Domain 5 – Information Risk Assessment Flashcards
Official (ISC)2 Guide to the HCISPP CBK
How can a breach of protected health information (PHI) cause an adverse medical outcome due to integrity problems? Select the BEST response from the following:
A. When data is breached, an attacker may attempt to use the victim’s identity to obtain medical services. The victim’s medical record then has erroneous information about the attacker that may cause adverse medical outcomes.
B. When data is breached, a victim may attempt to use the attacker’s identity to obtain medial services. The attacker’s medical record then has erroneous information about the attacker that may cause adverse medical outcomes.
C. A breach by definition affects the integrity of the data being breached and can therefore lead to adverse medical outcomes.
D. Since PHI is considered low risk, there is no possibility of adverse medical outcomes due to breaches and resultant integrity problems.
A. When data is breached, an attacker may attempt to use the victim’s identity to obtain medical services. The victim’s medical record then has erroneous information about the attacker that may cause adverse medical outcomes.
An organization wishes to minimize risk throughout the organization after a risk assessment showed numerous high and moderate risks throughout the enterprise. Senior leadership wants to transfer as much risk as possible in the event of a breach. Which of the following BEST explains a risk transfer option?
A. The organization may transfer all risk to another party. The party will be responsible and held accountable for all facets of risk and recovery should a breach occur. The organization will suffer no impact should a breach occur.
B. The organization may not transfer any risk to another party. The organization is wholly responsible for all risk of information.
C. The organization may transfer certain risk such as financial risk, but other risk such as reputation risk must be managed by the organization.
D. The organization may transfer certain risk such as reputation risk, but financial risk must be managed by the organization.
C. The organization may transfer certain risk such as financial risk, but other risk such as reputation risk must be managed by the organization.
The U.S. HITECH Act requires covered entities to report breaches of people or more to the U.S. HHS Office of Civil Rights.
A. 1
B. 250
C. 500
D. 1000
C. 500
Which of the following roles is MOST responsible for:
- Determining the impact the information has on the mission of
the organization.
- Understanding the replacement cost of the information (if it can be replaced).
- Determining who in the organization or outside of it has a need for the information and under what circumstances the information should be released.
- Knowing when the information is inaccurate or no longer needed and should be destroyed.
A. Senior leadership
B. Information system security officer
C. System owner
D. Information owner/steward
D. Information owner/steward
Why should organizations use records retention schedules that mandate the destruction of information after a set date, period, or non-use trigger?
A. Storage costs are reduced; only relevant information is kept, and this can speed up searching and indexing; litigation holds and eDiscovery are less likely to encounter erroneous, pre-decisional, or deliberative information; and to meet compliance requirements.
B. Storage costs are increased; all information is kept, and this can speed up searching and indexing; litigation holds and eDiscovery is more likely to encounter erroneous, pre-decisional, or deliberative information; and minimize compliance requirements.
C.Storage costs are reduced; litigation holds and eDiscovery are less likely to encounter erroneous, pre-decisional, or deliberative information; and to meet compliance requirements.
D. Storage costs are reduced; only relevant information is kept, and this can speed up searching and indexing; and litigation holds and eDiscovery are less likely to encounter erroneous, pre-decisional, or deliberative information.
A. Storage costs are reduced; only relevant information is kept, and this can speed up searching and indexing; litigation holds and eDiscovery are less likely to encounter erroneous, pre-decisional, or deliberative information; and to meet compliance requirements.
A small practice of thirty-five individuals wants to start performing continuous monitoring and assessment. Considerable debate has risen as to the best approach for performing the assessment. Which of the following approaches provides the BEST approach for a risk assessment?
A. Have the organization’s information system owner conduct the assessment as they already know the most about the systems.
B. Have an external or operationally separate entity perform the assessment so bias is minimized.
C. Have the information system security officer conduct the assessment as they have the most knowledge of information security.
D. Have the information owner/steward perform the assessment.
B. Have an external or operationally separate entity perform the assessment so bias is minimized.
Information security and privacy is the responsibility of from below: in the organization. Please select the BEST answer
A. Everyone
B. Senior leadership
C. The information systems security officer
D. The practice lead
A. Everyone
Complete the following statement with the BEST response: Assessors who conduct vulnerability assessments must be experts in ________.
A. Penetration testing, malware reverse engineering, and incident response.
B. Properly reading, understanding, digesting, and presenting the information obtained from a vulnerability assessment and incident response.
C. Properly reading, understanding, digesting, and presenting the information obtained from a vulnerability assessment to a multidisciplinary, sometimes nontechnical audience.
D. Malware reverse engineering, incident response, and presenting the information obtained from a vulnerability assessment and incident response.
C. Properly reading, understanding, digesting, and presenting the information obtained from a vulnerability assessment to a multidisciplinary, sometimes nontechnical audience.
A rival healthcare provider has hired a hacker to illegally attempt to steal information from a healthcare organization. Which of the following BEST describes the hacker?
A. Risk
B. Likelihood
C. Vulnerability
D. Threat
D. Threat
A security management process is BEST described by which set of controls?
A. Administrative/managerial
B. Operational/physical
C. Technical
D. Detective
A. Administrative/managerial