Policy and Compliance

Question 1

Joe is authoring a document that explains to system administrators one way that they might comply with the organization’s requirement to encrypt all laptops. What type of document is Joe writing?

A. Policy

B. Guideline

C. Procedure

D. Standard

Answer 1

Answer:

B. The key word in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.

Question 2

Which one of the following statements is not true about compensating controls under PCI DSS?

A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

B. Controls must meet the intent of the original requirement.

C. Controls must meet the rigor of the original requirement.

D. Compensating controls must provide a similar level of defense as the original requirement.

Answer 2

Answer:

A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.

Question 3

What law creates cybersecurity obligations for healthcare providers and others in the health industry?

A. HIPAA

B. FERPA

C. GLBA

D. PCI DSS

Answer 3

Answer:

A. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses.

Question 4

Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?

A. Identify

B. Contain

C. Respond

D. Recover

Answer 4

Answer:

B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.

Question 5

What ISO standard applies to information security management controls?

A. 9001

B. 27001

C. 14032

D. 57033

Answer 5

Answer:

B. The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled “Information technology—Security techniques—Information security management systems—Requirements.”

Question 6

Which one of the following documents must normally be approved by the CEO or similarly high-level executive?

A. Standard

B. Procedure

C. Guideline

D. Policy

Answer 6

Answer:

D. Policies require approval from the highest level of management, usually the CEO. Other documents may often be approved by other managers, such as the CISO.

Question 7

Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?

A. Detective

B. Corrective

C. Deterrent

D. Preventive

Answer 7

Answer:

D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.

Question 8

What law governs the financial records of publicly traded companies?

A. GLBA

B. SOX

C. FERPA

D. PCI DSS

Answer 8

Answer:

B. The Sarbanes–Oxley (SOX) Act applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.

Question 9

What type of security policy often serves as a backstop for issues not addressed in other policies?

A. Account management

B. Data ownership

C. Code of conduct

D. Continuous monitoring

Answer 9

Answer:

C. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.

Question 10

Which one of the following would not normally be found in an organization’s information security policy?

A. Statement of the importance of cybersecurity

B. Requirement to use AES-256 encryption

C. Delegation of authority

D. Designation of responsible executive

Answer 10

Answer:

B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.

Question 11

Darren is updating the organization’s risk management process. What type of control is Darren creating?

A. Operational

B. Technical

C. Corrective

D. Managerial

Answer 11

Answer:

D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of managerial controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.

Question 12

Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?

A. COBIT

B. TOGAF

C. ISO 27001

D. ITIL

Answer 12

Answer:

D. The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.

Question 13

What compliance obligation applies to merchants and service providers who work with credit card information?

A. FERPA

B. SOX

C. HIPAA

D. PCI DSS

Answer 13

Answer:

D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.

Question 14

Which one of the following policies would typically answer questions about when an organization should destroy records?

A. Data ownership policy

B. Account management policy

C. Password policy

D. Data retention policy

Answer 14

Answer:

D. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.

Question 15

While studying an organization’s risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?

A. Tier 1

B. Tier 2

C. Tier 3

D. Tier 4

Answer 15

Answer:

D. The description provided matches the definition of a Tier 4 (Adaptive) organization’s risk management practices under the NIST Cybersecurity Framework.

Question 16

Which one of the following security policy framework components does not contain mandatory guidance for individuals in the organization?

A. Policy

B. Standard

C. Procedure

D. Guideline

Answer 16

Answer:

D. Guidelines are the only element of the security policy framework that is optional. Compliance with policies, standards, and procedures is mandatory.

Question 17

Tina is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization’s network. What type of control is Tina designing?

A. Technical control

B. Physical control

C. Managerial control

D. Operational control

Answer 17

Answer:

A. Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Question 18

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. What type of document is Allan writing?

A. Policy

B. Standard

C. Guideline

D. Procedure

Answer 18

Answer:

B. Standards describe specific security controls that must be in place for an organization. Allan would not include acceptable mechanisms in a high-level policy document, and this information is too general to be useful as a procedure. Guidelines are not mandatory, so they would not be applicable in this scenario.

Question 19

Which one of the following is not a common use of the NIST Cybersecurity Framework?

A. Describe the current cybersecurity posture of an organization.

B. Describe the target future cybersecurity posture of an organization.

C. Communicate with stakeholders about cybersecurity risk.

D. Create specific technology requirements for an organization.

Answer 19

Answer:

D. The NIST Cybersecurity Framework is designed to help organizations describe their current cybersecurity posture, describe their target state for cybersecurity, identify and prioritize opportunities for improvement, assess progress, and communicate with stakeholders about risk. It does not create specific technology requirements.

Question 20

Shelly is writing a document that describes the steps that incident response teams will follow upon first notice of a potential incident. What type of document is she creating?

A. Policy

B. Standard

C. Guideline

D. Procedure

Answer 20

Answer:

D. Procedures provide checklist-style sets of step-by-step instructions guiding how employees should react in a given circumstance. Procedures commonly guide the early stages of incident response.