CHP 14 Flashcards

1
Q

Policies

A

Rules: the framework for operations, decision-making, and behaviors, setting the rules for a compliant and ethical corporate culture.

2
Q

SDLC

A

SDLC policies govern software development within an organization.

3
Q

ISO/IEC 27001

A

An international standard that provides an information security management system (ISMS) framework to ensure adequate and proportionate security controls are in place.

3
Q

CDE

A

The Cardholder Data Environment (CDE) refers to the network of people, processes, and technologies that store, process, or transmit cardholder data.

4
Q

ISO/IEC 27002

A

This is a companion standard to ISO 27001 and provides detailed guidance on specific controls to include in an ISMS.

5
Q

ISO/IEC 27017

A

An extension to ISO 27001 and specific to cloud services.

6
Q

ISO/IEC 27018

A

Another extension to ISO 27001, specific to protecting personally identifiable information (PII) in public clouds.

7
Q

FIPS

A

FIPS (Federal Information Processing Standards) are standards and guidelines developed by NIST for federal computer systems in the United States that specify requirements for cryptography.

8
Q

SOX

A

The Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures.

9
Q

FISMA

A

The Federal Information Security Management Act (FISMA) is a United States law enacted in 2002 to protect government information and operations against threats.

10
Q

GLBA

A

A United States federal law that requires financial institutions to protect the privacy of consumers' personal financial information.

11
Q

PIPEDA

A

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.

12
Q

Healthcare

A

Health Insurance Portability and Accountability Act (HIPAA) (United States)
The General Data Protection Regulation (GDPR) (European Union)

13
Q

Financial Services

A

Gramm-Leach-Bliley Act (GLBA) (United States)
Payment Card Industry Data Security Standard (PCI DSS) (Contractual obligation)

14
Q

Telecommunications

A

Communications Assistance for Law Enforcement Act (CALEA) (United States)
“Allows LE to tap phones”

15
Q

Energy

A

North American Electric Reliability Corporation (NERC) (United States and Canada)

15
Q

Education & Children

A

Family Educational Rights and Privacy Act (FERPA) (United States)
Children’s Internet Protection Act (CIPA) (United States)
Children's Online Privacy Protection Act (COPPA) (United States)

16
Q

Government

A

Federal Information Security Modernization Act (FISMA) (United States)
Criminal Justice Information Services (CJIS) Security Policy (United States)
The Government Security Classifications (GSC) (United Kingdom)

17
Q

Several mission-essential applications stopped working the morning after a mandatory security update was implemented; the update introduced several instabilities in existing software. What could have prevented this from occurring?

A. Stakeholders
B. Change management
C. Dependencies
D. Request for change

A

B

18
Q

A properly implemented change plan helps keep business operations moving forward. Restarts, dependencies, and downtime go hand-in-hand with change management. When is the BEST time to implement changes? (Select the two best options.)

A. After the workday
B. Off-peak times
C. Peak times
D. Maintenance windows

A

B, D

19
Q

A healthcare provider’s IT manager wants to automate routine tasks within its network security management. This automation will free up IT staff time and enhance system defenses. Potential risks are a concern, and the manager wants to implement automation securely. What strategies should the IT manager prioritize to achieve secure automation, considering both efficiency and potential risks?

A. Implementing a manual approval process for all automated tasks
B. Utilizing automation tools with built-in security features and compliance monitoring
C. Introducing a proprietary system for automation without collaboration with security experts
D. Outsourcing the development of automation scripts to a specialized cybersecurity firm

A

B

20
Q

A manager reprimands an IT employee because the employee did not follow instructions on the server build. Each server’s configuration was different, including different software and settings. What should the employee have followed to build the server correctly?

A. Standards
B. Access control models
C. Policy
D. Guidelines

A

A

21
Q

An IT manager prepares a proposal to implement change management. Before being able to start the program, the manager needs support from key personnel within every department. What key personnel does the manager need support from?

A. Controller
B. Owner
C. Stakeholders
D. Processor

A

C