Policy and Compliance Flashcards
Joe is authoring a document that explains to system administrators one way that they might comply with the organization’s requirement to encrypt all laptops. What type of document is Joe writing?
A. Policy
B. Guideline
C. Procedure
D. Standard
Answer:
B. The key word in this scenario is “one way.” This indicates that compliance with the document is not mandatory, so Joe must be authoring a guideline. Policies, standards, and procedures are all mandatory.
Which one of the following statements is not true about compensating controls under PCI DSS?
A. Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
B. Controls must meet the intent of the original requirement.
C. Controls must meet the rigor of the original requirement.
D. Compensating controls must provide a similar level of defense as the original requirement.
Answer:
A. PCI DSS compensating controls must be “above and beyond” other PCI DSS requirements. This specifically bans the use of a control used to meet one requirement as a compensating control for another requirement.
What law creates cybersecurity obligations for healthcare providers and others in the health industry?
A. HIPAA
B. FERPA
C. GLBA
D. PCI DSS
Answer:
A. The Health Insurance Portability and Accountability Act (HIPAA) includes security and privacy rules that affect healthcare providers, health insurers, and health information clearinghouses.
Which one of the following is not one of the five core security functions defined by the NIST Cybersecurity Framework?
A. Identify
B. Contain
C. Respond
D. Recover
Answer:
B. The five security functions described in the NIST Cybersecurity Framework are identify, protect, detect, respond, and recover.
What ISO standard applies to information security management controls?
A. 9001
B. 27001
C. 14032
D. 57033
Answer:
B. The International Organization for Standardization (ISO) publishes ISO 27001, a standard document titled “Information technology—Security techniques—Information security management systems—Requirements.”
Which one of the following documents must normally be approved by the CEO or similarly high-level executive?
A. Standard
B. Procedure
C. Guideline
D. Policy
Answer:
D. Policies require approval from the highest level of management, usually the CEO. Other documents are often approved by lower-level managers, such as the CISO.
Greg recently conducted an assessment of his organization’s security controls and discovered a potential gap: the organization does not use full-disk encryption on laptops. What type of control gap exists in this case?
A. Detective
B. Corrective
C. Deterrent
D. Preventive
Answer:
D. The use of full-disk encryption is intended to prevent a security incident from occurring if a device is lost or stolen. Therefore, this is a preventive control gap.
What law governs the financial records of publicly traded companies?
A. GLBA
B. SOX
C. FERPA
D. PCI DSS
Answer:
B. The Sarbanes–Oxley (SOX) Act applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records.
What type of security policy often serves as a backstop for issues not addressed in other policies?
A. Account management
B. Data ownership
C. Code of conduct
D. Continuous monitoring
Answer:
C. The code of conduct is often used as a backstop for employee behavior issues that are not addressed directly by another policy.
Which one of the following would not normally be found in an organization’s information security policy?
A. Statement of the importance of cybersecurity
B. Requirement to use AES-256 encryption
C. Delegation of authority
D. Designation of responsible executive
Answer:
B. Security policies do not normally contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm. This type of detail would normally be found in a security standard.
Darren is updating the organization’s risk management process. What type of control is Darren creating?
A. Operational
B. Technical
C. Corrective
D. Managerial
Answer:
D. Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of managerial controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization’s change management, service acquisition, and project management practices.
Which one of the following control models describes the five core activities associated with IT service management as service strategy, service design, service transition, service operation, and continual service improvement?
A. COBIT
B. TOGAF
C. ISO 27001
D. ITIL
Answer:
D. The Information Technology Infrastructure Library (ITIL) is a framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise. ITIL covers five core activities: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement.
What compliance obligation applies to merchants and service providers who work with credit card information?
A. FERPA
B. SOX
C. HIPAA
D. PCI DSS
Answer:
D. The Payment Card Industry Data Security Standard (PCI DSS) provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers.
Which one of the following policies would typically answer questions about when an organization should destroy records?
A. Data ownership policy
B. Account management policy
C. Password policy
D. Data retention policy
Answer:
D. The data retention policy outlines what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.
While studying an organization’s risk management process under the NIST Cybersecurity Framework, Rob determines that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. What tier should he assign based on this measure?
A. Tier 1
B. Tier 2
C. Tier 3
D. Tier 4
Answer:
D. The description provided matches the definition of a Tier 4 (Adaptive) organization’s risk management practices under the NIST Cybersecurity Framework.