Domain 4 – Information Governance and Risk Management Flashcards

Official (ISC)2 Guide to the HCISPP CBK

1
Q

An organization maintains Protected Health Information in the cloud, on local systems in its offices, and on paper records. Which form of information has the greatest impact on the organization if it is breached?

A. Paper based records
B. Cloud based records
C. Local system based records
D. The impact is the same regardless of media

A

D. The impact is the same regardless of media

2
Q

An oncology practice has outsourced its infrastructure to XYZ corporation. Because the contract contains no limitations, XYZ corporation has further sub-contracted the infrastructure work to another firm, ABC Group. The oncology practice’s infrastructure is responsible for processing, storing, and transmitting the PHI of oncology patients. In this scenario, which organization is affiliated with the information owner/steward who would be held accountable in a breach?

A. The oncology practice
B. XYZ corporation
C. ABC Group
D. None as the contracting relationship has created a transference of risk.

A

A. The oncology practice

3
Q

The following represents four basic steps in managing risk. Place them in the correct sequential order:

  1. Monitoring risk - continuously monitor the risk environment
  2. Assessing risk – identify threats, vulnerabilities, impact, likelihood, and determine risk
  3. Framing risk - produce the risk strategy, identify risk tolerance, assumptions, and constraints
  4. Responding to risk – identify a consistent manner to respond to risk from an organization-wide perspective

A. 1, 2, 3, 4
B. 4, 3, 2, 1
C. 3, 2, 4, 1
D. 2, 1, 4, 3

A

C. 3, 2, 4, 1

4
Q

Organizational risk tolerance is BEST established by

A. Senior leadership.
B. Information system owner.
C. Information system security officer.
D. Information owner.

A

A. Senior leadership.

5
Q

An organization is reviewing its financial exposure should a breach occur. A senior penetration tester has determined that in the past it has been breached twice a year, and each time it has cost the organization U.S. $100,000 to mitigate the breach and offer credit monitoring. What is the annual loss expectancy (ALE) for the organization?

A. U.S. $50,000
B. U.S. $25,000
C. U.S. $200,000
D. U.S. $250,000

A

C. U.S. $200,000

6
Q

Annual loss expectancy or ALE is a form of:

A. Qualitative risk assessment.
B. Quantitative risk assessment.
C. Qualitative and quantitative risk assessment.
D. Continuous monitoring.

A

B. Quantitative risk assessment.

7
Q

Which of the following classes of controls are primarily implemented and executed through mechanisms contained in the hardware, software, and firmware of the components of the system?

A. Technical Controls
B. Managerial Controls
C. Operational Controls
D. Physical Controls

A

A. Technical Controls

8
Q

An organization has just completed a risk assessment. The assessment returned a single finding with a “low” risk to the organization. The cost to mitigate or transfer the risk would be U.S. $1.5 million, and if the risk were exploited, no PHI or sensitive information would be lost, but the organization’s public website would be down for 10 to 15 seconds no more than twice a year. The organization earns about U.S. $1 million in revenue every year. What is the BEST risk treatment approach?

A. Transfer risk
B. Avoid risk
C. Mitigate risk
D. Accept risk

A

D. Accept risk

9
Q

Consider the NIST risk management framework below: If an organization has adopted NIST as its risk management framework, which step is MOST important in ensuring proper risk management?

A. Continuous monitoring
B. Implement security controls
C. Authorize information system
D. Categorize information system

A

D. Categorize information system

10
Q

A remediation plan or plan of actions and milestones (POA&M) is MOST effective when it contains the following:

A. system downtime, resources required, responsible person, and a date for completion
B. list of activities, resources required, responsible person, and a date for completion
C. list of activities, system downtime, responsible person, and a date for completion
D. list of activities, resources required, responsible person, and system downtime

A

B. list of activities, resources required, responsible person, and a date for completion
