Ch 6 - Information Security & Data Breach Notification Flashcards
Which of the following is not one of the key attributes of the information security triad?
a. Applicability
b. Confidentiality
c. Integrity
d. None of the above
a. Applicability
Which of the following is not one of the key attributes of the information security triad?
a. Availability
b. Confidentiality
c. Intelligent
d. None of the above
c. Intelligent
Which of the following is not one of the types of security controls for preventing, detecting, or correcting a security incident?
a. Physical controls
b. Administrative controls
c. Technical controls
d. None of the above
d. None of the above
Which of the following involves the data subject’s right to control their data, including rights to notice and choice?
a. Information security
b. Information privacy
c. Privacy controls
d. All of the above
b. Information privacy
Which law preempts the CA AB 1950 due to greater information security requirements?
a. Gramm-Leach-Bliley Act
b. Right to Financial Privacy
c. The Privacy Act of 1974
d. None of the above
a. Gramm-Leach-Bliley Act
Which of the following laws preempts the CA AB 1950 information security requirements?
a. Right to Financial Privacy
b. Health Insurance Portability and Accountability Act
c. The Privacy Act of 1974
d. None of the above
b. Health Insurance Portability and Accountability Act
Which of the following are sources that, when combined with an individual’s name, constitute personal information under California’s Assembly Bill 1950?
a. SSN, Driver’s License or ID Card number, financial account number
b. Health card ID number, gym membership number, employee ID number
c. Medical information, health insurance information, data collected from an automated license plate recognition system
d. Only a and c
d. Only a and c
Which of the following states enacted the most prescriptive information security law in 2010 following the law enacted by CA in 2003?
a. New York
b. Washington
c. Massachusetts
d. Delaware
c. Massachusetts
Which of the following states enacted information security laws after CA enacted AB 1950?
a. New York
b. Massachusetts
c. Washington
d. All of the above
d. All of the above
Which of the following states enacted the strictest information security law in 2017 following the law enacted by CA in 2003?
a. Washington
b. New York
c. Massachusetts
d. Delaware
b. New York
Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Unintended disclosure
b. Hacking or malware
c. Phishing
d. Payment card fraud
c. Phishing
Which of the following states enacted an information security law that mirrors some of the requirements of the Payment Card Industry Data Security Standard (PCI DSS)?
a. Minnesota
b. Nevada
c. Washington
d. All of the above
d. All of the above
Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Identity theft
b. Insider
c. Physical loss
d. Portable device
a. Identity theft
Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Unintended disclosure
b. Stationary device
c. Elder abuse
d. Unknown or other
c. Elder abuse
Which of the following is potential evidence that a data breach by attackers may have occurred?
a. Multiple failed log-in attempts
b. Sudden use of long-dormant access accounts
c. Use of information systems during off-hours
d. All of the above
d. All of the above
What should IT managers look for when a data breach by attackers is suspected?
a. Presence of unknown programs or files
b. Presence of unknown devices
c. Presence of unknown users
d. All of the above
d. All of the above
When a U.S. company experiences a data breach of personal information belonging to EU customers, the GDPR requires notification:
a. Within 30 days of the date the company became aware of the breach
b. Within 72 hours of the time the company became aware of the breach
c. Within 10 days from the time the company became aware of the breach
d. Within a reasonable amount of time after the company became aware of the breach
b. Within 72 hours of the time the company became aware of the breach
In the second step, containment and analysis, of a data breach incident:
a. Steps that need to be taken will vary depending on the type of incident
b. A full system audit should be performed to ensure discontinuance of any system vulnerabilities
c. A thorough analysis should be performed and documented
d. All of the above
d. All of the above
The first step in incident management for data breaches is:
a. Containment and analysis of the incident
b. Notify affected parties
c. Determine whether a breach has occurred
d. Implement effective follow-up methods
c. Determine whether a breach has occurred
In the third step, incident management, of a data breach incident:
a. Affected individuals and government authorities need to be notified
b. All applicable notification laws should be followed
c. All applicable terms of contractual agreements concerning breach notification should be followed
d. All of the above
d. All of the above
Which of the following is not part of implementing effective follow-up methods in managing a breach incident?
a. Contents of notification letters should comply with applicable state, federal, or contractual requirements
b. Internal self-assessments and audits
c. Employee training
d. All of the above
a. Contents of notification letters should comply with applicable state, federal, or contractual requirements (this is part of the ‘incident management’ stage)
Which of the following is an element of the OMB’s requirements for federal agencies preparing for and responding to breaches of personally identifiable information, which can be used as a best practice by an organization?
a. Designate a breach response team
b. Identify relevant privacy compliance documentation
c. Share information related to the breach to better understand the extent of the breach
d. All of the above
d. All of the above
Which of the following is not a requirement of Connecticut’s substitute notice provision of their data breach notification law?
a. Notification via first class mail within 5 days of discovery of the breach
b. Email notice when the organization has an email address on file for the affected person
c. Conspicuous posting of the notice on the website of the organization
d. Notification to major state-wide media, including newspapers, radio and television
a. Notification via first class mail within 5 days of discovery of the breach
Which of the following is not an exception for providing data breach notification?
a. In most states, an exception for entities that have their own breach notification procedures, as long as they are not incompatible with state laws
b. Entities subject to HIPAA or GLBA rules for data breach notification
c. Safe harbor for organizations using a model form for their breach notification
d. Safe harbor for data that was encrypted, redacted, unreadable or unusable
c. Safe harbor for organizations using a model form for their breach notification