Policies and Procedures

Question 1

Defines the role of security in an organization and establishes the desired
end state of the security program

Answer 1

Policies

Question 2

Provide general direction and goals, a framework to meet the business
goals, and define the roles, responsibilities, and terms

Answer 2

Organizational Policies

Question 3

Address the security needs of a specific technology, application, network,
or computer system

Answer 3

System Specific Policies

Question 4

Built to address a specific security issue, such as email privacy, employee
termination procedures, or other specific issues

Answer 4

Issue Specific Policies

Question 5

Created as reference points which are documented for use as a method
of comparison during an analysis conducted in the future

Answer 5

Baseline

Question 6

Detailed step-by-step instructions that are created to ensure personnel
can perform a given action

Answer 6

Procedures

Question 7

Category based on the value to the organization and the sensitivity of the
information if it were to be disclosed

Answer 7

Data Classification

Question 8

Any information that can result in a loss of security, or loss of advantage
to a company, if accessed by unauthorized persons

Answer 8

Sensitives Data

Question 9

Has no impact to the company if released and is often posted in
the open-source environment.

Answer 9

Public Data

Question 10

• Contains data that should only be used within the organization

Answer 10

Private Data

Question 11

Highest classification level that contains items such as trade
secrets, intellectual property data, source code, and other types
that would seriously affect the business if disclosed

Answer 11

Confidential Data

Question 12

Items that wouldn’t hurt national security if released but could
impact those whose data is contained in it

Answer 12

Sensitive but Unclassified

Question 13

Data that could seriously affect the government if unauthorized
disclosure were to happen

Answer 13

Confidential Data

Question 14

Data that could seriously damage national security if disclosed

Answer 14

Secret Data

Question 15

Data that could gravely damage national security if it were known
to those who are not authorized for this level of information

Answer 15

Top Secret Data

Question 16

The process of identifying the person responsible for the confidentiality, integrity
availability and privacy of information assets

Answer 16

Data Ownership

Question 17

A senior (executive) role with ultimate responsibility for maintaining the
confidentiality, integrity and availability of the information asset

Answer 17

Data Owner

Question 18

A role focussed on the quality of the data and associated metadata

Answer 18

Data Steward

Question 19

A role responsible for handling the management of the system on which
the data assets are stored

Answer 19

Data Custodian

Question 20

A role responsible for the oversight of any PII/SPI/PHI assets managed by
the company

Answer 20

Privacy Officer

Question 21

A piece of data that can be used either by itself or in combination with
some other pieces of data to identify a single person

Answer 21

Personal Identifiable Information (PII)

Question 22

Affects U.S. government computer systems that collects, stores, uses, or
disseminates personally identifiable information

Answer 22

Privacy Act of 1974

Question 23

Affects healthcare providers, facilities, insurance companies, and medical
data clearing houses

Answer 23

Health Insurance Portability and Accountability Act (HIPAA)

Question 24

Affects publicly-traded U.S. corporations and requires certain accounting
methods and financial reporting requirements

Answer 24

Sarbanes-Oxley (SOX)

Question 25

Affects banks, mortgage companies, loan offices, insurance companies,
investment companies, and credit card providers

Answer 25

Gramm-Leach_Billey ACT (GLBA)

Question 26

equires each agency to develop, document, and implement an agencywide information systems security program to protect their data

Answer 26

o Federal Information Security Management (FISMA) Act of 2002

Question 27

Provides regulations that govern the security, confidentiality, and
integrity of the personal information collected, stored, or processed
during the election and voting process

Answer 27

Help America Vote Act (HAVA) of 2002

Question 28

Any type of information or asset should consider how a compromise of that
information can threaten the three core security attributes of the CIA Triad

Answer 28

Legal Requirements

Question 29

A data governance requirement that arises when collecting and
processing personal data to ensure the rights of the subject’s data

Answer 29

Privacy

Question 30

Personal data cannot be collected processed or retained without the
individual’s informed consent

Answer 30

General Data PRotection Regulation (GDPR)

Question 31

methods and technologies that remove identifying information from data
before it is distributed

Answer 31

Deidentification

Question 32

Deidentification Method where generic or placeholder labels are
substituted for real data while preserving the structure or format of the
original data

Answer 32

Data Masking

Question 33

A deidentification method where a unique token is substituted for real
data

Answer 33

Tokenization

Question 34

A deidentification technique where data is generalized to protect the
individuals involved

Answer 34

Aggregation/Banding

Question 35

An attack that combines a deidentification dataset with other data source
to discover how secure the deidentification method used is

Answer 35

Reidentification

Question 36

Defines the rules that restrict how a computer, network, or other systems
may be used

Answer 36

Acceptable Use Policy

Question 37

Defines the structured way of changing the state of a computer system,
network, or IT procedure

Answer 37

Change Management Policy

Question 38

Different users are trained to perform the tasks of the same position to
help prevent and identify fraud that could occur if only one employee
had the job

Answer 38

Job Rotation

Question 39

Dictates what type of things need to be done when an employee is hired,
fired, or quits

Answer 39

Onboarding and Offboarding Policy

Question 40

Ensuring that IT infrastructure risks are known and managed properly

Answer 40

Due Diligence

Question 41

Mitigation actions that an organization takes to defend against the risks
that have been uncovered during due diligence

Answer 41

Due Care

Question 42

A legal term that refers to how an organization must respect and
safeguard personnel’s rights

Answer 42

Due Process

Question 43

Agreement between two parties that defines what data is considered
confidential and cannot be shared outside of the relationship

Answer 43

Non Disclosure Agreement (NDA)

Question 44

A non-binding agreement between two or more organizations to detail
an intended common line of action

Answer 44

Memorandum of Understanding (MOU)

Question 45

An agreement concerned with the ability to support and respond to
problems within a given timeframe and continuing to provide the agreed
upon level of service to the user

Answer 45

Service Level Agreement (SLA)

Question 46

An agreement for the owners and operators of the IT systems to
document what technical requirements each organization must meet

Answer 46

Interconnection Security Agreement (ISA)

Question 47

Conducted between two business partners that establishes the
conditions of their relationship

Answer 47

Business Partnership Agreement (BPA)

Question 48

Exposes the hard drive to a powerful magnetic field which in turn causes
previously-written data to be wiped from the drive

Answer 48

Degaussing

Question 49

Act of removing data in such a way that it cannot be reconstructed using
any known forensic techniques

Answer 49

Purging (Sanitizing)

Question 50

Removal of data with a certain amount of assurance that it cannot be
reconstructed

Answer 50

Clearing

Question 51

A security framework that divides IT into four domains: Plan and
Organize, Acquire and Implement, Deliver and Support, and Monitor and
Evaluate

Answer 51

Control Objectives for Information and Related Technology (COBIT)

Question 52

Consensus-developed secure configuration guidelines for hardening
(benchmarks) and prescriptive, prioritized, and simplified sets of
cybersecurity best practices (configuration guides)

Answer 52

Center for Internet Security

Question 53

A process that integrates security and risk management activities into the
system development life cycle through an approach to security control
selection and specification that considers effectiveness, efficiency, and
constraints due to applicable laws, directives, Executive Orders, policies,
standards, or regulations

Answer 53

Risk Management Framework (RMF)

Question 54

A set of industry standards and best practices created by NIST to help
organizations manage cybersecurity risks

Answer 54

Cybersecurity Framework (CSF)

Question 55

An international standard that details requirements for establishing,
implementing, maintaining and continually improving an information
security management system (ISMS)

Answer 55

ISO 27001

Question 56

An international standard that provides best practice recommendations
on information security controls for use by those responsible for
initiating, implementing, or maintaining information security
management systems (ISMS)

Answer 56

ISO 27002

Question 57

An international standard that acts as a privacy extension to the ISO
27001 to enhance the existing Information Security Management System
(ISMS) with additional requirements in order to establish, implement,
maintain, and continually improve a Privacy Information Management
System (PIMS)

Answer 57

ISO 27701

Question 58

An international standard for enterprise risk management that provides a
universally recognized paradigm for practitioners and companies
employing risk management processes to replace the myriad of existing
standards, methodologies, and paradigms that differed between
industries, subject matters, and regions

Answer 58

ISO 31000

Question 59

A suite of reports produced during an audit which is used by service
organizations to issue validated reports of internal controls over those
information systems to the users of those services

Answer 59

System and Organization Controls (SOC)

Question 60

Designed to provide fundamental security principles to guide cloud
vendors and to assist prospective cloud customers in assessing the overall
security risk of a cloud provider

Answer 60

Cloud Security Alliance’s Cloud Control Matrix

Question 61

A methodology and a set of tools that enable security architects,
enterprise architects, and risk management professionals to leverage a
common set of solutions that fulfill their common needs to be able to
assess where their internal IT and their cloud providers are in terms of
security capabilities and to plan a roadmap to meet the security needs of
their business

Answer 61

Cloud Security Alliance’s Reference Architecture