Domain 6 Legal, Risk and Compliance

Question 1

Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contracts) for ending the contract at any point prior to the scheduled dated. This is best described as an example of _____

A. Favorable contract terms
B. Strong negotiation
C. IaaS
D. Vendor Lock In

Answer 1

D. Vendor Lock In

Explanation:
Vendor lock in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.

These contract terms can be described as favorable only from the provider’s perspective; option D is preferable to option A for describing this situation

There was no description of negotiation included in the question; option B is incorrect

IaaS is a service model and doesnt really apply to anything in this context; option C is incorrect

Question 2

Cathy is developing an eDiscovery program to help her organization formalize its compliance with legal hold obligations. She would like to use an industry standard to guide her toward best practices. What standard should she consider using for this work?

A. ISO 27001
B. ISO 27002
C. ISO 27050
D. ISO 27701

Answer 2

C. ISO 27050

Explanation:
ISO 27050 is an industry standard that provides guidance for eDiscovery programs. ISO 27001 and ISO 27002 provide industry standard control objectives and control suggestions for cybersecurity. ISO 27701 provides industry standard guidance for information privacy programs

Question 3

In regard to most privacy guidance, the data processor is ___________

A. The individual described by the PII
B. The entity that collects or creates the PII
C. The entity that uses PII in behalf of the controller
D. The entity that regulates PII

Answer 3

C. The entity that uses PII in behalf of the controller

Explanation:
The entity that uses the data on behalf of the owner/controller is a data processor. The data subject is the person who the PII describes. The entity that collects or creates the PII is the data owner or controller.

Question 4

Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case.

In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _____

A. Their testimony is scripted, and they do not deviate from the script
B. They present only evidence that is favorable to your side of the case
C. They are trained and certified in the tools they used
D. They are paid for their time while they are appearing in the courtroom

Answer 4

C. They are trained and certified in the tools they used

Explanation:
In order to deliver credible, believable expert testimony, its important that your personnel have more than an amateur’s understanding and familiarity with any forensic tools they use to perform analysis. Formal training and certs are excellent methods for creating accountability

Question 5

After conducting a qualitative risk assessment of her organization, Pirsha decides to recommend adding a new module to the firewall that will filter out inbound malware. What type of risk response behavior is she recommending?

A. Accept
B. Transfer
C. Reduce
D. Reject

Answer 5

C. Reduce

Explanation:
Deploying a firewall is a risk mitigation strategy designed to reduce the likelihood or impact of the risk. If Prisha suggested that the organization simply to continue to function as is, that would be risk acceptance.

Question 6

Nora is an employee of Acme Widgets and works on a team of auditors who examine the organizationals financial controls. She is currently working on a project to evaluate whether payments to cloud providers are proper and will be reporting her results to management. What term best describes Noras role in this project?

A. Internal assessment
B. External audit
C. Internal Audit
D. External Audit

Answer 6

C. Internal Audit

Explanation:
Nora is an employee of the organization, so her work is clearly internal in nature

Question 7

Carla is assigned to manager her organizations’ privacy program and is working to communicate to customers about a change in the organizations’ privacy practices. She plans to send an email notifying customers of the change and allowing them to opt out of the use of their data. Which GAPP principle is not described in this scenario?

A. Notice
B. Management
C. Access
D. Choice and Consent

Answer 7

C. Access

Explanation:
Carla is assigned as the manager of her organizations privacy program. This assignment is an example of the GAPP principle of Management. She is communicating about a change in privacy practices to her customers, which is an example of Notice. She is also offering those customers the opp to opt out of the use if their data. The principle of Access says that individuals should be able to review and update their personal information. There is no description of Access in this scenario

Question 8

You’re a medical student at a private research university in the United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data or the data you work with as a student?

A. Sarbanes Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Education Rights and Privacy Act (FERPA)

Answer 8

A. Sarbanes Oxley Act (SOX)

Explanation:
SOX is only applicable to publicly traded corps, not all companies

Question 9

Rolando is a risk manager with a large scale cloud service provider. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolandos organization pursue?

A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance

Answer 9

D. Risk acceptance

Explanation:
In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk

Question 10

Yolanda is the chief privacy offier for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

A. GLBA
B. SOX
C. HIPAA
D. FERPA

Answer 10

A. GLBA

Explanation:
GLBA contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions

Question 11

Bill is conducting an audit of a cloud provider under SSAE and ISAE standards. During the audit, he discovers that some records required to complete one of his tests were accidentally destroyed and are not recoverable. There are no alternative tests available for this control objective. What action should Bill take?

A. Describe the limitation in the audit scope statement
B. Postpone the audit for one year until adequate records are available
C. Issue a failing audit report
D. Remove this test from the audit and test a different control objective

Answer 11

A. Describe the limitation in the audit scope statement

Explanation:
The proper course of action when records are not available is to write a statement of scope limitation that describes the issue and the impact on the audit. Bill could have avoided this by performing an alternative test of the same control objective, but the scenario says this is not possible

Question 12

Which of the following is not a way in which an entity located outside the EU can be allowed to gather and process privacy data belonging to EU citizens?

A. Be located in a country with a nationwide law that complies with the EU laws
B. Appeal to the EU High Court for permission
C. Create biding contractual language that complies with the EU laws
D. Join the Privacy Shield program in its own country

Answer 12

B. Appeal to the EU High Court for permission

Explanation:
The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy laws from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:

1. Their own country has nationwide laws that comply with EU laws
2. The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data
3. The entity voluntarily subscribes to its own nations Privacy Shield program

There is no process for the entity to appeal to the EU for permission to do so

Question 13

Which type of business impact assessment tool is the most appropriate when attempting to evaluate the impact of a failure on customer confidence?

A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Reduction

Answer 13

B. Qualitative

Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation

Question 14

An audit against the _______ will demonstrate that an organization has a holistic, comprehensive program of internal security controls

A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. Service Organization Control (SOC) 2, Type 2 report matrix
D. ISO 27001 certification requirements

Answer 14

D. ISO 27001 certification requirements

Explanation:
The ISO 27001 cert is for the information security management system (ISMS), the organizations entire security program

The SAS 70 and SSAE are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct

Question 15

An IT security audit is designed to reveal all of the following except _______

A. Financial fraud
B. Malfunctioning controls
C. Inadequate controls
D. Failure to meet target standards and guidelines

Answer 15

A. Financial fraud

Explanation:
An IT security audit is not intended to locate financial fraud; it may lead to such relevant unintentionally though

Question 16

During an IT audit, the CEO of a cloud provider demands regular updates on the testing process. How should auditors respond to this demand?

A. Refuse to provide the CEO with any information until the conclusion of the audit
B. Refer the matter to the clients Board of Directors
C. Provide the CEO with regular updates
D. Refer the matter to the audit firms partnership review board

Answer 16

C. Provide the CEO with regular updates

Explanation:
It is appropriate to engage stakeholders during the audit process. WHile the CEO may ne demanding information in a rude manner, that does not mean that they are not an important stakeholder

Question 17

Which of the following is a US audit standard often used to evaluate cloud providers?

A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770

Answer 17

C. SSAE 18

Explanation:
The Statement on Standards for Attestation Engagements 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard

ISO 27001 is an internal audit standard

The

Question 18

Digital forensics investigators perform all of the following actions routinely except for securely ______ data

A. Collecting
B. Creating
C. Analyzing
D. Presenting

Answer 18

B. Creating

Explanation:
With rare exceptions, digital forensics does not include creation of data (other than the forensic reports regarding the analysis of data)

Question 19

A ____________ includes reviewing the organizations current position/performance as revealed by an audit against a given standard

A. Service Organization Control (SOC) report
B. Gap Analysis
C. Audit Scoping Statement
D. Federal Guideline

Answer 19

B. Gap Analysis

Explanation:
This is the definition of a gap analysis

The scoping statement is a pre audit function that aids both the organization and the auditor to determine what, specifically, will be audited

Question 20

Belinda is auditing the financial controls of a manufacturing company and learns that the financial systems are run on a major IaaS platform. She would like to gain assurance that the platform has appropriate security controls in place to assure the accuracy of her clients financial statements. What action should she take?

A. Perform an IT audit of the cloud provider
B. Obtain a SOC 1 Report
C. Obtain a SOC 2 report
D. Continue testing only control at the client and note the use of the cloud provider in her report

Answer 20

B. Obtain a SOC 1 Report

Explanation:
Belinda is obligated to gain assurance that the cloud provider has appropriate controls in place. It is unlikely that she will gain permission to audit those controls herself and, even if she gained these permissions, that would result in excessive and unnecessary costs. She should instead ask the cloud provider for the report of an independent audit. SOC 1 audits are designed specifically to test the controls covering customer financial statements and would be the appropriate audit type in this scenario. SOC 2 audits cover cybersecurity controls more broadly and would be unnecessary

Question 21

Tony is developing a business continuity plan and is having trouble prioritizing resources because of the difficult of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative or qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

Answer 21

D. Combination of quantitative and qualitative risk assessment

Explanation:
Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks

Question 22

What was the first international privacy standard specifically for cloud providers?

A. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37
B. Personal Information Protection and Electronic Documents Act
C. Payment Card Industry
D. ISO 27018

Answer 22

D. ISO 27018

Explanation:
ISO 27018 describes privacy requirements for cloud providers, including an annual audit mandate

Question 23

Which one of the following elements of information is not considered a direct identifier that would trigger most US state data breach laws?

A. Student identification number
B. Social security number
C. Drivers license number
D. Credit card number

Answer 23

A. Student identification number

Explanation:
Most state data breach notification laws are modeled after California’s data breach notification law, which covers all listed except student identification number

Question 24

Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock in?

A. Data format type and structure
B. Availability
C. Storage space
D. List of available OSs

Answer 24

A. Data format type and structure

Explanation:
When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock in

Question 25

Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the SLA? A. Regulatory oversight B. Financial penalties C. Performance Details D. Desire to maintain customer satisfaction

Answer 25

B. Financial penalties Explanation: The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs (for instance, waiver for payment of a given service term). This is a huge motivating element for the provider

Question 26

Fran recently conducted a review of the risk management program in her organization and developed an analysis of all of the risks facing the organization and their quantitative impact. What term best describes this analysis? A. Risk appetite B. Risk tolerance C. Risk Controls D. Risk Profile

Answer 26

D. Risk Profile Explanation: A quantitative analysis of all of the risks facing an organization and their potential impact is best described as the organizations risk profile. Risk appetite, or risk tolerance, is the amount of risk that an organization is willing to accept. Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation. Risk controls are used to manage risks to an acceptable level

Question 27

Which of the following was the first international standard addressing the privacy aspects of cloud computing for consumers? A. USI 27001 B. ISO 27018 C. ISO 27002 D. GDPR

Answer 27

B. ISO 27018 Explanation: ISO/IEC 27018 addresses the privacy aspects of cloud computing for consumers and was the first international set of privacy controls in the cloud

Question 28

You are the security manager for a software company that uses platform as a service (PaaS0 in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue an _____ to all personnel and offices within your company A. Litigation B. Audit scoping letter C. Statement of Work D. Memorandum of agreement

Answer 28

A. Litigation Explanation: A litigation hold notice is required to prevent possible destruction of pertinent evidence that may be used in the case. An Audit scoping letter outlines the parameters for an audit engagement.

Question 29

Gwen is a cybersecurity professional for a financial services firm that maintains records of their customers. These records include personal information about each customer, including the customers name, social security number, date and place of bith and mothers maiden name. What category best describes these records? A. PHI B. Proprietary data C. PII D. EDI

Answer 29

C. PII Explanation: PII includes data that can be used to distinguish or trace that persons identity and also includes information like their medical, educational, financial and employment information

Question 30

Aaron is concerned about the possibility that a cloud vendor that his organization relies on may go out of business. What term best describes this risk? A. Vendor lock in B. Vendor viability C. Vendor lockout D. Vendor diversity

Answer 30

B. Vendor viability Explanation: Vendor viability is the risk that a vendor will not be able to continue operations and that a vendor shutdown will adversely impact customers.

Question 31

Mike recently implemented an IPS designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

Answer 31

C. Risk mitigation Explanation: Risk mitigation strategies attempt to low the probability and/or impact of a risk occurring. IPS attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation

Question 32

Viola is planning a user account audit to determine whether accounts have the appropriate level of permissions and that all permissions were approved through a formal process. The organization has approximately 50,000 user accounts and an annual employee turnover rate of 24 percent. Which one of the following sampling approaches would be the most effective use of her time when choosing records for manual review? A. Select all records that have been modified during the past month B. Ask access administrators to identify the accounts most likely to have issues and audit those C. Select a random sample of records, either from the entire population or from the population records that have been changed during the audit period D. Sampling is not effective in this situation, and all accounts should be audited

Answer 32

C. Select a random sample of records, either from the entire population or from the population records that have been changed during the audit period Explanation: Sampling should be done randomly to avoid human bias. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the user base. It is infeasible for a single person to review every single record.

Question 33

Which one of the following issues is not normally addressed in a SLA? A. Confidentiality of customer information B. Failover time C. Uptime D. Maximum consecutive downtime

Answer 33

A. Confidentiality of customer information Explanation: SLAs do not normally address issues of data confidentiality. Those provisions are normally in a NDA

Question 34

Elise is helping her organization prepare to evaluate and adopt a new cloud based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors? A. Compliance with all laws and regulations B. Handling information in the same manner the organization would C. Elimination of all identified security risks D. Compliance with the vendors own policies

Answer 34

B. Handling information in the same manner the organization would Explanation: The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendors security controls meet the organizations own standards. Compliance with laws and regulations should be included in that requirement and are a necessary but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendors policy may be weaker than the organizations own requirements

Question 35

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services? A. Risk mitigation B. Risk Acceptance C. Risk transference D. Risk avoidance

Answer 35

D. Risk avoidance Explanation: HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance

Question 36

Who would normally conduct a review of security controls under SSAE 18? A. Security team B. External auditor C. Government regulator D. IT Leadership

Answer 36

B. External auditor Explanation: SSAE 18 is an audit standard for service organization controls (SOC) audits. These audits are conducted by independent, external audit firms

Question 37

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure? A. Impact B. RPO C. MTO D. Likelihood

Answer 37

D. Likelihood Explanation: Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack

Question 38

Which of the following statements about SSAE-18 is not correct? A. It mandates a specific control set B. It is an attestation standard C. It is used for external audits D. It uses a framework, including SOC 1, SOC 2 and SOC 3 reports

Answer 38

A. It mandates a specific control set Explanation: SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2 and 3 reports.

Question 39

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt's clients pursuant to a search warrant. Which of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH

Answer 39

B. CALEA Explanation: The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order

Question 40

Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HIPAA D. GISRA

Answer 40

A. FISMA Explanation: The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA

Question 41

Katie is conducting a thorough review of all of the previous PII used by her organization. What term best describes this assessment? A. BIA B. BPA C. PPA D. PIA

Answer 41

D. PIA Explanation: Privacy Impact Assessments are used to review the appropriateness of all PII use by an organization.

Question 42

Kevin is reviewing and updating the security documentation used by his organization. He would like to document some best practices for securing cloud computing services that his team has implemented over the past year. The practices are generalized in nature and do not cover specific services. What type of document would be best for this purpose? A. Policy B. Standard C. Guideline D. Procedure

Answer 42

C. Guideline Explanation: It is possible that Kevin could use any of these documents. We should zero in on the portion of the question of where it indicates that these are best practices. This implies that the advice is not mandatory and therefore would not go into a policy or standard.

Question 43

Colin is conducting an audit of the internal information security management system (ISMS) of a cloud service provider. Which one of the following items would normally be outside the scope of this audit? A. Uses of customer data B. Accuracy of financial statements C. Network firewall protections D. Endpoint security

Answer 43

B. Accuracy of financial statements Explanation: An organization's ISMS is a broad program covering all aspects of cyber. This would include uses of customer data, network firewall protections, endpoint security and many other control types. It would not cover the accuracy of the organization's financial statements, would be within the scope of the financial audit.

Question 44

Which of the following is not an enforceable governmental request? A. Warrant B. Subpoena C. Court Order D. Affidavit

Answer 44

D. Affidavit Explanation: An affidavit is only a form of formal testimony present to the court. All the other options are enforceable governmental requests.

Question 45

Helen is assessing a cloud providers risk management methodology. Which one of the following documents would be least helpful to her in this effort? A. ISO 31000 B. NIST 800-37 C. COBIT D. PCI DSS

Answer 45

D. PCI DSS Explanation: PCI DSS is a set of cybersecurity controls required for organizations that process credit card data. It is not a risk management standard and there is no information

Question 46

Vincent is responsible for a privacy program that spans international borders. Of the following countries where his organization operates, which does not have a comprehensive national privacy law? A. United States B. France C. Canada D. Germany

Answer 46

A. United States Explanation: The United States does not have a comprehensive national privacy law. Instead, it has a patchwork of industry specific and subject specific legislation. France and Germany are both members of the EU and are subject to GDPR. Canada has a comprehensive law titled the Personal Information Protection and Electronic Documents Act (PIPEDA)

Question 47

Nitesh is conducting a global audit of a multinational cloud service provider and has a question about appropriate testing procedures. Which one of the following documents would be most applicable to his situation? A. ISAE 3402 B. ISAE 3410 C. SSAE 16 D. SSAE 18

Answer 47

A. ISAE 3402 Explanation: ISAE 3402 provides international guidance on the assessment of service providers and is the appropriate standard to use in this situation. SSAE 18 is the equivalent document for assessments performed within the US. SSAE 16 is an outdated version of that standard and has been superseded by SSAE 18. ISAE 3410 covers greenhouse gas emission statements and is completely irrelevant to this scenario

Question 48

Which of the following represents the legislation enacted to protect shareholders and the public from enterprise accounting errors and fradulent practices? A. PCI B. Gramm-Leach-Biley Act (GLBA) C. Sarbanes Oxley Act (SOX) D. HIPAA

Answer 48

C. Sarbanes Oxley Act (SOX) Explanation: SOX was enacted in response to the 2000 accounting scandal that caused the bankruptcy of Enron. At that time, top executives laid the claim that they were unaware of the accounting practices that led to the companies demise. SOX not only forces execs to oversee all accounting practices, but holds them accountable should such activity occur again

Question 49

Joes organization is considering expanding the geographic footprint of its datacenters to include facilities located in other countries. What is likely going to be the most serious complication introduced by this expansion? A. Multiple jurisdictions B. Different electric standards C. Internet connectivity and bandwidth D. Operating System Compatibility

Answer 49

A. Multiple jurisdictions Explanation: The most serious complication introduced by geographic expansion is the applicability of different laws and regulations from multiple jurisdictions

Question 50

FlyAway Travel has offices in both the EU and the US and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting their account be terminated. Under the GDPR, which requirement for processing personal information states that individual may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability

Answer 50

C. The right to be forgotten Explanation: The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure

Question 51

In most privacy regulations situations, which entity is most responsible for deciding how a particular privacy related data set will be used or processed? A. The data subject B. The data controller C. The data steward D. The data custodian

Answer 51

B. The data controller Explanation: The data controller makes the determination of purpose and scope of privacy related data sets. The other options are the names of other privacy related roles

Question 52

Which of the following is probably the most volatile form of data that might serve a forensic purpose in a virtualized environment? A. Virtual instance RAM B. Hardware RAM C. Hypervisor Logs D. Drive Storage

Answer 52

A. Virtual instance RAM Explanation: Because RAM is inherently volatile, and virtual resources are simulated only for limited time periods, virtual RAM is probably the most volatile data source

Question 53

Wanda is working with one of her organizations European Union business partners to facilitate the exchange of customer information. Wandas organization is located in the US. What would be the best method for Wanda to use to ensure GDPR compliance? A. Binding corporate rules B. Privacy Shield C. Standard Contractual Clauses D. Safe Harbor

Answer 53

C. Standard Contractual Clauses Explanation: The EU provides standard contractual clauses that may be used to facilitate data transfer. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a company, binding corporate rules would also be an option. The EU/US Privacy Shield was a safe harbor agreement that would previously have allowed the transfer but is no longer valid

Question 54

You are the CIO for an IT hardware manufacturer. Your company uses cloud based SaaS services, including email. You receive a legal request for data pertinent to a case. Your eDiscovery efforts will largely be dependent on A. The cloud provider B. Regulators C. The cloud customer D. Internal IT personnel

Answer 54

A. The cloud provider Explanation: In a SaaS model, the customer has little insight into event logs and traffic analysis useful for evidentiary purposes. The customer will largely be reliant on the cloud provider to locate, collect and deliver this information for eDiscovery

Question 55

Ben is responsible for the security of payment card information stored in a database. Policy direct that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to the policy and is seeking an appropriate compensating control to mitigate the risk. What would his best option be? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception

Answer 55

B. Encrypting the database contents Explanation: Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control

Question 56

James has been asked to lead a review of his organizations compliance with GAPP principles. What area will most directly fall into the scope of his assessment? A. Accounting B. Privacy C. Cybersecurity D. eDiscovery

Answer 56

B. Privacy Explanation: While all of these areas may be indirectly touched by a GAPP assessment, the assessment is primarily focused on privacy, as GAPP is the Generally Accepted Privacy Principles

Question 57

Brad recently learned that his organization will be subject to a new legal requirement due to an expansion of their work into a new industry. What type of analysis should Brad perform first? A. Business Impact Analysis B. Privacy Impact Analysis C. Gap Analysis D. Baseline Development

Answer 57

C. Gap Analysis Explanation: Brad should first perform a gap analysis to identify any areas where his organization is not compliant with the new regulation. This gap analysis can serve as the roadmap for remediation efforts

Question 58

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan

Answer 58

B. Health and fitness application developer Explanation: A health and fitness application developer would not necessarily be collecting or processing healthcare data, and the terms of HIPAA do not apply to this category of business.

Question 59

Bella is working to develop a long term relationship with a consulting firm that will assist in her organizations cloud migration. She would like to create a contract that may govern the terms of many different projects. What type of document should she create? A. MSA B. BPA C. SOW D. MOU

Answer 59

A. MSA Explanation: A master services agreement is an umbrella document that governs many different projects conducted by the same provided, Each one of those projects is then described within a statement of work (SOW)

Question 60

What best describes the Cloud Security Alliance Cloud Controls Matrix? A. A set of regulatory requirements for cloud service providers B. A set of software development life cycle requirements for cloud service providers C. A security controls framework that provides mapping/cross relationships with the main industry accepted security standards, regulations and controls frameworks such as the ISO 27001/27002, ISACA's COBIT and PCI DSS

Answer 60

C. A security controls framework that provides mapping/cross relationships with the main industry accepted security standards, regulations and controls frameworks such as the ISO 27001/27002, ISACA's COBIT and PCI DSS Explanation: The CCM cross-references may industry standards, laws and guidelines

Question 61

Gordons organization is considering using a new cloud vendor to handle their backups. He is conducting a risk assessment to determine the amount of damage that lost backups at the provider should be expected to cause each year. What metrics has Gordon identified? A. ALE B. ARO C. SLE D. EF

Answer 61

A. ALE Explanation: The ALE is the amount of damages that the organization expects to occur each year as the result of a given risk. The annualized rate of occurrence is the number of times the organization expects the risk to occur each year. The single loss expectancy (SLE) is the amount of damage that the organization expects to occur each time the risk materializes. The exposure factor (EF) is the percentage of the asset that will be damaged each time the risk materializes.

Question 62

Greg's company operates only in the US. They recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action? A. The breach laws of the jurisdiction where they are headquartered B. The breach laws of all jurisdictions where they do business C. The breach laws of the federal government only because this involves interstate commerce D. No breach laws would apply to this situation

Answer 62

B. The breach laws of all jurisdictions where they do business Explanation: In general, companies should be aware of the breach laws in any location where they do business. US states have a diverse collection of breach laws and requirements, meaning that in this case, Greg's company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the states residents

Question 63

________________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users clients and privacy data A. Due care B. Due diligence C. Liability D. Reciprocity

Answer 63

A. Due care Explanation: This is an example of due care. Due care is that youre taking the same care that an ordinary, reasonable person would take under the same circumstances. So when youre making day to day security decisions, youre making the same decisions that a reasonable security professional would take Due diligence, like due care, is all about doing the right things, but due dilligence is about prior planning.

Question 64

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his action? A. NERC/CIP B. PCI DSS C. HITECH D. GLBA

Answer 64

B. PCI DSS Explanation: PCI DSS governs the storage, processing and transmission of credit card information.

Question 65

You are considering adding a WAF to your public facing applications to reduce the risk of an attack. If you implement the firewall, what risk treatment action are you taking? A. Risk avoidance B. Risk acceptance C. Risk mitigation D. Risk transference

Answer 65

C. Risk mitigation Explanation: Installing a firewall reduces the likelihood of the risk materializing and is, therefore, a risk mitigation action. Risk avoidance would shut down the web services completely to avoid the associated risk

Question 66

You are conducting a risk assessment for a cloud service provider that will be operating infrastructure for an electric utility. What regulatory framework is most relevant to this organization? A. HIPAA B. HITECH C. NERC/CIP D. PCI DSS

Answer 66

C. NERC/CIP Explanation: The North American Electric Reliability Corporation Critical Infrastructure Program (NERC/CIP) provides security standards for electric utilities and other elements of critical infrastructure

Question 67

You are concerned that different virtual machines in your organization have different security configurations and would like to apply a standard configuration at the time they are built. What term describes this approach? A. Scanning B. Baselining C. Operationalizing D. Customizing

Answer 67

B. Baselining Explanation: The application of a consistent security standard at the time a virtual machine (or a physical machine for that matter) is built is called baselining. Standard configuration is known as a baseline

Question 68

You are the compliance officer for a medical device manufacturing firm. your company maintains a cloud based list of patients currently fitted with your devices for long term care and quality assurance purposes. The list is maintained in a database that cross references details about the hardware and some billing data. In this situation, who is likely to be considered the data custodian, under many privacy regulations and laws? A. You (the compliance officer) B. The cloud providers network security team C. Your company D. The database admin

Answer 68

D. The database admin Explanation: The custodian is usually that specific entity in charge of maintaining and securing the privacy related data on a daily basis, as an element of the datas use

Question 69

You are conducting an audit of a c loud service provider and are unsure about the types of tests that you should plan. What resource process the most definitive guidance? A. Client organization management B. Applicable audit standard C. Client organization chief audit executive D. Auditor organization management

Answer 69

B. Applicable audit standard Explanation: The most definitive source of guidance when conducting an audit is the standard under which the audit is being conducted. Auditors may consult other sources for guidance when interpreting standards, but the standard remains the definitive reference

Question 70

When a conflict of laws occurs, _____ determines the jurisdiction in which the dispute will be heard A. Tort Law B. Doctrine of Proper Law C. Common Law D. Criminal Law

Answer 70

B. Doctrine of Proper Law Explanation: The Doctrine of Proper Law is used when a dispute occurs over which jurisdiction, will hear a case. Tort Law refers to civil liability suits. Common law refers to laws regarding marriage, and criminal law refers to violations of state or federal criminal code

Question 71

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contractors C. His post purchase build process D. The original equipment manufacturer (OEM(

Answer 71

A. His supply chain Explanation: Supply chain management can help ensure the security of hardware, software, and service that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery

Question 72

Greg is evaluating a new vendor that will be supplying networking gear to his organization. Due to the nature of his organizations work; Greg is concerned that an attacker might attempt a supply chain exploit. Assuming that both Greg's organization and the vendor operate under reasonable security procedures, which one of the following activities likely poses the greatest supply chain risk to the equipment? A. Tampering by an unauthorized third party at the vendors site B. Interception of devices in transit C. Misconfiguration by an administrator after installation D. Tampering by an unauthorized third party at Gregs site

Answer 72

B. Interception of devices in transit Explanation: If the vendor operates with reasonable security procedures; it is unlikely that the devices will be tampered with at the vendors site. Similarly, if Gregs organization has reasonable security procedures, tampering at his site is also unliklely. Misconfiguration by an administration is always possible, but this is a post installation risk and not a supply chain risk. It is possible that devices will be intercepted and tampered with while in transit from the vendors to Gregs organization

Question 73

What is an accounting report on controls at a service organization that replaces older SAS 70 type reports? A. SOC 1 B. SSAE 16 C. GAAP D. SOC 2

Answer 73

A. SOC 1 Explanation: The correct answer is the SOC 1 report, which is designed to assess the controls primarily revolving around financial reporting, formerly found in the SAS 70. The SOC 2 is a report that provides information related to one or more of the AICPA five security principles

Question 74

In which of the following cases would it be most appropriate to engage an internal auditor? A. Confirming accuracy of financial statements B. Certifying against an international standard C. Investigating employee malfeasance D. Complying with PCI DSS requirements

Answer 74

C. Investigating employee malfeasance Explanation: Internal audit teams perform a variety of audits and assessments that are mainly used by internal customers. It is quite common for these teams to investigate employee malfeasance. Internal auditors are generally not used when the customer is exetrnal.

Question 75

Which one of the following frameworks if a US Federal law governing privacy? A. PCI DSS B. CCPA C. GDPR D. HIPAA

Answer 75

D. HIPAA Explanation: HIPAA is a US federal law governing the privacy of protected health information

Question 76

You operate a cloud service and would like to proviee potential customers with a report that confirms the effectiveness of your security controls and is appropriate for use by the general public. What type of audit would you conduct? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4

Answer 76

C. SOC 3 Explanation: SOC 2 audits cover the confidentiality, integrity and availability of information and are intended for internal audiences only because they contain sensitive information. SOC 2 audits should only be shared with customers under a NDA. SOC 3 audits cover the same controls as SOC 2 audits but are intended for a general audience. SOC 1 audits cover only the internal controls related to financial statements and reporting. SOC 4 audits do not exist

Question 77

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups and managing security policies? A. Data custodian B. Data owner C. Data user D. Auditor

Answer 77

A. Data custodian Explanation: The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner is typically a senior leader who delegates operational responsibility to a data custodian

Question 78

A _______ typically employs a set of methods, principles or rules for assessing risk based on absolute numerical values A. Qualitative assessment B. One sided assessment C. Vulnerability assessment D. Quantitative assessment

Answer 78

D. Quantitative assessment Explanation: A quantitative assessment employs a set of methods or rules much like a qualitative assessment, with the difference being the use of absolute numerical values. So instead of high medium and low, values such as 1 2 3 are used

Question 79

Nolan is a procurement officer for a US federal government agency and is selecting a cloud service provider. What program offers a set of prescreened cloud providers authorized for use in the federal government? A. FIPS 140-2 B. NIST 800-53 C. ISO 27017 D. FedRAMP

Answer 79

D. FedRAMP Explanation: The Federal Risk and Authorization Management Program (FedRAMP) provides a list or prescreenced cloud service providers authorized to work with the US government agencies. FIPS 140-2 is a security standard for cryptographic modules.

Question 80

What procedures should an organization follow when collecting evidence from a security incident that may be used in court? A. Digital Forensics B. ISO 27001 C. Common Law D. eDiscovery

Answer 80

A. Digital Forensics Explanation: Digital forensics procedures outline the process of collecting evidence in a manner that it may be used in court with reliability. eDiscovery may use forensic procedures, but it is specifically intended to ensure compliance with litigation hold obligations and is not used to collect evidence for security incidents. Common law is a set of legal principles derived from historic precedent.

Question 81

Which one of the following principles requires that organizations put governance structures in place to ensure they are meeting their obligations? A. Due diligence B. Separation of duties C. Due care D. Least privilege

Answer 81

A. Due diligence Explanation: Due diligence includes all of the prior planning done to create an environment where due care can succeed. This includes creating governance structures and frameworks

Question 82

You would like to ensure that your organization's insurance policy covers the damage resulting from a security incident sufficiently to allow you to resume operations. What asset validation technique should you use? A. Depreciated value B. Original costs C. Estimation D. Replacement costs

Answer 82

D. Replacement costs Explanation: The replacement cost technique values assets at the price it would take to replace them on the current market and is the most appropriate technique to use when looking to cover your costs. The original cost technique uses the purchase price of equipment. The depreciated value technique takes the original cost and reduces it over the expected life of the equipment. Estimation simply makes an informed guess of the asset value

Question 83

You are concerned that you may no longer have access to necessary source code if a cloud vendor ceases operations. What security control would best protect against this risk? A. Contractual terms B. Escrow C. SLA D. Litigation

Answer 83

B. Escrow Explanation: If your cloud vendor goes out of business, any legal and contractual terms you have with them will be essentially useless. Therefore, you should not rely upon contracts, SLAs or litigation to resolve this issue. Escrow places a copy of the code in the hands of an independent third party who will release it to customers if the vendor goes out of business.

Question 84

What is a type of assessment that employs a set of methods, principles or rules for assessing risk based on non-numerical categories or levels? A. Quantitative assessment B. Qualitative assessment C. Hybrid assessment D. SOC 2

Answer 84

B. Qualitative assessment Explanation: Qualitative assessment is a set of method or rules for assessing risk based on non mathematical or categories or levels. One that uses those mathematical categories or levels is called a quantitative assessment. There is no such thing as a hybrid assessment and an SOC 2 is an accounting report regarding control effectiveness.

Question 85

Which one of the following terms is not commonly found in cloud service provider contracts? A. Right to access facilities B. Right to audit C. Termination provisions D. Right to access data

Answer 85

A. Right to access facilities Explanation: Cloud vendor contracts typically provide customers with the right to either perform audits or receive the results of independent audits. They also normally include termination provisons and the right of the customer to access their own data. Cloud providers generally do not grant customers the right to access their facilities in order to ensure the security of data belonging to customers

Question 86

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs? A. ITIL B. ISO 27002 C. CCM D. PMBOK Guide

Answer 86

B. ISO 27002 Explanation: ISO 27002 is an international standard focused on information security and titled "Information technology - security techniques - code of practice for information security management

Question 87

When an organization uses a cloud service provider to handle protected health information, who is responsible for securing that data? A. Customer B. Cloud provider C. Both the customer and the cloud provider D. neither the customer nor the cloud provider

Answer 87

C. Both the customer and the cloud provider Explanation: Cloud services operate under a shared responsibility model. Depending on the nature of the cloud service and the terms of the contract, security responsibilities will be split between the customer and the service provider

Question 88

What term is used to describe an individual within an organization who has been delegated day to day responsibility for decision making about a category of information? A. Data owner B. Data custodian C. Data processor D. Data Steward

Answer 88

D. Data Steward Explanation: The data steward is an individual who has been delegated the responsibility by a data owner for particular categories of information. Data custodians are those responsible for handling and protecting information, such as IT pros. Data processors are third party organizations that handle info on behalf of an organization

Question 89

Ron is the CISO of a US company that is entering into a business partnership with a European firm. The European firm will be sending his company customer records to run through Ron's firm's proprietary credit scoring algorithm. Under GDPR, what role will Rons company have relative to the customer data? A. Data controller B. Data owner C. Data subject D. Data processor

Answer 89

D. Data processor Explanation: Rons company is a data processor in this instance, as it is receiving records from the European firm. The European firm is the data controller in this case, as they bear responsibility for the data. The individuals described in the records are the data subjects. Data owner

Question 90

Which of the following would normally be considered a supply chain risk? (Choose all) A. Adversary tampering with hardware prior to being shipped to the end customer B. Adversary hacking into a web server run by the organization in an IaaS environment C. Adversary using social engineering to compromise an employee of an SaaS vendor to gain access to customer accounts D. Adversary conducting a denial of service attack using a botnet

Answer 90

A. Adversary tampering with hardware prior to being shipped to the end customer C. Adversary using social engineering to compromise an employee of an SaaS vendor to gain access to customer accounts Explanation: Supply chain risks occurs when the adversary is interfering with the delivery of goods or services from a supplier to a customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an IaaS environment is not a supply chain risk because the web server is already under the control of the consumer. Using a botnet to conduct a denial or service attack does not involve any supply chain elements

Question 91

For questions 91-93, please refer to the following scenario: Henry is the risk manager for Atwood Cloud Services, an SaaS provider in the Midwestern US. The firm's main datacenter is located in northern Indiana, in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined the rebuilding and reconfiguring the datacenter would cost $10 million Henry consulted with tornado experts, datacenter specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologist determined that Atwoods facilities lies in an area where they are likely to experience a tornado once every 200 years. Based on the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landings datacenter? A. 10 percent B. 25 percent C. 50 percent D. 75 percent

Answer 91

C. 50 percent Explanation: The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50 percent

Question 92

Based on information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's datacenter? A. 0.0025 B. 0.005 C. 0.01 D. 0.015

Answer 92

B. 0.005 Explanation: The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornadoes once every 200 years, or 0.005 times per year

Question 93

Based on the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landings datacenter? A. $25,000 B. $50,000 C. $250,000 D. $500,000

Answer 93

A. $25,000 Explanation: The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000 and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000

Question 94

Tamara recently decided to purchase cyber-liability insurance to cover her companys costs in the event of a data breach at a cloud service provider. What risk management strategy is she pursuing? A. Risk acceptance B. Risk mitigation C. Risk transference D. Risk avoidance

Answer 94

C. Risk transference Explanation: Risk transference involves shifting the impact of a potential risk from the organization incurring the risk to another organization. Insurance is a common example of risk transference

Question 95

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention? A. I B. II C. III D. IV

Answer 95

A. I Explanation: The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur

Question 96

Jim starts a new job as a system engineer, and he is reviewing a team documented titled "Forensic Response Guidelines for Cloud Services". Which one of the following statements is not true? A. Jim must comply with the information in this document B. The document contains information about forensic examinations C. Jim should read the document thoroughly D. The document is likely based on industry best practices

Answer 96

A. Jim must comply with the information in this document Explanation: Guidelines provide advice based on best practices developed throughout industry and organizations, but they are not compulsory. Compliance with guidelines is optional

Question 97

Which one of the following laws does not contain breach notification requirements? A. GLBA B. HIPAA/HITECH C. FERPA D. GDPR

Answer 97

C. FERPA Explanation: Most privacy laws include a breach reporting requirement. These provisions exists in the GLBA, HIPAA

Question 98

Which one of the following metrics would not commonly be found in an SLA? A. Network performance B. Compute capacity C. Help desk response time D. Number of security incidents

Answer 98

D. Number of security incidents Explanation: SLA generally include operational metrics, such as network performance, compute capacity, and help desk response times. They would generally not set standards for the number of security incidents because that metric would incentivize the service provider to cover up security incidents rather than openly share information

Question 99

You are the CISO for a major hospital system and preparing to sign a contract with a SaaS email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal? A. SOC 1 B. FISMA C. PCI DSS D. SOC 2

Answer 99

D. SOC 2 Explanation: The Service Organizations Control audit program includes business continuity controls in an SOC 2, but not SOC 1, audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital

Question 100

Which of the following is probably least suited for inclusion in the SLA between a cloud customer and cloud provider? A. Bandwidth B. Jurisdiction C. Storage space D. Availability

Answer 100

B. Jurisdiction Explanation: The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, numeric metrics. Jurisdiction is usually dictated by location instead, whbi