CompTIA CySA+ Cybersecurity Analyst Certification Exam: Compliance and Assessment
13 Questions

1. You are a cybersecurity analyst assigned to participate in a test of the organization's cybersecurity posture. You are to monitor intrusion detection systems for indicators of an attack during the exercise. Which team are you most likely assigned to?
2. You are formulating a privacy policy and desire to include policy elements that will protect your company in the event of a regulatory audit. The primary information your company collects that would be considered sensitive is PII. Which of the following policy elements would you need to include in your policy to ensure that you are authorized to request this information from individuals per law or regulation?
3. Which of the following data types would be considered for the highest protection levels according to an organization's data sensitivity policy?
4. Adam is a cybersecurity analyst who is performing a risk assessment on a system. His supervisor insists that once the organization understands its threats, risk can be understood as well. From which elements should Adam tell his supervisor that risk is derived?
5. You are a cybersecurity analyst who has been assigned the task of recommending controls that have been determined as deficient during a recent risk assessment. Your organization uses effective technical encryption methods on the network, but there is no direction that states which encryption method must be used and how it must be used. This written direction must be developed for compliance purposes. Which of the following control categories and written directions should be developed to dictate what the requirements are for use of encryption within the organization?
6. You're a cybersecurity analyst who works for a large financial organization based in the U.S. You are working in a customer information database and must determine which data elements in the database are considered privacy information. Which of the following would be considered privacy data?
7. Tina is a cybersecurity analyst who works at Acme Industries. She is in charge of protecting sensitive employee information regarding financial compensation. She has been directed to configure access to that information such that only certain workstations in the human resources and accounting departments can be used to log in to the database containing sensitive employee financial data. Which of the following technical controls is Tina implementing to protect sensitive data?
8. Which of the following is the practice of replacing sensitive data elements with a unique number to identify them in the record without disclosing sensitive data?
9. Sarah has been tasked with identifying internal risk factors that could increase the risk to a critical system. Which of the following would be considered an internal factor that increases system risk?
10. Greg is a cybersecurity analyst who must select a risk assessment methodology to use within the organization's cyber risk management program. He needs a methodology that considers all of the basic risk elements. Which of the following elements must be included in the methodology?
11. Shawn is a cybersecurity analyst who has just written the organization's audit policy. Which of the following should he ensure is included in the policy?
12. Charles has been tasked with writing policies for an organization that has never really had any formalized internal governance structure. He needs to write a policy that covers the requirements for getting an administrative account since the organization wants to reduce the number of users with administrative accounts in the organization. Which of the following policies should he write to address this issue?
13. Quiana is writing a report for customers for whom she has just completed a risk assessment. She is describing controls that are ineffective or missing, and she is making recommendations for controls the customers could implement if they cannot implement ideal controls due to resource constraints. Which of the following describes the types of controls Quiana is suggesting in place of the preferred controls that could also help reduce risk?