Governance, Risk, and Compliance Flashcards
Which of the following is not a control function?
Deter
Detect
Destroy
Destroy
The functions of controls are to prevent, detect, correct, deter, compensate, or physically protect.
Which of the following are control categories? (Choose all that apply.)
Mitigation
Recovery
Operational
Managerial
Operational
Managerial
The three categories of controls are managerial, operational, and technical.
You are implementing an organization-wide risk management strategy, and you are using the NIST Risk Management Framework. You have just completed the RMF phase of categorizing your organization’s information systems. Which of the following steps should you complete next in the RMF sequence?
Assess security controls
Continuous monitoring
Select security controls
Select security controls
Step 3 of the RMF is selecting the security controls and is completed after information systems have been categorized.
A client, an American department store chain, has called for support identifying and complying with their required guidance documents. Which of the following is the most likely guidance document the client needs to consider?
Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
International Organization for Standardization (ISO) 27001
Payment Card Industry Data Security Standard (PCI DSS)
Because the client is a department store, it most likely processes payment cards and therefore is required to adhere to PCI DSS.
Which of the following is widely used by cloud or managed service providers to give current or prospective customers a report that provides assurance of their cybersecurity?
Payment Card Industry Data Security Standard (PCI DSS) certification
General Data Protection Regulation (GDPR) report
Service and Organization Controls (SOC) 2 report
Service and Organization Controls (SOC) 2 report
The Service and Organization Controls (SOC) 2 report is often used by organizations to assure current and potential customers of their cybersecurity posture.
After a few incidents where customer data was transmitted to a third party, your organization is required to create and adhere to a policy that describes the distribution, protection, and confidentiality of customer data. Which of the following policies should your organization create?
Privacy
Due care
Acceptable use
Privacy
A privacy policy concerns the protection and distribution of private customer data. Any company, especially one engaged in online activities or e-commerce, has a responsibility to adopt and implement a policy for protecting the privacy of individually identifiable information.
As a managed service provider responsible for Internet-based application services across several external clients, which of the following policies does your organization provide to clients as an agreement for service uptime?
Code of ethics
Privacy
SLA
SLA
A service level agreement (SLA) is an understanding between a supplier of services and the clients of those services that the service in question will be available for a specific percentage of time. In this case, your company might guarantee clients a 99.5 percent uptime of communications services.
There is a suspicion that Tom, a systems administrator, is performing illegal activities on your company’s networks. To gather evidence about his activities, which of the following principles and techniques could you employ?
Password rotation
Mandatory vacation
Need-to-know
Mandatory vacation
When Tom is forced to take a vacation, his activities can be audited, and any suspicious behavior will be more likely to be noticed and detected because he is not there to prevent its discovery. You may also discover that the illegal activities completely cease while the user is away and then resume when he returns.
You need to create an overall policy for your organization that describes how your users can properly make use of company communications services, such as web browsing, e-mail, and File Transfer Protocol (FTP) services. Which of the following policies should you implement?
Acceptable use policy
Due care
Privacy policy
Acceptable use policy
An acceptable use policy (AUP) establishes rules for the appropriate use of computer networks within your organization. The policy describes the terms, conditions, and rules of using the Internet and its various services within the company’s networks.
As part of a risk analysis of a very large and extensive back-end database, you need to calculate the probability and impact of data corruption. Which of the following impact factors allows you to calculate your annualized losses due to data corruption?
SLA
ARO
ALE
ALE
ALE (annualized loss expectancy) describes how much money you expect to lose on an annual basis because of the impact of an occurrence of a specific risk. ALE is calculated by multiplying the annualized rate of occurrence (ARO) by the single loss expectancy (SLE).
As part of business continuity planning, it is discovered that the organization is processing PII unknowingly. Which of the following should be conducted?
Privacy implication assessment
Privacy processing assessment
Privacy impact assessment
Privacy impact assessment
A privacy impact assessment (PIA) is conducted when privacy data is being stored or processed; when conducted, the PIA determines what type of data is being stored, how it is being stored, where it is being stored, and what might trigger a privacy lapse. Systems that require a PIA should incorporate increased controls to mitigate the risks of processing and storing privacy data.
AJ’s management tasks him with determining the right reliability factor to track for the company’s new engines. Management wants to know how long they can expect an engine to last before failure, with the expectation that it will then be replaced. What is the best reliability factor?
Recovery point objective (RPO)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Mean time between failures (MTBF)
When management assumes that the engines will not be repaired but replaced, the mean time to failure (MTTF) is the best reliability factor to track.
A(n) __________ tracks different types of data elements, most commonly risk factors and risk scenarios. It might also include data that describes different technical or management findings contributing to the risk, as well as threats, vulnerabilities, assets, likelihood, and impact data.
Acceptable use policy
Business continuity plan
Risk register
Risk register
A risk register tracks different types of data elements, most commonly risk factors and risk scenarios. It might also include data that describes different technical or management findings contributing to the risk. Additionally, threats, vulnerabilities, assets, likelihood, and impact data can be included in the risk register.
Which of the following is not a standard classification for private or sensitive data?
Public
Confidential
Proprietary
Consensual
Consensual
Public, confidential, and proprietary are all examples of valid data classifications that should be considered when cataloging private and sensitive data within an organization.
The __________ determines what data will be collected and how it will be used within an organization.
Data steward
Data controller
Data processor
Data controller
The data controller determines what data will be collected and how it will be used within an organization.