Bill would like to run an internal vulnerability scan on a system for PCI DSS compliance
purposes. Who is authorized to complete one of these scans?
A. Any Employee of the Organization
B. An Approved Scanning Vendor
C. A PCI DSS Service Provider
D. Any Qualified Individual - ANSWER D: Any Qualified Individual. Internal scans
completed for PCI DSS compliance purposes may be conducted by any qualified
individual.
Which type of organization is the most likely to face a regulatory requirement to conduct
vulnerability scans?
A. Bank
B. Hospital
C. Government Agency
D. Doctor's Office - ANSWER C: Government Agency. The Federal Information
Security Management Act (FISMA) requires that government agencies conduct
vulnerability scans. HIPAA, which governs hospitals and doctors' offices, does not
include a vulnerability scanning requirement, nor does GLBA, which covers financial
institutions.
What minimum level of impact must a system have under FISMA before the
organization is required to determine what information about the system is discoverable
by adversaries?
A. Low
B. Moderate
C. High
D. Severe - ANSWER C: High. Control enhancement number 4 requires that an
organization determine what information about the system is discoverable by
adversaries. This enhancement only applies to FISMA high systems.
What term describes an organization's willingness to tolerate risk in their computing
environment?
A. Risk Landscape
B. Risk Appetite
C. Risk Level
D. Risk Adaptation - ANSWER B: Risk Appetite. The organization's risk appetite is its
willingness to tolerate risk within the environment. If an organization is extremely risk
averse, it may choose to conduct scans more frequently to minimize the amount of time
between when a vulnerability comes into existence and when it is detected by a scan.
Which one of the following factors is least likely to impact vulnerability scanning
schedules?
A. Regulatory Requirements
B. Technical Constraints
C. Business Constraints
D. Staff Availability - ANSWER D: Staff Availability. Scan schedules are most often
determined by the organization's risk appetite, regulatory requirements, technical
constraints, business constraints, and licensing limitations. Most scans are
automated and do not require staff availability.
Barry placed all of his organization's credit card processing systems on an isolated
network dedicated to card processing. He has implemented appropriate segmentation
controls to limit the scope of PCI DSS to those systems through the use of VLANs and
firewalls. When Barry goes to conduct vulnerability scans for PCI DSS compliance
purposes, what systems must he scan?
A. Customer Systems
B. Systems on the Isolated Network
C. Systems on the General Enterprise Network
D. Both B and C - ANSWER B: Systems on the Isolated Network. If Barry is able to
limit the scope of his PCI DSS compliance efforts to the isolated network, then that
is the only network that must be scanned for PCI DSS compliance purposes.
Ryan is planning to conduct a vulnerability scan of a business critical system using
dangerous plug-ins. What would be the best approach for the initial scan?
A. Run the Scan Against Production Systems to Achieve the Most Realistic Results Possible
B. Run the Scan During Business Hours
C. Run the Scan in a Test Environment
D. Do not Run the Scan to Avoid Disrupting the Business - ANSWER C: Run the Scan
in a Test Environment. Ryan should first run his scan against a test environment to
identify likely vulnerabilities and assess whether the scan itself might disrupt business
activities.
Which of the following activities is not part of the vulnerability management life cycle?
A. Detection
B. Remediation
C. Reporting
D. Testing - ANSWER C: Reporting. While reporting and communication are an
important part of vulnerability management, they are not included in the life cycle.
The three life-cycle phases are detection, remediation, and testing.