c. Substitutes for primary control that cannot be implemented
Compensating controls are alternative measures put in place to meet a security requirement when the primary control cannot be implemented effectively.
The primary security concern with 'Data in Transit' is **c. Interception and tampering**. This refers to the risk that data being transmitted over networks can be intercepted by unauthorized parties or altered during transmission, potentially leading to breaches of confidentiality and integrity.
c. MBR Virus
An MBR (Master Boot Record) virus specifically targets and infects the master boot record of a storage device, which is crucial for the booting process of an operating system.
The main purpose of a 'baseline' in security documentation is:
**b. Sets minimum acceptable security levels**
A baseline establishes the minimum standards and requirements for security measures within an organization, helping to ensure compliance and consistency in security practices.
The correct answer is **b. Data Custodian**.
The Data Custodian is typically responsible for implementing access controls according to the specifications set by the Data Owner.
c. Risk Management
ISO 31000 is a standard that provides guidelines on risk management principles and processes. It is designed to help organizations manage risks effectively and is applicable to any organization regardless of size, industry, or sector.
The correct answer is **c. Stealth Virus**. Stealth viruses are designed to camouflage themselves by intercepting and modifying system requests, thereby hiding their presence from antivirus software and users.
c. Fraud and misuse
Separation of duties is primarily designed to prevent fraud and misuse by ensuring that no single individual has control over all aspects of a financial transaction or critical system process. By dividing responsibilities among multiple individuals, organizations can reduce the risk of errors and intentional wrongdoing.
The correct answer is **a. Security awareness training**.
Deterrent controls are designed to discourage security violations before they occur. Security awareness training helps inform users about security policies and risks, thus acting as a deterrent to malicious or negligent behavior.
The other options serve different purposes:
- **b. Antivirus software** is a preventive control aimed at detecting and stopping malware.
- **c. Backups** are
The purpose of a 'guideline' in a security documentation framework is primarily to:
c. Suggest best practices
Guidelines provide recommendations and best practices that can help organizations implement security measures effectively, though, unlike policies or controls, they are not mandatory.
c. Data Owner
The Data Owner is typically responsible for classifying organizational data, as they have the authority and knowledge about the data's sensitivity, value, and compliance requirements.