Section 5.2 Regulations, Standards, and Frameworks

Question 1

What do you call any information that isn’t public or unclassified?

Answer 1

Sensitive Data

Question 2

What do you call any information that can identify an individual (name, SSN, birthdate/place, biometric records, etc…)

Answer 2

PII

Question 3

What do you call health information that can be related to a specific person?

Answer 3

Protected Health Information (PHI)

Question 4

What regulation deals with the handling of data while maintaining privacy rights of an individual? Applies to any company with customers in the EU

Answer 4

GDPR

Question 5

What do you call the process of removing all relevant data so that it is impossible to identify original subject or person?

Answer 5

Anonymization

Question 6

What process could reduce or eliminate GDPR requirements?

Answer 6

Anonymization

Question 7

What do you call the process of using pseudonyms (aliases) to represent other data? Can result in less stringent requirements than would otherwise apply under the GDPR.

Answer 7

Pseudonymization

Question 8

What law is focused on services of banks, lenders, and insurance?

Answer 8

Gramm-Leach-Bliley Act (GLBA)

Question 9

What act requires that government agencies include the activities of contractors in their security management programs?

Answer 9

Federal Information Security Management Act (FISMA)

Question 10

What do you call a widely accepted set of policies and procedures intended to optimize the security of credit, debt, and cash card transactions?

Answer 10

PCI DSS

Question 11

What do you call a not-for-profit organization that publishes information on cybersecurity best practice and threats? Provides benchmarks for different operating systems and provides controls to help secure your organization.

Answer 11

Center for Internet Security (CIS)

Question 12

What is a set of guidelines and best practices to help organizations build and improve their cybersecurity posture? Aimed at private industry (commercial business)

Answer 12

Cyber Security Framework (CSF)

Question 13

Which ISO is Security techniques for Information Security Management Systems: an international standard on how to manage information security?

Answer 13

ISO 27001

Question 14

Which ISO is a Code of Practice for Information Security Controls, which aims to improve the management of information.

Answer 14

ISO 27002

Question 15

Which ISO is an extension to 27001/27002 for Privacy Information Management - provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management Systems (PIMS)

Answer 15

ISO 27701

Question 16

Which ISO provides principles, a framework and a process for managing risk for organizations of any size in any sector?

Answer 16

ISO 31000

Question 17

What is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports? designed for larger organizations, such as cloud providers.

Answer 17

Statements on Standards for Attestation Engagements (SSAE) 18

Question 18

What report assesses the design of security processes at a specific point in time?

Answer 18

SOC 2 Type 1

Question 19

What report assesses how effective controls are over time by observing operations for six months?

Answer 19

SOC 2 Type 2

Question 20

What is a not-for-profit organization that produces resources to help CSP’s, like online training, webinars, discussion groups, and virtual summits?

Answer 20

Cloud Security Alliance (CSA)

Question 21

What is designed to provide a guide on security principles for cloud vendors and potential cloud customers to assess the overall risk of a cloud provider?

Answer 21

Cloud Control Matrix (CCM)

Question 22

What contains best security practices for CSP’s and examples?

Answer 22

CSA Reference Architecture

Question 23

What are configuration baselines and best practices for securely configuring a system?

Answer 23

Benchmarks