Domain 2 - Regulatory Environment Flashcards

Official (ISC)2 Guide to the HCISPP CBK

1
Q

An organization needs to use data flow modeling to develop a system that will boot securely, perform routine checks to ensure the system is still secure, and perform security checks based on certain activities. Which data flow model BEST describes this approach?

A. State Machine Model
B. Multilevel Lattice Model
C. Noninterference Model
D. Information flow Model

A

A. State Machine Model

2
Q

The Bell-LaPadula security model allows ________.
A. Objects to read information from subjects at a similar classification level or at lower levels, but they are barred from reading any information from objects classified at a higher level of confidentiality.
B. Subjects to read information from objects at a higher classification level or at lower levels, but they are barred from reading any information from objects classified at a lower level of confidentiality.
C. Subjects to read information from objects at a similar classification level or at lower levels, but they are barred from reading any information from objects classified at a higher level of confidentiality.
D. Subjects to read information from objects at a similar classification level or at higher levels, but they are barred from reading any information from objects classified at a lower level of confidentiality.

A

C. Subjects to read information from objects at a similar classification level or at lower levels, but they are barred from reading any information from objects classified at a higher level of confidentiality.

3
Q

To avoid disclosure according to the “* property”, ________.

A. The subject would be able to write information to objects at a similar classification level or lower levels but would be barred from writing any information to objects classified at a higher level of confidentiality.
B. The object would be able to write information to subjects at a similar classification level or higher levels but would be barred from writing any information to subjects classified at a lower level of confidentiality.
C. The object would be able to write information to subjects at a similar classification level or lower levels but would be barred from writing any information to objects classified at a higher level of confidentiality.
D. The subject would be able to write information to objects at a similar classification level or higher levels but would be barred from writing any information to objects classified at a lower level of confidentiality.

A

D. The subject would be able to write information to objects at a similar classification level or higher levels but would be barred from writing any information to objects classified at a lower level of confidentiality.

4
Q

The Biba simple integrity model ensures ________.
A. The subject is prevented from reading from more accurate objects but can read from objects that are less accurate than the subject needs.
B. The object is prevented from reading from less accurate subjects but can read from subjects that are more accurate than the object needs.
C. The object is prevented from reading from more accurate subjects but can read from subjects that are less accurate than the object needs.
D. The subject is prevented from reading from less accurate objects but can read from objects that are more accurate than the subject needs.

A

D. The subject is prevented from reading from less accurate objects but can read from objects that are more accurate than the subject needs.

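The Bell-LaPadula and Biba cards above (cards 2, 3 and 4) describe four rules that are easy to mix up: BLP "no read up" and "no write down" for confidentiality, Biba "no read down" and "no write up" for integrity. The script below is an added example written for this page; it is not from the Official (ISC)2 Guide. The confidentiality and integrity lattices, the subject/object levels and the sample requests are all constructed assumptions chosen to exercise each rule once in the allowed and once in the denied direction.

```python
from enum import IntEnum


# Assumed confidentiality lattice for Bell-LaPadula (higher value = more sensitive).
class Conf(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Assumed integrity lattice for Biba (higher value = more trustworthy / "accurate").
class Integ(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def blp_read_ok(subject: Conf, obj: Conf) -> bool:
    """Simple security property: read at own level or below, never above (no read up)."""
    return subject >= obj


def blp_write_ok(subject: Conf, obj: Conf) -> bool:
    """*-property: write at own level or above, never below (no write down),
    so a high-clearance subject cannot leak data into a low-level object."""
    return subject <= obj


def biba_read_ok(subject: Integ, obj: Integ) -> bool:
    """Simple integrity property: read at own level or above, never below (no read down),
    so a trusted subject is not contaminated by less accurate data."""
    return subject <= obj


def biba_write_ok(subject: Integ, obj: Integ) -> bool:
    """*-integrity property: write at own level or below, never above (no write up)."""
    return subject >= obj


def decide(model: str, op: str, subject, obj) -> bool:
    """Reference-monitor style dispatcher: True if the request is permitted under the model."""
    rules = {
        ("blp", "read"): blp_read_ok,
        ("blp", "write"): blp_write_ok,
        ("biba", "read"): biba_read_ok,
        ("biba", "write"): biba_write_ok,
    }
    return rules[(model, op)](subject, obj)


# Constructed sample requests (hypothetical, not taken from the page).
SAMPLE_REQUESTS = [
    ("blp", "read", Conf.SECRET, Conf.CONFIDENTIAL),   # read down: allowed
    ("blp", "read", Conf.SECRET, Conf.TOP_SECRET),     # read up: denied
    ("blp", "write", Conf.SECRET, Conf.TOP_SECRET),    # write up: allowed
    ("blp", "write", Conf.SECRET, Conf.CONFIDENTIAL),  # write down: denied
    ("biba", "read", Integ.MEDIUM, Integ.HIGH),        # read up: allowed
    ("biba", "read", Integ.MEDIUM, Integ.LOW),         # read down: denied
    ("biba", "write", Integ.MEDIUM, Integ.LOW),        # write down: allowed
    ("biba", "write", Integ.MEDIUM, Integ.HIGH),       # write up: denied
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (model, op, subject_level, object_level, allowed) for each request."""
    return [(m, op, s.name, o.name, decide(m, op, s, o)) for m, op, s, o in requests]


if __name__ == "__main__":
    for m, op, s, o, ok in evaluate():
        print(f"{m:4} {op:5} subject={s:12} object={o:12} -> {'ALLOW' if ok else 'DENY'}")
```

Note that the two models are mirror images: the BLP comparison operators are exactly reversed in Biba, which is why a system needing both confidentiality and integrity (the "accurate" wording in card 4 refers to integrity levels) typically ends up confining subjects to a single level for both reading and writing.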
5
Q

Which of the following models focuses on preventing conflict of interest when a given subject has access to objects with sensitive information associated with two competing parties?

A. Clark-Wilson
B. Brewer-Nash
C. Biba
D. Bell-LaPadula

A

B. Brewer-Nash

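Brewer-Nash (the "Chinese Wall" model from card 5) differs from the lattice models because the decision depends on the subject's access history, not on fixed labels. The following is an added example for this page, not code from the Official (ISC)2 Guide: it groups datasets into conflict-of-interest classes and denies access to a competitor's data once a subject has touched a company in the same class. The dataset catalogue, company names and subject names are constructed assumptions.

```python
from collections import defaultdict

# Constructed catalogue (hypothetical): dataset -> (company, conflict-of-interest class).
DATASETS = {
    "bankA_ledger": ("BankA", "banking"),
    "bankB_ledger": ("BankB", "banking"),
    "oilX_reserves": ("OilX", "oil"),
    "oilY_reserves": ("OilY", "oil"),
}


class ChineseWall:
    """Brewer-Nash policy: what a subject may access depends on what it has already accessed."""

    def __init__(self, datasets):
        self.datasets = datasets
        self.history = defaultdict(set)  # subject -> set of companies already accessed

    def _coi_of(self, company):
        """Conflict-of-interest class that a company belongs to."""
        return next(coi for (c, coi) in self.datasets.values() if c == company)

    def can_read(self, subject, dataset):
        """Read rule: allowed if the subject already accessed this company, or if it has
        accessed no other company in the same conflict-of-interest class."""
        company, coi = self.datasets[dataset]
        seen = self.history[subject]
        if company in seen:
            return True
        return all(self._coi_of(c) != coi for c in seen)

    def read(self, subject, dataset):
        """Perform a read if permitted, recording it so the wall 'closes' behind the subject."""
        if not self.can_read(subject, dataset):
            return False
        self.history[subject].add(self.datasets[dataset][0])
        return True

    def can_write(self, subject, dataset):
        """Write rule: allowed only if the subject can read the target and has read no other
        company's (unsanitized) data, so nothing can be copied across the wall via an object."""
        company, _ = self.datasets[dataset]
        return self.can_read(subject, dataset) and self.history[subject] <= {company}


def demo():
    """Walk two constructed subjects through the wall and return each decision."""
    wall = ChineseWall(DATASETS)
    results = []
    results.append(wall.read("analyst", "bankA_ledger"))        # True: first access
    results.append(wall.read("analyst", "oilX_reserves"))       # True: different class
    results.append(wall.read("analyst", "bankB_ledger"))        # False: conflicts with BankA
    results.append(wall.read("analyst", "bankA_ledger"))        # True: same company again
    results.append(wall.can_write("analyst", "bankA_ledger"))   # False: also holds OilX data
    results.append(wall.read("auditor", "oilX_reserves"))       # True: fresh subject
    results.append(wall.can_write("auditor", "oilX_reserves"))  # True: only OilX in history
    return results


if __name__ == "__main__":
    for step, ok in enumerate(demo(), 1):
        print(f"step {step}: {'ALLOW' if ok else 'DENY'}")
```

The practical consequence is that the policy must persist history durably; if the access log is lost or resettable by the subject, the wall silently reopens, which is the failure mode an assessor should look for in any real implementation of this model.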
6
Q

Which of the following is designed to protect the goodwill a merchant or vendor invests in its products by creating exclusive rights to the owner of markings that the public uses to identify various vendor or merchant products or goods?

A. Copyright
B. Criminal Law
C. Due Diligence
D. Trademark

A

D. Trademark

7
Q

An organization wishes to use 1,500 patient health records for research. The organization operates in the United States and is subject to HIPAA. The organization has decided to remove eighteen personal identifiers from each record to de-identify the information in accordance with HIPAA. The act of removing the information in accordance with the law is BEST described as ________.

A. Safe Harbor
B. Expert Determination
C. Risk Transference
D. Risk Avoidance

A

A. Safe Harbor

8
Q

A nurse working the floor is approached by an individual claiming to be a psychotherapy patient’s mother. The person requests access to the patient’s psychotherapy notes. According to HIPAA, which of the following responses BEST describes what the nurse can disclose?

A. Once the individual is verified as the patient’s mother, the nurse may disclose critical psychotherapy information pertinent to the care of the patient.
B. Nothing. The nurse may not disclose any information related to the psychotherapy information to anyone except the patient or the creator of the notes.
C. Once the individual is verified as the patient’s mother, the nurse must ask the mother to complete a non-disclosure agreement. After the agreement is completed, the nurse may provide the information.
D. Nothing. The nurse may not disclose any information related to the psychotherapy to anyone including the patient or the creator of the notes.

A

B. Nothing. The nurse may not disclose any information related to the psychotherapy information to anyone except the patient or the creator of the notes.

9
Q

The U.S. Affordable Care Act requires ________.

A. Operating rules for each of the HIPAA covered transactions; a unique, standard Health Plan Identifier (HPID); and a standard and operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) and PHI processing when performed within the law and scope of “public interest.”
B. Operating rules for each of the HIPAA covered transactions; a unique, standard Health Plan Identifier (HPID); and a standard and operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) and claims attachments.
C. PHI processing when performed within the law and scope of “public interest” and a standard and operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA).
D. Operating rules for each of the HIPAA covered transactions; PHI processing when performed within the law and scope of “public interest”; and a standard and operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) and claims attachments.

A

B. Operating rules for each of the HIPAA covered transactions; a unique, standard Health Plan Identifier (HPID); and a standard and operating rules for Electronic Funds Transfer (EFT) and Electronic Remittance Advice (ERA) and claims attachments.

10
Q

An information security assessment has determined that numerous controls are not in place to help protect an organization’s information system. The organization’s leader states they will defer acceptance of any risk but refuses to shut down or limit the operation of the affected systems. Can the leader do this?

A. Yes because she is the leader of the organization, and it is her decision to make.
B. Yes, major risk management frameworks such as ISO and NIST support not accepting risk while allowing system operation.
C. No, the organizational leader is not the ultimate authority for risk acceptance decisions.
D. No, it is not possible to be aware of risks due to system operation and not accept them by default if a system is running.

A

D. No, it is not possible to be aware of risks due to system operation and not accept them by default if a system is running.
