Domain 6

Question 1

What occurs when a customer is dissuaded from leaving a provider even when it’s the best decision?

Answer 1

Vendor lock-in

Question 2

What’s an industry standard that provides guidance for eDiscovery programs?

Answer 2

ISO 27050

Question 3

What provides industry standard guidance for information privacy programs?

Answer 3

ISO 27701

Question 4

Who is the entity that uses the data on behalf of the owner/controller?

Answer 4

Data processor

Question 5

Who is the person the PII describes?

Answer 5

Data subject

Question 6

Who is the entity that creates the PII?

Answer 6

Data owner/controller

Question 7

Who are entities that regulate the use of PII?

Answer 7

Regulators

Question 8

Is it proper to script a testimony in court?

Answer 8

No, but coaching is okay

Question 9

Is deploying a firewall a risk mitigation strategy?

Answer 9

Yes

Question 10

________ is a strategy where an organization decides to accept the potential risks and associated outcomes of a particular security threat rather than avoiding or mitigating it

Answer 10

Risk acceptance

Question 11

What is a metric that indicates the degree to which your organization requires its information to be protected against confidentiality leaks or compromised data integrity?

Answer 11

Risk tolerance - how much risk you can tolerate

Question 12

What is when an org completely avoids the activity that carries the potential risk.

Answer 12

Risk avoidance

Question 13

This is when you transfer the risk to another party when accepting or avoiding the risk yourself is not feasible

Answer 13

Risk transfer

Question 14

If the risk then happens, the responsibility or loss will not fall solely on one party.

Answer 14

Risk sharing

Question 15

What is the act of adding extra resources, time, or personnel to mitigate the potential impact of a risk.

Answer 15

Risk buffering

Question 16

Involves creating a contingency plan or “Plan B” for certain risks.

Answer 16

Risk strategizing

Question 17

This is the performance of tests (usually many tests) to verify that a project is secure and functions as intended.

Answer 17

Risk testing

Question 18

This allows an organization to determine the potential financial implications of a risk event.

Answer 18

Risk quantification

Question 19

This is the implementation of risk controls to mitigate potential hazards or bad outcomes that may arise during a project or with an enterprise.

Answer 19

Risk reduction

Question 20

This uses digital tools and technologies to transform how businesses recognize, evaluate, control, and reduce risks.

Answer 20

Risk digitization

Question 21

What function tests the effectiveness of controls?

Answer 21

Audit

Question 22

This is when you communicate a change in privacy practices to customers.

Answer 22

Notice

Question 23

This is when you offer customers an opportunity to opt out of use of their data.

Answer 23

Choice and consent

Question 24

This principle says individuals should be able to review and update their personal information.

Answer 24

Access

Question 25

T/F: SOX is applicable to all companies.

Answer 25

False, only publicly traded companies

Question 26

What protects your personal student information?

Answer 26

FERPA

Question 27

What happens when an org decides that taking no action is the most beneficial route to managing a risk?

Answer 27

Risk acceptance

Question 28

What standard applies only to financial institutions but regulates privacy of customers financial info?

Answer 28

GLBA

Question 29

What’s the proper course of action when records are not available?

Answer 29

Write a statement of scope limitation that describes issue and impact on the audit.

Question 30

What prohibits entities w/in a country that has no nationwide privacy laws from gathering or processing privacy data belonging to EU citizens?

Answer 30

GDPR

Question 31

1. Their country has no laws that comply w/ EU laws
2. Entity creates contractual language that complies w/ EU laws and has language approved by each EU country from which the entity wishes to gather citizen data.
3. Entity voluntarily subscribes to its own nation’s privacy shield program

Answer 31

Conditions that allow gathering/processing privacy data for EU citizens for GDPR

Question 32

What’s used to capture the impact on intangible factors such as customer confidence, employee morale, and reputation in a BIA?

Answer 32

Qualitative tools

Question 33

What are audit standards for service providers?

Answer 33

SAS 70 and SSAE 18

Question 34

_________ are how SSAE 18 audits are conducted.

Answer 34

SOC reports

Question 35

What’s the way to verify that an organization is following some specific best practices before you outsource a business function to that organization.

Answer 35

SOC (service organization controls) report

Question 36

What report is based on the Trust Services Criteria (formerly known as the Trust Service Principles) established by the AICPA and focuses on:

Security
Availability
Processing integrity
Confidentiality
Privacy

Answer 36

SOC 2

Question 37

What report evaluates the management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over an extended period of time.

Answer 37

SOC2 Type2

Question 38

What report evaluates the management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time.

Answer 38

SOC2 Type1

Question 39

What is the current AICPA audit standard?

Answer 39

SSAE 18

Question 40

What law helps ensure public companies engage in non-deceptive business accounting practices.

Answer 40

SOX

Question 41

What requires publicly traded companies doing business in the U.S. to establish financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance.

Answer 41

SOX compliance

Question 42

Does digital forensics include creation of data?

Answer 42

No

Question 43

This includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.

Answer 43

Gap analysis

Question 44

This is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met

Answer 44

Gap analysis

Question 45

What’s a good tool for analyzing financial risk?

Answer 45

Quantitative risk assessment

Question 46

What’s a good tool for intangible risks?

Answer 46

Qualitative risk assessment

Question 47

What describes privacy requirements for cloud providers, including annual audit mandate?

Answer 47

ISO 27018

Question 48

What does NIST SP 800-37 describe?

Answer 48

Risk management framework

Question 49

SSN, DL#, state ID#, credit/debit #, bank acct #, medical records, health insurance info are all covered by _____.

Answer 49

California’s data breach notification law

Question 50

What gives a customer better assurance of not being constrained to a given provider?

Answer 50

When the customer can ensure their data will not be ported to a proprietary data format or system

Question 51

T/F: A platform-agnostic data set is less portable and more subject to vendor lock in.

Answer 51

False, it’s more portable and less subject

Question 52

The ease and speed at which a customer can access their own data can influence:

Answer 52

How readily the data might be moved to another provider.

Question 53

What’s the greatest motivating factor for a provider to meet SLAs?

Answer 53

financial penalties

Question 54

What’s the quantitative analysis of all risks facing an organization and their potential impact?

Answer 54

Org’s risk profile

Question 55

What’s the amount of risk an org is willing to accept?

Answer 55

Risk appetite

Question 56

T/F: Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation.

Answer 56

True

Question 57

What addresses the privacy aspect of cloud computing for consumers and was the first international set of privacy controls in the cloud?

Answer 57

ISO 27018

Question 58

What documents a relationship b/w two orgs?

Answer 58

memorandum of agreement

Question 59

What is required to prevent possible destruction of pertinent evidence?

Answer 59

litigation hold

Question 60

PHI is a form of PII that includes _____.

Answer 60

health info

Question 61

What’s the risk that a vendor will not be able to continue operations and a shutdown will adversely impact customers?

Answer 61

Vendor viability

Question 62

What is it called when a vendor prevents a customer from gaining access to their info?

Answer 62

vendor lockout

Question 63

What lowers the probability or impact of risk occuring?

Answer 63

Risk mitigation

Question 64

What addresses issues of data confidentiality?

Answer 64

NDAs

Question 65

Forbids the transfer of data to countries that lack adequate privacy protections

Answer 65

GDPR

Question 66

Requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country.

Answer 66

Clarifying Lawful Overseas Use of Data (CLOUD) Act

Question 67

US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.

Answer 67

Computer export controls

Question 68

Dept of Commerce details limitations on export of encryption products outside the US.

Answer 68

Encryption export controls

Question 69

The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.

Answer 69

Privacy US

Question 70

Legal rules that are created by government entities, such as legislatures/congress.

Answer 70

Laws

Question 71

Rules that are created by governmental agencies.

Answer 71

Regulations

Question 72

Dictate a reasonable level of performance. They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).

Answer 72

Standards

Question 73

A set of guidelines helping organizations improve their security posture.

Answer 73

Frameworks

Question 74

7 articles of constitution

Answer 74

I - legislative
II - executive
III - judicial
IV - defines relationship b/w state/fed gov
V - amending constitution
VI - constitution is supreme law of land
VII - establishes federal gov

Question 75

Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.

Answer 75

case law

Question 76

Is a set of judicial precedents passed down as case law through many generations.

Answer 76

common law

Question 77

_____ means “responsible or answerable in law; legally obligated”.

Answer 77

Liable

Question 78

Occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.

Answer 78

Civil liability

Question 79

Civil cases are brought to court by one party, called the _____, who is accusing another party of a violation, called the _____.

Answer 79

claimant / respondent

Question 80

Are another form of civil violation that do not involve a contract but instead, involve harm to one party caused by the actions of another party.

Answer 80

torts

Question 81

Is a commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.

Answer 81

negligence

Question 82

The person accused of negligence must have an established responsibility to the accuser.

Answer 82

duty of care

Question 83

The basis for privacy rights is in the _____ to the U.S. Constitution.

Answer 83

Fourth Amendment

Question 84

Cuba, Iran, North Korea, Sudan, and Syria are all countries the ______.

Answer 84

US can’t export to

Question 85

_____ are the legal rules that are created by government entities, such as legislatures/congress.

Answer 85

Laws

Question 86

_____ are the rules that are created by governmental agencies.

Answer 86

Regulations

Question 87

_____ dictate a reasonable level of performance.

Answer 87

Standards - they can be internal or external

Question 88

_____ are a set of guidelines helping organizations improve their security posture.

Answer 88

Frameworks

Question 89

_____ policies, procedures, and regulations that govern the daily operations of government and government agencies.

Answer 89

Administrative law - HIPPA

Question 90

Article I establishes the _____ branch.

Answer 90

legislative

Question 91

Article II establishes the _____ branch.

Answer 91

executive

Question 92

Article III establishes the _____ branch.

Answer 92

judicial

Question 93

Article IV defines the relationship between the _____

Answer 93

federal government and state governments

Question 94

Article V creates a process for _____

Answer 94

amending the Constitution

Question 95

Article VI contains the supremacy clause, establishing that _____

Answer 95

the Constitution is the supreme law of the land.

Question 96

Article VII sets forth the process for _____

Answer 96

the initial establishment of the federal government.

Question 97

Treated as private disputes between parties and handled in civil court.

Answer 97

Contract law

Question 98

_____ occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.

Answer 98

Civil liability

Question 99

Civil cases are brought to court by one party, called the _____, who
is accusing another party of a violation, called the _____.

Answer 99

claimant / respondent

Question 100

Another form of civil violation that do not involve a contract but
instead, involve harm to one party caused by the actions of another party.

Answer 100

torts

Question 101

A commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.

Answer 101

negligence

Question 102

The accuser must have suffered some type of harm, be it financial, physical, emotional, or reputational.

Answer 102

damages

Question 103

A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.

Answer 103

causation

Question 104

All of the following rest with:
Responsibility for compliance with laws and regulations
Researching and planning response in case of conflicting laws
Ensuring necessary audit and incident response data islogged and retained
Any additional due diligence and due care

Answer 104

the customer

Question 105

An international organization comprised of 38 member states from around the world, publishes guidelines on data privacy.

Answer 105

OECD - org for economic co-operation and development

Question 106

Comprised of 21 member economies in the Pacific Rim. Incorporates many standard privacy practices into their guidance, such as preventing harm, notice, consent, security, and accountability.

Answer 106

asia-pacific economic cooperation privacy framework

Question 107

Mandates privacy for individuals, defines companies’ duties to protect personal data, and prescribes punishments for companies violating these laws. Includes mandatory notification timelines in the event of data breach.

Answer 107

GDPR

Question 108

1996 U.S. law regulates the privacy and control of health information data.

Answer 108

HIPPA

Question 109

An industry standard for companies that accept, process, or receive payment card transactions.

Answer 109

PCI DSS

Question 110

Exists to solve the lack of an US equivalent to GDPR, which impacts rights and obligations around data transfer.

Answer 110

Privacy Shield

Question 111

Law was enacted in 2002 and sets requirements for U.S. public companies to protect financial data when stored and used.

Answer 111

SOX

Question 112

____ are required by law.

Answer 112

statutory requirements

Question 113

_____ may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity .

Answer 113

regulatory requirements

Question 114

_____ are required by a legal contract between private parties. These agreements often specify a set security controls or a compliance framework that must be implemented by a vendor

Answer 114

contractual requirements

Question 115

3 important considerations to include in maintaining ____ are 1) vendor selection, 2) architecture, 3) due care obligations

Answer 115

chain of custody

Question 116

When considering a cloud vendor, eDiscovery should be considered as a ____ during the selection and contract negotiation phases.

Answer 116

security requirement

Question 117

The burden of recording and preserving potential evidence is the responsibility of _____.

Answer 117

customer

Question 118

_____ provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.

Answer 118

ISO/IEC and CSA

Question 119

Addresses common issues and solutions needed to address Digital Forensics and Incident Response (DFIR) in cloud environments.

Answer 119

NIST 8006

Question 120

Guide for digital evidence analysis.

Answer 120

ISO 27042

Question 121

Guide for incident investigation principles and processes

Answer 121

ISO 27043

Question 122

In any cloud computing environment, the legal responsibility for
data privacy and protection rests with _____

Answer 122

the cloud consumer

Question 123

• Transferring entity (the data owner) must ensure that the receiver of the data holds and processes it in accordance with the principles of Australian privacy law.
• Data owner (controller) is responsible for data privacy commonly achieved through contracts that require recipients to maintain or exceed the data owner’s privacy standards

Answer 123

Australian Privacy Act

Question 124

The ____ remains responsible for any data breaches by or on behalf of the recipient entities in Australia.

Answer 124

entity transferring the data out

Question 125

A national level law that restricts how commercial businesses may collect, use, and disclose personal information and covers information about an individual that is identifiable to that specific individual.

Answer 125

Personal Information Protection and Electronic Documents Act (PIPEDA)

Question 126

The right to be informed
The right of access
The right to rectification
The right to erasure (the right to be forgotten)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling

Answer 126

GDPR

Question 127

Deals with the handling of data while maintaining privacy and rights of an individual.It is international as it was created by the EU, which has 27 different countries as members, and applies to ANY company with customers in the EU. Includes a 72 hour notification deadline in the case of data breach

Answer 127

GDPR

Question 128

Focuses on services of banks, lenders, and insurance and severely limits services they can provide and the information they can share with each other

Answer 128

GLBA

Question 129

• The Financial Privacy Rule, which regulates the collection and disclosure of private financial information
• The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information
• The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false

Answer 129

3 main sections of GLBA

Question 130

An international agreement between the United States (U.S.) and the European Union that allows the transfer of personal data from the European Economic Area (EEA) to the U.S. by U.S. based companies.

Answer 130

Privacy Shield

Question 131

Notice
Choice
Security
Access
Accountability for onward transfer
Data integrity and purpose limitation
Recourse, enforcement, and liability

Answer 131

7 principles of privacy shield agreement

Question 132

Created privacy protection for electronic communications like email or other digital communications stored on the Internet and extends the Fourth Amendment of the U.S. Constitution to the electronic realm

Answer 132

The Stored Communication Act (SCA) of 1986

Question 133

Details the people’s “right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”

Answer 133

4th amendment

Question 134

Under HIPAA, PHI may be stored by cloud service providers as long as

Answer 134

the data is adequately protected

Question 135

• Aids in evidence collection in investigation of serious crimes
• Created in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland.
• Requires U.S. based companies to respond to legal requests for data no matter where the data is physically located.

Answer 135

Clarifying Lawful Overseas Use of Data (CLOUD) Act

Question 136

• Was published in July 2014 as a component of the ISO 27001 standard.
• Adherence to these privacy requirements enables customer trust in the CSP.
• Major CSPs such as Microsoft, Google, and Amazon all maintain

Answer 136

ISO 27018

Question 137

Consent: Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject. A customer should be permitted to use a service without requiring this consent.
Control: Customers shall have explicit control of their own data and how that data is used by the CSP.
Transparency: CSPs must inform customers of where their data resides AND any subcontractors that may process personal data.
Communication: Auditing should be in place, and any incidents should be communicated to customers.
Audit: Companies (CSP, in this case) must subject themselves to an independent audit on an annual basis.

Answer 137

ISO 27018

Question 138

Widely incorporated into the SOC 2 framework as an optional criterion. Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate. Similar to ISO 27018, which is an optional extension of the controls defined in ISO 27002. An audit of these controls results in a report that can be shared with customers or potential customers, who can use it to assess a service provider’s ability to protect sensitive data.

Answer 138

Generally Accepted Privacy Principles (GAPP)

Question 139

1. Management - The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice - The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used, and retained.
3. Choice and consent - The organization describes the choices available to the individual, and secures implicit or explicit consent regarding the collection, use, and disclosure of the personal data.
4. Collection - Personal information is collected only for the purposes identified in the notice provided to the individual.
5. Use, retention, and disposal - The personal information is limited to the purposes identified in the notice the individual consented to.
6. Access - The organization provides individuals with access to their personal information for review or update.
7. Disclosure to third parties - Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.
8. Security for privacy - Personal information is protected against both physical and logical unauthorized access.
9. Quality - The organization maintains accurate, complete, and relevant personal information that is necessary for the purposes identified.
10. Monitoring and enforcement - The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy related complaints and disputes.

Answer 139

Generally Accepted Privacy Principles (GAPP)

Question 140

This is designed to identify the privacy data being collected, processed, or stored by a system, and assess the effects of a data breach

Answer 140

A privacy impact assessment (PIA)

Question 141

assessment scope, data collection methods, and plan for data retention

Answer 141

Things you need to define to conduct a PIA

Question 142

A methodical examination of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

Answer 142

auditing

Question 143

Auditing is a _____ control.

Answer 143

detective

Question 144

Security audits and effectiveness reviews are key elements in displaying _____.

Answer 144

due care

Question 145

Acts as a “trusted advisor” to the organization on risk, educating stakeholders, assessing compliance

Answer 145

internal auditor

Question 146

Can provide more continuous monitoring of control effectiveness and policy compliance

Answer 146

internal audit

Question 147

Audits of controls over the hypervisor will usually be the purview of the _____

Answer 147

CSP

Question 148

VMs deployed on top of hardware are usually owned by the _____

Answer 148

customer

Question 149

This is a set of standards defined by the AICPA (American Institute of CPAs). Designed to enhance the quality and usefulness of System and Organization Control (SOC) reports. Includes audit standards and suggested report formats to guide and assist auditors.

Answer 149

SSAE 18

Question 150

Deals mainly with financial controls and are used primarily by CPAs auditing financial statements

Answer 150

SOC1

Question 151

Report that assesses the design of security processes at a specific point in time

Answer 151

SOC2Type1

Question 152

Assesses how effective those controls are over time by observing operations for at least six months. Often require an NDA due to sensitive contents.

Answer 152

SOC2Type2

Question 153

Contain only the auditor’s general opinions and non sensitive data, is publicly shareable

Answer 153

SOC3

Question 154

Who issues ISAE

Answer 154

International Auditing and Assurance Standards Board

Question 155

The ISAE 3402 standard is roughly equivalent to the _____ reports in the SSAE

Answer 155

SOC 2

Question 156

• Can be used by cloud service providers, cloud customers, or auditors and consultants
• Designed to demonstrate compliance to a desired level of assurance
• STAR consists of two levels of certification, which provide increasing levels of assurance

Answer 156

Security Trust Assurance and Risk (STAR) certification program comes from CSA

Question 157

This is a complimentary offering that documents the security controls provided by the CSP

Answer 157

STAR Level 1 self-assessment

Question 158

This requires the CSP to engage an independent auditor to evaluate the CSP’s controls against the CSA standard

Answer 158

STAR Level 2 third party audit

Question 159

Determining the scope of an audit is usually a joint activity performed by

Answer 159

the organization being audited and their auditor.

Question 160

Document and define audit program objectives
Gap analysis or readiness assessment
Define audit objectives and deliverables
Identifying auditors and qualifications

Answer 160

audit planning activities

Question 161

Audit fieldwork:
Audit reporting:
Audit follow up:

Answer 161

audit phases

Question 162

Quantify risk
Develop and execute risk mitigation strategies
Provide formal reporting on status of mitigation efforts

Answer 162

ISMS functions

Question 163

A process of matching applicable controls with the organization’s specific circumstances to which they apply.

Answer 163

Tailoring

Question 164

A set of standardized definitions for employees that describe how they are to make use of systems or data.

Answer 164

Functional policy

Question 165

Acceptable use
Email use
Passwords and access management
Incident response
Data classification
Network services
Vulnerability scanning
Patch management

Answer 165

Functional policies example

Question 166

Policies related to proper use of company resources, like expense reimbursements and travel

Answer 166

Organizational policies

Question 167

regulates organizations involved in power generation and distribution.

Answer 167

NERC/CIP - north american electric reliability corporation critical infrastructure protection

Question 168

the act of picking a subset of the system’s physical infrastructure to inspect.

Answer 168

sampling

Question 169

Whether a supplier has a risk management program in place, and if so whether the risks identified by that program are being adequately mitigated are primary focus areas in _____.

Answer 169

SCRM

Question 170

T/F: Unlike traditional risk management activities, SCRM in a CSP scenario often requires customers to take an indirect approach –reviewing audit reports.

Answer 170

True

Question 171

Describes the risk present in the organization based on all the identified risks and any associated mitigations in place.

Answer 171

Risk profile

Question 172

Describes the amount of risk an organization is willing to accept without mitigating.

Answer 172

Risk appetite

Question 173

Regulated industries will be more apt to:

Answer 173

mitigation , transference , and avoidance

Question 174

Smaller orgs and startups will be more apt to simply _____ risks to avoid cost of treatment.

Answer 174

accept

Question 175

Anyone who processes personal data on behalf of the data controller.

Answer 175

data processor

Question 176

The person or entity that controls processing of the data.

Answer 176

data controller

Question 177

Ensures the organization complies with data regulations.

Answer 177

data protection officer (dpo)

Question 178

The individual or entity that is the subject of the personal data.

Answer 178

data subject

Question 179

Usually a member of senior mgmt. CAN delegate some day
to day duties. CANNOT delegate total responsibility.

Answer 179

data owner

Question 180

Usually someone in the IT dept. DOES implement controls for data owner. DOES NOT decide what controls are needed.

Answer 180

data custodian

Question 181

It is a crime to destroy, change, or hide documents to prevent their use in official legal processes.

Answer 181

SOX Section 802

Question 182

Companies must keep audit related records for a minimum of five years.

Answer 182

SOX Section 804

Question 183

States that a data controller “must be able to demonstrate that personal data are processed in a manner transparent to the data subject.” The obligations for transparency begin at the data collection stage and apply “throughout the lifecycle of processing.” Stipulates that communication to data subjects must be “concise, transparent, intelligible and easily accessible, and use clear and plain language.”

Answer 183

GDPR Article 12

Question 184

The practice of modifying risk, usually to lower it. Typically begins with identifying and assessing risks by measuring the likelihood and impact. Risks most likely to occur and impactful would be prioritized.

Answer 184

risk treatment

Question 185

Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.

Answer 185

risk acceptance

Question 186

Cyber insurance is an example of _____

Answer 186

risk transference

Question 187

applying security controls is

Answer 187

risk mitigation

Question 188

Where the organization changes business practices to completely eliminate the potential that a risk will materialize.

Answer 188

risk avoidance

Question 189

Risk treatments for countering and minimizing loss or unavailability of services or apps due to vulnerabilities

Answer 189

security controls

Question 190

safeguards are _____, countermeasures are ______

Answer 190

proactive / reactive

Question 191

“Cloud Computing Synopsis and Recommendation

Answer 191

NIST 800-146

Question 192

____contains several standards related to building and running a risk management program.

Answer 192

ISO 31000

Question 193

Produces useful resources related to cloud specific risks that organizations should be aware of and plan for when designing cloud computing systems. This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing. These include research recommendations to advance the field of cloud computing, legal risks, and security risks.

Answer 193

ENISA

Question 194

patching levels
time to deploy patches
intrusion attempts
mean time to detect (mttd)
mean time to contain (mttc)
mean time to resolve (mttr)

Answer 194

metrics for cyber risk management

Question 195

Metrics that deviate from expected parameters are _____ and should be reviewed

Answer 195

no longer effective

Question 196

Designing a supply chain risk management (SCRM) program to
assess CSP or vendor risks is a _____practice. Actually performing the assessment is an example of _____.

Answer 196

due diligence / due care

Question 197

Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements. Assures customers that security products they purchase have been thoroughly tested by independent third-party testers and meets customer requirements. The certification of the product only certifies product capabilities.

Answer 197

ISO/IEC 15408-1

Question 198

defines how robust the security capabilities are in the evaluated product

Answer 198

evaluation assurance level (EAL) - associated with ISO 15408-1

Question 199

ENISA has published a standard for certifying the cybersecurity
practices present in cloud environments. The framework, _____ defines a set of evaluation criteria for various cloud service and deployment models. The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.

Answer 199

EU Cybersecurity Certification Scheme on Cloud Services (EUCS)

Question 200

supply chain
vendor mgmt
system integration

Answer 200

third party risks

Question 201

This is defined as any contract that two or more parties enter into as a service agreement that should address compliance and process requirements the customer is passing along to CSP

Answer 201

MSA

Question 202

Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations.

Answer 202

SLAs

Question 203

Are SLAs legally binding?

Answer 203

Yes

Question 204

Uptime guarantees
SLA violation penalties
SLA violation penalty exclusions and limitations
Suspension of service clauses
Provider liability
Data protection and management
Disaster recovery and recovery point objectives
Security and privacy notifications and timeframes

Answer 204

SLA terms

Question 205

Legal document usually created after an MSA has been executed and governs a specific unit of work. MSA may document services and prices, and this covers requirements, expectations, and deliverables for a project.

Answer 205

SoW

Question 206

MSA focus is ___, SOW focus is ___.

Answer 206

overall and ongoing / limited and specific

Question 207

In many cases, vendor management will include activities related to _____ risks.

Answer 207

operational

Question 208

Does security team conduct vendor viability assessment?

Answer 208

No, b/c it’s operational

Question 209

A _____ is a specific article of related information that specifies the agreement between the contracting parties.

Answer 209

contract clause

Question 210

This is an area where legal counsel must be consulted

Answer 210

litigation

Question 211

Any customer compliance requirements that flow to the provider must be _____.

Answer 211

documented and agreed upon in the contract.

Question 212

_____ is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.

Answer 212

Cyber risk insurance

Question 213

Investigation
Direct business losses
Recovery costs
Legal notifications
Lawsuits
Extortion
Food and related expenses

Answer 213

things cyber risk insurance covers

Question 214

Direct monetary losses associated with downtime or data recovery, overtime for employees, and, oftentimes, reputational damages to the organization.

Answer 214

Direct business losses

Question 215

These may include costs associated with replacing hardware or provisioning temporary cloud environments during contingency operations.

Answer 215

Recovery costs

Question 216

Provides a set of practices and guidance for managing cybersecurity risks in supplier relationships. This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management

Answer 216

ISO 27036:2021

Question 217

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

Answer 217

NIST SP 800-161

Question 218

An overview of the ICT supply chain risks and challenges, and vision for the way forward, published in 2015

Answer 218

ENISA publication “Supply Chain Integrity”

Question 219

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

Answer 219

NIST IR 8276