SACP - correct answer ✔✔Security Awareness and Culture Professional
Review Organization's Mission and Goals - correct answer ✔✔Conduct a series of interviews or
quick surveys to understand how different divisions, divisional leaders, and other demographic
groups view security, how well they understand policy and best practices, and what they truly
hold important (TSA-253)
These conversations also reveal whether key executives are aligned, and which political or
logistical hurdles you will need to work through
Review Risk Assessment Reports - correct answer ✔✔Are there any deficiencies that need to be
improved?
"There is a gulf of difference between the most critical potential threats and the most likely
successful threats, and the difference matters more than everything else." (DDD-226)
"Risk assessment tries to predict what threats an organization is most likely to be exposed to in
the future. Any risk assessment assumes the risk that the predicted threats and risks might not
align to the actual risks and threats that occur in the future." (DDD-226)
It is almost certain that no risk assessment will be 100% accurate
Risk tolerance level - correct answer ✔✔the measure of risk that can be lived with, or the
chance of failure that is at an acceptable level (understanding that zero risk is unachievable)
Are there any deficiencies that need to be improved? (Risk Assessment) - correct answer ✔✔Is
threat intelligence accurate about the top current and future most likely successful threats?
Is threat detection of the top threats accurate?
Are there too many false negatives or false positives?
Are there some top threats that you are missing altogether?
Are emerging threats being seen and dealt with faster?
Review Risk Management Reports - correct answer ✔✔How can your security awareness
program play a role in implementing risk-aligned mitigation strategies against your org's biggest
threats? (DDD)
Are there any deficiencies that need to be improved? (DDD-182)
Are root causes being identified and acted upon?
Are communications focusing on the right things and communicating them across the
organization?
Can all employees name the top successful threats?
Are the right mitigations being applied, and how do they succeed?
Document and Validate Compliance Objectives - correct answer ✔✔Map your program to
established industry best practices (such as the NIST Cybersecurity Framework or the National
Association of Corporate Directors guidance on cybersecurity)
PCI DSS - correct answer ✔✔§12.6 - Make all employees aware of the importance of cardholder
information security.
• Educate employees (for example, through posters, letters, memos, meetings and promotions).
• Require employees to acknowledge in writing that they have read and understood the company's
security policy and procedures.
(This is the wording of an early PCI DSS edition; the security awareness requirement is still
numbered 12.6 in current versions, so map to the edition your assessor uses.)
Sarbanes-Oxley (SOX) - correct answer ✔✔§404.(a).(1) - The Commission shall prescribe rules
requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of
1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report which shall - state the
responsibility of management for establishing and maintaining an adequate internal control
structure and procedures for financial reporting. SOX does not name security awareness training
explicitly; the link is that employees who understand the controls are part of the "adequate
internal control structure" management must attest to. If you are planning to go public in the
future, start now with a security awareness training project
Health Insurance Portability & Accountability Act (HIPAA) - correct answer ✔✔§164.308.(a).(5).
(i) - Implement a security awareness and training program for all members of its workforce
(including management)
ISO/IEC 27001 & 27002 - correct answer ✔✔§ISO 27002 8.2.2 - All employees of the
organization and, where relevant, contractors and third party users should receive appropriate
awareness training and regular updates in organizational policies and procedures, as relevant
for their job function
(8.2.2 is the ISO/IEC 27002:2005 numbering; the same control is 7.2.2 in the 2013 edition and
6.3 in the 2022 edition.)
FACTA - FTC Red Flags Rule - correct answer ✔✔Under the FACTA, which amends the Fair Credit
Reporting Act, the FTC created the Red Flags Rule. That rule requires training as part of an
Identity Theft Prevention Program. See 16 CFR 681.1(d)-(e). Employees should be trained about
the various red flags to look out for, and/or any other relevant aspect of the organization's
Identity Theft Prevention Program.
Gramm-Leach Bliley Act - correct answer ✔✔§6801.(b).(1)-(3) - In furtherance of the policy in
subsection (a) of this section, each agency or authority described in section 6805(a) of this title
shall establish appropriate standards for the financial institutions subject to their jurisdiction
relating to administrative, technical and physical safeguards -
• To insure the security and confidentiality of customer records and information;
• To protect against any anticipated threats or hazards to the security or integrity of such
records;
• To protect against unauthorized access to or use of such records or information which could
result in substantial harm or inconvenience to any customer.
CobiT (COBIT 4.1 numbering) - correct answer ✔✔§PO7.4 Personnel Training - Provide IT employees
with appropriate orientation when hired and ongoing training to maintain their knowledge, skills,
abilities, internal controls and security awareness at the level required to achieve
organizational goals.
§DS7 - Management of the process of Educate and train users that satisfies the business
requirement for IT of effectively and efficiently using applications and technology solutions and
ensuring user compliance with policies and procedures is: [...] 3 Defined - when a training and
education program is instituted and communicated, and employees and managers identify and
document training needs. Training and education processes are standardized and documented.
Budgets, resources, facilities and trainers are being established to support the training and
education program. Formal classes are given to employees on ethical conduct and system
security awareness and practices. Most training and education processes are monitored, but
not all deviations are likely to be detected by management. Analysis of training and education
problems is only occasionally applied
Federal Information Security Management Act (FISMA) - correct answer ✔✔§3544.(b).(4).(A),
(B) - Security awareness training to inform personnel, including contractors and other users of
information systems that support the operations and assets of the agency, of information
security risks associated with their activities; and their responsibilities in complying with agency
policies and procedures designed to reduce these risks.
(§3544 is the FISMA 2002 citation; FISMA 2014 recodified the same requirement at 44 U.S.C.
§3554(b)(4).)