Certified Cloud Security Professional Study Guide Chapter 10 Review Questions (Ben Malisow) Flashcards
What must be collected during the eDiscovery process?
A. Emails
B. Anything pertinent to the request
C. All documentation created during a specific time period
D. Anything that can provide forensic benefit
B. Anything pertinent to the request
Explanation:
eDiscovery must collect and produce any data pertinent to the legal request that initiated the process
Legal controls refer to which of the following?
A. Controls designed to comply with laws and regulations related to the cloud environment
B. PCI DSS
C. ISO 27001
D. NIST 800-53r4
A. Controls designed to comply with laws and regulations related to the cloud environment
Explanation:
Legal controls are those controls that are designed to comply with laws and regulations, whether local or international
Which of the following is not associated with cloud forensics?
A. Analysis
B. eDiscovery
C. Chain of custody
D. Plausibility
D. Plausibility
Explanation:
Plausibility, here, is a distractor and not specifically relevant to cloud forensics
Which of the following is not a component of contractual PII?
A. Scope of processing
B. Use of subcontractors
C. Location of data
D. Value of data
D. Value of data
Explanation:
The value of the data has nothing to do with whether it is covered by contractual PII terms; the data may well have value, but value is not one of the contractual components
Which of the following is a primary component of regulated PII?
A. Items that should be implemented
B. Mandatory breach reporting
C. Audit rights of subcontractors
D. PCI DSS
B. Mandatory breach reporting
Explanation:
Mandatory breach reporting is the best example of regulated PII components
The rest are generally considered components of contractual PII
Which of the following is not associated with privacy?
A. Medical records
B. Personal hobbies
C. Birthdate
D. Participation in transaction
B. Personal hobbies
Explanation:
Personal hobbies are not an element of privacy laws/contracts anywhere in the world (yet)
Which of the following is the best advantage of external audits?
A. Independence
B. Oversight
C. Cheaper
D. Better results
A. Independence
Explanation:
The primary advantage of external audits based on the choices given would be that of independence
External audits are typically more independent and therefore lead to more trustworthy results
Which of the following laws results from a lack of independence in audit practices?
A. HIPAA
B. GLBA
C. SOX
D. ISO 27064
C. SOX
Explanation:
SOX was passed primarily to address the issues of audit independence, poor board oversight, and transparency of findings
Which of the following reports is no longer used?
A. SAS 70
B. SSAE 18
C. SOC 1
D. SOC 3
A. SAS 70
Explanation:
SAS 70 was an auditing standard used in the past primarily for financial reporting, and reports issued under it were often misused as a general security assurance in the service provider context
It was superseded by SSAE 16, which was in turn superseded by SSAE 18; the SOC reports issued under those standards are its successors
Which of the following reports is most aligned with financial control audits?
A. SOC 1
B. SOC 2
C. SOC 3
D. SSAE 18
A. SOC 1
Explanation:
The SOC 1 report focuses on controls at a service organization that are relevant to its customers' internal control over financial reporting
While IT controls are certainly part of most accounting systems today, the focus is on the controls around those financial systems rather than on security in general
Which of the following is the primary purpose of a SOC 3 report?
A. Absolute assurance
B. Compliance with PCI/DSS
C. HIPAA compliance
D. Seal of approval
D. Seal of approval
Explanation:
The SOC 3 report is a general-use summary of a SOC 2 engagement that the provider can publish freely; it omits the detailed control descriptions and test results, so it functions as a seal of approval rather than a full evaluation of the provider's controls
The Generally Accepted Accounting Principles are created and maintained by which organization?
A. ISO
B. ISO/IEC
C. PCI Council
D. AICPA
D. AICPA
Explanation:
Of the choices given, the AICPA is the correct answer: the AICPA's Accounting Principles Board originally set the Generally Accepted Accounting Principles in the United States, and since 1973 that role has belonged to the Financial Accounting Standards Board (FASB), whose standards the AICPA recognizes as authoritative
Which statute addresses security and privacy matters in the US financial industry?
A. GLBA
B. FERPA
C. SOX
D. HIPAA
A. GLBA
Explanation:
GLBA deals with financial security and privacy
FERPA deals with the protection of student education records, and HIPAA with protected health information in the medical industry
SOX is a distractor here: it addresses financial reporting and audit integrity for public companies, not security and privacy in the financial industry
Which of the following is not an example of a highly regulated environment?
A. Healthcare
B. Financial services
C. Wholesale or distribution
D. Public companies
C. Wholesale or distribution
Explanation:
Wholesalers or distributors are generally not regulated, although the products they sell may be
Which of the following SOC report subtypes represents a point in time?
A. SOC 2
B. Type I
C. Type II
D. SOC 3
B. Type I
Explanation:
A SOC Type I report describes the design of controls as of a specific point in time, whereas a Type II report also tests the operating effectiveness of those controls over a period of time (typically six to twelve months)