Chapter 6: Domain 6: Legal, Risk and Compliance (Ben Malisow) Flashcards
Which of the following is a U.S. audit standard often used to evaluate cloud providers?
A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770
C. SSAE 18
Explanation:
The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certified Public Accountants) attestation standard under which SOC reports on service organizations, including cloud providers, are issued.
ISO/IEC 27001 is an international standard specifying requirements for an information security management system (ISMS); organizations are certified against it, but it is not a U.S. audit standard. The Sarbanes-Oxley Act (SOX) is a U.S. law pertaining to publicly traded corporations. There is no such thing as the IEC 43770 standard.
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program has _______________ tiers.
A. Two
B. Three
C. Four
D. Eight
B. Three
Explanation:
The STAR program has three tiers.
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program’s tier of self-assessment is which of the following?
A. Tier 1
B. Tier 2
C. Tier 5
D. Tier 8
A. Tier 1
Explanation:
Tier 1 is the lowest tier of the STAR program, involving only self-assessment.
Alice and Bob want to use the Internet to communicate privately. They each have their own asymmetric key pairs and want to use them to create temporary symmetric keys for each connection or session. Which of the following will enable them to do this?
A. Remote Authentication Dial-In User Service (RADIUS)
B. Rivest-Shamir-Adleman (RSA) encryption
C. Diffie-Hellman exchange
D. Terminal Access Controller Access-Control System (TACACS)
C. Diffie-Hellman exchange
Explanation:
The Diffie-Hellman key exchange process is designed to allow two parties to agree on a shared secret (from which a symmetric session key is derived) over an untrusted medium; using a fresh exponent for every session gives forward secrecy, and the parties' long-term asymmetric keys are used to sign the exchanged values so that a man-in-the-middle cannot substitute its own. RADIUS is an authentication, authorization and accounting (AAA) protocol for network access, not a key agreement mechanism. RSA is a public-key cryptosystem used for encryption and digital signatures; it can transport a key chosen by one side but does not perform key agreement. TACACS (today TACACS+) is an AAA protocol set used through a centralized server.
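The exchange described in the answer above, as an added example that is not part of the flashcard set: ephemeral Diffie-Hellman in Python over the RFC 3526 2048-bit MODP group (Group 14), using only the standard library. It shows both sides of one session, validates the group parameters and the peer's public value before use, and derives the symmetric session key by hashing the shared secret together with the transcript. It does not implement the signatures over the public values that the question's long-term asymmetric keys would provide; without that step the exchange is vulnerable to a man-in-the-middle. Function and variable names are the example's own.

```python
"""Ephemeral finite-field Diffie-Hellman with the parameter and peer-value
checks a practitioner adds.  Added example, not from the flashcard set."""
import hashlib
import secrets

# RFC 3526 "Group 14": 2048-bit MODP safe prime p = 2q + 1, generator g = 2.
# The constant is verified by is_safe_prime_group() before use rather than trusted.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # order of the prime-order subgroup generated by G


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random witnesses; 16 rounds is ample for a fixed constant."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # no square hit n-1: composite
    return True


def is_safe_prime_group(p, g):
    """Require a >= 2048-bit safe prime and a generator of the order-q subgroup."""
    q = (p - 1) // 2
    return (p.bit_length() >= 2048 and is_probable_prime(p)
            and is_probable_prime(q) and pow(g, q, p) == 1)


def generate_keypair():
    """Fresh ephemeral exponent for this session only; never reused or stored."""
    priv = secrets.randbelow(Q - 1) + 1            # 1 <= priv <= q-1
    return priv, pow(G, priv, P)


def validate_peer_public(pub):
    """Reject 0, 1, p-1 and any value outside the prime-order subgroup
    (small-subgroup and degenerate-key checks)."""
    return 1 < pub < P - 1 and pow(pub, Q, P) == 1


def derive_session_key(priv, peer_pub, pub_a, pub_b):
    """Shared secret -> 256-bit symmetric key.  The transcript (both public
    values, in the fixed order Alice then Bob) is hashed in so the key is bound
    to exactly what was exchanged."""
    if not validate_peer_public(peer_pub):
        raise ValueError("peer public value rejected")
    shared = pow(peer_pub, priv, P)
    size = (P.bit_length() + 7) // 8
    h = hashlib.sha256()
    for v in (shared, pub_a, pub_b):
        h.update(v.to_bytes(size, "big"))
    return h.digest()


def run_exchange():
    """Both sides of one session.  Returns (alice_key, bob_key)."""
    if not is_safe_prime_group(P, G):
        raise RuntimeError("group parameters failed validation")
    a_priv, a_pub = generate_keypair()             # Alice -> Bob: a_pub
    b_priv, b_pub = generate_keypair()             # Bob -> Alice: b_pub
    k_alice = derive_session_key(a_priv, b_pub, a_pub, b_pub)
    k_bob = derive_session_key(b_priv, a_pub, a_pub, b_pub)
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("session keys match:", ka == kb, "key prefix:", ka.hex()[:16])
```

Run the file directly to perform one exchange and print whether the two derived keys match. The safe-prime check is deliberately run on the pasted constant: a single wrong hex digit would silently turn the group into one where the subgroup check no longer means anything, and validating parameters before use is the same discipline that catches a weak or backdoored group handed to you by a peer.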
Under European Union (EU) law, a cloud customer who gives sensitive data to a cloud provider is still legally responsible for the damages resulting from a data breach caused by the provider; the EU would say that it is the cloud customer’s fault for choosing the wrong provider. This is an example of insufficient _______________.
A. Proof
B. Evidence
C. Due diligence
D. Application of reasonableness
C. Due diligence
Explanation:
A party who does not perform sufficient due diligence in choosing a contractor can be held accountable for the actions of that contractor. Under the GDPR this is explicit: the data controller remains responsible for its processing and may engage only processors that provide sufficient guarantees of compliance, so a breach at a carelessly chosen provider is still the customer's liability.
Which of the following is not an enforceable governmental request?
A. Warrant
B. Subpoena
C. Court order
D. Affidavit
D. Affidavit
Explanation:
An affidavit is only a form of formal testimony presented to the court. All the other options are enforceable governmental requests.
Which of the following is not a way of managing risk?
A. Mitigation
B. Acceptance
C. Avoidance
D. Streamlining
D. Streamlining
Explanation:
Streamlining is a nonsense term in this context. All the other options represent normal ways of addressing risk. Mitigation is the use of controls to attenuate the impact or likelihood (or both) of a risk, acceptance is allowing the business to function with no further action (with the residual risk documented and approved), and avoidance is halting the business function that carries the risk. The fourth standard option, transference (for example, insurance or contractual shifting of liability), is not listed here.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Amorphous curtailment principle
B. Collection limitation principle
C. State-based incorporation principle
D. Hard-copy instantiation principle
B. Collection limitation principle
Explanation:
The collection limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict data collection to only information that is necessary for the transaction, and only with the knowledge and permission of the individual. The other options are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Data quality principle
B. Transformative neologism principle
C. Encryption matrices principle
D. Restful state principle
A. Data quality principle
Explanation:
The data quality principle requires any entity that gathers personally identifiable information (PII) about a person to keep that data relevant to the purposes for which it is used and, to the extent necessary for those purposes, accurate, complete and up to date. (The data subject's right to have data corrected falls under the related individual participation principle.) The other answers are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Archipelago enhancement principle
B. Solidity restoration principle
C. Netherworking substrate principle
D. Purpose specification principle
D. Purpose specification principle
Explanation:
The purpose specification principle requires any entity that gathers personally identifiable information (PII) about a person to clearly state the explicit purpose for which the PII will be used. The other answers are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Use limitation principle
B. Erstwhile substitution principle
C. Flatline cohesion principle
D. Airstream fluidity principle
A. Use limitation principle
Explanation:
The use limitation principle requires any entity that gathers personally identifiable information (PII) about a person to restrict the use of that PII to that which was permitted by the data subject and the reason given when it was collected. The other answers are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Transient data principle
B. Security safeguards principle
C. Longtrack resiliency principle
D. Arbitrary insulation principle
B. Security safeguards principle
Explanation:
The security safeguards principle requires any entity that gathers personally identifiable information (PII) about a person to protect that data against unauthorized access and modification. The other answers are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
A. Volcanic principle
B. Inherency principle
C. Repository principle
D. Openness principle
D. Openness principle
Explanation:
The openness principle requires any entity that gathers personally identifiable information (PII) to be open about its practices and policies with respect to personal data: the existence and nature of the data it holds, the main purposes of its use, and the identity and location of the data controller. (The individual's right to obtain access to their own data is stated separately in the OECD's individual participation principle.) The other answers are meaningless in this context.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. The OECD privacy principles influenced which lawmaking body and are readily apparent in the law(s) it created?
A. U.S. Congress
B. European Union (EU)
C. Politburo
D. International Organization for Standardization (ISO)
B. European Union (EU)
Explanation:
The EU crafted first the Data Protection Directive (95/46/EC) and then the General Data Protection Regulation (GDPR) largely according to the OECD guidelines. The U.S. Congress has (at the time of this writing) made no broad federal privacy law and instead has treated personal privacy on an industry-by-industry basis. The Soviet Politburo no longer exists, and was never a legislature in this sense. ISO is a standards body, not a lawmaking body.
Which of the following is not a way in which an entity located outside the European Union (EU) can be allowed to gather and process privacy data belonging to EU citizens?
A. Be located in a country with a nationwide law that complies with the EU laws.
B. Appeal to the EU High Court for permission.
C. Create binding contractual language that complies with the EU laws.
D. Join the Privacy Shield program in its own country.
B. Appeal to the EU High Court for permission.
Explanation:
The General Data Protection Regulation prohibits transfers of personal data of data subjects in the EU to a third country unless a recognized transfer mechanism applies. The mechanisms contemplated by this question are: the entity's own country is covered by an EU adequacy decision because its nationwide law offers protection equivalent to EU law; the entity adopts contractual language that complies with EU law (standard contractual clauses approved by the European Commission, or binding corporate rules approved by a supervisory authority); or the entity voluntarily joins a certification program negotiated with the EU, such as the EU-U.S. Privacy Shield. There is no process for an entity to appeal to an EU court for permission. Note that Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II); its successor for U.S. entities is the EU-U.S. Data Privacy Framework, found adequate by the Commission in July 2023.
The Privacy Shield program is _______________.
A. Voluntary for non–European Union (EU) entities
B. Mandatory for all EU entities
C. Mandatory for all non-EU entities
D. Voluntary for all EU entities
A. Voluntary for non–European Union (EU) entities
Explanation:
The Privacy Shield program was for U.S. entities (a parallel Swiss-U.S. framework also existed), whose country has no nationwide privacy law recognized as adequate by the EU; no entity was required to join, but those that did not needed another transfer mechanism (such as standard contractual clauses) before collecting and processing personal data of data subjects in the EU. Entities within the EU are already subject to the General Data Protection Regulation and therefore are neither eligible for nor benefited by the program. (Privacy Shield was invalidated in July 2020 and has been succeeded by the EU-U.S. Data Privacy Framework.)
Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?
A. Canada
B. United States
C. Switzerland
D. Japan
B. United States
Explanation:
The United States does not have a general nationwide privacy law that the EU recognizes as adequate; it instead has created industry-specific privacy laws. Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) has been found adequate for commercial organizations, as have the national laws of Switzerland and Japan.
Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?
A. Argentina
B. Israel
C. Australia
D. Brazil
D. Brazil
Explanation:
Brazil's Lei Geral de Proteção de Dados (LGPD, in force since 2020) has not been the subject of an EU adequacy decision, so for the purposes of this question Brazil is the intended answer. Israel and Argentina both hold EU adequacy decisions. Note, however, that Australia does not: its federal Privacy Act 1988 has never been found adequate by the European Commission, so option C is also defensible in practice.
In the United States, who manages the Privacy Shield program for voluntary compliance with European Union (EU) data privacy laws?
A. Department of State
B. Department of Interior
C. Department of Trade
D. Department of Commerce
D. Department of Commerce
Explanation:
The Department of Commerce (through its International Trade Administration) managed the Privacy Shield program in the United States and now administers its successor, the EU-U.S. Data Privacy Framework; the Departments of State and Interior do not. There is no Department of Trade.
You’re a sophomore at a small, private medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?
A. Sarbanes-Oxley Act (SOX)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)
A. Sarbanes-Oxley Act (SOX)
Explanation:
SOX is only applicable to publicly traded corporations, not all organizations. HIPAA may be applicable to the data you work with as a medical student, if you work with protected health information. PCI DSS applies to the college as a merchant handling your debit card data. FERPA protects your education records.
U.S. federal entities are required to use cloud data centers within the borders of the United States only. Which law, standard, or requirement mandates this?
A. Federal Information Security Management Act (FISMA)
B. Federal Risk and Authorization Management Program (FedRAMP)
C. Organisation for Economic Cooperation and Development (OECD)
D. General Data Protection Regulation (GDPR)
B. Federal Risk and Authorization Management Program (FedRAMP)
Explanation:
The FedRAMP standard dictates that American federal agencies must retain their data within the boundaries of the United States, including data within cloud data centers. FISMA is the federal law requiring agencies to comply with National Institute of Standards and Technology (NIST) guidance; FedRAMP is the cloud-specific program built on that guidance, so option A is broader than B and B is the better answer. The OECD and the GDPR are not U.S. requirements.
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program includes a level of certification for cloud providers that acquire third-party assessments of their environment and controls. Which STAR level is this?
A. 1
B. 2
C. 3
D. 4
B. 2
Explanation:
Level 2 of the CSA STAR program requires third-party assessment of the provider. Level 1 is a self-assessment; option A is incorrect. Level 3 requires continual monitoring by a third party; option C is incorrect. There is no Level 4 of the STAR program.
_______________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users’ and clients’ privacy data.
A. Due care
B. Due diligence
C. Liability
D. Reciprocity
A. Due care
Explanation:
This is an example of due care. Due diligence is the processes and activities used to ensure that due care is maintained; option B is incorrect. Liability is the measure of responsibility an entity has for providing due care; option C is incorrect. Option D has no meaning in this context.
Under European Union law, what is the difference between a directive and a regulation?
A. A directive is enforced by the member states; a regulation is enforced by an international body.
B. A directive is put in place by statute; a regulation is put in place by precedent.
C. A directive is for local laws; a regulation is for laws dealing with matters outside the EU.
D. A directive allows member states to create their own laws; a regulation is applied to all member states.
D. A directive allows member states to create their own laws; a regulation is applied to all member states.
Explanation:
The CCSP candidate is probably most familiar with the European Union's (EU's) Data Protection Directive and General Data Protection Regulation in this regard. The directive allows every member country to create its own law that is compliant with the directive; the regulation mandates that all countries comply with the regulation itself. Both directives and regulations can be enforced by member states or by the Court of Justice of the European Union; option A is not correct. Both directives and regulations are statutory; option B is not correct. Both directives and regulations deal with both internal EU matters and those that extend outside Europe; option C is not correct.
You work for a European government agency providing tax counseling services to taxpayers. On your website home page, you include a banner with the following text: “As a visitor to this website, I agree that any information I disclose to the Tax Counseling Agency can be used for any and all purposes under the General Data Protection Regulation (GDPR).” This is followed by a button that says, “I Agree”: users have to click the button, or they are taken to a page that says, “Goodbye. Thank you for visiting the Tax Counseling Agency, and have a nice day.” This method of collecting personal information is _______________.
A. Illegal under the GDPR because it is electronic and needs to be in hard copy
B. Legal under the GDPR
C. Illegal under the GDPR because it doesn’t allow service if the visitor refuses
D. Illegal under the GDPR because it doesn’t ask the nationality of the visitor
C. Illegal under the GDPR because it doesn’t allow service if the visitor refuses
Explanation:
Under the GDPR, consent must be freely given; it is not freely given when provision of a service is conditioned on consent that is not necessary for that service, and a public authority generally cannot rely on consent at all because of the imbalance of power with the data subject. A government service provider therefore cannot refuse service to an individual who declines the data collection. A blanket "any and all purposes" statement also violates the purpose limitation principle. Option A is incorrect; there is no requirement for hard copy. Option B is incorrect because the consent is neither freely given nor specific. Option D is incorrect; the scenario is unlawful whether or not the visitor is asked about their nationality, since the GDPR protects data subjects in the EU regardless of nationality.
Administrative penalties for violating the General Data Protection Regulation (GDPR) can range up to _______________.
A. US$100,000
B. 500,000 euros
C. 20,000,000 euros
D. 1,000,000 euros
C. 20,000,000 euros
Explanation:
Under Article 83 of the GDPR, the upper tier of administrative fines is up to 20,000,000 euros or 4 percent of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. All the other options are incorrect.
The European Union (EU) General Data Protection Regulation (GDPR) addresses performance by _______________.
A. Data subjects
B. Data controllers
C. Data processors
D. Data controllers and processors
D. Data controllers and processors
Explanation:
The GDPR describes requirements for data collection by and transfers to data controllers and processors. All the other options are incorrect.
You are the security manager for a mid-sized nonprofit organization. Your organization has decided to use a software as a service (SaaS) public cloud provider for its production environment. A service contract audit reveals that while your organization has budgeted for 76 user accounts, there are currently 89 active user accounts. Your organization is paying the contract price, plus a per-account fee for every account over the contracted number. This is an example of costs incurred by _______________.
A. Data breach
B. Shadow IT
C. Intrusions
D. Insider Threat
B. Shadow IT
Explanation:
This is the definition of shadow IT: unplanned costs from uncontrolled user activity. This does not constitute a data breach because no data has been disclosed to unauthorized entities; option A is incorrect. This is not an intrusion because no external entity has gained access to the environment; option C is incorrect. While shadow IT may be considered a particular kind of insider threat, we usually consider insider threats as malicious, and shadow IT is typically the result of benign intentions. Option B is better than option D.
An audit against the _______________ will demonstrate that an organization has a holistic, comprehensive security program.
A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. Service Organization Control (SOC) 2, Type 2 report matrix
D. ISO 27001 certification requirements
D. ISO 27001 certification requirements
Explanation:
The ISO 27001 certification is for the information security management system (ISMS), the organization’s entire security program.
The SAS 70 and SSAE 18 are audit standards for service organizations and include some review of security controls but not a cohesive program (and the SAS 70 is outdated, superseded by SSAE 16 and then SSAE 18); options A and B are not correct. SOC reports are the deliverables of SSAE 18 engagements, not a standard for a security program; option C is incorrect.
An audit against the _______________ reporting mechanism will demonstrate that an organization has an adequate security control design.
A. Service Organization Control (SOC) 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
B. SOC 2, Type 1
Explanation:
This is what a SOC 2, Type 1 report is for: it reports on the suitability of the design of controls at a point in time. The SOC 1 is for controls relevant to financial reporting; the SOC 2, Type 2 covers both design and operating effectiveness of controls over a period (typically 6 to 12 months), so it goes beyond what the question asks; and the SOC 3 is a general-use summary of a SOC 2 audit without the detailed control descriptions and test results. The other options are therefore incorrect.
A(n) _______________ includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.
A. Service Organization Control (SOC) report
B. Gap analysis
C. Audit scoping statement
D. Federal guideline
B. Gap analysis
Explanation:
This is the definition of a gap analysis. SOC reports are specific kinds of audits; option A is incorrect. The scoping statement is a pre-audit function that aids both the organization and the auditor to determine what, specifically, will be audited. Option C is incorrect. Federal guidelines are government recommendations on how something should be done. Option D is incorrect.
An audit against the _______________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.
A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. ISO 27002 certification criteria
D. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
C. ISO 27002 certification criteria
Explanation:
ISO/IEC 27002 is the code of practice that describes the controls referenced in Annex A of ISO/IEC 27001 and how to implement them; an organization is certified against 27001, and 27002 supplies the control guidance used to meet it. The SAS 70 and SSAE 18 are audit standards for service organizations and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct.
NIST SP 800-53 allows the organization to craft a set of controls to meet the requirements created for and by the organization when using NIST SP 800-37; option D is incorrect.
An audit scoping statement might include constraints on all of the following aspects of an environment except _______________.
A. Time spent in the production space
B. Business areas and topics to be reviewed
C. Automated audit tools allowed in the environment
D. Not reviewing illicit activities that may be discovered
D. Not reviewing illicit activities that may be discovered
Explanation:
While the auditor is not a law enforcement entity, they will likely have an ethical, if not legal, requirement to report illicit activities discovered during the audit. All the other options are incorrect as they are all facets of audit scoping.