Summarizing Governance & Compliance Strategies Flashcards
An owner of a small company produces digital manga in the United States, but it has also become very popular in Japan. Which privacy law should the owner comply with to set up an operation in Japan?
APPI
Japan’s privacy law, the Act on the Protection of Personal Information (APPI), is a relevant law the owner would want to research before expanding operations.
A system engineer is trying to explain due diligence to a group of system administrators. What word would best describe the idea behind due diligence?
Continuous
Due diligence describes the ongoing and documented effort to continuously evaluate and improve the mechanisms that protect assets.
A large corporation has just completed an audit by a Certifying Authority who determined that they are compliant. What will the Certifying Authority award the corporation?
ATO and Accreditation
After the Certifying Authority accredits a system, they provide a formal letter of accreditation to the system owner, granting the Authority to Operate (ATO) the system for a period of three years.
For the corporation to obtain accreditation, the Certifying Authority will review the company’s information system and the results of the independent audit.
A systems administrator has a litigation hold for HIPAA data that is older than four years. How should the administrator respond?
Consult with the company attorney
Systems administrators should consult with company attorneys and management on how to proceed before providing any data to anyone.
By regulation, companies must keep HIPAA data for six years. If the administrator had sent the reply regarding four years, the company would most likely be in trouble during a court proceeding, regardless of whether they allowed the data in litigation.
A consultant for various IT services wants to draft a document that explains basic responsibilities but has concerns that companies will try to fight about additional changes in the project. Therefore, the consultant wants to draft a document to set expectations and keep companies from trying to get more services than they paid for in the agreement. Which would best fit this situation?
MOU
Widely considered as a non-binding agreement or one that is difficult to enforce in a court setting, a Memorandum of Understanding (MOU) serves as a formal means to define roles and expectations.
A government agency is trying to ensure their data is not recoverable from their hard drives. Which techniques could they use?
Crypto erase and Purge
Crypto erase refers to the sanitization of the key used to perform the decryption of data. This makes the recovery of the data effectively impossible. Crypto erase is particularly important when considering cloud platforms.
Purge is a type of sanitization that provides effective protection from all recovery techniques, including clean-room methods.
A U.S.-based company has expanded operations globally and decided to start following the 27k standard. However, they have migrated all of their services to the cloud, and they want to follow cloud controls. Which parts of 27k are cloud standards?
27017 and 27018
27017 is one of the standards for cloud security, providing guidelines for information security controls. The International Organization for Standardization (ISO) manages the ISO 27k.
27018 is another standard for cloud security, providing guidelines for protecting personally identifiable information (PII). ISO 27k includes over a dozen standards and is more suited to global standards than the NIST framework.
A small business owner is reviewing third-party vendors to manage the server environment. The company provides IT services, so it is important that they define areas such as data protection requirements, privacy protection requirements, and other concerns. What document should the business owner draft?
Attestation of compliance
An attestation of compliance (AOC) describes the set of policies, contracts, and standards identified as essential in the agreement between two parties.
A system administrator has decided to start a small data center venture for small businesses. What type of agreement should the sysadmin set up to meet the performance metrics defined in Service Level Agreements?
OLA
Operational-level agreements are typically internal documents established by an organization to define its essential operational needs. OLAs meet the performance metrics defined in a Service Level Agreement.