Domain 6 Legal, Risk and Compliance Flashcards
Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract), for ending the contract at any point prior to the scheduled date. This is best described as an example of _____
A. Favorable contract terms
B. Strong negotiation
C. IaaS
D. Vendor Lock In
D. Vendor Lock In
Explanation:
Vendor lock in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.
These contract terms can be described as favorable only from the provider's perspective; option D is preferable to option A for describing this situation.
There was no description of negotiation included in the question; option B is incorrect.
IaaS is a service model and doesn't really apply to anything in this context; option C is incorrect.
Cathy is developing an eDiscovery program to help her organization formalize its compliance with legal hold obligations. She would like to use an industry standard to guide her toward best practices. What standard should she consider using for this work?
A. ISO 27001
B. ISO 27002
C. ISO 27050
D. ISO 27701
C. ISO 27050
Explanation:
ISO 27050 is an industry standard that provides guidance for eDiscovery programs. ISO 27001 and ISO 27002 provide industry standard control objectives and control suggestions for cybersecurity. ISO 27701 provides industry standard guidance for information privacy programs
In regard to most privacy guidance, the data processor is ___________
A. The individual described by the PII
B. The entity that collects or creates the PII
C. The entity that uses PII on behalf of the controller
D. The entity that regulates PII
C. The entity that uses PII on behalf of the controller
Explanation:
The entity that uses the data on behalf of the owner/controller is a data processor. The data subject is the person who the PII describes. The entity that collects or creates the PII is the data owner or controller.
Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case.
In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _____
A. Their testimony is scripted, and they do not deviate from the script
B. They present only evidence that is favorable to your side of the case
C. They are trained and certified in the tools they used
D. They are paid for their time while they are appearing in the courtroom
C. They are trained and certified in the tools they used
Explanation:
In order to deliver credible, believable expert testimony, it's important that your personnel have more than an amateur's understanding and familiarity with any forensic tools they use to perform analysis. Formal training and certifications are excellent methods for creating accountability.
After conducting a qualitative risk assessment of her organization, Prisha decides to recommend adding a new module to the firewall that will filter out inbound malware. What type of risk response behavior is she recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject
C. Reduce
Explanation:
Deploying a firewall is a risk mitigation strategy designed to reduce the likelihood or impact of the risk. If Prisha suggested that the organization simply continue to function as is, that would be risk acceptance.
Nora is an employee of Acme Widgets and works on a team of auditors who examine the organization's financial controls. She is currently working on a project to evaluate whether payments to cloud providers are proper and will be reporting her results to management. What term best describes Nora's role in this project?
A. Internal assessment
B. External audit
C. Internal Audit
D. External Audit
C. Internal Audit
Explanation:
Nora is an employee of the organization, so her work is clearly internal in nature.
Carla is assigned to manage her organization's privacy program and is working to communicate to customers about a change in the organization's privacy practices. She plans to send an email notifying customers of the change and allowing them to opt out of the use of their data. Which GAPP principle is not described in this scenario?
A. Notice
B. Management
C. Access
D. Choice and Consent
C. Access
Explanation:
Carla is assigned as the manager of her organization's privacy program. This assignment is an example of the GAPP principle of Management. She is communicating about a change in privacy practices to her customers, which is an example of Notice. She is also offering those customers the opportunity to opt out of the use of their data. The principle of Access says that individuals should be able to review and update their personal information. There is no description of Access in this scenario.
You’re a medical student at a private research university in the United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data or the data you work with as a student?
A. Sarbanes Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Education Rights and Privacy Act (FERPA)
A. Sarbanes Oxley Act (SOX)
Explanation:
SOX is only applicable to publicly traded corporations, not all companies.
Rolando is a risk manager with a large-scale cloud service provider. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance
D. Risk acceptance
Explanation:
In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.
Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
A. GLBA
Explanation:
GLBA contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.
Bill is conducting an audit of a cloud provider under SSAE and ISAE standards. During the audit, he discovers that some records required to complete one of his tests were accidentally destroyed and are not recoverable. There are no alternative tests available for this control objective. What action should Bill take?
A. Describe the limitation in the audit scope statement
B. Postpone the audit for one year until adequate records are available
C. Issue a failing audit report
D. Remove this test from the audit and test a different control objective
A. Describe the limitation in the audit scope statement
Explanation:
The proper course of action when records are not available is to write a statement of scope limitation that describes the issue and its impact on the audit. Bill could have avoided this by performing an alternative test of the same control objective, but the scenario says this is not possible.
Which of the following is not a way in which an entity located outside the EU can be allowed to gather and process privacy data belonging to EU citizens?
A. Be located in a country with a nationwide law that complies with the EU laws
B. Appeal to the EU High Court for permission
C. Create binding contractual language that complies with the EU laws
D. Join the Privacy Shield program in its own country
B. Appeal to the EU High Court for permission
Explanation:
The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy laws from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:
- Their own country has nationwide laws that comply with EU laws
- The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data
- The entity voluntarily subscribes to its own nation's Privacy Shield program
There is no process for the entity to appeal to the EU for permission to do so.
Which type of business impact assessment tool is the most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized Loss Expectancy
D. Reduction
B. Qualitative
Explanation:
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale and reputation.
An audit against the _______ will demonstrate that an organization has a holistic, comprehensive program of internal security controls
A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. Service Organization Control (SOC) 2, Type 2 report matrix
D. ISO 27001 certification requirements
D. ISO 27001 certification requirements
Explanation:
The ISO 27001 certification is for the information security management system (ISMS), the organization's entire security program.
The SAS 70 and SSAE are audit standards for service providers and include some review of security controls but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct.
An IT security audit is designed to reveal all of the following except _______
A. Financial fraud
B. Malfunctioning controls
C. Inadequate controls
D. Failure to meet target standards and guidelines
A. Financial fraud
Explanation:
An IT security audit is not intended to locate financial fraud; it may reveal such fraud unintentionally, though.
During an IT audit, the CEO of a cloud provider demands regular updates on the testing process. How should auditors respond to this demand?
A. Refuse to provide the CEO with any information until the conclusion of the audit
B. Refer the matter to the client's Board of Directors
C. Provide the CEO with regular updates
D. Refer the matter to the audit firm's partnership review board
C. Provide the CEO with regular updates
Explanation:
It is appropriate to engage stakeholders during the audit process. While the CEO may be demanding information in a rude manner, that does not mean that they are not an important stakeholder.
Which of the following is a US audit standard often used to evaluate cloud providers?
A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770
C. SSAE 18
Explanation:
The Statement on Standards for Attestation Engagements 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard.
ISO 27001 is an international audit standard.
The
Digital forensics investigators perform all of the following actions routinely except for securely ______ data
A. Collecting
B. Creating
C. Analyzing
D. Presenting
B. Creating
Explanation:
With rare exceptions, digital forensics does not include creation of data (other than the forensic reports regarding the analysis of data).
A ____________ includes reviewing the organization's current position/performance as revealed by an audit against a given standard
A. Service Organization Control (SOC) report
B. Gap Analysis
C. Audit Scoping Statement
D. Federal Guideline
B. Gap Analysis
Explanation:
This is the definition of a gap analysis.
The scoping statement is a pre-audit function that aids both the organization and the auditor in determining what, specifically, will be audited.
Belinda is auditing the financial controls of a manufacturing company and learns that the financial systems are run on a major IaaS platform. She would like to gain assurance that the platform has appropriate security controls in place to assure the accuracy of her client's financial statements. What action should she take?
A. Perform an IT audit of the cloud provider
B. Obtain a SOC 1 Report
C. Obtain a SOC 2 report
D. Continue testing only controls at the client and note the use of the cloud provider in her report
B. Obtain a SOC 1 Report
Explanation:
Belinda is obligated to gain assurance that the cloud provider has appropriate controls in place. It is unlikely that she will gain permission to audit those controls herself and, even if she gained that permission, it would result in excessive and unnecessary costs. She should instead ask the cloud provider for the report of an independent audit. SOC 1 audits are designed specifically to test the controls covering customer financial statements and would be the appropriate audit type in this scenario. SOC 2 audits cover cybersecurity controls more broadly and would be unnecessary.
Tony is developing a business continuity plan and is having trouble prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
Explanation:
Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks.
What was the first international privacy standard specifically for cloud providers?
A. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37
B. Personal Information Protection and Electronic Documents Act
C. Payment Card Industry
D. ISO 27018
D. ISO 27018
Explanation:
ISO 27018 describes privacy requirements for cloud providers, including an annual audit mandate.
Which one of the following elements of information is not considered a direct identifier that would trigger most US state data breach laws?
A. Student identification number
B. Social security number
C. Driver's license number
D. Credit card number
A. Student identification number
Explanation:
Most state data breach notification laws are modeled after California's data breach notification law, which covers all of the listed items except student identification number.
Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock in?
A. Data format type and structure
B. Availability
C. Storage space
D. List of available OSs
A. Data format type and structure
Explanation:
When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock in.
Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the SLA?
A. Regulatory oversight
B. Financial penalties
C. Performance Details
D. Desire to maintain customer satisfaction
B. Financial penalties
Explanation:
The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs (for instance, a waiver of payment for a given service term). This is a huge motivating element for the provider.
Fran recently conducted a review of the risk management program in her organization and developed an analysis of all of the risks facing the organization and their quantitative impact. What term best describes this analysis?
A. Risk appetite
B. Risk tolerance
C. Risk Controls
D. Risk Profile
D. Risk Profile
Explanation:
A quantitative analysis of all of the risks facing an organization and their potential impact is best described as the organization's risk profile. Risk appetite, or risk tolerance, is the amount of risk that an organization is willing to accept. Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation. Risk controls are used to manage risks to an acceptable level.
Which of the following was the first international standard addressing the privacy aspects of cloud computing for consumers?
A. ISO 27001
B. ISO 27018
C. ISO 27002
D. GDPR
B. ISO 27018
Explanation:
ISO/IEC 27018 addresses the privacy aspects of cloud computing for consumers and was the first international set of privacy controls in the cloud.
You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a _____ to all personnel and offices within your company
A. Litigation hold notice
B. Audit scoping letter
C. Statement of Work
D. Memorandum of agreement
A. Litigation hold notice
Explanation:
A litigation hold notice is required to prevent possible destruction of pertinent evidence that may be used in the case. An audit scoping letter outlines the parameters for an audit engagement.
Gwen is a cybersecurity professional for a financial services firm that maintains records of their customers. These records include personal information about each customer, including the customer's name, social security number, date and place of birth and mother's maiden name.
What category best describes these records?
A. PHI
B. Proprietary data
C. PII
D. EDI
C. PII
Explanation:
PII includes data that can be used to distinguish or trace a person's identity and also includes information such as their medical, educational, financial and employment information.
Aaron is concerned about the possibility that a cloud vendor that his organization relies on may go out of business. What term best describes this risk?
A. Vendor lock in
B. Vendor viability
C. Vendor lockout
D. Vendor diversity
B. Vendor viability
Explanation:
Vendor viability is the risk that a vendor will not be able to continue operations and that a vendor shutdown will adversely impact customers.
Mike recently implemented an IPS designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
C. Risk mitigation
Explanation:
Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. An IPS attempts to reduce the probability of a successful attack and is, therefore, an example of risk mitigation.
Viola is planning a user account audit to determine whether accounts have the appropriate level of permissions and that all permissions were approved through a formal process. The organization has approximately 50,000 user accounts and an annual employee turnover rate of 24 percent. Which one of the following sampling approaches would be the most effective use of her time when choosing records for manual review?
A. Select all records that have been modified during the past month
B. Ask access administrators to identify the accounts most likely to have issues and audit those
C. Select a random sample of records, either from the entire population or from the population records that have been changed during the audit period
D. Sampling is not effective in this situation, and all accounts should be audited
C. Select a random sample of records, either from the entire population or from the population records that have been changed during the audit period
Explanation:
Sampling should be done randomly to avoid human bias. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the user base. It is infeasible for a single person to review every single record.
Which one of the following issues is not normally addressed in a SLA?
A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime
A. Confidentiality of customer information
Explanation:
SLAs do not normally address issues of data confidentiality. Those provisions are normally in an NDA.
Elise is helping her organization prepare to evaluate and adopt a new cloud based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?
A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor's own policies
B. Handling information in the same manner the organization would
Explanation:
The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor's security controls meet the organization's own standards. Compliance with laws and regulations should be included in that requirement and is a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor's policy may be weaker than the organization's own requirements.
HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?
A. Risk mitigation
B. Risk Acceptance
C. Risk transference
D. Risk avoidance
D. Risk avoidance
Explanation:
HAL Systems decided to stop offering the service because of the risk. This is an example of risk avoidance.
Who would normally conduct a review of security controls under SSAE 18?
A. Security team
B. External auditor
C. Government regulator
D. IT Leadership
B. External auditor
Explanation:
SSAE 18 is an audit standard for service organization controls (SOC) audits. These audits are conducted by independent, external audit firms.
Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?
A. Impact
B. RPO
C. MTO
D. Likelihood
D. Likelihood
Explanation:
Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.
Which of the following statements about SSAE-18 is not correct?
A. It mandates a specific control set
B. It is an attestation standard
C. It is used for external audits
D. It uses a framework, including SOC 1, SOC 2 and SOC 3 reports
A. It mandates a specific control set
Explanation:
SSAE-18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2 and 3 reports.
Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt’s clients pursuant to a search warrant. Which of the following laws requires that communications service providers cooperate with law enforcement requests?
A. ECPA
B. CALEA
C. Privacy Act
D. HITECH
B. CALEA
Explanation:
The Communications Assistance to Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
A. FISMA
Explanation:
The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA.