Certified Cloud Security Professional Study Guide Chapter 10 Review Questions (Ben Masilow) Flashcards

1
Q

What must be collected during the eDiscovery process?

A. Emails
B. Anything pertinent to the request
C. All documentation created during a specific time period
D. Anything that can provide forensic benefit

A

B. Anything pertinent to the request

Explanation:
eDiscovery must collect and produce any data pertinent to the legal request that initiated the process

2
Q

Legal controls refer to which of the following?

A. Controls designed to comply with laws and regulations related to the cloud environment
B. PCI DSS
C. ISO 27001
D. NIST 800-53r4

A

A. Legal controls are those controls that are designed to comply with laws and regulations, whether they be local or international

3
Q

Which of the following is not associated with cloud forensics?

A. Analysis
B. eDiscovery
C. Chain of custody
D. Plausibility

A

D. Plausibility

Explanation:
Plausibility, here, is a distractor and not specifically relevant to cloud forensics

4
Q

Which of the following is not a component of contractual PII?

A. Scope of processing
B. Use of subcontractors
C. Location of data
D. Value of data

A

D. Value of data

Explanation:
Contractual PII terms govern how the data is handled (scope of processing, use of subcontractors, where it is stored); the monetary value of the data is not one of those terms, even though the data may well be valuable

5
Q

Which of the following is a primary component of regulated PII?

A. Items that should be implemented
B. Mandatory breach reporting
C. Audit rights of subcontractors
D. PCI DSS

A

B. Mandatory breach reporting

Explanation:
Mandatory breach reporting is imposed by law or regulation, which makes it the best example of a regulated PII component
The remaining options are obligations that arise from contract (PCI DSS is imposed contractually by the card brands, not by statute) and are therefore components of contractual PII

6
Q

Which of the following is not associated with privacy?

A. Medical records
B. Personal hobbies
C. Birthdate
D. Participation in transaction

A

B. Personal hobbies

Explanation:
Personal hobbies are not a protected data element under current privacy laws or contracts, unlike medical records, birthdates and transaction details (yet)

7
Q

Which of the following is the best advantage of external audits?

A. Independence
B. Oversight
C. Cheaper
D. Better results

A

A. Independence

Explanation:
Of the choices given, the primary advantage of an external audit is independence
External auditors have no stake in the outcome, so their findings are more trustworthy; external audits are not necessarily cheaper, and "better results" is not guaranteed

8
Q

Which of the following laws results from a lack of independence in audit practices?

A. HIPAA
B. GLBA
C. SOX
D. ISO 27064

A

C. SOX

Explanation:
SOX was passed primarily to address the issues of audit independence, poor board oversight, and transparency of findings

9
Q

Which of the following reports is no longer used?

A. SAS 70
B. SSAE 18
C. SOC 1
D. SOC 3

A

A. SAS 70

Explanation:
SAS 70 was an auditing standard for a service organization's controls over financial reporting, and it was frequently misused as a general security assurance report for service providers
It was superseded by SSAE 16 in 2011 and then by SSAE 18 in 2017; the SOC 1, SOC 2 and SOC 3 reports are issued under that SSAE framework

10
Q

Which of the following reports is most aligned with financial control audits?

A. SOC 1
B. SOC 2
C. SOC 3
D. SSAE 18

A

A. SOC 1

Explanation:
The SOC 1 report covers a service organization's controls that are relevant to its customers' internal control over financial reporting
IT general controls appear in a SOC 1 only insofar as they support the financial systems in scope; security, availability and privacy controls are the subject of SOC 2

11
Q

Which of the following is the primary purpose of a SOC 3 report?

A. Absolute assurance
B. Compliance with PCI/DSS
C. HIPAA compliance
D. Seal of approval

A

D. Seal of approval

Explanation:
The SOC 3 report is a general-use, publicly distributable summary of a SOC 2 examination: it carries the auditor's opinion and a seal but omits the detailed control descriptions and test results, so it is an attestation rather than a full evaluation of the provider's controls

12
Q

The Generally Accepted Accounting Principles are created and maintained by which organization?

A. ISO
B. ISO/IEC
C. PCI Council
D. AICPA

A

D. AICPA

Explanation:
The AICPA is the organization the study guide credits with generating and maintaining the Generally Accepted Accounting Principles in the United States, and it is the intended answer among the choices given; strictly, US GAAP has been issued by the Financial Accounting Standards Board (FASB) since 1973, with the AICPA having set it before then and still issuing the SSAE standards under which SOC reports are produced

13
Q

Which statute addresses security and privacy matters in the US financial industry?

A. GLBA
B. FERPA
C. SOX
D. HIPAA

A

A. GLBA

Explanation:
GLBA deals with security and privacy in the financial industry
FERPA deals with data protection in the academic sector and HIPAA in the medical sector
SOX is a distractor here: it governs financial reporting and audit integrity at public companies, not security or privacy

14
Q

Which of the following is not an example of a highly regulated environment?

A. Healthcare
B. Financial services
C. Wholesale or distribution
D. Public companies

A

C. Wholesale or distribution

Explanation:
Wholesalers or distributors are generally not regulated, although the products they sell may be

15
Q

Which of the following SOC report subtypes represents a point in time?

A. SOC 2
B. Type I
C. Type II
D. SOC 3

A

B. Type I

Explanation:
A SOC Type I report describes the design of controls and whether they were implemented as of a specific date, as opposed to a Type II report, which also tests whether the controls operated effectively over a review period

16
Q

Which of the following SOC report subtypes spans a period of time?

A. SOC 2
B. SOC 3
C. SOC 1
D. Type II

A

D. Type II

Explanation:
A SOC Type II report tests the operating effectiveness of controls over a review period (commonly six to twelve months), as opposed to a Type I report, which covers a specific point in time

17
Q

The right to be forgotten refers to which of the following?

A. The right to no longer pay taxes
B. Erasing criminal history
C. The right to have all of a data subject's data erased
D. Masking

A

C. The right to have all of a data subject's data erased

Explanation:
The right to be forgotten is the individual's right to have a provider erase their personal data on request.
In the EU it is codified as the GDPR's right to erasure (Article 17), subject to exceptions such as legal retention obligations; there is no equivalent federal right in the US, although some state privacy laws grant a right to deletion

18
Q

SOX was enacted because which of the following?

A. Poor board oversight
B. Lack of independent audits
C. Poor financial controls
D. All of the above

A

D. All of the above

Explanation:
Options A, B and C are reasons leading up to the creation and passage of SOX

19
Q

What is the primary component of the Gramm-Leach-Bliley Act?

A. The right to be forgotten
B. EU Data Directives
C. The information security program
D. The right to audit

A

C. The information security program

Explanation:
The most important aspect of GLBA is its Safeguards Rule, which requires each covered financial institution to develop, implement and maintain a written information security program

20
Q

Which of the following is not associated with HIPAA controls?

A. Administrative controls
B. Technical controls
C. Physical controls
D. Financial controls

A

D. Financial controls

Explanation:
The HIPAA Security Rule groups its safeguards into administrative, physical and technical categories; financial controls are not addressed by HIPAA