Governance and Compliance Flashcards
5.1 - Summarize elements of effective security governance 5.4 - Summarize elements of effective security compliance
1
Q
Which of the following are key aspects of effective security governance? (Choose Three)
A. Risk Management
B. Strategic Alignment
C. Employee Satisfaction
D. Performance Measurement
A
Answer: A, B, D
Explanation:
A. Risk Management: Governance involves identifying, assessing, and managing risks to ensure organizational security.
B. Strategic Alignment: Governance ensures that IT strategies align with the organization’s overall business objectives.
D. Performance Measurement: Governance includes mechanisms to monitor and measure the performance of IT processes.
C. Employee Satisfaction: While important, this is not a primary focus of governance frameworks.
2
Q
Which of the following best describes the role of governance in an organization?
A. Governance focuses solely on technical IT infrastructure.
B. Governance establishes a strategic framework for managing IT resources and aligning them with business goals.
C. Governance is only concerned with compliance with laws and regulations.
D. Governance does not influence organizational policies or procedures.
A
Answer: B
Explanation:
B. Governance establishes a strategic framework for managing IT resources and aligning them with business goals. This is the primary role of governance, as it ensures that IT operations support the organization’s objectives.
A, C, D: These options are incorrect because governance is broader than just technical infrastructure or compliance and directly influences policies and procedures.
3
Q
Which of the following governance structures is responsible for setting the strategic direction of an organization?
A. Committees
B. Government Entities
C. Boards of Directors
D. Centralized Structures
A
Answer: C
Explanation:
C. Boards of Directors: They are responsible for setting the strategic direction and making significant decisions for the organization.
A. Committees: These are typically responsible for specific tasks or areas but not overall strategic direction.
B. Government Entities: These are external bodies that may influence governance but do not set internal strategic direction.
D. Centralized Structures: These refer to organizational structures, not decision-making bodies.
4
Q
Which of the following is NOT a key element of governance frameworks?
A. Risk Management
B. Resource Management
C. Employee Training
D. Performance Measurement
A
Answer: C
Explanation:
C. Employee Training: While important, it is not a core element of governance frameworks.
A, B, D: These are all key elements of governance, as they involve managing risks, resources, and performance.
5
Q
Which of the following are reasons why compliance is important for an organization? (Choose Three)
A. Legal Obligations
B. Employee Satisfaction
C. Trust and Reputation
D. Data Protection
A
Answer: A, C, D
Explanation:
A. Legal Obligations: Compliance ensures adherence to laws and regulations, avoiding penalties like fines and sanctions.
C. Trust and Reputation: Compliance enhances an organization’s reputation and fosters trust among customers and partners.
D. Data Protection: Compliance helps prevent data breaches and protects sensitive information.
B. Employee Satisfaction: While important, it is not a primary reason for compliance.
6
Q
Which of the following policies outlines steps to ensure an organization can continue operations during and after a disruption?
A. Acceptable Use Policy (AUP)
B. Business Continuity Policy
C. Change Management Policy
D. Software Development Lifecycle (SDLC) Policy
A
Answer: B
Explanation:
B. Business Continuity Policy: This policy focuses on ensuring the organization can continue operations during and after disruptions.
A. Acceptable Use Policy (AUP): This defines acceptable use of IT resources.
C. Change Management Policy: This governs how changes to IT systems are managed.
D. Software Development Lifecycle (SDLC) Policy: This outlines processes for software development.
7
Q
Which of the following is an example of a global governance consideration?
A. A local city ordinance prohibiting certain types of businesses
B. A state regulation on consumer data privacy
C. A national law requiring accessibility for people with disabilities
D. A European regulation affecting data collection practices worldwide
A
Answer: D
Explanation:
D. A European regulation affecting data collection practices worldwide: This is a global consideration because it impacts organizations beyond the region where the regulation was created.
A, B, C: These are local, state, or national considerations, not global.
8
Q
Which of the following is a consequence of non-compliance? (Choose Two)
A. Fines and Sanctions
B. Employee Bonuses
C. Reputational Damage
D. Increased Customer Trust
A
Answer: A, C
Explanation:
A. Fines and Sanctions: Non-compliance can lead to legal penalties.
C. Reputational Damage: Non-compliance can harm an organization’s reputation.
B, D: These are not consequences of non-compliance.
9
Q
Which of the following is a high-level guideline that outlines an organization’s commitment to data protection?
A. Password Standards
B. Information Security Policy
C. Change Management Procedures
D. Playbooks
A
Answer: B
Explanation:
B. Information Security Policy: This is a high-level guideline that outlines the organization’s commitment to protecting data.
A. Password Standards: These are specific rules, not high-level guidelines.
C. Change Management Procedures: These are step-by-step instructions, not high-level guidelines.
D. Playbooks: These are detailed guides for specific tasks, not high-level policies.
10
Q
Which of the following standards ensures that only authorized individuals can access specific resources?
A. Password Standards
B. Access Control Standards
C. Physical Security Standards
D. Encryption Standards
A
Answer: B
Explanation:
B. Access Control Standards: These ensure that only authorized individuals can access specific resources.
A. Password Standards: These govern the creation and management of passwords.
C. Physical Security Standards: These focus on securing physical assets.
D. Encryption Standards: These govern the use of encryption to protect data.
11
Q
Which of the following procedures involves disabling access to systems and conducting exit interviews?
A. Onboarding
B. Offboarding
C. Change Management
D. Playbooks
A
Answer: B
Explanation:
B. Offboarding: This procedure involves tasks like disabling access and conducting exit interviews when an employee leaves the organization.
A. Onboarding: This involves setting up access for new employees.
C. Change Management: This governs changes to IT systems.
D. Playbooks: These are guides for specific tasks or scenarios.
12
Q
Which of the following concepts involves ensuring that an organization has taken reasonable steps to comply with regulations?
A. Due Diligence
B. Attestation
C. Automation
D. Acknowledgment
A
Answer: A
Explanation:
A. Due Diligence: This involves taking reasonable steps to ensure compliance with regulations.
B. Attestation: This is a formal declaration of compliance.
C. Automation: This refers to using tools to streamline compliance processes.
D. Acknowledgment: This is a general term and not specific to compliance.
13
Q
Which of the following is a benefit of using automation in compliance processes?
A. Increased manual errors
B. Reduced efficiency
C. Streamlined monitoring and reporting
D. Higher costs
A
Answer: C
Explanation:
C. Streamlined monitoring and reporting: Automation helps streamline compliance processes, making them more efficient and accurate.
A, B, D: These are not benefits of automation.
14
Q
Which of the following best describes the role of governance in an organization’s IT infrastructure?
A. Governance focuses solely on technical IT operations.
B. Governance establishes a strategic framework to align IT with business objectives and regulatory requirements.
C. Governance is only concerned with compliance with laws and regulations.
D. Governance does not influence the creation of policies or procedures.
A
Answer: B
Explanation:
B. Governance establishes a strategic framework to align IT with business objectives and regulatory requirements. This is the primary role of governance, as it ensures that IT operations support the organization’s goals and comply with regulations.
A, C, D: These options are incorrect because governance is broader than just technical operations or compliance and directly influences policies and procedures.
15
Q
Which of the following are key components of the GRC triad? (Choose Three)
A. Governance
B. Risk Management
C. Compliance
D. Employee Training
A
Answer: A, B, C
Explanation:
A. Governance: This involves strategic leadership and decision-making to align IT with business objectives.
B. Risk Management: This involves identifying, assessing, and managing risks to the organization.
C. Compliance: This ensures adherence to laws, regulations, and standards.
D. Employee Training: While important, it is not part of the GRC triad.
16
Q
Which of the following is a primary purpose of governance in an organization?
A. To manage employee salaries and benefits
B. To establish a strategic framework that aligns IT with business objectives and regulatory requirements
C. To focus solely on technical IT infrastructure
D. To replace the need for compliance
A
Answer: B
Explanation:
B. To establish a strategic framework that aligns IT with business objectives and regulatory requirements. This is the primary purpose of governance.
A, C, D: These options are incorrect because governance does not focus on employee salaries, technical infrastructure alone, or replace compliance.
17
Q
Which of the following does governance directly influence? (Choose Three)
A. Guidelines
B. Policies
C. Employee Satisfaction
D. Procedures
A
Answer: A, B, D
Explanation:
A. Guidelines: Governance provides recommended approaches for handling situations.
B. Policies: Governance drives the development of high-level guidelines outlining organizational commitments.
D. Procedures: Governance ensures that procedures align with organizational objectives.
C. Employee Satisfaction: While important, this is not directly influenced by governance.
18
Q
Which of the following is an example of how governance adapts to changes in the industry?
A. Ignoring new regulations to save costs
B. Updating policies and procedures to address new technologies, regulations, or cultural shifts
C. Eliminating compliance requirements to streamline operations
D. Focusing solely on technical IT infrastructure without considering business objectives
A
Answer: B
Explanation:
B. Updating policies and procedures to address new technologies, regulations, or cultural shifts. Governance must adapt to changes to remain effective.
A, C, D: These options are incorrect because governance does not ignore regulations, eliminate compliance, or focus solely on technical infrastructure.
19
Q
Which of the following is a key responsibility of governance in risk management?
A. Ignoring potential risks to focus on business growth
B. Identifying, assessing, and managing potential risks to the organization
C. Delegating risk management entirely to IT teams
D. Eliminating all risks to ensure zero vulnerabilities
A
Answer: B
Explanation:
B. Identifying, assessing, and managing potential risks to the organization. This is a key responsibility of governance in risk management.
A, C, D: These options are incorrect because governance does not ignore risks, delegate risk management entirely, or aim to eliminate all risks (which is impossible).
20
Q
Which of the following is an example of governance influencing standards?
A. Creating high-level guidelines for ethical conduct
B. Defining mandatory rules for password complexity
C. Providing step-by-step instructions for onboarding new employees
D. Conducting employee satisfaction surveys
A
Answer: B
Explanation:
B. Defining mandatory rules for password complexity. Standards are specific, mandatory rules that must be followed to adhere to policies.
A. Creating high-level guidelines for ethical conduct: This is an example of policy development, not standards.
C. Providing step-by-step instructions for onboarding new employees: This is an example of procedures, not standards.
D. Conducting employee satisfaction surveys: This is unrelated to governance influencing standards.
21
Q
Which of the following is a reason why governance must adapt to changes in technology, regulations, and industry culture?
A. To avoid monitoring and revision of the governance framework
B. To ensure the governance framework remains effective and relevant
C. To eliminate the need for compliance
D. To focus solely on technical IT infrastructure
A
Answer: B
Explanation:
B. To ensure the governance framework remains effective and relevant. Governance must adapt to changes to address gaps or weaknesses and maintain effectiveness.
A, C, D: These options are incorrect because governance requires monitoring and revision, does not eliminate compliance, and is broader than just technical infrastructure.
22
Q
Which of the following is an example of governance influencing procedures?
A. Creating a high-level policy on data protection
B. Defining mandatory encryption standards
C. Providing step-by-step instructions for secure remote access
D. Conducting risk assessments
A
Answer: C
Explanation:
C. Providing step-by-step instructions for secure remote access. Procedures are detailed steps to accomplish specific tasks, influenced by governance.
A. Creating a high-level policy on data protection: This is an example of policy development, not procedures.
B. Defining mandatory encryption standards: This is an example of standards, not procedures.
D. Conducting risk assessments: This is part of risk management, not procedures.
23
Q
Which of the following is a key activity in monitoring governance effectiveness?
A. Ignoring changes in technology and regulations
B. Regularly reviewing and assessing the governance framework
C. Eliminating compliance requirements
D. Delegating governance entirely to external consultants
A
Answer: B
Explanation:
B. Regularly reviewing and assessing the governance framework. Monitoring involves evaluating the effectiveness of governance and identifying gaps or weaknesses.
A, C, D: These options are incorrect because governance requires active monitoring, does not eliminate compliance, and is not delegated entirely to external consultants.
24
Q
Which of the following best describes the role of a board of directors in an organization?
A. Managing day-to-day operations of the organization
B. Setting the organization’s strategic direction and making significant decisions
C. Enforcing laws and regulations for compliance
D. Focusing solely on technical IT infrastructure
A
Answer: B
Explanation:
B. Setting the organization’s strategic direction and making significant decisions. This is the primary role of a board of directors.
A. Managing day-to-day operations: This is the responsibility of management, not the board.
C. Enforcing laws and regulations: This is the role of government entities, not the board.
D. Focusing solely on technical IT infrastructure: This is not the board’s role.
25
Which of the following are examples of committees within a board of directors? (Choose Two)
A. Audit Committee
B. Marketing Team
C. Governance Committee
D. IT Support Team
Answer: A, C
Explanation:
A. Audit Committee: Oversees financial reporting and compliance.
C. Governance Committee: Ensures the board functions effectively and adheres to governance principles.
B. Marketing Team: This is not a committee within a board of directors.
D. IT Support Team: This is not a committee within a board of directors.
26
Which of the following is a key characteristic of a centralized governance structure?
A. Decision-making authority is distributed throughout the organization.
B. Decision-making authority is concentrated at the top levels of management.
C. It allows for quick responses to local or departmental needs.
D. It often leads to inconsistencies in decision-making.
Answer: B
Explanation:
B. Decision-making authority is concentrated at the top levels of management. This is a key characteristic of centralized governance.
A. Decision-making authority is distributed throughout the organization: This describes a decentralized structure.
C. It allows for quick responses to local or departmental needs: This is a characteristic of decentralized structures.
D. It often leads to inconsistencies in decision-making: This is a characteristic of decentralized structures.
27
Which of the following is an example of a government entity that impacts organizational governance?
A. A company’s board of directors
B. The Federal Trade Commission (FTC)
C. A cybersecurity committee
D. A decentralized IT department
Answer: B
Explanation:
B. The Federal Trade Commission (FTC): This is a government entity that enforces laws related to consumer protection and competition, impacting organizational governance.
A. A company’s board of directors: This is an internal governance structure, not a government entity.
C. A cybersecurity committee: This is an internal committee, not a government entity.
D. A decentralized IT department: This is an internal organizational structure, not a government entity.
28
Which of the following are advantages of a decentralized governance structure? (Choose Two)
A. Consistent decision-making across the organization
B. Quicker decision-making at local or departmental levels
C. Clear lines of authority at the top levels of management
D. Greater responsiveness to local or departmental needs
Answer: B, D
Explanation:
B. Quicker decision-making at local or departmental levels: Decentralized structures allow for faster decision-making.
D. Greater responsiveness to local or departmental needs: Decentralized structures are more adaptable to local needs.
A. Consistent decision-making across the organization: This is an advantage of centralized structures.
C. Clear lines of authority at the top levels of management: This is an advantage of centralized structures.
29
Which of the following is a key responsibility of an audit committee within a board of directors?
A. Setting the organization’s strategic direction
B. Overseeing the organization’s financial reporting process
C. Managing cybersecurity risks
D. Enforcing consumer protection laws
Answer: B
Explanation:
B. Overseeing the organization’s financial reporting process: This is the primary responsibility of an audit committee.
A. Setting the organization’s strategic direction: This is the responsibility of the board of directors, not the audit committee.
C. Managing cybersecurity risks: This is the responsibility of a cybersecurity committee.
D. Enforcing consumer protection laws: This is the responsibility of government entities, not the audit committee.
30
Which of the following is a disadvantage of a centralized governance structure?
A. Inconsistent decision-making across the organization
B. Slow response to local or departmental needs
C. Lack of clear lines of authority
D. Difficulty in enforcing compliance with regulations
Answer: B
Explanation:
B. Slow response to local or departmental needs: Centralized structures can be slower to respond to local needs due to the concentration of decision-making authority at the top.
A. Inconsistent decision-making across the organization: This is a disadvantage of decentralized structures.
C. Lack of clear lines of authority: Centralized structures have clear lines of authority.
D. Difficulty in enforcing compliance with regulations: This is not a specific disadvantage of centralized structures.
31
Which of the following is an example of a decentralized governance structure?
A. A large corporation with consistent policies across all departments
B. A tech startup that encourages innovation and agility
C. A government entity enforcing consumer protection laws
D. A board of directors setting strategic direction
Answer: B
Explanation:
B. A tech startup that encourages innovation and agility: Decentralized structures are often used in startups to allow for quick decision-making and adaptability.
A. A large corporation with consistent policies across all departments: This describes a centralized structure.
C. A government entity enforcing consumer protection laws: This is unrelated to governance structures within an organization.
D. A board of directors setting strategic direction: This is part of governance but not specific to decentralized structures.
32
Which of the following is a key function of a governance committee within a board of directors?
A. Overseeing financial reporting
B. Ensuring the board functions effectively and adheres to governance principles
C. Managing cybersecurity risks
D. Enforcing consumer protection laws
Answer: B
Explanation:
B. Ensuring the board functions effectively and adheres to governance principles: This is the primary function of a governance committee.
A. Overseeing financial reporting: This is the responsibility of an audit committee.
C. Managing cybersecurity risks: This is the responsibility of a cybersecurity committee.
D. Enforcing consumer protection laws: This is the responsibility of government entities.
33
Which of the following is a key difference between centralized and decentralized governance structures?
A. Centralized structures have distributed decision-making authority, while decentralized structures concentrate authority at the top.
B. Centralized structures are more responsive to local needs, while decentralized structures are slower to respond.
C. Centralized structures concentrate decision-making authority at the top, while decentralized structures distribute authority throughout the organization.
D. Centralized structures often lead to inconsistencies, while decentralized structures ensure consistency.
Answer: C
Explanation:
C. Centralized structures concentrate decision-making authority at the top, while decentralized structures distribute authority throughout the organization. This is the key difference between the two structures.
A, B, D: These options incorrectly describe the characteristics of centralized and decentralized structures.
34
Which of the following best describes the purpose of an Acceptable Use Policy (AUP)?
A. To outline the steps for recovering IT systems after a disaster
B. To define appropriate and prohibited use of an organization’s IT systems and resources
C. To govern how changes to IT systems are implemented
D. To ensure the confidentiality, integrity, and availability of data
Answer: B
Explanation:
B. To define appropriate and prohibited use of an organization’s IT systems and resources. This is the primary purpose of an AUP.
A. To outline the steps for recovering IT systems after a disaster: This describes a Disaster Recovery Policy.
C. To govern how changes to IT systems are implemented: This describes a Change Management Policy.
D. To ensure the confidentiality, integrity, and availability of data: This describes Information Security Policies.
35
Which of the following are key areas covered by Information Security Policies? (Choose Three)
A. Data Classification
B. Access Control
C. Employee Satisfaction
D. Encryption
Answer: A, B, D
Explanation:
A. Data Classification: Information Security Policies define how data is classified and protected.
B. Access Control: These policies specify who can access sensitive data and systems.
D. Encryption: Information Security Policies often require encryption to protect data in transit and at rest.
C. Employee Satisfaction: This is not a focus of Information Security Policies.
36
Which of the following policies focuses on ensuring an organization can continue critical operations during and after a disruption?
A. Acceptable Use Policy (AUP)
B. Business Continuity Policy
C. Disaster Recovery Policy
D. Incident Response Policy
Answer: B
Explanation:
B. Business Continuity Policy: This policy focuses on continuing critical operations during and after disruptions.
A. Acceptable Use Policy (AUP): This defines appropriate use of IT resources.
C. Disaster Recovery Policy: This focuses on recovering IT systems and data after a disaster.
D. Incident Response Policy: This outlines steps for handling security incidents.
37
Which of the following is a key component of a Disaster Recovery Policy?
A. Defining acceptable use of IT resources
B. Outlining steps for data backup and restoration
C. Governing how changes to IT systems are implemented
D. Ensuring employee satisfaction
Answer: B
Explanation:
B. Outlining steps for data backup and restoration: This is a key component of a Disaster Recovery Policy.
A. Defining acceptable use of IT resources: This is part of an AUP.
C. Governing how changes to IT systems are implemented: This is part of a Change Management Policy.
D. Ensuring employee satisfaction: This is not related to Disaster Recovery.
38
Which of the following policies includes steps for detecting, reporting, and responding to security incidents?
A. Business Continuity Policy
B. Incident Response Policy
C. Software Development Lifecycle (SDLC) Policy
D. Change Management Policy
Answer: B
Explanation:
B. Incident Response Policy: This policy outlines steps for handling security incidents, including detection, reporting, and response.
A. Business Continuity Policy: This focuses on continuing operations during disruptions.
C. Software Development Lifecycle (SDLC) Policy: This guides software development processes.
D. Change Management Policy: This governs changes to IT systems.
39
Which of the following is a key focus of a Software Development Lifecycle (SDLC) Policy?
A. Ensuring high-quality, secure software through secure coding practices
B. Defining acceptable use of IT resources
C. Outlining steps for data backup and restoration
D. Governing how changes to IT systems are implemented
Answer: A
Explanation:
A. Ensuring high-quality, secure software through secure coding practices: This is a key focus of an SDLC Policy.
B. Defining acceptable use of IT resources: This is part of an AUP.
C. Outlining steps for data backup and restoration: This is part of a Disaster Recovery Policy.
D. Governing how changes to IT systems are implemented: This is part of a Change Management Policy.
40
Which of the following policies governs how changes to IT systems and processes are handled?
A. Acceptable Use Policy (AUP)
B. Business Continuity Policy
C. Change Management Policy
D. Incident Response Policy
Answer: C
Explanation:
C. Change Management Policy: This policy governs how changes to IT systems and processes are implemented.
A. Acceptable Use Policy (AUP): This defines appropriate use of IT resources.
B. Business Continuity Policy: This focuses on continuing operations during disruptions.
D. Incident Response Policy: This outlines steps for handling security incidents.
41
Which of the following is a key benefit of having an Incident Response Policy?
A. Ensuring high-quality software development
B. Minimizing damage and downtime during security incidents
C. Defining acceptable use of IT resources
D. Outlining steps for data backup and restoration
Answer: B
Explanation:
B. Minimizing damage and downtime during security incidents: This is a key benefit of an Incident Response Policy.
A. Ensuring high-quality software development: This is a focus of an SDLC Policy.
C. Defining acceptable use of IT resources: This is part of an AUP.
D. Outlining steps for data backup and restoration: This is part of a Disaster Recovery Policy.
42
Which of the following policies would specify that sensitive data must be encrypted both in transit and at rest?
A. Acceptable Use Policy (AUP)
B. Information Security Policy
C. Business Continuity Policy
D. Change Management Policy
Answer: B
Explanation:
B. Information Security Policy: This policy outlines how sensitive data is protected, including encryption requirements.
A. Acceptable Use Policy (AUP): This defines appropriate use of IT resources.
C. Business Continuity Policy: This focuses on continuing operations during disruptions.
D. Change Management Policy: This governs changes to IT systems.
43
Which of the following policies would include procedures for requesting, approving, and implementing changes to IT systems?
A. Acceptable Use Policy (AUP)
B. Business Continuity Policy
C. Change Management Policy
D. Incident Response Policy
Answer: C
Explanation:
C. Change Management Policy: This policy includes procedures for handling changes to IT systems.
A. Acceptable Use Policy (AUP): This defines appropriate use of IT resources.
B. Business Continuity Policy: This focuses on continuing operations during disruptions.
D. Incident Response Policy: This outlines steps for handling security incidents.
44
Which of the following best describes the purpose of password standards?
A. To define who has access to specific resources within an organization
B. To ensure robust and secure passwords that resist brute force attacks
C. To govern physical security measures like surveillance systems
D. To enforce encryption algorithms for data protection
Answer: B
Explanation:
B. To ensure robust and secure passwords that resist brute force attacks. Password standards dictate password complexity and management to enhance security.
A. To define who has access to specific resources within an organization: This describes access control standards.
C. To govern physical security measures like surveillance systems: This describes physical security standards.
D. To enforce encryption algorithms for data protection: This describes encryption standards.
45
Which of the following are common requirements included in password standards? (Choose Three)
A. Minimum password length of 8 to 12 characters
B. Use of a mix of uppercase and lowercase letters, numbers, and special characters
C. Regular password changes every 60 to 90 days
D. Use of biometric scanners for authentication
Answer: A, B, C
Explanation:
A. Minimum password length of 8 to 12 characters: This is a common requirement in password standards.
B. Use of a mix of uppercase and lowercase letters, numbers, and special characters: This enhances password complexity.
C. Regular password changes every 60 to 90 days: This ensures passwords are updated regularly to reduce risks.
D. Use of biometric scanners for authentication: This is part of physical security standards, not password standards.
46
Which of the following access control models assigns access based on roles within an organization?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Rule-Based Access Control
Answer: C
Explanation:
C. Role-Based Access Control (RBAC): This model assigns access based on user roles within the organization.
A. Discretionary Access Control (DAC): This allows the owner of the resource to decide access.
B. Mandatory Access Control (MAC): This uses labels or classifications to determine access.
D. Rule-Based Access Control: This enforces access based on predefined rules, not roles.
47
Which of the following principles ensures that users only have the minimal levels of access required to perform their duties?
A. Separation of Duties
B. Least Privilege
C. Mandatory Access Control (MAC)
D. Discretionary Access Control (DAC)
Answer: B
Explanation:
B. Least Privilege: This principle ensures users have only the minimal access necessary for their roles.
A. Separation of Duties: This prevents any single individual from having complete control over a critical process.
C. Mandatory Access Control (MAC): This is an access control model, not a principle.
D. Discretionary Access Control (DAC): This is an access control model, not a principle.
48
Which of the following are examples of physical security standards? (Choose Three)
A. Perimeter security measures like fences and gates
B. Surveillance systems like CCTV
C. Password hashing and salting
D. Access control mechanisms like biometric scanners
Answer: A, B, D
Explanation:
A. Perimeter security measures like fences and gates: These are physical security controls.
B. Surveillance systems like CCTV: These are part of physical security standards.
D. Access control mechanisms like biometric scanners: These are physical security measures.
C. Password hashing and salting: This is part of password standards, not physical security.
49
Which of the following encryption standards is commonly used for securing data at rest?
A. RSA
B. AES
C. SHA-256
D. MD5
Answer: B
Explanation:
B. AES (Advanced Encryption Standard): This is widely used for encrypting data at rest due to its strong security and efficient performance.
A. RSA: This is commonly used for secure communication, not data at rest.
C. SHA-256: This is a hashing algorithm, not an encryption standard.
D. MD5: This is an outdated and insecure hashing algorithm.
50
Which of the following is a key focus of access control standards?
A. Ensuring robust password complexity
B. Defining who has access to specific resources within an organization
C. Enforcing encryption algorithms for data protection
D. Governing physical security measures like surveillance systems
Answer: B
Explanation:
B. Defining who has access to specific resources within an organization: This is the primary focus of access control standards.
A. Ensuring robust password complexity: This is part of password standards.
C. Enforcing encryption algorithms for data protection: This is part of encryption standards.
D. Governing physical security measures like surveillance systems: This is part of physical security standards.
51
Which of the following is an example of an environmental control in physical security standards?
A. Password hashing and salting
B. Fire suppression systems
C. Role-Based Access Control (RBAC)
D. Advanced Encryption Standard (AES)
Answer: B
Explanation:
B. Fire suppression systems: These are environmental controls under physical security standards.
A. Password hashing and salting: This is part of password standards.
C. Role-Based Access Control (RBAC): This is an access control model.
D. Advanced Encryption Standard (AES): This is an encryption standard.
52
Which of the following encryption standards is commonly used for secure communication due to its public key infrastructure nature?
A. AES
B. RSA
C. SHA-256
D. MD5
Answer: B
Explanation:
B. RSA: This is commonly used for secure communication due to its public key infrastructure.
A. AES: This is used for encrypting data at rest.
C. SHA-256: This is a hashing algorithm, not an encryption standard.
D. MD5: This is an outdated and insecure hashing algorithm.
53
Which of the following principles prevents any single individual from having complete control over a critical process or system?
A. Least Privilege
B. Separation of Duties
C. Mandatory Access Control (MAC)
D. Discretionary Access Control (DAC)
Answer: B
Explanation:
B. Separation of Duties: This principle ensures that no single individual has complete control over a critical process, reducing the risk of insider threats.
A. Least Privilege: This ensures users have minimal access necessary for their roles.
C. Mandatory Access Control (MAC): This is an access control model, not a principle.
D. Discretionary Access Control (DAC): This is an access control model, not a principle.
54
Which of the following best describes the purpose of change management procedures?
A. To ensure that changes are implemented smoothly with minimal disruption to operations
B. To integrate new employees into the organization
C. To provide step-by-step instructions for responding to cybersecurity incidents
D. To manage the transition of employees leaving the organization
Answer: A
Explanation:
A. To ensure that changes are implemented smoothly with minimal disruption to operations. This is the primary purpose of change management procedures.
B. To integrate new employees into the organization: This describes onboarding procedures.
C. To provide step-by-step instructions for responding to cybersecurity incidents: This describes playbooks.
D. To manage the transition of employees leaving the organization: This describes offboarding procedures.
55
Which of the following are key stages of change management procedures? (Choose Three)
A. Identifying the need for change
B. Conducting exit interviews
C. Developing a plan for implementation
D. Post-change review
Answer: A, C, D
Explanation:
A. Identifying the need for change: This is the first stage of change management.
C. Developing a plan for implementation: This is a critical stage to ensure smooth execution.
D. Post-change review: This stage assesses the success of the change and identifies lessons learned.
B. Conducting exit interviews: This is part of offboarding procedures, not change management.
56
Which of the following tasks are included in onboarding procedures?
A. Retrieving company property
B. Providing orientation and training to new employees
C. Conducting exit interviews
D. Disabling access to systems
Answer: B
Explanation:
B. Providing orientation and training to new employees: This is a key part of onboarding procedures.
A. Retrieving company property: This is part of offboarding procedures.
C. Conducting exit interviews: This is part of offboarding procedures.
D. Disabling access to systems: This is part of offboarding procedures.
57
Which of the following tasks are included in offboarding procedures? (Choose Two)
A. Providing orientation and training to new employees
B. Retrieving company property
C. Disabling access to systems
D. Developing a plan for change implementation
Answer: B, C
Explanation:
B. Retrieving company property: This is a key task in offboarding procedures.
C. Disabling access to systems: This ensures security when an employee leaves.
A. Providing orientation and training to new employees: This is part of onboarding procedures.
D. Developing a plan for change implementation: This is part of change management procedures.
58
Which of the following best describes a playbook?
A. A systematic approach to managing organizational changes
B. A checklist of actions for detecting and responding to specific incidents
C. A process for integrating new employees into the organization
D. A procedure for managing employee transitions
Answer: B
Explanation:
B. A checklist of actions for detecting and responding to specific incidents. Playbooks provide step-by-step instructions for handling specific tasks or incidents.
A. A systematic approach to managing organizational changes: This describes change management procedures.
C. A process for integrating new employees into the organization: This describes onboarding procedures.
D. A procedure for managing employee transitions: This describes offboarding procedures.
59
Which of the following is a key benefit of using playbooks in an organization?
A. Ensuring smooth implementation of organizational changes
B. Providing consistent and efficient execution of specific tasks
C. Integrating new employees into the organization
D. Managing the transition of employees leaving the organization
Answer: B
Explanation:
B. Providing consistent and efficient execution of specific tasks. Playbooks ensure that tasks are performed consistently and efficiently, regardless of who is performing them.
A. Ensuring smooth implementation of organizational changes: This is a benefit of change management procedures.
C. Integrating new employees into the organization: This is a benefit of onboarding procedures.
D. Managing the transition of employees leaving the organization: This is a benefit of offboarding procedures.
60
Which of the following is an example of a situation where a playbook might be used?
A. Implementing a new software system
B. Responding to a cybersecurity incident
C. Conducting an exit interview
D. Providing orientation to new employees
Answer: B
Explanation:
B. Responding to a cybersecurity incident: Playbooks are often used in situations requiring consistent and rapid responses, such as cybersecurity incidents.
A. Implementing a new software system: This is part of change management procedures.
C. Conducting an exit interview: This is part of offboarding procedures.
D. Providing orientation to new employees: This is part of onboarding procedures.
61
Which of the following is a key component of onboarding procedures?
A. Retrieving company property
B. Providing training and integration activities for new employees
C. Disabling access to systems
D. Conducting a post-change review
Answer: B
Explanation:
B. Providing training and integration activities for new employees: This is a key component of onboarding procedures.
A. Retrieving company property: This is part of offboarding procedures.
C. Disabling access to systems: This is part of offboarding procedures.
D. Conducting a post-change review: This is part of change management procedures.
62
Which of the following is a key component of offboarding procedures?
A. Providing orientation to new employees
B. Retrieving company property and disabling access to systems
C. Developing a plan for change implementation
D. Conducting a post-change review
Answer: B
Explanation:
B. Retrieving company property and disabling access to systems: These are key tasks in offboarding procedures.
A. Providing orientation to new employees: This is part of onboarding procedures.
C. Developing a plan for change implementation: This is part of change management procedures.
D. Conducting a post-change review: This is part of change management procedures.
63
Which of the following is a key benefit of change management procedures?
A. Ensuring consistent and efficient execution of specific tasks
B. Minimizing disruptions during organizational changes
C. Integrating new employees into the organization
D. Managing the transition of employees leaving the organization
Answer: B
Explanation:
B. Minimizing disruptions during organizational changes. Change management procedures ensure that changes are implemented smoothly with minimal disruption.
A. Ensuring consistent and efficient execution of specific tasks: This is a benefit of playbooks.
C. Integrating new employees into the organization: This is a benefit of onboarding procedures.
D. Managing the transition of employees leaving the organization: This is a benefit of offboarding procedures.
64
Which of the following best describes regulatory considerations in governance?
A. Adherence to industry-specific standards and best practices
B. Compliance with laws and regulations that vary by industry and location
C. Managing legal risks such as litigation and contract disputes
D. Navigating local, regional, and national zoning laws
Answer: B
Explanation:
B. Compliance with laws and regulations that vary by industry and location. Regulatory considerations focus on adhering to laws and regulations, such as data protection and labor laws.
A. Adherence to industry-specific standards and best practices: This describes industry considerations.
C. Managing legal risks such as litigation and contract disputes: This describes legal considerations.
D. Navigating local, regional, and national zoning laws: This describes geographical considerations.
65
Which of the following are examples of regulatory considerations? (Choose Two)
A. Compliance with the General Data Protection Regulation (GDPR)
B. Adherence to Agile methodologies in software development
C. Ensuring compliance with labor laws such as minimum wage and overtime
D. Managing intellectual property disputes
Answer: A, C
Explanation:
A. Compliance with the General Data Protection Regulation (GDPR): This is a regulatory consideration related to data protection.
C. Ensuring compliance with labor laws such as minimum wage and overtime: This is a regulatory consideration related to employment.
B. Adherence to Agile methodologies in software development: This is an industry consideration.
D. Managing intellectual property disputes: This is a legal consideration.
66
Which of the following is a key legal consideration for organizations?
A. Adopting industry-specific best practices
B. Ensuring compliance with environmental standards
C. Managing litigation risks such as breach of contract or employment disputes
D. Complying with local zoning laws
Answer: C
Explanation:
C. Managing litigation risks such as breach of contract or employment disputes: This is a key legal consideration.
A. Adopting industry-specific best practices: This is an industry consideration.
B. Ensuring compliance with environmental standards: This is a regulatory consideration.
D. Complying with local zoning laws: This is a geographical consideration.
67
Which of the following is an example of an industry consideration?
A. Compliance with the California Consumer Privacy Act (CCPA)
B. Adherence to Agile methodologies in software development
C. Ensuring accessibility under the Americans with Disabilities Act (ADA)
D. Managing data protection under the General Data Protection Regulation (GDPR)
Answer: B
Explanation:
B. Adherence to Agile methodologies in software development: This is an industry-specific best practice.
A. Compliance with the California Consumer Privacy Act (CCPA): This is a regional regulatory consideration.
C. Ensuring accessibility under the Americans with Disabilities Act (ADA): This is a national regulatory consideration.
D. Managing data protection under the General Data Protection Regulation (GDPR): This is a global regulatory consideration.
68
Which of the following is a geographical consideration for organizations?
A. Adopting Agile methodologies for project management
B. Complying with the General Data Protection Regulation (GDPR) for EU citizens' data
C. Ensuring compliance with labor laws such as minimum wage
D. Managing intellectual property disputes
Answer: B
Explanation:
B. Complying with the General Data Protection Regulation (GDPR) for EU citizens' data: This is a global geographical consideration.
A. Adopting Agile methodologies for project management: This is an industry consideration.
C. Ensuring compliance with labor laws such as minimum wage: This is a regulatory consideration.
D. Managing intellectual property disputes: This is a legal consideration.
69
Which of the following is a consequence of non-compliance with regulations? (Choose Two)
A. Competitive disadvantage in the industry
B. Fines and sanctions
C. Damage to the organization’s reputation
D. Increased customer trust
Answer: B, C
Explanation:
B. Fines and sanctions: Non-compliance can result in legal penalties.
C. Damage to the organization’s reputation: Non-compliance can harm an organization’s reputation.
A. Competitive disadvantage in the industry: This is a consequence of not adhering to industry considerations, not regulatory non-compliance.
D. Increased customer trust: This is not a consequence of non-compliance.
70
Which of the following is an example of a local geographical consideration?
A. Compliance with the General Data Protection Regulation (GDPR)
B. Adherence to zoning laws in a specific city
C. Ensuring accessibility under the Americans with Disabilities Act (ADA)
D. Managing data protection under the California Consumer Privacy Act (CCPA)
Answer: B
Explanation:
B. Adherence to zoning laws in a specific city: This is a local geographical consideration.
A. Compliance with the General Data Protection Regulation (GDPR): This is a global consideration.
C. Ensuring accessibility under the Americans with Disabilities Act (ADA): This is a national consideration.
D. Managing data protection under the California Consumer Privacy Act (CCPA): This is a regional consideration.
71
Which of the following is a key challenge related to geographical considerations in governance?
A. Adopting industry-specific best practices
B. Navigating conflicts of laws between different jurisdictions
C. Managing litigation risks such as breach of contract
D. Ensuring compliance with labor laws
Answer: B
Explanation:
B. Navigating conflicts of laws between different jurisdictions: This is a key challenge in geographical considerations.
A. Adopting industry-specific best practices: This is an industry consideration.
C. Managing litigation risks such as breach of contract: This is a legal consideration.
D. Ensuring compliance with labor laws: This is a regulatory consideration.
72
Which of the following is an example of a national geographical consideration?
A. Compliance with the California Consumer Privacy Act (CCPA)
B. Adherence to zoning laws in a specific city
C. Ensuring accessibility under the Americans with Disabilities Act (ADA)
D. Managing data protection under the General Data Protection Regulation (GDPR)
Answer: C
Explanation:
C. Ensuring accessibility under the Americans with Disabilities Act (ADA): This is a national consideration in the United States.
A. Compliance with the California Consumer Privacy Act (CCPA): This is a regional consideration.
B. Adherence to zoning laws in a specific city: This is a local consideration.
D. Managing data protection under the General Data Protection Regulation (GDPR): This is a global consideration.
73
Which of the following is a key reason for organizations to adopt industry-specific standards and best practices?
A. To avoid fines and sanctions for non-compliance
B. To maintain a competitive advantage and meet stakeholder expectations
C. To manage litigation risks such as breach of contract
D. To comply with local zoning laws
Answer: B
Explanation:
B. To maintain a competitive advantage and meet stakeholder expectations. Adopting industry standards helps organizations stay competitive and meet customer, partner, and regulator expectations.
A. To avoid fines and sanctions for non-compliance: This is a reason for regulatory compliance, not industry considerations.
C. To manage litigation risks such as breach of contract: This is a legal consideration.
D. To comply with local zoning laws: This is a geographical consideration.
74
Which of the following best describes the purpose of compliance reporting?
A. To identify and mitigate compliance risks
B. To collect and present data demonstrating adherence to compliance requirements
C. To automate data collection and monitoring processes
D. To conduct third-party audits of organizational operations
Answer: B
Explanation:
B. To collect and present data demonstrating adherence to compliance requirements. Compliance reporting involves systematically gathering and presenting data to show compliance with laws, regulations, and internal policies.
A. To identify and mitigate compliance risks: This describes compliance monitoring.
C. To automate data collection and monitoring processes: This describes the role of automation in compliance.
D. To conduct third-party audits of organizational operations: This describes external monitoring.
75
Which of the following are types of compliance reporting? (Choose Two)
A. Internal Compliance Reporting
B. Due Diligence Reporting
C. External Compliance Reporting
D. Attestation Reporting
Answer: A, C
Explanation:
A. Internal Compliance Reporting: This involves ensuring adherence to internal policies and procedures.
C. External Compliance Reporting: This involves demonstrating compliance to external entities such as regulators or auditors.
B. Due Diligence Reporting: This is not a type of compliance reporting; it is part of compliance monitoring.
D. Attestation Reporting: This is not a type of compliance reporting; it is part of compliance monitoring.
76
Which of the following is an example of internal compliance reporting?
A. Submitting a report to the FDA detailing adherence to good manufacturing practices
B. Generating a report on transactions reviewed by a compliance officer
C. Conducting a third-party audit for ISO 9001 compliance
D. Attesting to the use of data security protocols in software development
Answer: B
Explanation:
B. Generating a report on transactions reviewed by a compliance officer: This is an example of internal compliance reporting, as it involves adherence to internal policies.
A. Submitting a report to the FDA detailing adherence to good manufacturing practices: This is an example of external compliance reporting.
C. Conducting a third-party audit for ISO 9001 compliance: This is an example of external monitoring.
D. Attesting to the use of data security protocols in software development: This is an example of attestation in compliance monitoring.
77
Which of the following best describes due diligence in compliance monitoring?
A. Mitigating identified compliance risks
B. Conducting a thorough review to identify potential compliance risks
C. Formally declaring that an organization’s processes are compliant
D. Recognizing and accepting compliance requirements
Answer: B
Explanation:
B. Conducting a thorough review to identify potential compliance risks. Due diligence involves identifying risks through exhaustive reviews.
A. Mitigating identified compliance risks: This describes due care.
C. Formally declaring that an organization’s processes are compliant: This describes attestation.
D. Recognizing and accepting compliance requirements: This describes acknowledgement.
78
Which of the following is an example of due care in compliance monitoring?
A. Researching foreign business laws before expanding operations
B. Training employees on new regulations to ensure compliance
C. Formally declaring adherence to data security protocols
D. Conducting a third-party audit for ISO 9001 compliance
Answer: B
Explanation:
B. Training employees on new regulations to ensure compliance. This is an example of due care, as it involves taking steps to mitigate compliance risks.
A. Researching foreign business laws before expanding operations: This is an example of due diligence.
C. Formally declaring adherence to data security protocols: This is an example of attestation.
D. Conducting a third-party audit for ISO 9001 compliance: This is an example of external monitoring.
79
Which of the following best describes attestation in compliance monitoring?
A. Identifying potential compliance risks through a thorough review
B. Formally declaring that an organization’s processes and controls are compliant
C. Recognizing and accepting compliance requirements
D. Conducting third-party reviews to verify compliance
Answer: B
Explanation:
B. Formally declaring that an organization’s processes and controls are compliant. Attestation involves a formal declaration of compliance by a responsible party.
A. Identifying potential compliance risks through a thorough review: This describes due diligence.
C. Recognizing and accepting compliance requirements: This describes acknowledgement.
D. Conducting third-party reviews to verify compliance: This describes external monitoring.
80
Which of the following is an example of internal monitoring in compliance?
A. Submitting a report to the FDA detailing adherence to good manufacturing practices
B. Regularly reviewing production processes to ensure compliance with internal quality standards
C. Conducting a third-party audit for ISO 9001 compliance
D. Attesting to the use of data security protocols in software development
Answer: B
Explanation:
B. Regularly reviewing production processes to ensure compliance with internal quality standards. This is an example of internal monitoring, as it involves reviewing operations for adherence to internal policies.
A. Submitting a report to the FDA detailing adherence to good manufacturing practices: This is an example of external compliance reporting.
C. Conducting a third-party audit for ISO 9001 compliance: This is an example of external monitoring.
D. Attesting to the use of data security protocols in software development: This is an example of attestation.
81
Which of the following is a key benefit of automation in compliance?
A. Conducting thorough reviews to identify compliance risks
B. Streamlining data collection and improving accuracy
C. Formally declaring adherence to compliance requirements
D. Recognizing and accepting compliance requirements
Answer: B
Explanation:
B. Streamlining data collection and improving accuracy. Automation helps streamline compliance processes, making them more efficient and accurate.
A. Conducting thorough reviews to identify compliance risks: This describes due diligence.
C. Formally declaring adherence to compliance requirements: This describes attestation.
D. Recognizing and accepting compliance requirements: This describes acknowledgement.
82
Which of the following is an example of external monitoring in compliance?
A. Regularly reviewing production processes to ensure compliance with internal quality standards
B. Conducting a third-party audit for ISO 9001 compliance
C. Training employees on new regulations to ensure compliance
D. Formally declaring adherence to data security protocols
Answer: B
Explanation:
B. Conducting a third-party audit for ISO 9001 compliance. This is an example of external monitoring, as it involves a third-party review of compliance with external standards.
A. Regularly reviewing production processes to ensure compliance with internal quality standards: This is an example of internal monitoring.
C. Training employees on new regulations to ensure compliance: This is an example of due care.
D. Formally declaring adherence to data security protocols: This is an example of attestation.
83
Which of the following is a key component of compliance monitoring? (Choose Three)
A. Due Diligence
B. Attestation
C. Internal Compliance Reporting
D. External Monitoring
Answer: A, B, D
Explanation:
A. Due Diligence: This involves identifying compliance risks through thorough reviews.
B. Attestation: This involves formally declaring compliance with processes and controls.
D. External Monitoring: This involves third-party reviews to verify compliance with external regulations.
C. Internal Compliance Reporting: This is part of compliance reporting, not monitoring.
84
Which of the following is a consequence of non-compliance with laws and regulations in the IT and cybersecurity world?
A. Increased customer trust
B. Fines and monetary penalties
C. Improved company reputation
D. Enhanced business operations
Answer: B
Explanation:
B. Fines and monetary penalties: Non-compliance can result in significant fines imposed by regulatory bodies.
A. Increased customer trust: Non-compliance typically damages trust, rather than increasing it.
C. Improved company reputation: Non-compliance harms a company’s reputation, rather than improving it.
D. Enhanced business operations: Non-compliance disrupts business operations, rather than enhancing them.
85
Which of the following are examples of sanctions for non-compliance? (Choose Two)
A. Monetary fines
B. Restrictions on business operations
C. Improved stock prices
D. Increased customer loyalty
Answer: A, B
Explanation:
A. Monetary fines: Sanctions can include financial penalties.
B. Restrictions on business operations: Sanctions can limit or halt business activities.
C. Improved stock prices: Non-compliance typically harms stock prices, rather than improving them.
D. Increased customer loyalty: Non-compliance damages customer trust and loyalty, rather than increasing it.
86
Which of the following is an example of reputational damage due to non-compliance?
A. A company receiving a fine for a data breach
B. A company’s stock price dropping by more than 30% after a data breach
C. A company losing its license to operate
D. A company being sued for breach of contract
Answer: B
Explanation:
B. A company’s stock price dropping by more than 30% after a data breach: This is an example of reputational damage, as it reflects a loss of trust and confidence in the company.
A. A company receiving a fine for a data breach: This is an example of a financial penalty, not reputational damage.
C. A company losing its license to operate: This is an example of loss of license, not reputational damage.
D. A company being sued for breach of contract: This is an example of contractual impacts, not reputational damage.
87
Which of the following is a consequence of non-compliance in regulated industries?
A. Increased customer trust
B. Loss of license to operate
C. Improved stock prices
D. Enhanced business operations
Answer: B
Explanation:
B. Loss of license to operate: In regulated industries, non-compliance can lead to the revocation of a company’s license.
A. Increased customer trust: Non-compliance typically damages trust, rather than increasing it.
C. Improved stock prices: Non-compliance harms stock prices, rather than improving them.
D. Enhanced business operations: Non-compliance disrupts business operations, rather than enhancing them.
88
Which of the following is an example of contractual impacts due to non-compliance?
A. A company being fined for a data breach
B. A company’s stock price dropping after a data breach
C. A client terminating a contract due to non-compliance with data protection regulations
D. A company losing its license to operate
Answer: C
Explanation:
C. A client terminating a contract due to non-compliance with data protection regulations: This is an example of contractual impacts, as non-compliance can lead to contract termination.
A. A company being fined for a data breach: This is an example of fines, not contractual impacts.
B. A company’s stock price dropping after a data breach: This is an example of reputational damage, not contractual impacts.
D. A company losing its license to operate: This is an example of loss of license, not contractual impacts.
89
Which of the following are ways companies can avoid the consequences of non-compliance? (Choose Three)
A. Ignoring regulatory requirements to save costs
B. Implementing robust cybersecurity measures
C. Regularly reviewing and updating compliance programs
D. Understanding and adhering to relevant laws and regulations
Answer: B, C, D
Explanation:
B. Implementing robust cybersecurity measures: This helps ensure compliance with data protection and security regulations.
C. Regularly reviewing and updating compliance programs: This ensures that compliance measures remain effective and up-to-date.
D. Understanding and adhering to relevant laws and regulations: This is essential for avoiding non-compliance.
A. Ignoring regulatory requirements to save costs: This increases the risk of non-compliance and its consequences.
90
Which of the following is an example of fines for non-compliance?
A. A company’s stock price dropping after a data breach
B. A company being fined 183 million pounds for a data breach
C. A client terminating a contract due to non-compliance
D. A company losing its license to operate
Answer: B
Explanation:
B. A company being fined 183 million pounds for a data breach: This is an example of fines imposed for non-compliance.
A. A company’s stock price dropping after a data breach: This is an example of reputational damage, not fines.
C. A client terminating a contract due to non-compliance: This is an example of contractual impacts, not fines.
D. A company losing its license to operate: This is an example of loss of license, not fines.
91
Which of the following is a key consequence of non-compliance in the IT and cybersecurity world?
A. Increased customer loyalty
B. Loss of license to operate
C. Improved company reputation
D. Enhanced business operations
Answer: B
Explanation:
B. Loss of license to operate: Non-compliance can lead to the revocation of a company’s license, especially in regulated industries.
A. Increased customer loyalty: Non-compliance typically damages customer trust and loyalty, rather than increasing it.
C. Improved company reputation: Non-compliance harms a company’s reputation, rather than improving it.
D. Enhanced business operations: Non-compliance disrupts business operations, rather than enhancing them.
92
Which of the following is an example of sanctions for non-compliance?
A. A company being fined for a data breach
B. A company’s operations being restricted by a regulatory body
C. A company’s stock price dropping after a data breach
D. A client terminating a contract due to non-compliance
Answer: B
Explanation:
B. A company’s operations being restricted by a regulatory body: This is an example of sanctions, which can include restrictions on business activities.
A. A company being fined for a data breach: This is an example of fines, not sanctions.
C. A company’s stock price dropping after a data breach: This is an example of reputational damage, not sanctions.
D. A client terminating a contract due to non-compliance: This is an example of contractual impacts, not sanctions.
93
Which of the following is a key reason for companies to prioritize compliance?
A. To increase the risk of fines and sanctions
B. To avoid reputational damage and loss of customer trust
C. To ignore regulatory requirements and save costs
D. To disrupt business operations
Answer: B
Explanation:
B. To avoid reputational damage and loss of customer trust. Prioritizing compliance helps protect a company’s reputation and maintain customer trust.
A. To increase the risk of fines and sanctions: This is the opposite of prioritizing compliance.
C. To ignore regulatory requirements and save costs: Ignoring compliance increases risks and costs in the long term.
D. To disrupt business operations: Compliance ensures smooth operations, rather than disrupting them.
94
A company is planning to migrate its data to a new cloud service provider. Before signing the agreement, the IT manager investigates the provider’s security policies, compliance certifications, and data protection measures. Which of the following best describes this action?
Options:
Due Diligence
Due Care
Risk Avoidance
Incident Response
Correct Answer: 1. Due Diligence
Explanation:
1. Due Diligence: Correct. Investigating the cloud provider's security policies and certifications is part of identifying potential risks and ensuring the provider meets the company’s security requirements. This is a preparatory step, which aligns with due diligence.
2. Due Care: Incorrect. Due care involves implementing measures after risks are identified, such as applying security controls or monitoring systems, not investigating beforehand.
3. Risk Avoidance: Incorrect. Risk avoidance involves deciding not to take an action due to high risk. In this case, the company hasn’t yet decided to avoid using the provider.
4. Incident Response: Incorrect. Incident response deals with reacting to a security event, which is unrelated to this scenario.
95
After conducting a risk assessment on their IT systems, a company implements multi-factor authentication (MFA) for all employees to secure sensitive accounts. Which concept does this action represent?
Options:
Due Diligence
Due Care
Compliance Audit
Risk Assessment
Correct Answer: 2. Due Care
Explanation:
1. Due Diligence: Incorrect. Due diligence involves identifying risks or conducting assessments, but implementing MFA occurs after risks are identified.
2. Due Care: Correct. The company is taking proactive steps to protect its systems after identifying vulnerabilities, which aligns with due care.
3. Compliance Audit: Incorrect. While compliance audits may suggest implementing MFA, this is not directly linked to applying a specific control.
4. Risk Assessment: Incorrect. Risk assessment is part of due diligence and involves identifying potential issues, not addressing them.
96
Your organization is working with a new third-party vendor to handle payroll services. Before starting the partnership, you ensure the vendor complies with GDPR, ISO 27001, and other data protection standards. What is this process called?
Options:
Due Diligence
Risk Mitigation
Due Care
Vendor Management
Correct Answer: 1. Due Diligence
Explanation:
1. Due Diligence: Correct. Evaluating the vendor’s compliance with industry standards and regulations before entering into a partnership is an example of due diligence.
2. Risk Mitigation: Incorrect. Risk mitigation involves taking actions to reduce risks, which happens after risks are identified.
3. Due Care: Incorrect. Due care refers to ongoing actions to ensure security after a relationship is established.
4. Vendor Management: Incorrect. While vendor management is a broader concept that includes working with third parties, the specific process of assessing compliance is due diligence.
97
An IT department regularly applies security patches to operating systems, monitors logs for unusual activity, and reviews firewall configurations. Which term best describes these activities?
Options:
Risk Analysis
Due Diligence
Incident Response
Due Care
Correct Answer: 4. Due Care
Explanation:
1. Risk Analysis: Incorrect. Risk analysis is part of due diligence, where risks are identified and evaluated, not ongoing actions like patching systems.
2. Due Diligence: Incorrect. Due diligence involves preparatory actions like research and assessments, not regular maintenance activities.
3. Incident Response: Incorrect. Incident response deals with reacting to a security breach or incident, not proactive maintenance.
4. Due Care: Correct. Regularly applying patches and monitoring activity demonstrates the organization's ongoing effort to protect systems, which aligns with due care.
98
A company discovers that an employee’s weak password was used in a phishing attack. The company decides to implement a new password policy requiring strong passwords and regular password changes. What does this action represent?
Options:
Due Diligence
Incident Response
Due Care
Threat Intelligence
Correct Answer: 3. Due Care
Explanation:
1. Due Diligence: Incorrect. Due diligence involves identifying risks before they occur, not addressing issues after a breach.
2. Incident Response: Incorrect. Incident response includes handling the immediate consequences of a breach, such as containing the phishing attack, not implementing new policies.
3. Due Care: Correct. Introducing a new password policy is an ongoing security measure to address and prevent future risks, which is due care.
4. Threat Intelligence: Incorrect. Threat intelligence involves gathering information about potential threats, which is unrelated to creating a password policy.
99
Which of the following best represents the role of governance in the scenario provided?
Options:
Ensuring customer data is encrypted using AES-256 encryption.
Setting a strategic goal to improve customer trust by securing data.
Conducting internal audits to confirm adherence to GDPR.
Reporting data breaches to regulators within 72 hours.
Correct Answer: 2. Setting a strategic goal to improve customer trust by securing data.
Explanation of Options:
Incorrect – Ensuring AES-256 encryption is a technical standard, not governance.
Correct – Governance involves setting high-level strategic goals, such as improving customer trust through data protection.
Incorrect – Internal audits are part of compliance, not governance.
Incorrect – Reporting breaches falls under regulations, not governance.
100
Which of the following is an example of a policy in the given scenario?
Options:
Multi-factor authentication (MFA) must be enabled for all employees accessing sensitive systems.
Customer data must be protected in transit and at rest using encryption technologies.
The company must comply with GDPR and report breaches within 72 hours.
AES-256 encryption must be used for customer data.
Correct Answer: 2. Customer data must be protected in transit and at rest using encryption technologies.
Explanation of Options:
Incorrect – This is a standard, as it specifies a technical requirement.
Correct – Policies outline high-level guidelines, such as the need to protect customer data in transit and at rest.
Incorrect – This describes regulatory requirements, not a policy.
Incorrect – This is a standard because it specifies a precise encryption method.
101
Which of the following best describes the purpose of standards in the scenario?
Options:
Standards define specific technical requirements to enforce policies.
Standards ensure the company complies with external regulations like GDPR.
Standards outline the strategic objectives for securing customer trust.
Standards demonstrate the company's adherence to compliance requirements.
Correct Answer:
Standards define specific technical requirements to enforce policies.
Explanation of Options:
Correct – Standards provide specific details, such as requiring AES-256 encryption, to ensure policies are effectively implemented.
Incorrect – Compliance with regulations is a separate process from defining standards.
Incorrect – Strategic objectives are part of governance, not standards.
Incorrect – Compliance demonstrates adherence to policies, standards, and regulations, but standards themselves are about technical requirements.
102
Which of the following is an example of compliance in the given scenario?
Options:
Conducting internal audits to ensure adherence to GDPR requirements.
Encrypting customer data using AES-256 encryption.
Creating a Data Protection Policy for securing customer information.
Setting a strategic goal to enhance customer trust through data security.
Correct Answer:
Conducting internal audits to ensure adherence to GDPR requirements.
Explanation of Options:
Correct – Compliance involves verifying that the organization is adhering to policies, standards, and regulations through processes like audits.
Incorrect – Encrypting data is part of implementing standards, not compliance.
Incorrect – Creating policies is a step under governance, not compliance.
Incorrect – Setting strategic goals is part of governance.
103
Which of the following demonstrates a regulatory requirement in the scenario?
Options:
Customer data must be encrypted using AES-256 encryption.
The company must report data breaches to regulators within 72 hours.
Internal audits are conducted to verify adherence to policies.
Multi-factor authentication (MFA) is required for all employees accessing sensitive systems.
Correct Answer: 2. The company must report data breaches to regulators within 72 hours.
Explanation of Options:
Incorrect – This is a standard, as it specifies a technical requirement.
Correct – Reporting data breaches within 72 hours is a regulatory requirement under GDPR.
Incorrect – Internal audits fall under compliance, not regulations.
Incorrect – MFA is a standard, not a regulation.
104
Which of the following statements best illustrates the relationship between governance, policies, standards, and compliance?
Options:
Governance ensures strategic goals are met, while policies, standards, and compliance focus on technical requirements.
Policies define high-level goals, standards provide technical details, and compliance ensures adherence to regulations.
Standards dictate compliance requirements, which are monitored by governance through policies.
Compliance replaces governance as the primary driver of regulatory adherence.
Correct Answer: 2. Policies define high-level goals, standards provide technical details, and compliance ensures adherence to regulations.
Explanation of Options:
Incorrect – While governance sets strategic goals, policies and standards are not limited to technical requirements.
Correct – This answer accurately describes how policies, standards, and compliance interact under the governance framework.
Incorrect – Standards don’t dictate compliance requirements; they support policies.
Incorrect – Compliance doesn’t replace governance; it works under governance.
