:

A) While crucial, this is not the main function of a PIA, which is focused on privacy risks.

C) PIAs are more concerned with privacy risks than the overall effectiveness of security controls.

D) Encryption is a security control; a PIA addresses broader privacy concerns beyond encryption impact.

Question 13

What is the purpose of a ==Security Risk Assessment==?

  • Identifying security controls

  • Evaluating the impact of a security breach

  • Measuring and managing potential risks

  • Testing the effectiveness of disaster recovery plans

Overall explanation

C) A Security Risk Assessment involves identifying, analyzing, and managing potential risks within an organization’s security landscape.

Incorrect answers:

A) While it could be a result of a risk assessment, the primary purpose is to assess risks, not identify controls.

B) Assessing the impact of a breach is different from a risk assessment.

D) Although important, this specifically deals with the effectiveness of disaster recovery, not the comprehensive risk assessment.

Question 14

Which term describes the process of ==quantifying the possible losses== from a particular risk?

  • Risk Analysis

  • Risk Mitigation

  • Risk Assessment

  • Risk Management

Overall explanation

A) Risk analysis involves the process of evaluating potential losses from a specific risk in terms of impact and likelihood.

Incorrect answers:

B) Risk Mitigation: Refers to the methods used to reduce, transfer, or avoid risks rather than quantifying the potential losses.

C) Risk Assessment: Involves evaluating risks, but it doesn’t directly quantify the potential losses associated with those risks.

D) Risk Management: Involves the overall process of identifying, assessing, and mitigating risks, rather than specifically quantifying potential losses.

Question 15

Which of the following is an essential component of a ==security policy framework== in an organization?

  • Conducting regular vulnerability assessments

  • Providing physical access controls

  • Establishing a business continuity plan

  • Configuring network firewalls

Overall explanation

C) A business continuity plan is vital for operations during and after a disaster or security breach.

Incorrect answers:

A) Important but not a policy framework component.

B) Pertains more to physical security than policy framework.

D) Important for security but a specific security control rather than a policy framework component.

Question 16

What is the primary ==goal of governance== in the context of information security?

  • Implementing technical controls

  • Establishing policies and procedures

  • Performing vulnerability assessments

  • Enforcing user training

Overall explanation

B) Governance in information security is primarily concerned with setting up a framework of policies, procedures, and controls to guide an organization’s security posture. These policies are designed to align with the organization’s objectives and ensure compliance.

Incorrect answers:

A) Implementing technical controls: Governance sets the rules and framework but doesn’t directly implement technical controls.

C) Performing vulnerability assessments: Vulnerability assessments are part of the risk management process, not governance.

D) Enforcing user training: Though training is a crucial aspect, governance focuses on establishing the guidelines rather than directly enforcing training.

Question 17

Which of the following is an example of a compliance standard relevant to the handling of payment card data?

  • HIPAA

  • PCI DSS

  • FERPA

  • ISO/IEC 27001

Overall explanation

B) PCI DSS (Payment Card Industry Data Security Standard). PCI DSS is specifically designed to ensure the secure handling of cardholder information. It applies to all organizations that handle credit card data.

Incorrect answers:

A) HIPAA: HIPAA deals with healthcare-related data privacy and security, not payment card data.

C) FERPA: FERPA relates to educational records’ privacy, not payment card data.

D) ISO/IEC 27001: While this is a general information security standard, it’s not specifically focused on payment card data but on information security management systems in general.

Question 18

What role does the CISO (Chief Information Security Officer) typically play in an organization’s security governance?

  • Developing software applications

  • Implementing firewalls and intrusion detection systems

  • Enforcing security policies and procedures

  • Managing HR operations

Overall explanation

C) The CISO is primarily responsible for establishing and enforcing security policies and procedures, aligning them with the organization’s objectives.

Incorrect answers:

A) Developing software applications: This responsibility typically belongs to software development teams, not the CISO.

B) Implementing firewalls and intrusion detection systems: Implementation is generally handled by security teams, not the CISO directly.

D) Managing HR operations: The CISO focuses on security-related activities rather than HR functions.

Question 19

How does governance differ from compliance in the context of security management?

  • Governance deals with regulations, while compliance focuses on internal policies

  • Governance refers to policies, while compliance refers to risk assessment

  • Governance defines the rules, while compliance ensures adherence to those rules

  • Governance establishes procedures, while compliance dictates technology use

Overall explanation

C) Governance defines the rules, while compliance ensures adherence to those rules. Governance sets the framework, rules, and guidelines for security, while compliance is about conforming to those rules and standards.

Incorrect answers:

A) Governance deals with regulations, while compliance focuses on internal policies: Both governance and compliance involve rules and regulations, but their focus areas differ.

B) Governance refers to policies, while compliance refers to risk assessment: Compliance involves adherence to policies, but it’s not focused on risk assessment.

D) Governance establishes procedures, while compliance dictates technology use: Compliance ensures alignment with established rules, but it doesn’t dictate specific technology use.

Question 20

What is the main purpose of a compliance audit?

  • Identifying vulnerabilities

  • Ensuring conformity to established standards and regulations

  • Conducting risk assessments

  • Creating security policies

Overall explanation

B) A compliance audit verifies whether an organization is adhering to relevant laws, regulations, and internal policies regarding security measures.

Incorrect answers:

A) Compliance audits primarily focus on conformity rather than identifying vulnerabilities.

C) Risk assessments concentrate on identifying risks rather than ensuring compliance.

D) Compliance audits check adherence to policies rather than crafting them.

Question 21

How does risk acceptance differ from risk avoidance in risk management?

  • Risk acceptance involves mitigating identified risks, while risk avoidance ignores potential risks

  • Risk acceptance is acknowledging the existence of a risk without taking action, while risk avoidance is actively working to eliminate risks

  • Risk acceptance transfers identified risks to a third party, while risk avoidance mitigates risks within the organization

  • Risk acceptance is embracing identified risks, while risk avoidance is eliminating the risk by investing in insurance

Overall explanation

B) Risk acceptance means acknowledging the existence of a risk without taking actions to mitigate it, whereas risk avoidance involves active measures to eliminate or reduce the risk.

Incorrect answers:

A) Risk acceptance doesn’t involve mitigating risks; it’s about acknowledging their presence.

C) Risk acceptance and risk avoidance do not necessarily involve third-party transfers but rather the strategies applied within the organization.

D) Risk avoidance involves proactive measures to eliminate risks, not merely investing in insurance.

Question 22

What is the primary objective of a security policy in an organization?

  • Enforcing legal regulations

  • Providing technical guidance for IT professionals

  • Communicating management’s directives for security

  • Establishing penalties for security breaches

Overall explanation

C) Security policies in an organization communicate management’s directives and expectations for security measures to ensure alignment and compliance throughout the organization.

Incorrect answers:

A) Enforcing legal regulations: Security policies aim to guide an organization’s internal security measures, not enforce external legal regulations.

B) Providing technical guidance for IT professionals: While policies might include technical aspects, they are broader directives, not specifically technical guidelines.

D) Establishing penalties for security breaches: Policies guide behavior but don’t solely establish penalties; those are typically part of an incident response plan.

Question 23

What is the primary objective of a data classification policy in an organization’s security framework?

  • To define security measures for physical data storage

  • To categorize data based on sensitivity and define handling procedures

  • To outline procedures for disaster recovery

  • To encrypt all sensitive data

Overall explanation

B) A data classification policy establishes how data should be categorized based on sensitivity levels and outlines appropriate handling procedures for each category.

Incorrect answers:

A) Data classification policies are more focused on categorization and handling than on physical storage.

C) Disaster recovery policies primarily address recovery after an incident, not data categorization.

D) While encryption is a crucial part, the policy is broader and includes classification and handling guidelines.

Question 24

What is the primary focus of a change management process in an organization’s security governance?

  • Implementing security incident response plans

  • Reviewing security policies quarterly

  • Controlling modifications to systems and environments

  • Evaluating security awareness training effectiveness

Overall explanation

C) Change management in security governance primarily focuses on controlling and documenting modifications to systems, configurations, and environments to maintain security and reduce risks associated with changes.

Incorrect answers:

A) Incident response plans are for addressing security incidents, not the same as change management.

B) Policy reviews are part of governance but different from change management.

D) Training evaluation is essential but not the primary focus of change management.

Question 25

Which term refers to the maximum acceptable amount of time a system can be unavailable before it starts causing severe damage to the organization?

  • MTBF (Mean Time Between Failures)

  • RTO (Recovery Time Objective)

  • MTTR (Mean Time to Repair)

  • MTD (Maximum Tolerable Downtime)

Overall explanation

D) MTD is the maximum duration a system can be down before severe damage occurs to the organization.

Incorrect answers:

A) MTBF refers to the average time between failures, not the maximum allowable downtime.

B) RTO is the targeted duration for restoring services after an incident.

C) MTTR is the average time it takes to repair a failed system but doesn’t indicate maximum tolerable downtime.

Question 26

What is the primary purpose of a security awareness training program within an organization?

  • Implementing security controls

  • Identifying security incidents

  • Educating employees about security best practices

  • Responding to security breaches

Overall explanation

C) Security awareness training aims to educate employees about security best practices and potential threats.

Incorrect answers:

A) Training educates but doesn’t directly implement controls.

B) While training may help recognize incidents, it’s not the primary goal.

D) Training is preventive, not reactive in handling breaches.

Question 27

What is the primary objective of an IT audit of an organization’s security governance?

  • Ensuring all software is up-to-date

  • Verifying compliance with policies and regulations

  • Implementing new security protocols

  • Assessing user access controls

Overall explanation

B) An IT audit primarily aims to assess and ensure that the organization complies with established policies, regulations, and industry standards.

Incorrect answers:

A) Though important, ensuring software updates isn’t the primary objective of an IT audit in security governance.

C) IT audits typically assess adherence to existing protocols rather than introducing new ones.

D) While this can be a part of an audit, the primary focus is compliance with policies and regulations.

Question 28

Which regulation is specifically designed to protect the privacy of individuals’ personally identifiable information (PII)?

  • GDPR

  • SOX

  • GLBA

  • FERPA

Overall explanation

A) GDPR (General Data Protection Regulation) is specifically designed to protect the privacy of individuals’ personally identifiable information within the European Union and the European Economic Area.

Incorrect answers:

B) SOX (Sarbanes-Oxley Act) primarily focuses on financial reporting regulations for public companies in the United States.

C) GLBA (Gramm-Leach-Bliley Act) is focused on financial institutions’ requirements for safeguarding customers’ non-public personal information.

D) FERPA (Family Educational Rights and Privacy Act) is related to the privacy of student educational records, not specifically PII in a broader context.

Question 29

What type of risk is associated with the potential financial loss due to human errors, fraud, or intentional sabotage within an organization?

  • Compliance risk

  • Human error risk

  • Operational risk

  • Financial risk

Overall explanation

C) Operational risk involves potential financial loss resulting from human errors, fraud, or deliberate sabotage within an organization.

Incorrect answers:

A) Compliance risk involves potential financial loss due to the failure to comply with industry regulations or standards.

B) While human errors are a component, this term doesn’t capture fraud or deliberate sabotage.

D) Financial risk encompasses a broader range, not specifically limited to internal errors or fraud.

Question 30

What type of risk involves potential financial loss due to the inability to recover from a disaster or unexpected event?

  • Operational risk

  • Compliance risk

  • Business continuity risk

  • Legal risk

Overall explanation

C) Business continuity risk refers to the potential financial loss resulting from an organization’s inability to recover from a disaster or unexpected event.

Incorrect answers:

A) Operational risk involves the risk of loss due to failed internal processes, systems, or people.

B) Compliance risk refers to the potential of financial loss or damage to an organization’s reputation resulting from its failure to comply with laws and regulations.

D) Legal risk involves the potential financial loss resulting from legal actions, lawsuits, or regulatory sanctions.

Question 31

How does implementing account lockout policies contribute to credential security within an organization?

  • Encourages employees to use simple passwords

  • Prevents unauthorized access by limiting login attempts

  • Ensures continuous access to all user accounts

  • Allows unlimited login attempts without restriction

Overall explanation

B) Account lockout policies prevent unauthorized access by restricting the number of unsuccessful login attempts, enhancing credential security.

Incorrect answers:

A) Account lockout policies do not encourage the use of simple passwords, but rather discourage unauthorized access through repeated attempts.

C) Account lockout policies restrict access after multiple failed login attempts to prevent unauthorized entry.

D) This statement is incorrect; account lockout policies aim to limit the number of unsuccessful login attempts.

Question 32

Which type of System and Organization Controls (SOC) report is based on the design and suitability of controls at a specific point in time?

  • SSAE SOC 1 Type I

  • SSAE SOC 2 Type I

  • SSAE SOC 1 Type II

  • SSAE SOC 2 Type II

Overall explanation

B) SOC 2 Type I reports focus on the design and suitability of controls at a specific point in time.

Incorrect answers:

A) SSAE SOC 1 Type I: SOC 1 Type I reports focus on controls relevant to financial reporting and are not related to the design and suitability of controls at a specific time.

C) SSAE SOC 1 Type II: SOC 1 Type II reports concentrate on the operational effectiveness of controls over a specific time period rather than design.

D) SSAE SOC 2 Type II: SOC 2 Type II reports assess the operational effectiveness and suitability of controls over a specified period, not just the design.

Question 33

What should be included in a comprehensive third-party risk management plan?

  • Legal disclaimers for liability

  • Regular security audits of the organization

  • A process for onboarding new employees

  • Assessment of third-party access and controls

Overall explanation

D) A comprehensive third-party risk management plan should involve assessing third-party access levels and the controls in place to manage those access privileges.

Incorrect answers:

A) While legal disclaimers are important for contractual agreements, they are not directly related to risk management or security assessments.

B) While essential for the organization’s internal security, it doesn’t directly address third-party risk.

C) Onboarding processes for employees are not part of third-party risk management but rather internal HR procedures.

Question 34

How can "Phishing Campaigns" benefit an organization’s security preparedness?

  • By encouraging employees to share personal information to improve teamwork

  • By identifying and educating employees on recognizing and avoiding phishing attempts

  • By distributing email links for users to click and win prizes for engagement

  • By implementing random system shutdowns to test employee response time

Overall explanation

B) Phishing campaigns help in identifying vulnerable employees and educating them on spotting and avoiding phishing attempts, thereby strengthening security awareness.

Incorrect answers:

A) Contrary to the goal of security awareness campaigns, and it poses a security risk in itself.

C) Promotes unsafe behavior and disregards the risks associated with phishing attempts.

D) Unrelated to the purpose of phishing campaigns in educating employees on security threats.

Question 35

In the context of security training, what is the primary goal of a "Capture the Flag" exercise?

  • To capture sensitive information through network security breaches

  • To engage employees in a competitive outdoor team-building exercise

  • To simulate real-world cyber-attack scenarios for skill improvement

  • To test physical security measures within the workplace

Overall explanation

C) Capture the Flag exercises simulate real-world cyber-attack scenarios, helping participants improve their skills and responses.

Incorrect answers:

A) Misinterprets the exercise’s goal, as it’s about defensive learning, not actual hacking.

B) The exercise is related to cybersecurity, not outdoor team-building.

D) Capture the Flag exercises are specific to cyber scenarios, not physical security.

Question 36

How is "Asset Value" defined in a risk assessment?

  • The monetary value of a specific risk occurrence

  • The overall worth of an organization’s physical and digital resources

  • The probability of a risk’s impact on the organization

  • The total value of all potential annual losses within an organization

Overall explanation

B) Asset value refers to the total worth of an organization’s assets, both physical and digital, which are subject to risk.

Incorrect answers:

A) Represents Single-Loss Expectancy (SLE), not asset value.

C) Describes likelihood, not asset value.

D) Refers to Annualized Loss Expectancy (ALE), not asset value.

Question 37

What does "Annualized Loss Expectancy (ALE)" represent in a risk assessment?

  • The likelihood of occurrence of a specific risk over a year

  • The total potential loss from a specific risk in a year

  • The qualitative nature of a potential risk impact

  • The value assigned to a single occurrence of a potential risk

Overall explanation

B) ALE represents the total expected loss from a particular risk over a year, factoring in SLE and ARO.

Incorrect answers:

A) This refers to the Annualized Rate of Occurrence (ARO), not ALE.

C) Pertains to qualitative assessment, not ALE.

D) Defines Single-Loss Expectancy (SLE), not ALE.

Question 38

What is the primary goal of "Risk Control Self-Assessment" within an organization?

  • Determining the inherent risks of specific activities

  • Evaluating the effectiveness of control measures

  • Assessing the residual risks after implementing controls

  • Increasing employee awareness of workplace risks

Overall explanation

B) The primary goal of Risk Control Self-Assessment is to assess and gauge the effectiveness of control measures in place to manage risks within the organization.

Incorrect answers:

A) This is related to identifying inherent risk, not evaluating control effectiveness.

C) Pertains to residual risk assessment, not specifically risk control self-assessment.

D) Relates more to general risk awareness training rather than the specific aim of self-assessment.

Question 39

What does "Residual Risk" represent in the context of risk management?

  • The risk level after implementing risk controls

  • The initial risk level identified in a risk self-assessment

  • Employee awareness of potential risks in the workplace

  • The inherent risks associated with a particular activity

Overall explanation

A) Residual risk represents the remaining level of risk after all applicable controls, safeguards, and mitigations have been applied.

Incorrect answers:

B) This represents the inherent risk, not residual risk.

C) Pertains to risk awareness but not specifically residual risk.

D) Represents inherent risk, not residual risk.

Question 40

What is the primary aim of "Mandatory Vacation" within an organization’s security strategy?

  • Providing employees time off for relaxation and stress reduction

  • Limiting access to specific areas of the workplace to certain roles

  • Ensuring sensitive roles are temporarily filled by other staff

  • Preventing potential risks or fraud by requiring employees to take time off

Overall explanation

D) Mandatory vacations ensure that employees take time off, reducing the potential for fraud or errors by requiring others to cover their roles temporarily.

Incorrect answers:

A) While a benefit, this isn’t the primary purpose within the context of security.

B) More related to access controls than mandatory vacations.

C) This is a positive outcome but not the primary aim of mandatory vacations in security strategy.