Domain 6 Flashcards
IT Security Audit
These audits aim to evaluate security controls, identify vulnerabilities, and ensure compliance with regulatory requirements.
Quantitative risk assessment
Qualitative risk assessment
Quantitative risk assessment excels at analyzing financial risk,
while qualitative risk assessment is a good tool for intangible risks.
Combining the two techniques provides a well-rounded risk picture.
ISO 27018
ISO 27018 describes privacy requirements for cloud providers
Risk management standards
ISO 31000, NIST 800-37, and the Control Objectives for Information Technology (COBIT) are all relevant risk management standards.
The Communications Assistance to Law Enforcement Act (CALEA)
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
National privacy law
PIPEDA
GDPR
Canada has a comprehensive law titled the Personal Information Protection and Electronic Documents Act (PIPEDA).
France and Germany are both members of the European Union and are subject to the comprehensive General Data Protection Regulation (GDPR).
ISAE 3402: International Standard on Assurance Engagements
ISAE 3410: Assurance Engagements on Greenhouse Gas Statements
SSAE 16 (US, outdated)
SSAE 18 (US)
ISAE 3402 provides international guidance on the assessment of service providers and is the appropriate standard to use in this situation. SSAE 18 is the equivalent document for assessments performed within the United States. SSAE 16 is an outdated version of that standard and has been superseded by SSAE 18. ISAE 3410 covers greenhouse gas emission statements and is completely irrelevant to this scenario.
Binding corporate rules
Privacy Shield
Standard contractual clauses
Safe harbor
Binding corporate rules:
If the data were being shared internally within a company, binding corporate rules would also be an option.
Standard contractual clauses:
The European Union provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data.
NERC/CIP
HIPAA
HITECH
PCI DSS
The North American Electric Reliability Corporation’s Critical Infrastructure Program (NERC/CIP) provides security standards for electric utilities and other elements of critical infrastructure.
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Electronic and Clinical Health (HITECH) Act govern personal health information.
The Payment Card Industry Data Security Standard (PCI DSS) governs credit and debit card records.
Laws:
The Doctrine of Proper Law
Tort law
Common law
Criminal law
The Doctrine of Proper Law is used when a dispute occurs over which jurisdiction will hear a case.
Tort law refers to civil liability suits.
Common law refers to laws regarding marriage, and criminal law refers to violations of state or federal criminal code.