A set of questions and answers related to the sped120 06 Security Program Integration Professional exam. It covers key concepts such as integrating security disciplines, risk management frameworks, holistic security programs, threat and vulnerability analysis, contingency planning, personnel security, and compliance with DoD standards. The material is designed to test and reinforce understanding of security principles and practices.
Typology: Exams
Question 1. What is the primary goal of integrating security disciplines within an organization?
A) To silo security functions for specialized focus
B) To unify security efforts to provide comprehensive protection
C) To reduce security budget through consolidation
D) To limit access to sensitive information only to security personnel
Answer: B
Explanation: Integration aims to unify various security functions to create a holistic approach, ensuring comprehensive protection of assets across personnel, physical, information, and industrial security domains.

Question 2. Which component is essential in a risk management framework for security?
A) Ignoring vulnerabilities to focus on threats
B) Identifying threats, assessing vulnerabilities, and implementing countermeasures
C) Conducting only physical security assessments
D) Relying solely on existing security policies without assessment
Answer: B
Explanation: A risk management framework involves identifying threats, assessing vulnerabilities, and implementing appropriate countermeasures to mitigate risks effectively.

Question 3. What does a holistic security program aim to achieve?
A) Focus solely on physical security measures
B) Combine personnel, physical, industrial, and information security to address diverse threats
C) Concentrate only on cyber threats and ignore physical threats
D) Simplify security by reducing the number of security layers
Answer: B
Explanation: A holistic security program integrates multiple security disciplines to provide a comprehensive defense against a wide range of threats.

Question 4. Which activity is part of conducting a threat and vulnerability analysis?
A) Implementing security measures without assessment
B) Identifying potential threats and weaknesses within the organization
C) Ignoring external threats and focusing only on internal risks
D) Conducting financial audits unrelated to security
Answer: B
Explanation: Threat and vulnerability analysis involves identifying potential threats and weaknesses to understand and mitigate security risks effectively.

Question 5. Why is contingency planning crucial for security programs?
A) To prepare for a single type of incident only
B) To develop responses for multiple security incidents like natural disasters and cyberattacks
C) To eliminate the need for physical security measures
D) To replace security training programs
Answer: B
Explanation: Contingency planning prepares organizations to respond effectively to various incidents, including natural, physical, and cyber threats, ensuring resilience.
Question 6. What is the purpose of continuous vetting in personnel security?
A) To evaluate cleared personnel periodically for insider threats
B) To replace initial background checks
C) To limit security awareness training
D) To evaluate contractor performance unrelated to security
Answer: A
Explanation: Continuous vetting ensures that personnel with security clearances are regularly evaluated for insider threats or security risks, maintaining ongoing security assurance.

Question 7. How does FOCI (Foreign Ownership, Control, or Influence) impact security clearance decisions?
A) It simplifies the clearance process
B) It introduces additional scrutiny to mitigate foreign influence risks
C) It has no impact on security evaluations
D) It automatically disqualifies individuals from clearance
Answer: B
Explanation: FOCI concerns require additional evaluation and mitigation to prevent foreign influence from compromising security, affecting clearance decisions.

Question 8. What is an essential element of security training and awareness programs?
A) Providing generic training without role-specific content
B) Ensuring training is tailored to different employee roles and security disciplines
C) Limiting training to only new hires
D) Focusing solely on physical security procedures
Answer: B
Explanation: Effective security training is tailored to specific roles and disciplines to ensure personnel understand their responsibilities and security protocols.

Question 9. Why is subcontractor and visitor management critical in personnel security?
A) To allow unrestricted access to all visitors
B) To ensure secure access and protect classified information
C) To reduce security screening procedures
D) To eliminate the need for security badges
Answer: B
Explanation: Managing subcontractors and visitors ensures that only authorized individuals access secure areas, safeguarding sensitive information.

Question 10. How does applying the Risk Management Framework (RMF) benefit physical and information security?
A) It creates separate security processes for physical and digital assets
B) It ensures a consistent approach to security authorization across physical and information systems
C) It focuses only on physical security controls
D) It replaces the need for security assessments
Answer: B
Explanation: RMF provides a standardized process for assessing and authorizing security controls, ensuring consistency across physical and digital security measures.
B) Allocating personnel, budget, and technology efficiently to support security objectives
C) Reducing resources to cut costs regardless of security needs
D) Only focusing on physical security resources
Answer: B
Explanation: Resource management involves strategic allocation of personnel, budget, and technology to effectively support the security program’s goals.

Question 17. Why is effective communication vital in security program management?
A) To keep security issues confidential from stakeholders
B) To inform leadership and stakeholders about security status and ensure coordinated responses
C) To minimize reporting requirements and oversight
D) To avoid discussing security incidents publicly
Answer: B
Explanation: Clear communication ensures leadership and stakeholders are informed, enabling coordinated decision-making and responses to security issues.

Question 18. What is a primary challenge when developing security policies compliant with DoD standards?
A) Ensuring policies are flexible and non-specific
B) Aligning policies with complex national security requirements while maintaining clarity
C) Avoiding stakeholder input to expedite development
D) Implementing policies without periodic review
Answer: B
Explanation: Developing compliant policies requires balancing detailed security standards with clarity and practicality, often involving complex requirements.

Question 19. Which approach best supports a security program’s continuous improvement?
A) Conducting regular audits and updates based on assessments and new threats
B) Relying solely on initial security measures
C) Avoiding changes to security policies after initial implementation
D) Waiting for incidents before making improvements
Answer: A
Explanation: Continuous improvement relies on regular audits, assessments, and updates to adapt to evolving threats and vulnerabilities.

Question 20. How does an integrated security approach enhance incident response?
A) By compartmentalizing security functions and preventing information sharing
B) By enabling coordinated actions across disciplines for effective response
C) By focusing only on physical security during incidents
D) By delaying communication until after incident resolution
Answer: B
Explanation: Integration facilitates coordinated, swift responses by ensuring all security disciplines work together, improving incident management.

Question 21. What is an essential element of a comprehensive threat assessment?
A) Focusing solely on internal threats
B) Considering both external and internal threats and their potential impact
C) Ignoring emerging threats from new technologies
D) Conducting assessments only after an incident occurs
Answer: B
Explanation: A thorough threat assessment evaluates both external and internal threats to understand and mitigate risks proactively.

Question 22. How does industrial security integration differ from personnel security?
A) It solely concerns physical security of manufacturing facilities
B) It involves managing security protocols related to industrial processes and personnel security together
C) It excludes personnel security considerations
D) It only applies to cybersecurity measures
Answer: B
Explanation: Industrial security integration involves managing physical, personnel, and process security collectively to protect industrial assets and information.

Question 23. What is the role of security awareness training for employees?
A) To inform employees about organizational policies and security best practices
B) To replace physical security controls
C) To test employees' physical fitness
D) To serve as a one-time orientation only for new hires
Answer: A
Explanation: Security awareness training educates employees on policies, threats, and best practices, enhancing overall security posture.

Question 24. Why is visitor management crucial in safeguarding sensitive areas?
A) To provide unrestricted access for all visitors
B) To track and control visitor access, reducing risks of unauthorized entry
C) To replace security personnel with automated systems
D) To minimize security documentation requirements
Answer: B
Explanation: Proper visitor management ensures only authorized individuals access secure areas, reducing potential security breaches.

Question 25. What is a key benefit of applying the Risk Management Framework across physical and information security?
A) It simplifies security processes by ignoring specific controls
B) It promotes a standardized approach for assessing and authorizing security controls
C) It eliminates the need for security audits
D) It focuses only on cybersecurity controls
Answer: B
Explanation: RMF provides a structured, standardized process for assessing, authorizing, and continuously monitoring security controls across all domains.

Question 26. How do physical security controls contribute to information security?
A) They do not impact information security
B) They restrict unauthorized physical access, preventing data theft or tampering
Answer: B
Explanation: Clear, timely communication allows for coordinated incident response, minimizing damage and improving recovery efforts.

Question 32. What is a key consideration when integrating personnel security with industrial security?
A) Managing personnel screening and industrial process controls together to prevent insider threats and industrial sabotage
B) Separating personnel security from industrial controls for clarity
C) Focusing only on physical security of industrial facilities
D) Ignoring insider threat programs in industrial environments
Answer: A
Explanation: Integrating personnel screening with industrial controls helps mitigate insider threats and safeguard industrial processes.

Question 33. Which element is essential for effective security training programs?
A) One-size-fits-all training for all roles without customization
B) Role-specific content tailored to employee responsibilities and security disciplines
C) Training only during onboarding and never revisited
D) Focus solely on physical security procedures
Answer: B
Explanation: Tailoring training to roles ensures personnel understand their specific security responsibilities and procedures.

Question 34. Why is visitor management an ongoing process rather than a one-time event?
A) Because visitor credentials expire and access needs regular review
B) Because visitors only require access during initial visits
C) Because physical security controls do not require updates
D) Because visitor management is unrelated to security policies
Answer: A
Explanation: Ongoing management ensures visitor access remains authorized, credentials are current, and security risks are minimized.

Question 35. How does applying the RMF improve security control assessments?
A) It eliminates the need for assessments altogether
B) It provides a structured process for evaluating and authorizing security controls systematically
C) It focuses only on cybersecurity controls
D) It simplifies security by ignoring vulnerabilities
Answer: B
Explanation: RMF offers a systematic approach for assessing, authorizing, and monitoring security controls, enhancing overall security posture.

Question 36. What is the primary purpose of a combined physical and information security audit?
A) To verify compliance with multiple standards and detect weaknesses across domains
B) To audit only cybersecurity controls
C) To review only physical security measures
D) To replace the need for ongoing security training
Answer: A
Explanation: Combined audits assess both physical and digital controls, ensuring comprehensive compliance and identifying vulnerabilities.

Question 37. Which is a critical component of incident response planning?
A) Establishing clear procedures for detection, containment, eradication, and recovery
B) Ignoring incident detection to focus on prevention
C) Relying solely on external agencies to handle incidents
D) Delaying response until after the incident escalates
Answer: A
Explanation: Well-defined procedures enable timely and effective response to incidents, minimizing impact.

Question 38. How does resource management support security policy enforcement?
A) By ensuring sufficient personnel, technology, and funding are available for policy implementation
B) By reducing resources to cut costs regardless of security needs
C) By focusing only on physical security resources
D) By avoiding updates to resource allocations over time
Answer: A
Explanation: Proper resource management ensures policies are effectively enforced through adequate personnel, technology, and funding.

Question 39. Why is stakeholder communication essential in security program administration?
A) To ensure all parties are informed about security status and can make informed decisions
B) To limit information sharing to avoid security risks
C) To avoid transparency and maintain secrecy
D) To delegate security responsibilities without oversight
Answer: A
Explanation: Transparent communication keeps stakeholders informed, facilitating coordinated efforts and informed decision-making.

Question 40. Which best describes the role of security policies in compliance with national standards?
A) They serve as guidelines that are optional to follow
B) They establish mandatory security controls and procedures aligned with standards
C) They are informal suggestions with no enforcement
D) They focus only on physical security without considering other disciplines
Answer: B
Explanation: Security policies define mandatory controls and procedures ensuring compliance with national and organizational standards.

Question 41. How does effective incident management reduce future security risks?
A) By analyzing incidents to identify root causes and improve controls
B) By ignoring past incidents and focusing on new threats
C) By solely relying on external audits without internal analysis
D) By delaying fixes until after multiple incidents occur
Answer: A
Explanation: Incident analysis helps identify vulnerabilities and improve controls, reducing the likelihood of recurrence.
B) It is unrelated to the operational effectiveness of controls
C) Resources should be minimized to reduce expenses, even if controls are compromised
D) Only technology resources are relevant, personnel are secondary
Answer: A
Explanation: Adequate resources are critical for implementing, maintaining, and monitoring security controls effectively.

Question 48. What role does communication play during a security incident?
A) It is essential for coordinating response efforts and keeping stakeholders informed
B) It should be delayed until the incident is fully resolved
C) It is unnecessary if security personnel are handling the incident internally
D) It should only occur after external agencies are involved
Answer: A
Explanation: Effective communication ensures coordinated response efforts, minimizes confusion, and facilitates timely resolution.

Question 49. Why is a risk-based approach important in security program design?
A) It prioritizes resources and controls based on the likelihood and impact of threats
B) It ignores threat likelihood to focus solely on vulnerabilities
C) It applies uniform controls regardless of risk levels
D) It minimizes resource allocation to lower-impact threats only
Answer: A
Explanation: A risk-based approach ensures resources are focused on the most significant threats, optimizing security effectiveness.

Question 50. How does integrating personnel security with industrial controls enhance security?
A) By reducing insider threats that could compromise industrial processes
B) By creating unnecessary complexity in security procedures
C) By focusing only on physical barriers and ignoring personnel evaluations
D) By isolating personnel security from industrial operations
Answer: A
Explanation: Integration helps prevent insider threats from compromising industrial processes, enhancing overall security.

Question 51. Which element is critical in developing an effective security awareness program?
A) Tailoring content to specific roles and responsibilities
B) Providing generic training to all employees without customization
C) Delivering training only once during onboarding
D) Focusing exclusively on physical security procedures
Answer: A
Explanation: Tailoring content ensures employees understand their specific security responsibilities, increasing effectiveness.

Question 52. What is the primary purpose of conducting vulnerability assessments?
A) To identify weaknesses that could be exploited by threats
B) To verify compliance with security policies only
C) To evaluate financial performance of security programs
D) To replace physical security controls with digital ones
Answer: A
Explanation: Vulnerability assessments identify weaknesses that potential adversaries could exploit, allowing mitigation.

Question 53. How does a comprehensive security policy support incident response?
A) By providing clear procedures and responsibilities for handling incidents
B) By limiting communication during incidents to only security personnel
C) By allowing employees to handle incidents without escalation
D) By focusing only on preventing physical breaches, ignoring cyber incidents
Answer: A
Explanation: Well-defined policies clarify roles and procedures, enabling effective incident response.

Question 54. What is the significance of conducting periodic security control assessments?
A) To ensure controls remain effective and compliant over time
B) To eliminate the need for ongoing security training
C) To verify only physical security controls periodically
D) To replace initial security design with ad hoc measures
Answer: A
Explanation: Regular assessments ensure controls adapt to evolving threats and maintain compliance.

Question 55. Why is resource management important for personnel security?
A) To ensure background checks, ongoing evaluations, and training are adequately funded and staffed
B) To reduce personnel security efforts to save costs
C) To limit personnel evaluations to initial screening only
D) To focus only on physical security measures for staff
Answer: A
Explanation: Proper resource allocation supports comprehensive personnel security, including vetting and training.

Question 56. How do physical security controls complement cybersecurity measures?
A) By preventing unauthorized physical access that could lead to cyber compromises
B) By replacing the need for cybersecurity controls
C) By limiting access to only physical assets and ignoring digital assets
D) By serving only as a secondary layer after cyber controls fail
Answer: A
Explanation: Physical controls prevent unauthorized access, reducing the risk of cyber threats originating from physical breaches.

Question 57. Which component is essential in a contingency plan for natural disasters?
A) Evacuation procedures and communication protocols
B) Ignoring natural hazards to focus on cyber threats
C) Relying solely on external agencies for response
D) Limiting the plan to physical security measures only
Answer: A
Explanation: Contingency plans must include evacuation and communication to ensure safety and operational continuity.
B) To provide data solely for regulatory compliance without actionable insights
C) To compile reports for external auditors only
D) To monitor only physical security controls regularly
Answer: A
Explanation: Metrics help evaluate security performance and identify areas for improvement.

Question 64. How does physical access control enhance information security?
A) By preventing unauthorized individuals from entering sensitive areas and accessing systems
B) By replacing the need for cybersecurity measures
C) By restricting only external visitors but not employees
D) By solely relying on security personnel without technological support
Answer: A
Explanation: Physical controls restrict access, reducing the risk of physical threats to information assets.

Question 65. Why is it important to conduct security awareness training periodically?
A) To update personnel on new threats and reinforce security best practices
B) To replace initial onboarding training
C) To train only new hires and ignore existing staff
D) To focus solely on physical security procedures
Answer: A
Explanation: Regular training keeps staff informed of evolving threats and maintains security vigilance.

Question 66. What is the benefit of integrating insider threat programs with personnel vetting?
A) To detect and mitigate risks posed by current or former employees with malicious intent
B) To replace background checks with ongoing evaluations only
C) To isolate insider threats from personnel management
D) To focus only on external threats, ignoring insiders
Answer: A
Explanation: Combining vetting and insider threat programs enhances detection and prevention of insider risks.

Question 67. How does industrial security management differ from general security management?
A) It emphasizes protecting industrial processes, assets, and proprietary information from sabotage or espionage
B) It focuses solely on physical access controls
C) It ignores personnel security considerations
D) It only involves cybersecurity measures
Answer: A
Explanation: Industrial security addresses specific threats to industrial operations and assets, often involving specialized controls.

Question 68. What is a key consideration when developing security policies for subcontractors?
A) Defining clear security requirements and access controls for subcontractors
B) Granting unlimited access without screening
C) Excluding subcontractors from security training
D) Ignoring subcontractor security risks to streamline operations
Answer: A
Explanation: Clear policies and controls mitigate risks associated with subcontractor access to sensitive information.

Question 69. How does a risk-based approach influence resource allocation?
A) Resources are directed toward the most significant threats and vulnerabilities
B) Resources are distributed equally regardless of threat level
C) Less critical threats receive priority over high-impact risks
D) Resources are reduced to minimize expenses regardless of security needs
Answer: A
Explanation: A risk-based approach ensures resources address the highest risks, optimizing security effectiveness.

Question 70. Why is a comprehensive security audit important after implementing controls?
A) To verify that controls are functioning correctly and remain compliant with standards
B) To replace the need for ongoing security training
C) To focus solely on physical security measures
D) To document controls without assessing their effectiveness
Answer: A
Explanation: Audits confirm controls are effective and compliant, identifying areas for improvement.

Question 71. What role does communication play in coordinating security during crises?
A) It ensures all relevant parties share information promptly for coordinated response
B) It delays reporting to avoid panic
C) It limits communication to only security managers
D) It focuses solely on internal communication, excluding external agencies
Answer: A
Explanation: Timely communication is essential for effective coordination and minimizing incident impact.

Question 72. How does integrating information security with physical security controls benefit an organization?
A) It ensures consistent protection of digital and physical assets
B) It complicates security management unnecessarily
C) It replaces the need for cybersecurity controls
D) It focuses only on physical assets, ignoring digital risks
Answer: A
Explanation: Integration fosters a unified security posture, safeguarding all organizational assets cohesively.

Question 73. What is the main purpose of establishing security performance metrics?
A) To evaluate the effectiveness of security controls and identify improvement areas
B) To create reports solely for compliance without operational use
C) To measure only physical security effectiveness
D) To monitor employee productivity unrelated to security
Answer: A
Explanation: Metrics provide insights into security performance, guiding enhancements and resource allocation.
D) Automating physical security controls only
Answer: A
Explanation: SIEM systems provide real-time threat detection and centralized data for analysis.

Question 80. Why is incident documentation important?
A) It provides a record for post-incident analysis and reporting
B) It is unnecessary once the incident is resolved
C) It only serves legal purposes and is rarely used internally
D) It should be avoided to protect sensitive information
Answer: A
Explanation: Proper documentation supports analysis, compliance, and improvement of security measures.

Question 81. How does a security awareness program influence insider threat mitigation?
A) It educates personnel about risks and encourages vigilance
B) It replaces the need for background checks
C) It assumes insiders are always trustworthy
D) It focuses only on external threats and ignores insiders
Answer: A
Explanation: Awareness programs foster vigilance, reducing insider risks through education.

Question 82. How does a comprehensive risk assessment assist in security planning?
A) It identifies threats, vulnerabilities, and impacts to prioritize controls
B) It simplifies security planning by ignoring certain threats
C) It replaces the need for security controls altogether
D) It focuses only on physical threats, ignoring cyber risks
Answer: A
Explanation: Risk assessments guide resource allocation and control implementation based on prioritized threats.

Question 83. Why is it crucial to manage third-party vendors carefully?
A) Vendors can introduce security vulnerabilities if not properly vetted and monitored
B) Vendors do not impact organizational security
C) Managing vendors only requires contractual agreements, not security controls
D) Vendors are always trustworthy and need no oversight
Answer: A
Explanation: Vendors often access organizational data and systems, so proper vetting and oversight reduce security risks.

Question 84. What is the primary focus of industrial security controls?
A) Protecting critical infrastructure and industrial processes from sabotage and espionage
B) Managing only physical access to industrial facilities
C) Focusing exclusively on cybersecurity measures
D) Limiting security to only personnel screening
Answer: A
Explanation: Industrial security aims to safeguard processes, assets, and information from targeted threats.
Question 85. How does effective security training contribute to compliance?
A) It ensures personnel understand and adhere to policies and standards
B) It replaces the need for formal policies
C) It is only necessary for new hires
D) It is optional and not critical for compliance
Answer: A
Explanation: Training reinforces policies, helping personnel comply with security standards and regulations.

Question 86. What is the benefit of conducting tabletop exercises?
A) To simulate security incidents and test response procedures in a low-risk environment
B) To replace actual incident response planning
C) To evaluate only physical security measures
D) To train employees in non-security related skills
Answer: A
Explanation: Tabletop exercises facilitate practice and evaluation of response plans without real-world consequences.

Question 87. Why is data classification important in information security?
A) It guides appropriate handling, access, and protection based on data sensitivity
B) It is only useful for labeling documents physically stored in filing cabinets
C) It is an unnecessary administrative step
D) It applies only to digital data, not physical documents
Answer: A
Explanation: Data classification ensures sensitive information receives appropriate security controls.

Question 88. How does implementing access controls improve security?
A) By restricting system and physical access to authorized individuals only
B) By allowing open access to all personnel at all times
C) By focusing solely on cybersecurity without physical access restrictions
D) By reducing the number of security layers to simplify management
Answer: A
Explanation: Access controls limit entry, reducing the risk of unauthorized access and data breaches.

Question 89. What is the primary purpose of security audits?
A) To assess effectiveness, compliance, and identify vulnerabilities in security controls
B) To document controls without evaluating their performance
C) To replace ongoing security monitoring
D) To focus only on physical security infrastructure
Answer: A
Explanation: Audits evaluate whether controls are effective and compliant, guiding improvements.

Question 90. How does a layered security approach help in threat mitigation?
A) It provides multiple defenses, reducing the likelihood of successful attacks
B) It complicates security by overlapping controls unnecessarily
C) It focuses only on physical security, ignoring cyber threats
D) It simplifies security to a single control point
B) To record physical assets only for financial purposes
C) To eliminate the need for security controls on unlisted assets
D) To comply solely with auditing requirements without operational benefits
Answer: A
Explanation: Asset inventories help ensure all critical assets are protected and properly managed.

Question 97. How does security awareness training reduce insider threats?
A) By educating employees about risks, policies, and reporting suspicious activities
B) By replacing background checks
C) By assuming all insiders are trustworthy and not providing training
D) By focusing solely on external threat prevention
Answer: A
Explanation: Awareness training fosters vigilance and accountability among staff.

Question 98. Why is a comprehensive disaster recovery plan necessary?
A) To restore operations quickly after disruptive events
B) To replace security controls in preventing incidents
C) To document response procedures for external audits only
D) To focus exclusively on cyber incidents, ignoring physical disruptions
Answer: A
Explanation: Disaster recovery plans ensure rapid resumption of critical functions post-incident.

Question 99. What role does encryption play in information security?
A) Protects data confidentiality during storage and transmission
B) Replaces the need for physical security controls
C) Is only relevant for online banking applications
D) Is unnecessary if access controls are in place
Answer: A
Explanation: Encryption safeguards sensitive data from unauthorized access during storage and transfer.

Question 100. How does access control logging support security investigations?
A) By providing records of access attempts and activities for audit and analysis
B) By replacing the need for other security measures
C) By documenting only failed access attempts
D) By limiting visibility into user activities to maintain privacy
Answer: A
Explanation: Logs support forensic analysis and help detect unauthorized or suspicious activities.

Question 101. Why is supply chain security important?
A) To prevent vulnerabilities introduced by third-party vendors and products
B) To focus only on physical delivery of supplies
C) To eliminate the need for internal security controls
D) To streamline procurement processes without security considerations
Answer: A
Explanation: Securing the supply chain minimizes risks associated with compromised components or vendors.
Question 102. How does security incident analysis improve future security measures?
A) By identifying root causes and updating controls accordingly
B) By solely documenting incidents without acting on findings
C) By focusing only on external threats, ignoring internal vulnerabilities
D) By delaying response efforts until after multiple incidents occur
Answer: A
Explanation: Incident analysis informs improvements, reducing similar future incidents.

Question 103. What is the purpose of a security baseline?
A) To establish minimum security controls and standards for systems and environments
B) To serve as an optional guideline for security practices
C) To document only physical security measures
D) To be updated only after a security breach occurs
Answer: A
Explanation: Baselines define minimum controls, ensuring consistency and compliance.

Question 104. Why should organizations implement incident detection systems?
A) To identify security events promptly and initiate response procedures
B) To replace the need for manual monitoring and analysis
C) To focus only on cyber threats, ignoring physical events
D) To document incidents after they have occurred without real-time alerts
Answer: A
Explanation: Early detection systems enable swift response, minimizing damage.

Question 105. How does establishing security roles and responsibilities support security governance?
A) Clarifies accountability and ensures consistent security practices across the organization
B) Delegates all security responsibilities to external agencies
C) Eliminates the need for security policies and procedures
D) Focuses only on management-level responsibilities, ignoring operational staff
Answer: A
Explanation: Clear roles prevent gaps and promote accountability in security operations.

Question 106. What is the primary purpose of performing security risk assessments?
A) To identify potential threats, vulnerabilities, and impacts to inform decision-making
B) To verify only compliance with regulations without addressing actual risks
C) To document assets without considering threats or vulnerabilities
D) To replace the need for ongoing security controls and monitoring
Answer: A
Explanation: Risk assessments provide a foundation for prioritizing security efforts based on threat likelihood and impact.

Question 107. Why are security controls important in protecting organizational assets?
A) They mitigate risks by reducing vulnerabilities and preventing unauthorized access
B) They eliminate the need for security awareness training
C) They are only necessary for compliance audits with no operational impact
D) They focus solely on physical barriers like fences and guards