CompTIA Security Plus Mock Test Q1552

A chief information officer (CIO) is concerned about PII contained in the organization’s various data warehouse platforms. Since not all of the PII transferred to the organization is required for proper operation of the data warehouse application, the CIO requests that the unneeded PII data be parsed and securely discarded. Which of the following controls would be MOST appropriate in this scenario?

A. Execution of PII data identification assessments
B. Implementation of data sanitization routines
C. Encryption of data-at-rest
D. Introduction of education programs and awareness training
E. Creation of policies and procedures

Correct Answer: E
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1473

A chief privacy officer, Joe, is concerned that employees are sending emails to addresses outside of the company that contain PII. He asks the security technician to implement technology that will mitigate this risk. Which of the following would be the best option?

A. DLP
B. HIDS
C. Firewall
D. Web content filtering

Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q477

A security administrator is auditing a database server to ensure the correct security measures are in place to protect the data. Some of the fields consist of people’s first name, last name, home address, date of birth and mother’s last name. Which of the following describes this type of data?

A. PII
B. PCI
C. Low
D. Public

Correct Answer: A
Section: Compliance and Operational Security

Explanation:
PII is any information, or portion of information, that can be used to trace back to a specific person; it is usually data such as first name, last name, home address, date of birth, etc.

Incorrect Answers:
B: PCI refers to the payment card industry (or even to PCI adapters); it is certainly not a description of personal information in a database.
C: Data classified as Low does not comprise personally identifiable data.
D: Public data is not the classification that requires security measures to protect data in a database.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 113

CompTIA Security Plus Mock Test Q442

It is important for staff who use email messaging to provide PII to others on a regular basis to have confidence that their messages are not intercepted or altered during transmission. They are concerned about which of the following types of security control?

A. Integrity
B. Safety
C. Availability
D. Confidentiality
Correct Answer: A
Section: Compliance and Operational Security

Explanation:
Integrity means that the messages/data are not altered. PII is personally identifiable information that can be used to uniquely identify an individual. PII can be used to ensure the integrity of data/messages.

Incorrect Answers:
B: Safety concerns refer to the physical aspect of security; the focus is on measures such as fences, lighting, locks, CCTV, escape plans, etc.
C: Availability refers to the measures that are used to keep services and systems operational.
D: Confidentiality would refer to preventing unauthorized users from accessing the messages.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 401, 404, 413, 414

CompTIA Security Plus Mock Test Q376

Sara, a security analyst, is trying to prove to management what costs they could incur if their customer database was breached. This database contains 250 records with PII. Studies show that the cost per record for a breach is $300. The likelihood that their database would be breached in the next year is only 5%. Which of the following is the ALE that Sara should report to management for a security breach?

A. $1,500
B. $3,750
C. $15,000
D. $75,000

Correct Answer: B
Section: Compliance and Operational Security

Explanation:
SLE × ARO = ALE, where SLE (single loss expectancy) is equal to asset value (AV) times exposure factor (EF), and ARO is the annualized rate of occurrence.
SLE = 250 × $300 = $75,000; ARO = 5% = 0.05
ALE = $75,000 × 0.05 = $3,750

Incorrect Answers:
A: A $1,500 amount assumes a breach likelihood of 2%.
C: A $15,000 amount assumes that the likelihood of a breach is 20%.
D: $75,000 would be the single loss expectancy.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 5-6

CompTIA Security Plus Mock Test Q322

Used in conjunction, which of the following are PII? (Select TWO).

A. Marital status
B. Favorite movie
C. Pet’s name
D. Birthday
E. Full name

Correct Answer: D, E
Section: Compliance and Operational Security

Explanation:
Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person’s name to a fingerprint (think biometrics), credit card number, or patient record. A birthday together with a full name makes it personally identifiable information.

Incorrect Answers:
A: Marital status is shared by many people and thus is not personally identifiable information.
B: Many people can share a liking for the same movie.
C: A pet’s name is not personally identifiable information.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 404

CompTIA Security Plus Mock Test Q321

Which of the following policies is implemented in order to minimize data loss or theft?

A. PII handling
B. Password policy
C. Chain of custody
D. Zero day exploits

Correct Answer: A
Section: Compliance and Operational Security

Explanation:
Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of Internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. Personally identifiable information (PII) is a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person’s name to a fingerprint (think biometrics), credit card number, or patient record. Thus a PII handling policy can be used to protect this data and minimize its loss or theft.

Incorrect Answers:
B: A password policy is usually implemented to control access to resources.
C: Chain of custody refers to a basic forensic procedure that applies after an event has occurred.
D: When a hole is found in a web browser or other software and attackers begin exploiting it the very day it is discovered by the developer (bypassing the one-to-two-day response time that many software providers need to put out a patch once the hole has been found), it is known as a zero-day exploit.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 338, 404

CompTIA Security Plus Mock Test Q122

A network administrator is asked to send a large file containing PII to a business associate. Which of the following protocols is the BEST choice to use?

A. SSH
B. SFTP
C. SMTP
D. FTP

Correct Answer: B
Section: Network Security

Explanation:
SFTP encrypts authentication and data traffic between the client and server by making use of SSH to provide secure FTP communications. As a result, SFTP offers protection for both the authentication traffic and the data transfer taking place between a client and server.

Incorrect Answers:
A: SSH is the transport employed by SFTP; on its own it is not a file transfer protocol.
C: SMTP is the email-forwarding protocol used on the Internet and intranets.
D: Standard FTP does not provide any confidentiality protection because it sends all data in the clear.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 49, 50