Ch 6 - Information Security & Data Breach Notification Flashcards Preview


Flashcards in Ch 6 - Information Security & Data Breach Notification Deck (32)
1

Which of the following is not one of the key attributes of the information security triad?
a. Applicability
b. Confidentiality
c. Integrity
d. None of the above

a. Applicability

2

Which of the following is not one of the key attributes of the information security triad?
a. Availability
b. Confidentiality
c. Intelligent
d. None of the above

c. Intelligent

3

Which of the following is not one of the types of security controls for preventing, detecting, or correcting a security incident?
a. Physical controls
b. Administrative controls
c. Technical controls
d. None of the above

d. None of the above

4

Which of the following involves the data subject’s right to control their data, including rights to notice and choice?
a. Information security
b. Information privacy
c. Privacy controls
d. All of the above

b. Information privacy

5

Which law preempts the CA AB 1950 due to greater information security requirements?
a. Gramm-Leach Bliley Act
b. Right to Financial Privacy
c. The Privacy Act of 1974
d. None of the above

a. Gramm-Leach Bliley Act

6

Which of the following laws preempts the CA AB 1950 information security requirements?
a. Right to Financial Privacy
b. Health Insurance Portability and Accountability Act
c. The Privacy Act of 1974
d. None of the above

b. Health Insurance Portability and Accountability Act

7

Which of the following are data elements that, when combined with an individual’s name, constitute personal information under California’s Assembly Bill 1950?
a. SSN, Driver’s License or ID Card number, financial account number
b. Health card ID number, gym membership number, employee ID number
c. Medical information, health insurance information, data collected from an automated license plate recognition system
d. Only a and c

d. Only a and c

8

Which of the following states enacted the most prescriptive information security law in 2010 following the law enacted by CA in 2003?
a. New York
b. Washington
c. Massachusetts
d. Delaware

c. Massachusetts

9

Which of the following states enacted information security laws after CA enacted AB 1950?
a. New York
b. Massachusetts
c. Washington
d. All of the above

d. All of the above

10

Which of the following states enacted the strictest information security law in 2017 following the law enacted by CA in 2003?
a. Washington
b. New York
c. Massachusetts
d. Delaware

b. New York

11

Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Unintended disclosure
b. Hacking or malware
c. Phishing
d. Payment card fraud

c. Phishing

12

Which of the following states enacted an information security law that mirrors some of the requirements of the Payment Card Industry Data Security Standard (PCI DSS)?
a. Minnesota
b. Nevada
c. Washington
d. All of the above

d. All of the above

13

Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Identity theft
b. Insider
c. Physical loss
d. Portable device

a. Identity theft

14

Which of the following is not one of the eight types of incidents listed by the Privacy Rights Clearinghouse?
a. Unintended disclosure
b. Stationary device
c. Elder abuse
d. Unknown or other

c. Elder abuse

15

Which of the following is potential evidence that a data breach by attackers may have occurred?
a. Multiple failed log-in attempts
b. Sudden use of long-dormant access accounts
c. Use of information systems during off-hours
d. All of the above

d. All of the above

16

What should IT managers look for when a data breach by attackers is suspected?
a. Presence of unknown programs or files
b. Presence of unknown devices
c. Presence of unknown users
d. All of the above

d. All of the above
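The indicators in the two cards above (bursts of failed logins, sudden use of a long-dormant account, activity outside business hours, and accounts that are not in the inventory) are the kind of thing an IT manager can check mechanically in an authentication log before escalating to the "determine whether a breach has occurred" step. The script below is an added example written for this page, not code from the CIPP-US textbook or this deck. The log lines, the account inventory with its last-login dates, the thresholds (5 failures within one minute, 90 days of dormancy, 08:00 to 18:00 on weekdays as business hours) and every function name are assumptions constructed for illustration.

```python
"""Flag breach indicators in a constructed authentication log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample log (not from the page). Each line is
# "<date> <time> <account> <result> <source ip>"; 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-04 02:17:05 svc_backup success 198.51.100.7
2024-03-04 09:02:11 alice success 10.0.0.5
2024-03-04 09:03:40 bob failure 203.0.113.9
2024-03-04 09:03:41 bob failure 203.0.113.9
2024-03-04 09:03:42 bob failure 203.0.113.9
2024-03-04 09:03:43 bob failure 203.0.113.9
2024-03-04 09:03:44 bob failure 203.0.113.9
2024-03-04 09:03:50 bob success 203.0.113.9
2024-03-04 11:12:13 zed success 10.0.0.21
2024-03-04 14:30:00 carol success 10.0.0.8
"""

# Hypothetical account inventory: last successful login before this log,
# as it might be exported from a directory service.
KNOWN_ACCOUNTS = {
    "alice": datetime(2024, 3, 1),
    "bob": datetime(2024, 3, 3),
    "carol": datetime(2024, 2, 28),
    "svc_backup": datetime(2023, 6, 10),  # unused for roughly nine months
}

# Assumed tuning values; a real deployment baselines these per environment.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=1)
DORMANT_AFTER = timedelta(days=90)
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_line(line):
    """Split one log line into (timestamp, account, result, source ip)."""
    date, clock, user, result, src = line.split()
    return datetime.fromisoformat(f"{date} {clock}"), user, result, src


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(log_text, accounts=KNOWN_ACCOUNTS):
    """Return a list of (indicator, account, detail) findings, in log order."""
    findings = []
    recent_failures = defaultdict(deque)  # account -> failure timestamps in window
    burst_flagged = set()

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result, src = parse_line(raw)

        # Card 16: an account that is not in the inventory at all.
        if user not in accounts:
            findings.append(("unknown_user", user, f"{ts} from {src}"))
            continue  # no baseline to compare the remaining checks against

        # Card 15: multiple failed log-in attempts inside a short window.
        if result == "failure":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and user not in burst_flagged:
                burst_flagged.add(user)
                findings.append(("failed_login_burst", user,
                                 f"{len(q)} failures within {FAIL_WINDOW} from {src}"))
            continue

        # From here on the event is a successful login.
        if user in burst_flagged:  # a guess that eventually worked
            findings.append(("success_after_burst", user, f"{ts} from {src}"))
        # Card 15: sudden use of a long-dormant account.
        if ts - accounts[user] > DORMANT_AFTER:
            findings.append(("dormant_account_used", user,
                             f"last login {accounts[user].date()}, now {ts}"))
        # Card 15: use of information systems during off-hours.
        if is_off_hours(ts):
            findings.append(("off_hours_login", user, f"{ts} from {src}"))
    return findings


if __name__ == "__main__":
    for indicator, account, detail in analyze(SAMPLE_LOG):
        print(f"{indicator:22} {account:12} {detail}")
```

On the constructed input this reports svc_backup twice (dormant account, off-hours), bob twice (five failures in four seconds, then a success from the same source) and zed once (unknown account); alice and carol produce nothing. Two caveats a practitioner would add: a nightly backup account legitimately runs off-hours, so off-hours and dormancy rules need a per-account baseline rather than one global window, and none of these findings is proof of a breach; they are the leads that feed the first incident-management step in the cards that follow, where someone still has to determine whether a breach actually occurred.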

17

When a U.S. company experiences a data breach of personal information belonging to EU customers, the GDPR requires notification:
a. Within 30 days of the date the company became aware of the breach
b. Within 72 hours of the time the company became aware of the breach
c. Within 10 days from the time the company became aware of the breach
d. Within a reasonable amount of time after the company became aware of the breach

b. Within 72 hours of the time the company became aware of the breach

18

In the second step of managing a data breach incident, containment and analysis:
a. Steps that need to be taken will vary depending on the type of incident
b. A full system audit should be performed to ensure that any system vulnerabilities have been eliminated
c. A thorough analysis should be performed and documented
d. All of the above

d. All of the above

19

The first step in incident management for data breaches is:
a. Containment and analysis of the incident
b. Notify affected parties
c. Determine whether a breach has occurred
d. Implement effective follow-up methods

c. Determine whether a breach has occurred

20

In the third step of managing a data breach incident, incident management:
a. Affected individuals and government authorities need to be notified
b. All applicable notification laws should be followed
c. All applicable terms of contractual agreements concerning breach notification should be followed
d. All of the above

d. All of the above

21

Which of the following is not part of implementing effective follow-up methods in managing a breach incident?
a. Contents of notification letters should comply with applicable state, federal, or contractual requirements
b. Internal self-assessments and audits
c. Employee training
d. All of the above

a. Contents of notification letters should comply with applicable state, federal, or contractual requirements (this is part of the 'incident management' stage)

22

Which of the following is an element of the OMB’s requirements for federal agencies preparing for and responding to breaches of personally identifiable information, which can be used as a best practice by an organization?
a. Designate a breach response team
b. Identify relevant privacy compliance documentation
c. Share information related to the breach to better understand the extent of the breach
d. All of the above

d. All of the above

23

Which of the following is not a requirement of Connecticut’s substitute notice provision of their data breach notification law?
a. Notification via first class mail within 5 days of discovery of the breach
b. Email notice when the organization has an email address on file for the affected person
c. Conspicuous posting of the notice on the website of the organization
d. Notification to major state-wide media, including newspapers, radio and television

a. Notification via first class mail within 5 days of discovery of the breach

24

Which of the following is not an exception for providing data breach notification?
a. In most states, an exception for entities that have their own breach notification procedures, as long as they are not incompatible with state laws
b. Entities subject to HIPAA or GLBA rules for data breach notification
c. Safe harbor for organizations using a model form for their breach notification
d. Safe harbor for data that was encrypted, redacted, unreadable or unusable

c. Safe harbor for organizations using a model form for their breach notification

25

Which of the following is an element of the OMB’s requirements for federal agencies preparing for and responding to breaches of personally identifiable information, which can be used as a best practice by an organization?
a. Determine what reporting is required
b. Assess the risk of harm for individuals potentially affected by the breach
c. Mitigate the risk of harm for individuals potentially affected by the breach
d. All of the above

d. All of the above

26

The encryption exception for notifying consumers of a breach of their personal information is only applicable when:
a. The key has not been breached
b. The key has been breached
c. The key is locked in a secure place
d. None of the above

a. The key has not been breached

27

For the encryption exception for notifying consumers of a breach of their personal information, state laws generally:
a. Specify the technical requirements of encryption expectations
b. Do not specify the level and type of encryption required
c. Allow the organization to determine the encryption needed
d. None of the above

b. Do not specify the level and type of encryption required

28

The Massachusetts Personal Information Security Regulation requires all parties that own or license personal information of Massachusetts residents encrypt all personal information:
a. Stored on laptops
b. Stored on portable devices
c. Sent via wireless transmissions and transmissions over public networks
d. All of the above

d. All of the above

29

There is a growing trend in state breach notification laws to:
a. Provide safe harbor when any type of encryption is used for personal data
b. Allow organizations to determine whether they deserve safe harbor
c. Not provide the encryption safe harbor provision, or to require additional conditions
d. None of the above

c. Not provide the encryption safe harbor provision, or to require additional conditions

30

Many state laws allow businesses to subcontract record destruction to third-party record destruction businesses:
a. After due diligence is performed
b. After a contract is signed
c. Prior to reviewing references
d. All of the above

a. After due diligence is performed