Chapter 6: Domain 6: Legal, Risk and Compliance (Ben Malisow) Flashcards

Question 1

Q

Which of the following is a U.S. audit standard often used to evaluate cloud providers?

A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770

Answer

A

C. SSAE 18

Explanation:
The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard.
ISO 27001 is an international audit standard. The Sarbanes-Oxley Act (SOX) is a U.S. law pertaining to publicly traded corporations. There is no such thing as the IEC 43770 standard.

Question 2

Q

The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program has _______________ tiers.

A. Two
B. Three
C. Four
D. Eight

Answer

A

B. Three

Explanation:
The STAR program has three tiers.

Question 3

Q

The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program’s tier of self-assessment is which of the following?

A. Tier 1
B. Tier 2
C. Tier 5
D. Tier 8

Answer

A

A. Tier 1

Explanation:
Tier 1 is the lowest tier of the STAR program, involving only self-assessment.

Question 4

Q

Alice and Bob want to use the Internet to communicate privately. They each have their own asymmetric key pairs and want to use them to create temporary symmetric keys for each connection or session. Which of the following will enable them to do this?

A. Remote Authentication Dial-In User Service (RADIUS)
B. Rivest-Shamir-Adelman (RSA) encryption
C. Diffie-Hellman exchange
D. Terminal Access Controller Access-Control System (TACACS)

Answer

A

C. Diffie-Hellman exchange

Explanation:
The Diffie-Hellman key exchange process is designed to allow two parties to create a shared secret (symmetric key) over an untrusted medium. RADIUS is an outmoded access control service for remote users. RSA is an encryption scheme. TACACS is a network access protocol set used through a centralized server.

Question 5

Q

Under European Union (EU) law, a cloud customer who gives sensitive data to a cloud provider is still legally responsible for the damages resulting from a data breach caused by the provider; the EU would say that it is the cloud customer’s fault for choosing the wrong provider. This is an example of insufficient _______________.

A. Proof
B. Evidence
C. Due diligence
D. Application of reasonableness

Answer

A

C. Due diligence

Explanation:
A party who does not perform sufficient due diligence in choosing a contractor can be held accountable for the actions made by that contractor. In current privacy and data laws, this is usually the government’s perspective regarding wrongdoing on the part of cloud providers.

Question 6

Q

Which of the following is not an enforceable governmental request?

A. Warrant
B. Subpoena
C. Court order
D. Affidavit

Answer

A

D. Affidavit

Explanation:
An affidavit is only a form of formal testimony presented to the court. All the other options are enforceable governmental requests.

Question 7

Q

Which of the following is not a way of managing risk?

A. Mitigation
B. Acceptance
C. Avoidance
D. Streamlining

Answer

A

D. Streamlining

Explanation:
Streamlining is a nonsense term in this context. All the other options represent normal ways of addressing risk. Mitigation is the use of controls to attenuate the impact or likelihood (or both) of risk, acceptance is allowing the business to function with no further action, and avoidance is halting the business function.

Question 8

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Amorphous curtailment principle
B. Collection limitation principle
C. State-based incorporation principle
D. Hard-copy instantiation principle

Answer

A

B. Collection limitation principle

Explanation:
The collection limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict data collection to only information that is necessary for the transaction, and only with the knowledge and permission of the individual. The other options are meaningless in this context.

Question 9

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Data quality principle
B. Transformative neologism principle
C. Encryption matrices principle
D. Restful state principle

Answer

A

A. Data quality principle

Explanation:
The data quality principle requires any entity that gathers personally identifiable information (PII) about a person to ensure that the data remains valid and accurate and allows for corrections by the data subject. The other answers are meaningless in this context.

Question 10

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Archipelago enhancement principle
B. Solidity restoration principle
C. Netherworking substrate principle
D. Purpose specification principle

Answer

A

D. Purpose specification principle

Explanation:
The purpose specification principle requires any entity that gathers personally identifiable information (PII) about a person to clearly state the explicit purpose for which the PII will be used. The other answers are meaningless in this context.

Question 11

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Use limitation principle
B. Erstwhile substitution principle
C. Flatline cohesion principle
D. Airstream fluidity principle

Answer

A

A. Use limitation principle

Explanation:
The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected. The other answers are meaningless in this context.

Question 12

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Transient data principle
B. Security safeguards principle
C. Longtrack resiliency principle
D. Arbitrary insulation principle

Answer

A

B. Security safeguards principle

Explanation:
The security safeguards principle requires any entity that gathers personally identifiable information (PII) about a person to protect that data against unauthorized access and modification. The other answers are meaningless in this context.

Question 13

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

A. Volcanic principle
B. Inherency principle
C. Repository principle
D. Openness principle

Answer

A

D. Openness principle

Explanation:
The openness principle requires any entity that gathers personally identifiable information (PII) about a person to allow that person to access the information. The other answers are meaningless in this context.

Question 14

Q

The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. The OECD privacy principles influenced which lawmaking body and are readily apparent in the law(s) it created?

A. U.S. Congress
B. European Union (EU)
C. Politburo
D. International Standards Organization (ISO)

Answer

A

B. European Union (EU)

Explanation:
The EU crafted first the EU Data Directive and then the General Data Protection Regulation largely according to the OECD guidelines. The US Congress has (at the time of this writing) made no broad federal privacy law and instead has treated personal privacy on an industry-by-industry basis. The Politburo no longer exists. The ISO is not a lawmaking body.

Question 15

Q

Which of the following is not a way in which an entity located outside the European Union (EU) can be allowed to gather and process privacy data belonging to EU citizens?

A. Be located in a country with a nationwide law that complies with the EU laws.
B. Appeal to the EU High Court for permission.
C. Create binding contractual language that complies with the EU laws.
D. Join the Privacy Shield program in its own country.

Answer

A

B. Appeal to the EU High Court for permission.

Explanation:
The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met: Their own country has nationwide laws that comply with the EU laws. The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data.
The entity voluntarily subscribes to its own nation’s Privacy Shield program. There is no process for the entity to appeal to the EU for permission to do so, however.

Question 16

Q

The Privacy Shield program is _______________.

A. Voluntary for non–European Union (EU) entities
B. Mandatory for all EU entities
C. Mandatory for all non-EU entities
D. Voluntary for all EU entities

Answer

A

A. Voluntary for non–European Union (EU) entities

Explanation:
The Privacy Shield program is for non-EU entities that also do not exist in a country with a nationwide privacy law; no entity is required to join the program, but those who don’t are prevented from collecting and processing EU citizen privacy data. Entities within the EU are already subject to the EU General Data Protection Regulation law and therefore are not eligible or benefited by the Privacy Shield program.

Question 17

Q

Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?

A. Canada
B. United States
C. Switzerland
D. Japan

Answer

A

B. United States

Explanation:
The United States does not have a general nationwide privacy law that complies with the EU privacy statutes; it instead has created industry-specific privacy laws. Canada has a law (Personal Information Protection and Electronic Documents Act) that conforms with the EU laws, as does Switzerland and Japan.

Question 18

Q

Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?

A. Argentina
B. Israel
C. Australia
D. Brazil

Answer

A

D. Brazil

Explanation:
Brazil does not yet have federal privacy laws sufficient to be considered acceptable for EU compliance. Israel, Australia, and Argentina all do.

Question 19

Q

In the United States, who manages the Privacy Shield program for voluntary compliance with European Union (EU) data privacy laws?

A. Department of State
B. Department of Interior
C. Department of Trade
D. Department of Commerce

Answer

A

D. Department of Commerce

Explanation:
The Department of Commerce manages the Privacy Shield program in the United States; the Departments of State and Interior do not. There is no Department of Trade.

Question 20

Q

You’re a sophomore at a small, private medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?

A. Sarbanes-Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)

Answer

A

A. Sarbanes-Oxley Act (SOX)

Explanation:
SOX is only applicable to publicly traded corporations, not all companies. HIPAA may be applicable to the data you work with as a medical student, if you work with patient data. Your payment and personal data is governed by PCI DSS. FERPA protects your personal student information.

Question 21

Q

U.S. federal entities are required to use cloud data centers within the borders of the United States only. Which law, standard, or requirement mandates this?

A. Federal Information Security Management Act (FISMA)
B. Federal Risk and Authorization Management Program (FedRAMP)
C. Organisation for Economic Cooperation and Development (OECD)
D. General Data Protection Regulation (GDPR)

Answer

A

B. Federal Risk and Authorization Management Program (FedRAMP)

Explanation:
The FedRAMP standard dictates that American federal agencies must retain their data within the boundaries of the United States, including data within cloud data centers. FISMA is the federal law requiring agencies to comply with National Institute of Standards and Technology (NIST) guidance; option A is broader than B, so B is better in this case.

Question 22

Q

The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program includes a level of certification for cloud providers that acquire third-party assessments of their environment and controls. Which STAR level is this?

A. 1
B. 2
C. 3
D. 4

Answer

A

B. 2

Explanation:
Level 2 of the CSA STAR program requires third-party assessment of the provider. Level 1 is a self-assessment; option A is incorrect. Level 3 requires continual monitoring by a third party; option C is incorrect. There is no Level 4 of the STAR program.

Question 23

Q

_______________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users’ and clients’ privacy data.

A. Due care
B. Due diligence
C. Liability
D. Reciprocity

Answer

A

A. Due care

Explanation:
This is an example of due care. Due diligence is the processes and activities used to ensure that due care is maintained; option B is incorrect. Liability is the measure of responsibility an entity has for providing due care; option C is incorrect. Option D has no meaning in this context.

Question 24

Q

Under European Union law, what is the difference between a directive and a regulation?

A. A directive is enforced by the member states; a regulation is enforced by an international body.
B. A directive is put in place by statute; a regulation is put in place by precedent.
C. A directive is for local laws; a regulation is for laws dealing with matters outside the EU.
D. A directive allows member states to create their own laws; a regulation is applied to all member states.

Answer

A

D. A directive allows member states to create their own laws; a regulation is applied to all member states.

Explanation:
The CCSP candidate is probably most familiar with the European Union’s (EU’s) Data Directive and General Data Protection Regulation in this regard. The directive allows every member country to create its own law that is compliant with the directive; the regulation mandates that all countries comply with the regulation itself. Both directives and regulations can be enforced by either member states or EU international tribunals; option A is not correct. Both directives and regulations are statutory; option B is not correct. Both directives and regulations deal with both internal EU matters and those that extend outside Europe; option C is not correct.

Question 25

Q

You work for a European government agency providing tax counseling services to taxpayers. On your website home page, you include a banner with the following text: “As a visitor to this website, I agree that any information I disclose to the Tax Counseling Agency can be used for any and all purposes under the General Data Protection Regulation (GDPR).” This is followed by a button that says, “I Agree”: users have to click the button, or they are taken to a page that says, “Goodbye. Thank you for visiting the Tax Counseling Agency, and have a nice day.” This method of collecting personal information is _______________.

A. Illegal under the GDPR because it is electronic and needs to be in hard copy
B. Legal under the GDPR
C. Illegal under the GDPR because it doesn’t allow service if the visitor refuses
D. Illegal under the GDPR because it doesn’t ask the nationality of the visitor

Answer

A

C. Illegal under the GDPR because it doesn’t allow service if the visitor refuses

Explanation:
A government service provider is not allowed to refuse service if an individual refuses to participate in data collection. Option A is incorrect. There is no requirement for hardcopy. Option B is incorrect because the provider is a government agency. Option D is incorrect. The scenario in the question is illegal whether or not the visitor is asked about their nationality.

Question 26

Q

Administrative penalties for violating the General Data Protection Regulation (GDPR) can range up to _______________.

A. US$100,000
B. 500,000 euros
C. 20,000,000 euros
D. 1,000,000 euros

Answer

A

C. 20,000,000 euros

Explanation:
All the other options are incorrect

Question 27

Q

The European Union (EU) General Data Protection Regulation (GDPR) addresses performance by _______________.

A. Data subjects
B. Data controllers
C. Data processors
D. Data controllers and processors

Answer

A

D. Data controllers and processors

Explanation:
The GDPR describes requirements for data collection by and transfers to data controllers and processors. All the other options are incorrect.

Question 28

Q

You are the security manager for a mid-sized nonprofit organization. Your organization has decided to use a software as a service (SaaS) public cloud provider for its production environment. A service contract audit reveals that while your organization has budgeted for 76 user accounts, there are currently 89 active user accounts. Your organization is paying the contract price, plus a per-account fee for every account over the contracted number. This is an example of costs incurred by _______________.

A. Data breach
B. Shadow IT
C. Intrusions
D. Insider Threat

Answer

A

B. Shadow IT

Explanation:
This is the definition of shadow IT: unplanned costs from uncontrolled user activity. This does not constitute a data breach because no data has been disclosed to unauthorized entities; option A is incorrect. This is not an intrusion because no external entity has gained access to the environment; option C is incorrect. While shadow IT may be considered a particular kind of insider threat, we usually consider insider threats as malicious, and shadow IT is typically the result of benign intentions. Option B is better than option D.

Question 29

Q

An audit against the _______________ will demonstrate that an organization has a holistic, comprehensive security program.

A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. Service Organization Control (SOC) 2, Type 2 report matrix
D. ISO 27001 certification requirements

Answer

A

D. ISO 27001 certification requirements

Explanation:
The ISO 27001 certification is for the information security management system (ISMS), the organization’s entire security program.
The SAS 70 and SSAE 18 are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct. The SOC reports are how SSAE 18 audits are conducted; option C is incorrect.

Question 30

Q

An audit against the _______________ reporting mechanism will demonstrate that an organization has an adequate security control design.

A. Service Organization Control (SOC) 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3

Answer

A

B. SOC 2, Type 1

Explanation:
This is what a SOC 2, Type 1 report is for. The SOC 1 is for financial reporting; the SOC 2, Type 2 is to review the implementation (not design) of controls; and the SOC 3 is just an attestation that an audit was performed. All these options are incorrect.

Question 31

Q

A(n) _______________ includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.

A. Service Organization Control (SOC) report
B. Gap analysis
C. Audit scoping statement
D. Federal guideline

Answer

A

B. Gap analysis

Explanation:
This is the definition of a gap analysis. SOC reports are specific kinds of audits; option A is incorrect. The scoping statement is a pre-audit function that aids both the organization and the auditor to determine what, specifically, will be audited. Option C is incorrect. Federal guidelines are government recommendations on how something should be done. Option D is incorrect.

Question 32

Q

An audit against the _______________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.

A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. ISO 27002 certification criteria
D.National Institute of Standards and Technology (NIST) Special Publication (SP)  800-53

Answer

A

C. ISO 27002 certification criteria

Explanation:
The 27002 standard contains sets of controls to be used in order to allow the organization to match the security program created for the organization with 27001. The SAS 70 and SSAE 18 are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct.
NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37; option D is incorrect.

Question 33

Q

An audit scoping statement might include constraints on all of the following aspects of an environment except _______________.

A. Time spent in the production space
B. Business areas and topics to be reviewed
C. Automated audit tools allowed in the environment
D. Not reviewing illicit activities that may be discovered

Answer

A

D. Not reviewing illicit activities that may be discovered

Explanation:
While the auditor is not a law enforcement entity, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit. All the other options are incorrect as they are all facets of audit scoping.

Question 34

Q

An audit scoping statement might include all of the following constraints except _______________.

A. Limitation on destructive techniques
B. Prohibition of all personnel interviews
C. Prohibition on access to the production environment
D. Mandate of particular time zone review

Answer

A

B. Prohibition of all personnel interviews

Explanation:
Auditors may find it necessary to speak to particular individuals in order to locate artifacts and understand the environment. Although there may be some limitation on particular points of contact and nature of interviews, there cannot be a total prohibition. All the other options are incorrect as they are all facets of audit scoping.

Question 35

Q

You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program, the Uptime Institute’s tier certification motif, and _______________.

A. The National Institute of Standards and Technology (NIST) Risk Management Framework (Special Publication [SP] 800-37)
B. The Federal Risk and Authorization Management Program (FedRAMP)
C. ISO 27034
D. The EuroCloud Star Audit (ECSA) program

Answer

A

D. The EuroCloud Star Audit (ECSA) program

Explanation:
The ECSA is designed as a cloud service certification motif for organizations located in Europe. NIST (which also administers FedRAMP) is designed specifically for federal agencies in the United States and is not applicable for European providers, so options A and B are incorrect. ISO 27034 deals with an organization’s use of security controls for software; while this may be pertinent to your organization, it is not a comprehensive view of cloud services and is not as beneficial or equivalent to the CSA STAR or Uptime Institute certifications. Option D is preferable to option C.

Question 36

Q

Who should perform the gap analysis following an audit?

A. The security office
B. The auditor
C. A department other than the audit target
D. An external audit body other than the original auditor

Answer

A

C. A department other than the audit target

Explanation:
Perspectives gained from people outside the audit target are invaluable because they may see possibilities and opportunities revealed by the audit, whereas the personnel in the target department may be constrained by habit and tradition. Options A and B are incorrect because this poses a conflict of interest. Option D is incorrect. Audits often reveal sensitive information that does not need to be shared with an external audit body that was not part of the original audit.

Question 37

Q

An IT security audit is designed to reveal all of the following except _______________.

A. Financial fraud
B. Malfunctioning controls
C. Inadequate controls
D. Failure to meet target standards and guidelines

Answer

A

A. Financial fraud

Explanation:
An IT security audit is not intended to locate financial fraud; it may, however, lead to such revelations unintentionally. There are specific other audits that exist for this purpose. All the other options are incorrect because they are intended goals for IT security audits.

Question 38

Q

What was the first international privacy standard specifically for cloud providers?

A. National Institute of Standards and Technology (NIST) Special Publication (SP)  800-37
B. Personal Information Protection and Electronic Documents Act
C. Payment Card Industry
D. ISO 27018

Answer

A

D. ISO 27018

Explanation:
ISO 27018 describes privacy requirements for cloud providers, including an annual audit mandate. Option A is incorrect because NIST SP 800-37 describes the Risk Management Framework and is not an international privacy standard.
The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. Option B is incorrect. Option C is incorrect because the PCI DSS is specifically for merchants who accept credit cards, not cloud providers (while cloud providers may process credit cards, and therefore must follow PCI DSS, option D is preferable, and a better answer).

Question 39

Q

Choose the entity that has not published a privacy principle document that includes recognizing a subject’s right to access any of their own privacy data; limitations on the use of privacy data collected from subjects; and security measures for privacy data.

A. Organisation for Economic Cooperation and Development (OECD)
B. American Institute of Certified Public Accountants (AICPA)
C. The European Union (EU) parliament
D. U.S. Congress

Answer

A

D. U.S. Congress

Explanation:
Aside from industry-specific legislation, the United States does not have any federal laws outlining how citizens’ privacy data should be treated.
All the other entities have published such guidance, and those options are therefore incorrect.

Question 40

Q

The field of digital forensics does not include the practice of securely _______________ data.

A. Collecting
B. Creating
C. Analyzing
D. Presenting

Answer

A

B. Creating

Explanation:
With rare exceptions, digital forensics does not include creation of data (other than the forensic reports regarding the analysis of data). While this could arguably be considered an aspect of digital forensics as well, the other options are more suited to describing digital forensics, so this is the best negative answer.

Question 41

Q

Which of the following is a legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter?

A. Applicable law
B. Judgments
C. Criminal law
D. Extradition

Answer

A

D. Extradition

Explanation:
This is the definition of extradition. Applicable law is the regulation/legislation affecting a certain circumstance. Option A is incorrect.
Judgments are legal conclusions or decisions. Option B is incorrect. Option C is incorrect because criminal law is the body of law that pertains to crime.

Question 42

Q

In which court must the defendant be determined to have acted in a certain fashion according to the preponderance of the evidence?

A. Civil court
B. Criminal court
C .Religious court
D .Tribal court

Answer

A

A. Civil court

Explanation:
Civil courts (for example, in a breach of contract case) are held to the “preponderance of evidence” standard. All the other options are incorrect because they do not hold to the preponderance of the evidence requirement.

Question 43

Q

You are the security manager for a retail sales company that uses a software as a service (SaaS) public cloud service. One of your employees uploads sensitive information they were not authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefiting the administrator and causing harm to your organization. After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation.
If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?

A. Your organization owes the cloud provider $31,250.
B. The cloud provider owes your organization $93,750.
C. Neither side owes the other party anything.
D. The cloud provider owes your organization $125,000.

Answer

A

D. The cloud provider owes your organization $125,000.

Explanation:
Except in jurisdictions where contributory negligence is a factor in the proceedings, civil courts use a standard of “preponderance of evidence,” so the entity that has a simple majority of fault (51 percent or more) is responsible for the full weight of the breach. Because the question did not specify the case was in contributory negligence jurisdiction, option D is the best answer because it is the most likely outcome. Options A, B, and C are incorrect because they are 25%, 75% and 0% of the full weight of the breach.

Question 44

Q

You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft. The prosecutor can use the material you delivered because of _______________.

A. The doctrine of plain view
B. The silver platter doctrine
C. The General Data Protection Regulation (GDPR)
D. The Federal Information System Management Act (FISMA)

Answer

A

B. The silver platter doctrine

Explanation:
The silver platter doctrine allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without a warrant or a court order.
The doctrine of plain view allows law enforcement to act on probable cause when evidence of a crime is within their presence; option A is incorrect. The GDPR is a European Union (EU) privacy law and not applicable here; option C is incorrect. FISMA is the American law requiring federal agencies to adhere to National Institute of Standards and Technology (NIST) standards; option D is incorrect.

Question 45

Q

You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month. Which law is applicable in this instance?

A. Belgian law
B. The General Data Protection Regulation (GDPR)
C. National Institute of Standards and Technology (NIST) Special Publication (SP)  800-53
D. The Federal Information Systems Management Act (FISMA)

Answer

A

B. The General Data Protection Regulation (GDPR)

Explanation:
As of May 2018, the GDPR is the law throughout all EU member states, superseding any existing local laws.
Belgian law will be superseded at that point, and the GDPR has primacy over Belgian law. Option A is incorrect. Options C and D are an American standard and law, respectively, and are not applicable to companies in the European Union (EU), so they are therefore incorrect. It’s important to note that the GDPR covers all entities that are located and/or operate in the EU, regardless of other details such as where the business entity stores the data or where the customers are located.

Question 46

Q

You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a(n) _______________ to all personnel and offices within your company.

A. Litigation hold notice
B. Audit scoping letter
C. Stop loss memo
D. Memorandum of agreement

Answer

A

A. Litigation hold notice

Explanation:
A litigation hold notice is required to prevent possible destruction of pertinent evidence that may be used in the case. An audit scoping letter outlines the parameters for an audit engagement; option B is incorrect. Options C and D do not have meaning in this context.

Question 47

Q

You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with _______________ as well as the lawsuit.

A. Spoliation
B. Fraud
C. Jurisdiction
D. Re-compositing

Answer

A

A. Spoliation

Explanation:
Spoliation is the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit. Destroying evidence is not fraud; fraud can be a crime or tort on its own, but option B is incorrect.
Jurisdiction describes the geographical area over which a court has power; option C is incorrect. Recompositing is a made-up word and has no meaning in this context. Option D is incorrect.

Question 48

Q

You are the chief information officer (CIO) for an IT hardware manufacturer. Your company uses cloud-based software as a service (SaaS) services, including email. You receive a legal request for data pertinent to a case. Your e-discovery efforts will largely be dependent on _______________.

A. The cloud provider
B. Regulators
C. The cloud customer
D. Internal IT personnel

Answer

A

A. The cloud provider

Explanation:
In an SaaS model, the customer has little insight into event logs and traffic analysis useful for evidentiary purposes. The customer will largely be reliant on the cloud provider to locate, collect, and deliver this information for e-discovery. Regulators do not take part in e-discovery; option B is incorrect. In this situation, your company is the cloud customer and will not have a great deal of access to event logs, which may be a crucial element of e-discovery; options C and D are incorrect.

Question 49

Q

You work for a company that operates a production environment in the cloud. Another company using the same cloud provider is under investigation by law enforcement for racketeering. Your company should be concerned about this because of the cloud characteristic of _______________.

A. Virtualization
B. Pooled resources
C. Elasticity
D. Automated self-service

Answer

A

B. Pooled resources

Explanation:
Multitenancy in the cloud is a direct result of sharing resources; many customers use the same underlying hardware infrastructure. A seizure of hardware assets by law enforcement investigating another cloud customer could conceivably result in the seizure of your company’s data because it happened to be residing on the same hardware when that hardware was seized. The other options are aspects of cloud computing but do not have anything to do with the risk of unauthorized disclosure due to seizure by law enforcement.

Question 50

Q

You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. What is one of the common practices used in your industry that will have to be halted until the resolution of the case?

A. Versioning
B. Patching
C. Threat modeling
D. Secure destruction

Answer

A

D. Secure destruction

Explanation:
Your company will not be allowed to destroy any data for the duration of the legal case because that might constitute tampering with potential evidence. All the other aspects of software development may continue as long as no destructive measures or methods are utilized; all the other options are incorrect.

Question 51

Q

Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going be very difficult to review for pertinence to the case. The senior executive at your firm who is making decisions about this case suggests handing over all data the company has archived for the time frame related to the case, whether or not it may be pertinent, in order to both allow the litigant to find the pertinent data and reduce the costs your company would incur if it performed the reform. What should be your response to the executive?

A. This is an excellent idea; it fulfills the company’s legal requirements and reduces the overall costs of the litigation.
B. This is a good idea; it may alleviate some of the costs associated with the court case.
C. This is a bad idea; the company might not realize the full cost savings that it expects.
D. This is a horrible idea; it could lead to extensive unauthorized disclosure and additional lawsuits.

Answer

A

D. This is a horrible idea; it could lead to extensive unauthorized disclosure and additional lawsuits.

Explanation:
While e-discovery may be a painful, monotonous, expensive process, a vast data dump of the organization’s entire data store would entail massive risk and liability.

Question 52

Q

Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going be very difficult to review for pertinence to the case. Which security control mechanism may also be useful in the e-discovery effort?

A. Trained and aware personnel
B. An egress monitoring solution (data loss prevention or data leak protection [DLP])
C. A digital rights management (DRM) solution
D. A multifactor authentication implementation

Answer

A

B. An egress monitoring solution (data loss prevention or data leak protection [DLP])

Explanation:
Courts can issue seizure orders for anything and everything. All the other options are either incorrect because they are too limited (A and B) or just absurd (D).

Question 53

Q

When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize _______________.

A. Electronic data
B. Hardware
C. Electronic data and the hardware on which it resides
D. Only data extracted from hardware

Answer

A

C. Electronic data and the hardware on which it resides

Explanation:
Courts can issue seizure orders for anything and everything. All the other options are either incorrect because they are too limited (A and B) or just absurd (D).

Question 54

Q

Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case. In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _______________.

A. Their testimony is scripted, and they do not deviate from the script
B. They present only evidence that is favorable to your side of the case
C. They are trained and certified in the tools they used
D. They are paid for their time while they are appearing in the courtroom

Answer

A

C. They are trained and certified in the tools they used

Explanation:
In order to deliver credible, believable expert testimony, it’s important that your personnel have more than an amateur’s understanding and familiarity with any forensic tools they use to perform analysis. Formal training and certification are excellent methods for creating credibility. Scripting testimony is usually frowned on by the court; coaching witnesses how to perform and what to expect in court is all right, but it does not lead to credibility. Option A is incorrect. Your expert witnesses are not allowed to withhold any evidence from their testimony if it is pertinent to the case, even if that evidence aids the other side. Option B is incorrect. You should pay your employees for their time, regardless of whether they’re performing on the job site or in a courtroom, but this has nothing to do with enhancing credibility. Option D is incorrect.

Question 55

Q

In some jurisdictions, it is mandatory that personnel conducting forensic analysis collection or analysis have a proper _______________.

A. Training credential
B. License
C.Background check
D. Approved toolset

Answer

A

B. License

Explanation:
There are certain jurisdictions where forensic data/IT analysis requires licensure (the American states of Texas, Colorado, and Michigan, for example); it is important for you to determine whether this is the case in your jurisdiction before proceeding with any forensic efforts.
It is important for forensic investigators to have proper training, background checks, and approved tools in every jurisdiction, so all the other options are incorrect as they are not specific enough.

Question 56

Q

You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data _______________.

A. Inadmissible
B. Less believable, if the changes aren’t documented
C. Harder to control
D. Easily refutable

Answer

A

B. Less believable, if the changes aren’t documented

Explanation;
All forensics processes and activity should be documented with extreme scrutiny. It is very important for your actions to be documented and repeatable in order for them to remain credible. Evidence is only inadmissible if it has no probative value—that is, if it has no bearing on the case. Modified data is still admissible, as long as the modification process was documented and presented along with the evidence. Option A is incorrect. Option C is ambiguous as to its meaning and is therefore an incorrect choice for an answer. Option D is true if the data modification process is not documented and presented in detail.

Question 57

Q

You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.” What may be the result of this situation?

A. A criminal trial
B. A civil case
C. Both criminal and civil proceedings
D. Federal racketeering charges

Answer

A

C. Both criminal and civil proceedings

Explanation:
The battery is a crime and may be prosecuted as such, and the act may also result in the victim suing the attacker for damages. Options A and B are not sufficient compared to C. Option D is a distractor in this case; battery is not a form of racketeering, unless linked to a larger pattern of crimes.

Question 58

Q

You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.” In this circumstance, who would likely be prosecuted?

A. Your organization
B. The attacker
C. The victim
D. You, as the manager of both parties

Answer

A

B. The attacker

Explanation:
The attacker is the one who committed the crime and is therefore likely to be prosecuted (prosecuted denotes a criminal trial, as opposed to a civil suit). It is unlikely that the company would be prosecuted for causing the crime because the company did not engage in the wrongful behavior; in this case, there was a very specific attacker and victim. Option A is incorrect. The victim does not get prosecuted for crimes committed against them. Option C is incorrect. If you had ordered the attack, or somehow caused it to occur, you might be prosecuted, but this is not detailed in the question and is an unlikely circumstance; option D is incorrect.

Question 59

Q

_______________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.

A. Due care
B. Due diligence
C. Liability
D. Reciprocity

Answer

A

B. Due diligence

Explanation:
This is an example of due diligence. Due care is the duty owed by one entity to another, in terms of a reasonable expectation; option A is incorrect. Liability is the measure of responsibility an entity has for providing due care; option C is incorrect. Answer D has no meaning in this context; option D is incorrect.

Question 60

Q

Which of the following aspects of virtualization make the technology useful for evidence collection?

A. Hypervisors
B. Pooled resources
C. Snapshotting
D. Live Migration

Answer

A

C. Snapshotting

Explanation:
Snapshotting an entire virtual machine or memory device is an excellent method for capturing its current data and settings at a specific moment. Hypervisors do not particularly aid in evidence collection, although they may provide log data; option C is still preferable to option A. Pooled resources actually complicate evidence collection; option B is quite wrong. Live migration does not aid in evidence collection; option D is incorrect.

Question 61

Q

Which of the following practices can enhance both operational capabilities and forensic readiness?

A. Highly trained forensic personnel
B. Regular full backups
C. A highly secure data archive
D. Homomorphic encryption

Answer

A

B. Regular full backups

Explanation:
Backups can serve to provide excellent forensics about incidents that have already occurred and also serve to provide an operational reach-back capability for users that have accidentally lost data or modified it incorrectly.
While highly trained forensic personnel will be very useful in forensic activities, that is not usually an operational benefit. Option A is incorrect. The more secure the data archive, the less useful it is for operational purposes; option C is not as good as option B. Option D is wrong because homomorphic encryption is still theoretical and currently serves no actual purpose.

Question 62

Q

Which of the following practices can enhance both operational capabilities and configuration management efforts?

A. Regular backups
B. Constant uptime
C. Multifactor authentication
D. File hashes

Answer

A

D. File hashes

Explanation:
File hashes can serve as integrity checks for both configuration management (to determine which systems are not configured to the baseline) and audit purposes (as artifacts/common builds of systems for audit review).
Backups and constant uptime may aid in availability efforts for operational purposes, but they don’t really help in configuration management; options A and B are incorrect. Multifactor authentication provides neither configuration management nor forensic benefits; option C is wrong.

Question 63

Q

Which of the following is probably the most volatile form of data that might serve a forensic purpose?

A. Virtual instance
B. RAM Hardware
C. RAM Hypervisor logs
D. Drive storage

Answer

A

A. Virtual instance

Explanation:
Because RAM is inherently volatile, and virtual resources are simulated only for limited time periods, virtual RAM is probably the most volatile data store. Hardware RAM is probably as volatile as virtual RAM, but the virtualization aspect of option A may make it a more suitable answer for this particular question. Log data and drive storage should both be durable and not volatile at all, so options C and D are incorrect.

Question 64

Q

You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrongdoing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection/analysis. What should probably be your response?

A. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data.
B. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it.
C. No. You don’t want the liability of possibly disclosing someone else’s privacy data.
D. No. You don’t want the liability of possibly damaging someone else’s property.

Answer

A

C. No. You don’t want the liability of possibly disclosing someone else’s privacy data.

Explanation:
In a multitenant environment, it is quite likely that any particular piece of hardware will contain data from many customers. In this case, your company may become liable for violating privacy laws for accessing privacy data belonging to another cloud customer, which would increase your company’s exposure (something that could be disastrous because the company is already under investigation).
None, some, or all of the other options might be true, however, the liability of possibly disclosing someone else’s privacy data is an overwhelming business risk; therefore, option C is the best answer.

Answer 65

A

C. The court

Explanation:
This is a very difficult question as all the options are correct. However, the ultimate recipient of all forensic evidentiary collection and analysis—the entity getting the reports—will be the court, in order to make a final determination of its merits and insights.

Answer 66

A

C. Alternative explanations

Explanation:
It’s important to present a full view of the evidence, including any alternative findings that were considered but eliminated through reason.
This serves many purposes, not the least of which is strengthening your case in the minds of those who hear your testimony. Your professional opinion is vital, but your personal opinion should not have bearing on the case; option A is incorrect. Option B is only incorrect because it limits the presentation to your side of the case, where C is broader and more accurate. Unless instructed by counsel, bringing up similar past activity is not germane to the current case; option D is incorrect.

Answer 67

A

A. The original

Explanation:
An integrity check comparing the copy to the original is essential so that the report can demonstrate that none of the data was lost or tampered with before analysis begins. All the other options are simply incorrect for integrity check purposes.

Answer 68

A

B. The evidence custodian

Explanation:
The evidence custodian is the person designated to maintain the chain of custody for the duration of the investigation. All the other options could be roles of people who are tasked with custodianship.

Answer 69

A

D. A write-blocker

Explanation:
It is important that any changes to the data only be made in purposeful, specific ways; a write-blocker helps to ensure that extraneous changes aren’t made to the data.
The other options are not necessary for accessing an electronic storage file for forensic purposes. Options A, B, and C are incorrect.

Answer 70

A

D. Tests should be tailored and customized for specific purposes.

Explanation:
You do not want to have unique testing techniques used in your analysis, because those may not be repeatable or accepted by other experts (or the court). All the other options are traits of forensic testing we do want our tests to include.

Answer 71

A

D. Mobile phone number

Explanation:
U.S. laws do not, for the most part, consider cell phone numbers an element of PII; in the EU, they are. All the other options are PII elements under both jurisdictions.

Answer 72

A

B. The EU General Data Protection Regulation (GDPR)

Explanation:
The GDPR contains the provisions under which the Privacy Shield program was implemented. All the other options are all U.S. law and therefore incorrect.

Answer 73

A

C. Privacy officials in Italy and Germany

Explanation:
The EU General Data Protection Regulation (GDPR) requires that multinationals using standard contractual clauses get those clauses approved by the privacy office in every EU member state where the company will operate. Italy and Germany are both EU member states; Brazil is not.

Answer 74

A

D. Processing

Explanation:
Processing includes any manipulation, use, movement, or alteration of data—pretty much anything that can be done with or to data is “processing” (including making and manipulating hard-copy versions of data). Storing data in the cloud is not illegal in most jurisdictions (as long as certain rules are followed, for specific industries and data sets); option A is incorrect. Storing often happens at or soon after the time of collection, but they are not the same function; option B is incorrect. Opt-in is the concept under which a data subject must give clear consent to personally identifiable information (PII) data collection and use; option C is incorrect.

Answer 75

A

C. Federal Trade Commission (FTC)

Explanation:
The FTC is in charge of the Privacy Shield program. The State Department is involved with controlling some exports, under the International Traffic in Arms Regulations (ITAR) regulations; option A is incorrect. There is no Privacy Protection Office; option B is meaningless term and is incorrect. HHS is in charge of managing the Health Information Portability and Accountability Act (HIPAA); option D is incorrect.

Answer 76

A

C. The Capability Maturity Model (CMM)

Explanation:
The CMM is a way of determining a target’s maturity in terms of process documentation and repeatability. The CSA STAR and EuroCloud Star programs are certifications based on applicable control sets and compliance with standards and regulations, not process maturity; options A and D are incorrect. The RMF is National Institute of Standards and Technology (NIST) guidance on how to assess risk in an environment; option B is incorrect.

Answer 77

A

C. Retained for internal use

Explanation:
SOC 2 reports were not designed for dissemination outside the target organization.

Answer 78

A

B. Nondisclosure agreement (NDA)

Explanation:
In order to protect extremely sensitive material that is discussed in the SOC 2, Type 2, the provider may request that you sign an NDA and limit distribution. The provider is the entity that should be seeking CSA STAR certification, not the customer; option C is incorrect. Be wary of any provider that asks for security deposits and/or acts of fealty; options A and D are incorrect.

Answer 79

A

A. The Organisation for Economic Cooperation and Development (OECD) and European Union (EU) General Data Protection Regulation (GDPR)

Explanation:
The AICPA, the OECD, and the EU have all outlined certain basic expectations for entities that are privacy data controllers; these expectations are extremely similar in the documentation produced by all three. All the other options are forms of legislation or regulators that do have some content that addresses privacy; however, option A is the most specific and preferable answer because the privacy principles of the AICPA, OECD, and EU are so very similar.

Answer 80

A

D. Over 200

Explanation:
The PCI DSS is extremely thorough and wide-reaching. All the other options are just wrong.

Answer 81

A

D. Number of transactions per year

Explanation:
The different merchant tiers are based on the number of transactions a specific merchant conducts annually. All the other options are incorrect.

Answer 82

A

B. Different amounts of audits each must conduct

Explanation:
Merchants at different tiers are required to have more or fewer audits in the same time frame as merchants in other tiers, depending on the tier.
All PCI DSS–compliant merchants must meet all the control and audit requirements of the standard; options A and C are incorrect. PCI DSS does not dictate costs of controls; option D is wrong.

Answer 83

A

D. U.S. federal agencies

Explanation:
U.S. federal entities are prohibited from using cryptosystems that are not compliant with FIPS 140-2. All the other options are incorrect because they are not related to FIPS 140-2.

Answer 84

A

A. Vendor lockout

Explanation:
Vendor lock-out can occur when your provider no longer offers the service for which you contracted; it is possible that a merger or acquisition of your provider might lead to this circumstance. All the other options are incorrect because they are not relevant in terms of the question.

Brainscape's Knowledge GenomeTM

Chapter 6: Domain 6: Legal, Risk and Compliance (Ben Malisow) Flashcards

Brainscape's Knowledge Genome^TM