Policy and Compliance Flashcards

1
Q

Joe is authoring a document that explains to system administrators one way that they might comply with the organization’s requirement to encrypt all laptops. What type of document is Joe writing?

A. Policy

B. Guideline

C. Procedure

D. Standard

A

Answer:

B. The key word in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

2
Q

Which one of the following statements is not true about compensating controls under PCI DSS?

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

B. Controls must meet the intent of the original requirement.

C. Controls must meet the rigor of the original requirement.

D. Compensating controls must provide a similar level of defense as the original requirement.

A

Answer:

A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

3
Q

What law creates cybersecurity obligations for healthcare providers and others in the health industry?

A. HIPAA

B. FERPA

C. GLBA

D. PCI DSS

A

Answer:

A. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses.

4
Q

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?

A. Identify

B. Contain

C. Respond

D. Recover

A

Answer:

B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

5
Q

What ISO standard applies to information security management controls?

A. 9001

B. 27001

C. 14032

D. 57033

A

Answer:

B. The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled “Information technology—Security techniques—Information security management systems—Requirements.”

6
Q

Which one of the following documents must normally be approved by the CEO or similarly high-level executive?

A. Standard

B. Procedure

C. Guideline

D. Policy

A

Answer:

D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

7
Q

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

A. Detective

B. Corrective

C. Deterrent

D. Preventive

A

Answer:

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

8
Q

What law governs the financial records of publicly traded companies?

A. GLBA

B. SOX

C. FERPA

D. PCI DSS

A

Answer:

B. The Sarbanes–Oxley (SOX) Act applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.

9
Q

What type of security policy often serves as a backstop for issues not addressed in other policies?

A. Account management

B. Data ownership

C. Code of conduct

D. Continuous monitoring

A

Answer:

C. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

10
Q

Which one of the following would not normally be found in an organization’s information security policy?

A. Statement of the importance of cybersecurity

B. Requirement to use AES-256 encryption

C. Delegation of authority

D. Designation of responsible executive

A

Answer:

B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

11
Q

Darren is updating the organization’s risk management process. What type of control is Darren creating?

A. Operational

B. Technical

C. Corrective

D. Managerial

A

Answer:

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of managerial controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.

12
Q

Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?

A. COBIT

B. TOGAF

C. ISO 27001

D. ITIL

A

Answer:

D. The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.

13
Q

What compliance obligation applies to merchants and service providers who work with credit card information?

A. FERPA

B. SOX

C. HIPAA

D. PCI DSS

A

Answer:

D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

14
Q

Which one of the following policies would typically answer questions about when an organization should destroy records?

A. Data ownership policy

B. Account management policy

C. Password policy

D. Data retention policy

A

Answer:

D. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

15
Q

While studying an organization’s risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?

A. Tier 1

B. Tier 2

C. Tier 3

D. Tier 4

A

Answer:

D. The description provided matches the definition of a Tier 4 (Adaptive) organization’s risk management practices under the NIST Cybersecurity Framework.

16
Q

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?

A. Policy

B. Standard

C. Procedure

D. Guideline

A

Answer:

D. Guidelines are the only element of the security policy framework that is optional. Compliance with policies, standards, and procedures is mandatory.

17
Q

Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization’s network. What type of control is Tina designing?

A. Technical control

B. Physical control

C. Managerial control

D. Operational control

A

Answer:

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

18
Q

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?

A. Policy

B. Standard

C. Guideline

D. Procedure

A

Answer:

B. Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

19
Q

Which one of the following is not a common use of the NIST Cybersecurity Framework?

A. Describe the current cybersecurity posture of an organization.

B. Describe the target future cybersecurity posture of an organization.

C. Communicate with stakeholders about cybersecurity risk.

D. Create specific technology requirements for an organization.

A

Answer:

D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

20
Q

Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

A. Policy

B. Standard

C. Guideline

D. Procedure

A

Answer:

D. Procedures provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance. Procedures commonly guide the early stages of incident response.