Domain 6: Legal, Risk, and Compliance Flashcards

(100 cards)

1
Q

Your company is considering migrating its production environment to the cloud. In reviewing the proposed contract, you notice that it includes a clause that requires an additional fee, equal to six monthly payments (equal to half the term of the contract) for ending the contract at any point prior to the scheduled date. This is best described as an example of _________________.

A. Favorable contract terms
B. Strong negotiation
C. Infrastructure as a service (IaaS)
D. Vendor lock-in

A

Answer: D. Vendor lock-in

Vendor lock-in occurs when the customer is dissuaded from leaving a provider, even when that is the best decision for the customer.
These contract terms can be described as favorable only from the provider’s perspective; option D is preferable to option A for describing this situation. There was no description of negotiation included in the question; option B is incorrect. IaaS is a service model and doesn’t really apply to anything in this context; option C is incorrect.

2
Q

Cathy is developing an eDiscovery program to help her organization formalize its compliance with legal hold obligations. She would like to use an industry standard to guide her toward best practices. What standard should she consider using for this work?

A. ISO 27001
B. ISO 27002
C. ISO 27050
D. ISO 27701

A

Answer: C. ISO 27050

ISO 27050 is an industry standard that provides guidance for eDiscovery programs. ISO 27001 and ISO 27002 provide industry-standard control objectives and control suggestions for cybersecurity. ISO 27701 provides industry standard guidance for information privacy programs.

3
Q

In regard to most privacy guidance, the data processor is _________________.

A. The individual described by the personally identifiable information (PII).
B. The entity that collects or creates the personally identifiable information (PII).
C. The entity that uses personally identifiable information (PII) on behalf of the controller.
D. The entity that regulates personally identifiable information (PII).

A

Answer: C. The entity that uses personally identifiable information (PII) on behalf of the controller.

The entity that uses the data on behalf of the owner/controller is a data processor. The data subject is the person whom the personally identifiable information (PII) describes. The entity that collects or creates the PII is the data owner or controller. Entities that regulate the use of PII are regulators.

4
Q

Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed a forensic analysis on event logs that reflect the circumstances related to the case. For your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _________________.

A. Their testimony is scripted, and they do not deviate from the script
B. They present only evidence that is favorable to your side of the case
C. They are trained and certified in the tools they used.
D. They are paid for their time while they are appearing in the courtroom

A

Answer: C. They are trained and certified in the tools they used.

In order to deliver credible, believable expert testimony, it’s important that your personnel have more than an amateur’s understanding and familiarity with any forensic tools they use to perform analysis. Formal training and certification are excellent methods for creating credibility.
Scripting testimony is usually frowned on by the court; coaching witnesses how to perform and what to expect in court is all right, but it does not lead to credibility. Option A is incorrect. Your expert witnesses are not allowed to withhold any evidence from their testimony if it is pertinent to the case, even if that evidence aids the other side. Option B is incorrect.
You should pay your employees for their time, regardless of whether they’re performing on the job site or in a courtroom, but this has nothing to do with enhancing credibility. Option D is incorrect.

5
Q

After conducting a qualitative risk assessment of her organization, Prisha decides to recommend adding a new module to the firewall that will filter out inbound malware. What type of risk response behavior is she recommending?

A. Accept
B. Transfer
C. Reduce
D. Reject

A

Answer: C. Reduce

Deploying a firewall is a risk mitigation strategy designed to reduce the likelihood or impact of the risk. If Prisha suggested that the organization simply continue to function as-is, that would be risk acceptance.
Risk transference would shift the risk to a third-party, such as an insurance provider. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

6
Q

Nora is an employee of Acme Widgets and works on a team of auditors who examine the organization’s financial controls. She is currently working on a project to evaluate whether payments to cloud providers are proper and will be reporting her results to management.
What term best describes Nora’s role in this project?

A. Internal assessment
B. External audit
C. Internal audit
D. External assessment

A

Answer: C. Internal audit

Nora is an employee of the organization, so her work is clearly internal in nature. External work is performed by independent third parties. Nora is an auditor, and she is testing the effectiveness of controls, so her work is within the scope of a formal audit, rather than an informal assessment. Therefore, this project should be described as an internal audit.

7
Q

Carla is assigned to manage her organization’s privacy program and is working to communicate to customers about a change in the organization’s privacy practices. She plans to send an email notifying customers of the change and allowing them to opt out of the use of their data. Which GAPP principle is not described in this scenario?

A. Notice
B. Management
C. Access
D. Choice and Consent

A

Answer: C. Access

Carla is assigned as the manager of her organization’s privacy program. This assignment is an example of the GAPP principle of Management. She is communicating about a change in privacy practices to her customers, which is an example of Notice. She is also offering those customers the opportunity to opt out of the use of their data. This is an example of the principle of Choice and Consent. It is important to note that consent does not need to be explicit and done on an opt-in basis. Opt-out, implicit consent also satisfies this principle. The principle of Access says that individuals should be able to review and update their personal information. There is no description of Access in this scenario.

8
Q

You’re a medical student at a private research university in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?

A. Sarbanes–Oxley Act (SOX)
B. Health Information Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standards (PCI DSS)
D. Family Educational Rights and Privacy Act (FERPA)

A

Answer: A. Sarbanes–Oxley Act (SOX)

SOX is only applicable to publicly traded corporations, not all companies. HIPAA may be applicable to the data you work with as a medical student if you work with patient data. Your payment and personal data are governed by PCI DSS. FERPA protects your personal student information.

9
Q

Rolando is a risk manager with a large-scale cloud service provider. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando’s organization pursue?

A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance

A

Answer: D. Risk acceptance

In a risk acceptance strategy, the organization decides that taking no action is the most beneficial route to managing a risk.

10
Q

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

A. GLBA
B. SOX
C. HIPAA
D. FERPA

A

Answer: A. GLBA

The Gramm–Leach–Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.

11
Q

Bill is conducting an audit of a cloud provider under the SSAE and ISAE standards. During the audit, he discovers that some records required to complete one of his tests were accidentally destroyed and are not recoverable. There are no alternative tests available for this control objective. What action should Bill take?

A. Describe the limitation in the audit scope statement.
B. Postpone the audit for one year until adequate records are available.
C. Issue a failing audit report.
D. Remove this test from the audit and test a different control objective instead.

A

Answer: A. Describe the limitation in the audit scope statement.

The proper course of action when records are not available is to write a statement of scope limitation that describes the issue and the impact on the audit. Bill could have avoided this by performing an alternative test of the same control objective, but the scenario says this is not possible.

12
Q

Which of the following is not a way in which an entity located outside the European Union (EU) can be allowed to gather and process privacy data belonging to EU citizens?

A. Be located in a country with a nationwide law that complies with the EU laws.
B. Appeal to the EU High Court for permission.
C. Create binding contractual language that complies with the EU laws.
D. Join the Privacy Shield program in its own country.

A

Answer: B. Appeal to the EU High Court for permission.

The General Data Protection Regulation prohibits entities within a country that has no nationwide privacy law from gathering or processing privacy data belonging to EU citizens. Entities can be allowed to do so if the following conditions are met:
(1) Their own country has nationwide laws that comply with the EU laws.
(2) The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather citizen data.
(3) The entity voluntarily subscribes to its own nation’s Privacy Shield program (assuming that program is found acceptable by the EU authorities).
There is no process for the entity to appeal to the EU for permission to do so, however.

13
Q

Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction

A

Answer: B. Qualitative

Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.

14
Q

An audit against the _________________ will demonstrate that an organization has a holistic, comprehensive program of internal security controls.

A. Statement on Auditing Standards (SAS) 70 standard
B. Statement on Standards for Attestation Engagements (SSAE) 18 standard
C. Service Organization Control (SOC) 2, Type 2 report matrix
D. ISO 27001 certification requirements

A

Answer: D. ISO 27001 certification requirements

The ISO 27001 certification is for the information security management system (ISMS), the organization’s entire security program.

The SAS 70 and SSAE 18 are audit standards for service providers and include some review of security controls, but not a cohesive program (and the SAS 70 is outdated); options A and B are not correct. The SOC reports are how SSAE 18 audits are conducted; option C is incorrect.

15
Q

An IT security audit is designed to reveal all of the following except _________________.

A. Financial fraud
B. Malfunctioning controls
C. Inadequate controls
D. Failure to meet target standards and guidelines

A

Answer: A. Financial fraud

An IT security audit is not intended to locate financial fraud; it may, however, lead to such revelations unintentionally. There are specific other audits that exist for this purpose. All the other options are incorrect because they are intended goals for IT security audits.

16
Q

During an IT audit, the CEO of a cloud provider demands regular updates on the testing process. How should auditors respond to this demand?

A. Refuse to provide the CEO with any information until the conclusion of the audit.
B. Refer the matter to the client’s Board of Directors.
C. Provide the CEO with regular updates.
D. Refer the matter to the audit firm’s partnership review board

A

Answer: C. Provide the CEO with regular updates.

It is entirely appropriate to engage stakeholders during the audit process. While the CEO may be demanding information in a rude manner, that does not mean that they are not an important stakeholder. The audit team should carefully engage the CEO and keep them engaged throughout the audit process. The matter only needs to be referred to other authorities if the CEO makes improper requests.

17
Q

Which of the following is a U.S. audit standard often used to evaluate cloud providers?

A. ISO 27001
B. SOX
C. SSAE 18
D. IEC 43770

A

Answer: C. SSAE 18

The Statement on Standards for Attestation Engagements (SSAE) 18 is the current AICPA (American Institute of Certified Public Accountants) audit standard.
ISO 27001 is an international audit standard.
The Sarbanes–Oxley Act (SOX) is a U.S. law pertaining to publicly traded corporations.
There is no such thing as the IEC 43770 standard.

18
Q

Digital forensics investigators perform all of the following actions routinely except for securely _________________ data.

A. Collecting
B. Creating
C. Analyzing
D. Presenting

A

Answer: B. Creating

With rare exceptions, digital forensics does not include creation of data (other than the forensic reports regarding the analysis of data). While this could arguably be considered an aspect of digital forensics as well, the other options are more suited to describing digital forensics, so this is the best negative answer.

19
Q

A(n) _________________ includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.

A. Service Organization Control (SOC) report
B. Gap analysis
C. Audit scoping statement
D. Federal guideline

A

Answer: B. Gap analysis

This is the definition of a gap analysis.
SOC reports are specific kinds of audits; option A is incorrect. The scoping statement is a pre-audit function that aids both the organization and the auditor to determine what, specifically, will be audited. Option C is incorrect.
Federal guidelines are government recommendations on how something should be done.
Option D is incorrect.

20
Q

Belinda is auditing the financial controls of a manufacturing company and learns that the financial systems are run on a major IaaS platform. She would like to gain assurance that the platform has appropriate security controls in place to assure the accuracy of her client’s financial statements. What action should she take?

A. Perform an IT audit of the cloud provider.
B. Obtain a SOC 1 report.
C. Obtain a SOC 2 report.
D. Continue testing only controls at the client and note the use of the cloud provider in her report.

A

Answer: B. Obtain a SOC 1 report.

Belinda is obligated to gain assurance that the cloud provider has appropriate controls in place. It is unlikely that she will gain permission to audit those controls herself, and even if she gained this permission, that would result in excessive and unnecessary costs. She should instead ask the cloud provider for the report of an independent audit. SOC 1 audits are designed specifically to test the controls covering customer financial statements and would be the appropriate audit type in this scenario. SOC 2 audits cover cybersecurity controls more broadly and would be unnecessary.

21
Q

Tony is developing a business continuity plan and is having trouble prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

A

Answer: D. Combination of quantitative and qualitative risk assessment

Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

22
Q

What was the first international privacy standard specifically for cloud providers?

A. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37
B. Personal Information Protection and Electronic Documents Act
C. Payment Card Industry
D. ISO 27018

A

Answer: D. ISO 27018

ISO 27018 describes privacy requirements for cloud providers, including an annual audit mandate.

Option A is incorrect because NIST SP 800-37 describes the Risk Management Framework and is not an international privacy standard.

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. Option B is incorrect.

Option C is incorrect because the PCI DSS is specifically for merchants who accept credit cards, not cloud providers (while cloud providers may process credit cards, and therefore must follow PCI DSS, option D is preferable, and a better answer).

23
Q

Which one of the following elements of information is not considered a direct identifier that would trigger most United States (U.S.) state data breach laws?

A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number

A

Answer: A. Student identification number

Most state data breach notification laws are modeled after California’s data breach notification law, which covers Social Security numbers, driver’s license numbers, state identification card numbers, credit/debit card numbers, and bank account numbers (in conjunction with a PIN or password). California’s breach notification law also protects some items not commonly found in other state laws, including medical records and health insurance information.
These laws are separate and distinct from privacy laws, such as the California Consumer Privacy Act (CCPA), which regulates the handling of personal information more broadly.

24
Q

Which of the following items, included in the contract between a cloud customer and cloud provider, can best aid in reducing vendor lock-in?

A. Data format type and structure
B. Availability
C. Storage space
D. List of available OSs

A

Answer: A. Data format type and structure

When the cloud customer can ensure that their data will not be ported to a proprietary data format or system, the customer has a better assurance of not being constrained to a given provider; a platform-agnostic data set is more portable and less subject to vendor lock-in.
Availability may be an aspect of portability; the ease and speed at which the customer can access their own data can influence how readily the data might be moved to another provider. However, this is less influential than the format and structure of the data; option A is preferable to option B.
Storage space has little to do with vendor lock-in; option C is incorrect. A list of OSs the provider offers might be influential for the customer’s decision of which provider to select, but it is not typically a constraining factor that would restrict portability.
Option D is incorrect.

25
Q

Which of the following contract terms most incentivizes the cloud provider to meet the requirements listed in the service-level agreement (SLA)?

A. Regulatory oversight
B. Financial penalties
C. Performance details
D. Desire to maintain customer satisfaction

A

Answer: B. Financial penalties

The contract usually stipulates what kind of financial penalties are imposed when the provider fails to meet the SLAs (for instance, waiver for payment of a given service term). This is a huge motivating element for the provider. Regulatory oversight usually affects the customer, not the provider; option A is incorrect. The performance details are often included in the SLA but aren’t the motivating factor; option C is incorrect. In a perfect world, option D would be the correct answer; B is a better answer to this question, however.

26
Q

Fran recently conducted a review of the risk management program in her organization and developed an analysis of all of the risks facing the organization and their quantitative impact. What term best describes this analysis?

A. Risk appetite
B. Risk tolerance
C. Risk controls
D. Risk profile

A

Answer: D. Risk profile

A quantitative analysis of all of the risks facing an organization and their potential impact is best described as the organization’s risk profile. Risk appetite, or risk tolerance, is the amount of risk that an organization is willing to accept. Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation. Risk controls are used to manage risks to an acceptable level.

27
Q

Which of the following was the first international standard addressing the privacy aspects of cloud computing for consumers?

A. ISO 27001
B. ISO 27018
C. ISO 27002
D. GDPR

A

Answer: B. ISO 27018

ISO/IEC 27018 addresses the privacy aspects of cloud computing for consumers and was the first international set of privacy controls in the cloud.

28
Q

You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a(n) _________________ to all personnel and offices within your company.

A. Litigation hold notice
B. Audit scoping letter
C. Statement of work
D. Memorandum of agreement

A

Answer: A. Litigation hold notice

A litigation hold notice is required to prevent possible destruction of pertinent evidence that may be used in the case. An audit scoping letter outlines the parameters for an audit engagement. A memorandum of agreement documents a relationship between two organizations. A statement of work describes the work that will be performed by a contractor. None of these are used in response to the threat of a lawsuit.

29
Q

Gwen is a cybersecurity professional for a financial services firm that maintains records of their customers. These records include personal information about each customer, including the customer’s name, Social Security number, date and place of birth, and mother’s maiden name. What category best describes these records?

A. PHI
B. Proprietary data
C. PII
D. EDI

A

Answer: C. PII

Personally identifiable information (PII) includes data that can be used to distinguish or trace a person’s identity, and also includes information like their medical, educational, financial, and employment information. PHI is a form of PII that includes personal health information, EDI is electronic data interchange, and proprietary data is used to maintain an organization’s competitive advantage.

30
Q

Aaron is concerned about the possibility that a cloud vendor that his organization relies on may go out of business. What term best describes this risk?

A. Vendor lock-in
B. Vendor viability
C. Vendor lockout
D. Vendor diversity

A

Answer: B. Vendor viability

Vendor viability is the risk that a vendor will not be able to continue operations and that a vendor shutdown will adversely impact customers. Vendor lock-in occurs when the costs of switching to a different vendor are prohibitively high. Vendor lockout occurs when a vendor prevents a customer from gaining access to their information. Vendor diversity is the use of multiple vendors to meet the same need to protect against vendor viability and reliability issues.

31
Q

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference

A

Answer: C. Risk mitigation

Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

32
Q

Viola is planning a user account audit to determine whether accounts have the appropriate level of permissions and that all permissions were approved through a formal process. The organization has approximately 50,000 user accounts and an annual employee turnover rate of 24 percent. Which one of the following sampling approaches would be the most effective use of her time when choosing records for manual review?

A. Select all records that have been modified during the past month.
B. Ask access administrators to identify the accounts most likely to have issues and audit those.
C. Select a random sample of records, either from the entire population or from the population of records that have changed during the audit period.
D. Sampling is not effective in this situation, and all accounts should be audited.

A

Answer: C. Select a random sample of records, either from the entire population or from the population of records that have changed during the audit period.

Sampling should be done randomly to avoid human bias. Sampling is an effective process if it is done on a truly random sample of sufficient size to provide effective coverage of the userbase. It is infeasible for a single person to review every single record. In an organization of 50,000 users with a 24 percent annual turnover, it is likely that at least 1,000 of those records have changed in the last month. This is still too many records to review. Asking account administrators to select the records to review is a conflict of interest, as they are the group being audited.

33
Q

Which one of the following issues is not normally addressed in a service-level agreement (SLA)?

A. Confidentiality of customer information
B. Failover time
C. Uptime
D. Maximum consecutive downtime

A

Answer: A. Confidentiality of customer information

SLAs do not normally address issues of data confidentiality. Those provisions are normally included in a nondisclosure agreement (NDA).

34
Q

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

A. Compliance with all laws and regulations
B. Handling information in the same manner the organization would
C. Elimination of all identified security risks
D. Compliance with the vendor’s own policies

A

Answer: B. Handling information in the same manner the organization would

The most appropriate standard to use as a baseline when evaluating vendors is to determine whether the vendor’s security controls meet the organization’s own standards. Compliance with laws and regulations should be included in that requirement and is a necessary, but not sufficient, condition for working with the vendor. Vendor compliance with their own policies also fits into the category of necessary, but not sufficient, controls, as the vendor’s policy may be weaker than the organization’s own requirements. The elimination of all identified security risks is an impossible requirement for a potential vendor to meet.

35
Q

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance

A

Answer: D. Risk avoidance

HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse. A risk mitigation strategy would continue offering the service, but do so in a more secure manner. A risk acceptance strategy would continue offering the service as is. A risk transference strategy would shift some of the risk to a third party.

36
Q

Who would normally conduct a review of security controls under SSAE 18?

A. Security team
B. External auditor
C. Government regulator
D. IT leadership

A

Answer: B. External auditor

SSAE 18 is an audit standard for service organization controls (SOC) audits. These audits are conducted by independent, external audit firms.

37
Q

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

A. Impact
B. RPO
C. MTO
D. Likelihood

A

Answer: D. Likelihood

Installing a device that will block attacks is an attempt to lower risk by reducing the likelihood of a successful application attack.

38
Q

Which of the following statements about SSAE 18 is not correct?

A. It mandates a specific control set.
B. It is an attestation standard.
C. It is used for external audits.
D. It uses a framework, including SOC 1, SOC 2, and SOC 3 reports.

A

Answer: A. It mandates a specific control set.

SSAE 18 does not assert specific controls. Instead, it reviews the use and application of controls in an audited organization. It is an attestation standard, used for external audits, and forms part of the underlying framework for SOC 1, 2, and 3 reports.

39
Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt’s clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests? A. ECPA B. CALEA C. Privacy Act D. HITECH Act
**Answer: B. CALEA** The Communications Assistance for Law Enforcement Act (CALEA) requires that communications carriers build their networks so that lawful wiretaps are possible for law enforcement officials who present an appropriate court order or warrant. ECPA restricts interception and access to stored communications; the Privacy Act governs federal agencies' handling of personal records; the HITECH Act extends HIPAA's health information protections.
40
Tim’s organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract? A. FISMA B. PCI DSS C. HIPAA D. GISRA
**Answer: A. FISMA** The Federal Information Security Management Act (FISMA), since updated by the Federal Information Security Modernization Act of 2014, applies to federal agencies and to contractors that operate or maintain information systems on their behalf. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to protected health information and payment card data, respectively, and nothing in the scenario indicates that either is present.
41
Katie is conducting a thorough review of all of the personally identifiable information (PII) used by her organization. What term best describes this assessment? A. BIA B. BPA C. PPA D. PIA
**Answer: D. PIA** Privacy impact assessments (PIA) are used to review the appropriateness of all PII use by an organization. Business impact assessments (BIA) consider the consequences of disruptions more broadly and are used in business continuity and risk assessment processes. Business process assessments (BPA) are used to evaluate the efficiency of an organization's processes and identify opportunities for improvement. PPA is not an assessment type.
42
Kevin is reviewing and updating the security documentation used by his organization. He would like to document some best practices for securing cloud computing services that his team has implemented over the past year. The practices are generalized in nature and do not cover specific services. What type of document would be best for this purpose? A. Policy B. Standard C. Guideline D. Procedure
**Answer: C. Guideline** It is possible that Kevin could use any one of these documents. We should zero in on the portion of the question where it indicates that these are best practices. This implies that the advice is not mandatory and, therefore, would not go into a policy or standard. The fact that the advice is general in nature means that it likely is not well suited to the step-by-step nature of a procedure. A guideline would be the perfect place to document these best practices.
43
Colin is conducting an audit of the internal information security management system (ISMS) of a cloud service provider. Which one of the following items would normally be outside the scope of this audit? A. Uses of customer data B. Accuracy of financial statements C. Network firewall protections D. Endpoint security
**Answer: B. Accuracy of financial statements** An organization’s information security management system (ISMS) is a broad program covering all aspects of cybersecurity. This would include uses of customer data, network firewall protections, endpoint security, and many other control types. It would not cover the accuracy of the organization’s financial statements, which would be within the scope of the financial audit. It would, however, include an evaluation of the cybersecurity controls affecting financial systems and statements.
44
Which of the following is not an enforceable governmental request? A. Warrant B. Subpoena C. Court order D. Affidavit
**Answer: D. Affidavit** An affidavit is a sworn written statement presented to a court as evidence; it compels nothing on its own. Warrants, subpoenas, and court orders are all enforceable governmental requests.
45
Helen is assessing a cloud provider’s risk management methodology. Which one of the following documents would be least helpful to her in this effort? A. ISO 31000 B. NIST 800- 37 C. COBIT D. PCI DSS
**Answer: D. PCI DSS** The Payment Card Industry Data Security Standard (PCI DSS) is a set of cybersecurity controls required for organizations that store, process, or transmit payment card data. It is not a risk management standard, and no information in this scenario describes credit card processing. ISO 31000, NIST SP 800-37 (the Risk Management Framework), and the Control Objectives for Information and Related Technologies (COBIT) are all relevant risk management standards.
46
Vincent is responsible for a privacy program that spans international borders. Of the following countries where his organization operates, which does not have a comprehensive national privacy law? A. United States B. France C. Canada D. Germany
**Answer: A. United States** **The United States does not have a comprehensive national privacy law.** Instead, it has a patchwork of industry-specific and subject-specific legislation. France and Germany are both members of the European Union and are subject to the comprehensive General Data Protection Regulation (GDPR). Canada has a comprehensive law titled the Personal Information Protection and Electronic Documents Act (PIPEDA).
47
Nitesh is conducting a global audit of a multinational cloud service provider and has a question about appropriate testing procedures. Which one of the following documents would be most applicable to his situation? A. ISAE 3402 B. ISAE 3410 C. SSAE 16 D. SSAE 18
**Answer: A. ISAE 3402** **ISAE 3402 provides international guidance on the assessment of service providers, and is the appropriate standard to use in this situation.** SSAE 18 is the equivalent document for assessments performed within the United States. SSAE 16 is an outdated version of that standard and has been superseded by SSAE 18. ISAE 3410 covers greenhouse gas emission statements and is completely irrelevant to this scenario.
48
Which of the following represents the legislation enacted to protect shareholders and the public from enterprise accounting errors and fraudulent practices? A. PCI B. Gramm–Leach–Bliley Act (GLBA) C. Sarbanes–Oxley Act (SOX) D. HIPAA
**Answer: C. Sarbanes–Oxley Act (SOX)** The Sarbanes–Oxley Act (SOX) was enacted in 2002 in response to the accounting scandals of the early 2000s, most notably the 2001 collapse of Enron. At that time, top executives claimed that they were unaware of the accounting practices that led to the company's demise. SOX not only requires executives to oversee and certify financial reporting and the internal controls behind it, but holds them personally accountable should such activity occur again. GLBA governs the protection of consumer financial information, HIPAA governs health information, and PCI DSS is a contractual standard for payment card data, not legislation.
49
Joe’s organization is considering expanding the geographic footprint of its data centers to include facilities located in other countries. What is likely going to be the most serious complication introduced by this expansion? A. Multiple jurisdictions B. Different electric standards C. Internet connectivity and bandwidth D. Operating system compatibility
**Answer: A. Multiple jurisdictions** **The most serious complication introduced by geographic expansion is the applicability of different laws and regulations from multiple jurisdictions,** including data residency and transfer rules, breach notification requirements, and law enforcement access. Datacenters in different countries may use different electrical standards, but this is not a major issue, as datacenter equipment is available for each of them. There is no indication that Joe would expand into regions that lack sufficient internet connectivity or bandwidth, and there is no reason that Joe's organization would not be able to use the same operating systems in different regions.
50
FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed? A. The right to access B. Privacy by design C. The right to be forgotten D. The right of data portability
**Answer: C. The right to be forgotten** The right to be forgotten, also known as the right to erasure, guarantees the data subject the ability to have their information removed from processing or use. It may be tied to consent given for data processing; if a subject revokes consent for processing, the data controller may need to take additional steps, including erasure.
51
In most privacy-regulation situations, which entity is most responsible for deciding how a particular privacy-related data set will be used or processed? A. The data subject B. The data controller C. The data steward D. The data custodian
**Answer: B. The data controller** The data controller makes the determination of purpose, and scope of privacy-related data sets. The other options are the names of other privacy-related roles.
52
Which of the following is probably the most volatile form of data that might serve a forensic purpose in a virtualized environment? A. Virtual instance RAM B. Hardware RAM C. Hypervisor logs D. Drive storage
**Answer: A. Virtual instance RAM** **Because RAM is inherently volatile, and virtual resources are simulated only for limited time periods, virtual RAM is probably the most volatile data store.** Hardware RAM is probably as volatile as virtual RAM, but the virtualization aspect of option A may make it a more suitable answer for this particular question. Log data and drive storage should both be durable and not volatile at all, so options C and D are incorrect.
53
Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance? A. Binding corporate rules B. Privacy Shield C. Standard contractual clauses D. Safe harbor
**Answer: C. Standard contractual clauses** The European Commission publishes standard contractual clauses (SCCs) that may be used to facilitate transfers of personal data out of the EU. That would be the best choice in a case where two different companies are sharing data. If the data were being shared internally within a single corporate group, binding corporate rules would also be an option. The EU-U.S. Privacy Shield was a safe harbor arrangement that would previously have allowed the transfer, but it was invalidated by the Court of Justice of the European Union in 2020 (the Schrems II decision), as its predecessor, the original Safe Harbor framework, had been in 2015.
54
You are the chief information officer (CIO) for an IT hardware manufacturer. Your company uses cloud-based software as a service (SaaS) services, including email. You receive a legal request for data pertinent to a case. Your eDiscovery efforts will largely be dependent on _________________. A. The cloud provider B. Regulators C. The cloud customer D. Internal IT personnel
**Answer: A. The cloud provider** In a SaaS model, the customer has little insight into the event logs and traffic analysis useful for evidentiary purposes. The customer will largely be reliant on the cloud provider to locate, collect, and deliver this information for eDiscovery. Regulators do not take part in eDiscovery, so option B is incorrect. In this situation, your company is the cloud customer and will not have a great deal of access to event logs, which may be a crucial element of eDiscovery, so options C and D are incorrect.
55
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to the policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? A. Purchasing insurance B. Encrypting the database contents C. Removing the data D. Objecting to the exception
**Answer: B. Encrypting the database contents** Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk, but it is not a mitigating control.
56
James has been asked to lead a review of his organization’s compliance with GAPP principles. What area will most directly fall into the scope of his assessment? A. Accounting B. Privacy C. Cybersecurity D. eDiscovery
**Answer: B. Privacy** While all of these areas may be indirectly touched by a GAPP assessment, the assessment is primarily focused on privacy, as GAPP is the Generally Accepted Privacy Principles.
57
Brad recently learned that his organization will be subject to a new legal requirement due to an expansion of their work into a new industry. What type of analysis should Brad perform first? A. Business impact analysis B. Privacy impact analysis C. Gap analysis D. Baseline development
**Answer: C. Gap analysis** **Brad should first perform a gap analysis to identify any areas where his organization is not compliant with the new regulation.** This gap analysis can serve as the roadmap for remediation efforts. The business impact analysis (BIA) is performed as part of a risk assessment process. Privacy impact analyses (PIA) focus primarily on privacy matters. Baseline development is done to identify common configuration standards.
58
Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions? A. Healthcare provider B. Health and fitness application developer C. Health information clearinghouse D. Health insurance plan
**Answer: B. Health and fitness application developer** A health and fitness application developer would not necessarily be collecting or processing healthcare data on behalf of a covered entity, and the terms of HIPAA do not automatically apply to this category of business. HIPAA regulates three types of covered entities, healthcare providers, health information clearinghouses, and health insurance plans, as well as the business associates of any of those covered entities. An application developer would become subject to HIPAA only if it acted as a business associate, for example by handling protected health information under contract to a provider or plan.
59
Bella is working to develop a long-term relationship with a consulting firm that will assist in her organization’s cloud migration. She would like to create a contract that may govern the terms of many different projects. What type of document should she create? A. MSA B. BPA C. SOW D. MOU
**Answer: A. MSA** **A master services agreement (MSA) is an umbrella document that governs many different projects conducted by the same service provider.** Each one of those projects is then described within a statement of work (SOW). A business partnership agreement (BPA) is used to define the terms of a joint venture between two organizations. A memorandum of understanding (MOU) is an informal document describing the relationship between two organizations or business units of the same organization.
60
What best describes the Cloud Security Alliance Cloud Controls Matrix? A. A set of regulatory requirements for cloud service providers B. A set of software development life cycle requirements for cloud service providers C. A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA’s COBIT, and PCI-DSS D. An inventory of cloud service security controls that are arranged into separate security domains
**Answer: C. A security controls framework that provides mapping/cross relationships with the main industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA’s COBIT, and PCI-DSS** The CCM cross-references many industry standards, laws, and guidelines.
61
Gordon’s organization is considering using a new cloud vendor to handle the backups. He is conducting a risk assessment to determine the amount of damage that lost backups at the provider should be expected to cause each year. What metric has Gordon identified? A. ALE B. ARO C. SLE D. EF
**Answer: A. ALE** The annualized loss expectancy (ALE) is the amount of damage that the organization expects to occur each year as the result of a given risk. The annualized rate of occurrence (ARO) is the number of times the organization expects the risk to occur each year. The single loss expectancy (SLE) is the amount of damage that the organization expects to occur each time the risk materializes. The exposure factor (EF) is the percentage of the asset's value that will be lost each time the risk materializes. These relate as SLE = AV × EF (where AV is the asset value) and ALE = SLE × ARO; a control that reduces likelihood lowers ARO, while one that reduces impact lowers EF.
62
Greg’s company operates only in the United States. They recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action? A. The breach laws of the jurisdiction where they are headquartered. B. The breach laws of all jurisdictions where they do business. C. The breach of the laws of the federal government only because this involves interstate commerce. D. No breach of the laws would apply to this situation.
**Answer: B. The breach laws of all jurisdictions where they do business.** In general, companies should be aware of the breach laws in any location where they do business. U.S. states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state's residents.
63
_________________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users’ and clients’ privacy data. A. Due care B. Due diligence C. Liability D. Reciprocity
**Answer: A. Due care** This is an example of due care. **Due care means taking the same care that an ordinary, reasonable person would take under the same circumstances. So, when you are making day-to-day security decisions, you are making the same decisions that a reasonable security professional would make.** Due diligence, like due care, is about doing the right things, but due diligence is about prior planning. When we perform due diligence, we put the governance structures, processes, and frameworks in place to make sure that we are meeting our obligations. Liability is the measure of responsibility an entity bears for failing to provide due care. Reciprocity is a legal arrangement in which one jurisdiction recognizes the rights, licenses, or legal acts of another on the condition that the other jurisdiction does the same in return.
64
Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions? A. NERC/CIP B. PCI DSS C. HITECH D. GLBA
**Answer: B. PCI DSS** **The Payment Card Industry Data Security Standard (PCI DSS) governs the storage, processing, and transmission of credit card information.** The Health Information Technology for Economic and Clinical Health (HITECH) Act extends the provisions of HIPAA regarding the protection of health information. The North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) program outlines compliance requirements for firms involved in the maintenance of the electric grid.
65
You are considering adding a web application firewall to your public-facing applications to reduce the risk of an attack. If you implement the firewall, what risk treatment action are you taking? A. Risk avoidance B. Risk acceptance C. Risk mitigation D. Risk transference
**Answer: C. Risk mitigation** **Installing a firewall reduces the likelihood of the risk materializing and is, therefore, a risk mitigation action.** Risk avoidance would shut down the web services completely to avoid the associated risk. Risk acceptance would take no action and continue operations as is. Risk transference includes actions that shift some of the financial burden of a risk from one organization to another. Purchasing insurance is the most common example of risk transference.
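Cards 61 and 65 describe the same calculation from two sides: the ALE arithmetic (SLE = AV × EF, ALE = SLE × ARO) and the four treatment options, where a web application firewall reduces likelihood (ARO). The following Python is an added example, not part of the flashcards, that puts both together and compares the treatments by their expected total annual cost. All figures (asset value, exposure factor, occurrence rates, and the cost of each treatment) are constructed for illustration.

```python
"""Quantitative risk treatment comparison using SLE, ARO and ALE.

Added example; the scenario figures below are constructed, not taken
from the flashcards or any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario in the quantitative terms of card 61."""
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual value of a countermeasure: (ALE before - ALE after) - its annual cost.
    A negative result means the safeguard costs more than the loss it prevents."""
    return before.ale() - after.ale() - annual_cost


def total_annual_cost(residual: Risk, annual_cost: float) -> float:
    """Expected yearly outlay under a treatment: residual ALE plus the treatment's own cost."""
    return residual.ale() + annual_cost


def choose_treatment(options: dict[str, tuple[Risk, float]]) -> str:
    """Return the name of the treatment with the lowest expected total annual cost."""
    return min(options, key=lambda name: total_annual_cost(*options[name]))


# Constructed scenario: a public web application worth 500,000 (AV) that a
# successful application attack damages by 40% (EF) about twice a year (ARO).
INHERENT = Risk(asset_value=500_000, exposure_factor=0.40, aro=2.0)

# The four treatments of card 65, each as (residual risk, annual cost of the treatment).
TREATMENTS = {
    # Accept: nothing changes and nothing is spent.
    "accept": (INHERENT, 0.0),
    # Mitigate: a WAF lowers likelihood (ARO 2.0 -> 0.2); assumed subscription 50,000/yr.
    "mitigate": (Risk(500_000, 0.40, 0.2), 50_000.0),
    # Transfer: insurance reimburses 80% of each loss (EF 0.40 -> 0.08); assumed premium 120,000/yr.
    "transfer": (Risk(500_000, 0.08, 2.0), 120_000.0),
    # Avoid: take the application offline; no attack loss, but assumed 350,000/yr of lost revenue.
    "avoid": (Risk(0.0, 0.0, 0.0), 350_000.0),
}


if __name__ == "__main__":
    print(f"inherent: SLE={INHERENT.sle():,.0f}  ALE={INHERENT.ale():,.0f}")
    for name, (residual, cost) in TREATMENTS.items():
        print(f"{name:9s} residual ALE={residual.ale():>9,.0f}  "
              f"total/yr={total_annual_cost(residual, cost):>9,.0f}")
    print("recommended:", choose_treatment(TREATMENTS))
```

With these numbers the inherent ALE is 400,000 per year, the WAF leaves a residual ALE of 40,000 for a total of 90,000 per year (a net safeguard value of 310,000), insurance totals 200,000, shutting the service down 350,000, and doing nothing 400,000, so mitigation wins. Changing the ARO reduction or the subscription cost is how a practitioner tests whether the recommendation is sensitive to the estimates.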
66
You are conducting a risk assessment for a cloud service provider that will be operating the infrastructure for an electric utility. What regulatory framework is most relevant to this organization? A. HIPAA B. HITECH C. NERC/CIP D. PCI DSS
**Answer: C. NERC/CIP** **The North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP) standards provide security requirements for the bulk electric system.** The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act govern protected health information. The Payment Card Industry Data Security Standard (PCI DSS) governs credit and debit card records.
67
You are concerned that different virtual machines in your organization have different security configurations and would like to apply a standard configuration at the time they are built. What term describes this approach? A. Scanning B. Baselining C. Operationalizing D. Customizing
**Answer: B. Baselining** The application of a consistent security standard at the time a virtual machine (or a physical machine, for that matter) is built is called baselining. The standard configuration is known as a baseline. Scanning finds deviations after the fact; baselining prevents them from being built in the first place, and a build that does not match the baseline should not be released.
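Card 67 defines a baseline as the standard configuration applied when a machine is built. The natural way to make that enforceable is to express the baseline as data and gate every build on a check against it. The following Python is an added example, not part of the flashcards: the baseline contents, the setting names (sshd, disk, agent, firewall keys), and the two sample VM configurations are all constructed for illustration, and the check also handles minimum package versions and forbidden packages, which the card does not mention.

```python
"""Build-time baseline check for virtual machine configuration.

Added example; the baseline and both VM configurations are constructed,
and the setting names are illustrative rather than any product's real keys.
"""

# The baseline: required settings (exact values), minimum package versions,
# and packages that must not be present on a compliant build.
BASELINE = {
    "required": {
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
        "disk.root.encrypted": True,
        "agent.logforwarding": "enabled",
        "firewall.default_inbound": "deny",
    },
    "min_version": {"openssl": (3, 0, 0)},
    "forbidden_packages": {"telnetd", "rsh-server"},
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_baseline(vm: dict, baseline: dict = BASELINE) -> list[str]:
    """Return the list of deviations from the baseline; an empty list means compliant."""
    findings: list[str] = []
    settings = vm.get("settings", {})
    for key, expected in baseline["required"].items():
        if key not in settings:
            findings.append(f"missing setting {key} (expected {expected!r})")
        elif settings[key] != expected:
            findings.append(f"{key}={settings[key]!r} (expected {expected!r})")

    packages = vm.get("packages", {})  # name -> installed version string
    for name, minimum in baseline["min_version"].items():
        if name not in packages:
            findings.append(f"missing package {name}")
        elif parse_version(packages[name]) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(f"{name} {packages[name]} below minimum {wanted}")

    for name in sorted(baseline["forbidden_packages"] & set(packages)):
        findings.append(f"forbidden package installed: {name}")
    return findings


def build_gate(vm: dict) -> bool:
    """Gate applied at build time: only a VM with no deviations may be released."""
    return not check_baseline(vm)


# Constructed: an image built from the baseline.
COMPLIANT_VM = {
    "settings": {
        "sshd.PasswordAuthentication": "no",
        "sshd.PermitRootLogin": "no",
        "disk.root.encrypted": True,
        "agent.logforwarding": "enabled",
        "firewall.default_inbound": "deny",
    },
    "packages": {"openssl": "3.0.13", "curl": "8.5.0"},
}

# Constructed: an image someone built by hand, with four deviations.
DRIFTED_VM = {
    "settings": {
        "sshd.PasswordAuthentication": "yes",   # wrong value
        "sshd.PermitRootLogin": "no",
        "disk.root.encrypted": True,
        "firewall.default_inbound": "deny",     # agent.logforwarding is missing
    },
    "packages": {"openssl": "1.1.1", "telnetd": "0.17"},  # old openssl, forbidden telnetd
}


if __name__ == "__main__":
    for label, vm in (("compliant", COMPLIANT_VM), ("drifted", DRIFTED_VM)):
        print(f"{label}: release={'yes' if build_gate(vm) else 'no'}")
        for finding in check_baseline(vm):
            print("  -", finding)
```

Keeping the baseline as data rather than as scattered build-script logic is what lets the same document serve three purposes: the build tool applies it, the gate above verifies it, and a later scan (card 67's alternative) can be diffed against the same source of truth.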
68
You are the compliance officer for a medical device manufacturing firm. Your company maintains a cloud-based list of patients currently fitted with your devices for long-term care and quality assurance purposes. The list is maintained in a database that cross-references details about the hardware and some billing data. In this situation, who is likely to be considered the data custodian under many privacy regulations and laws? A. You (the compliance officer) B. The cloud provider’s network security team C. Your company D. The database administrator
**Answer: D. The database administrator** **The custodian is usually that specific entity in charge of maintaining and securing the privacy-related data on a daily basis, as an element of the data’s use.** The compliance officer might be considered a representative of the data controller (your company), or perhaps the data steward, depending on how much actual responsibility and interaction with the data you have on a regular basis. Option A is not as accurate as option D. The cloud provider (and anyone working for the provider) would be considered the data processor under most privacy regulations; option B is incorrect. Your company is the data controller, the legal entity ultimately responsible for the data. Option C is incorrect.
69
You are conducting an audit of a cloud service provider and are unsure about the types of tests that you should plan. Which resource provides the most definitive guidance? A. Client organization management B. Applicable audit standard C. Client organization chief audit executive D. Auditor organization management
**Answer: B. Applicable audit standard** The most definitive source of guidance when conducting an audit is the standard under which the audit is being conducted. Auditors may consult other sources for guidance when interpreting standards, but the standard remains the definitive reference.
70
When a conflict of laws occurs, ________________determines the jurisdiction in which the dispute will be heard. A. Tort law B. Doctrine of Proper Law C. Common law D. Criminal law
**Answer: B. Doctrine of Proper Law** The Doctrine of Proper Law is used when a dispute arises over which jurisdiction's law will govern a case, typically by selecting the legal system with the closest and most real connection to the matter. Tort law covers civil liability suits for harm caused by one party to another. Common law is the body of law developed through judicial precedent rather than statute. Criminal law covers violations of state or federal criminal codes.
71
Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? A. His supply chain B. His vendor contracts C. His post-purchase build process D. The original equipment manufacturer (OEM)
**Answer: A. His supply chain** Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.
72
Greg is evaluating a new vendor that will be supplying networking gear to his organization. Due to the nature of his organization’s work, Greg is concerned that an attacker might attempt a supply chain exploit. Assuming that both Greg’s organization and the vendor operate under reasonable security procedures, which one of the following activities likely poses the greatest supply chain risk to the equipment? A. Tampering by an unauthorized third party at the vendor’s site B. Interception of devices in transit C. Misconfiguration by an administrator after installation D. Tampering by an unauthorized third party at Greg’s site
**Answer: B. Interception of devices in transit** If the vendor operates with reasonable security procedures, it is unlikely that the devices will be tampered with at the vendor’s site. Similarly, if Greg’s organization has reasonable security procedures, tampering at his site is also unlikely. Misconfiguration by an administrator is always possible, but this is a post-installation risk and not a supply chain risk. It is possible that devices will be intercepted and tampered with while in transit from the vendor to Greg’s organization.
73
What is an accounting report on controls at a service organization that replaces older SAS 70 type reports? A. SOC 1 B. SSAE 16 C. GAAP D. SOC 2
**Answer: A. SOC 1** The correct answer is the SOC 1 report, which assesses the controls at a service organization relevant to its customers' financial reporting and replaced the report formerly produced under SAS 70. A SOC 2 report covers controls against one or more of the five AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). SSAE 16 was the attestation standard under which SOC reports were produced (since superseded by SSAE 18), not a report itself, and GAAP is the set of generally accepted accounting principles used to prepare financial statements.
74
In which of the following cases would it be most appropriate to engage an internal auditor? A. Confirming the accuracy of financial statements B. Certifying against an international standard C. Investigating employee malfeasance D. Complying with PCI DSS requirements
**Answer: C. Investigating employee malfeasance** Internal audit teams perform a variety of audits and assessments that are mainly used by internal customers. It is quite common for these teams to investigate employee malfeasance. Internal auditors are generally not used when the customer is external. Examples include providing audited financial statements (where the investing public is the customer), certifying against an international standard (where the certification requires an independent audit), and complying with PCI DSS or other regulatory requirements that demand an independent assessment.
75
Which one of the following frameworks is a U.S. federal law governing privacy? A. PCI DSS B. CCPA C. GDPR D. HIPAA
**Answer: D. HIPAA** The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law governing the privacy of protected health information. The California Consumer Privacy Act (CCPA) is a California state law. The General Data Protection Regulation is European Union law. The Payment Card Industry Data Security Standard (PCI DSS) is a private contractual relationship and is not a law.
76
You operate a cloud service and would like to provide potential customers with a report that confirms the effectiveness of your security controls and is appropriate for use by the general public. What type of audit should you conduct? A. SOC 1 B. SOC 2 C. SOC 3 D. SOC 4
**Answer: C. SOC 3** SOC 3 reports cover the same Trust Services Criteria as SOC 2 reports but are intended for a general audience and may be distributed freely, for example on a provider's website. SOC 2 reports cover the security, availability, processing integrity, confidentiality, and privacy of systems in detail and are intended for restricted audiences because they contain sensitive information; they should only be shared with customers and prospects under a nondisclosure agreement. SOC 1 reports cover only the controls relevant to customers' financial statements and reporting. SOC 4 reports do not exist.
77
Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies? A. Data custodian B. Data owner C. Data user D. Auditor
**Answer: A. Data custodian** The data custodian role is assigned to an individual who is responsible for implementing the security controls defined by policy and senior management. The data owner does bear ultimate responsibility for these tasks, but the data owner is typically a senior leader who delegates operational responsibility to a data custodian.
78
A _____________ typically employs a set of methods, principles, or rules for assessing risk based on absolute numerical values. A. Qualitative assessment B. One-sided assessment C. Vulnerability assessment D. Quantitative assessment
**Answer: D. Quantitative assessment** A quantitative assessment employs a set of methods or rules much like a qualitative assessment, with the difference being the use of absolute numerical values. So instead of High, Medium, and Low, values such as 1, 2, and 3 are used, respectively.
79
Nolan is a procurement officer for a U.S. federal government agency and is selecting a cloud service provider. What program offers a set of prescreened cloud providers authorized for use in the federal government? A. FIPS 140- 2 B. NIST 800- 53 C. ISO 27017 D. FedRAMP
**Answer: D. FedRAMP** The Federal Risk and Authorization Management Program (FedRAMP) maintains a marketplace of cloud service offerings that have been assessed and authorized for use by U.S. government agencies. FIPS 140-2 (now succeeded by FIPS 140-3) is a security standard for cryptographic modules. ISO 27017 is a code of practice for information security controls in cloud services, but it does not offer a list of prescreened providers. NIST SP 800-53 is a catalog of security and privacy controls for information systems.
80
What procedures should an organization follow when collecting evidence from a security incident that may be used in court? A. Digital forensics B. ISO 27001 C. Common law D. eDiscovery
**Answer: A. Digital forensics** Digital forensics procedures outline how to collect, preserve, and analyze evidence, with a documented chain of custody, so that it may be relied upon in court. eDiscovery may use forensic techniques, but it is specifically intended to identify and produce electronically stored information in response to litigation and legal hold obligations, not to collect evidence from security incidents. Common law is a set of legal principles derived from judicial precedent. ISO 27001 is a standard specifying the requirements for an information security management system (ISMS).
80
Which one of the following principles requires that organizations put governance structures in place to ensure they are meeting their obligations? A. Due diligence B. Separation of duties C. Due care D. Least privilege
**Answer: A. Due diligence** Due diligence includes all of the prior planning done to create an environment where due care can succeed. This includes creating governance structures and frameworks.
81
You would like to ensure that your organization’s insurance policy covers the damage resulting from a security incident sufficiently to allow you to resume operations. What asset valuation technique should you use? A. Depreciated value B. Original cost C. Estimation D. Replacement cost
**Answer: D. Replacement cost** The replacement cost technique values assets at the price it would take to replace them on the current market and is the most appropriate technique to use when looking to cover your costs. The original cost technique uses the purchase price of equipment. The depreciated value technique takes the original cost and reduces it over the expected life of the equipment. Estimation simply makes an informed guess of the asset value.
82
You are concerned that you may no longer have access to the necessary source code if a cloud vendor ceases operations. What security control would best protect against this risk? A. Contractual terms B. Escrow C. SLA D. Litigation
**Answer: B. Escrow** If your cloud vendor goes out of business, any legal and contractual terms you have with them will be essentially useless. Therefore, you should not rely upon contractual terms, service-level agreements (SLAs), or litigation to resolve this issue. Escrow places a copy of the code in the hands of an independent third party who will release it to customers if the vendor goes out of business.
83
What is a type of assessment that employs a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels?

A. Quantitative assessment
B. Qualitative assessment
C. Hybrid assessment
D. SOC 2
**Answer: B. Qualitative assessment** A qualitative assessment is a set of methods or rules for assessing risk based on non-numerical categories or levels. An assessment that uses numerical values instead is called a quantitative assessment. There is no such thing as a hybrid assessment, and an SOC 2 is an accounting report regarding control effectiveness.
84
Which one of the following terms is not commonly found in cloud service provider contracts?

A. Right to access facilities
B. Right to audit
C. Termination provisions
D. Right to access data
**Answer: A. Right to access facilities** Cloud vendor contracts typically provide customers with the right to either perform audits or receive the results of independent audits. They also normally include termination provisions and the right of the customer to access their own data. Cloud providers generally do not grant customers the right to access their facilities in order to ensure the security of data belonging to other customers.
85
Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

A. ITIL
B. ISO 27002
C. CMM
D. PMBOK Guide
**Answer: B. ISO 27002** ISO 27002 is an international standard focused on information security and titled “Information technology — Security techniques — Code of practice for information security management.” The Information Technology Infrastructure Library (ITIL) does contain security management practices, but security is not the sole focus of the document, and the ITIL security section is derived from ISO 27002. The Capability Maturity Model (CMM) is focused on software development, and the Project Management Body of Knowledge (PMBOK®) Guide focuses on project management.
86
When an organization uses a cloud service provider to handle protected health information, who is responsible for securing that data?

A. Customer
B. Cloud provider
C. Both the customer and the cloud provider
D. Neither the customer nor the cloud provider
**Answer: C. Both the customer and the cloud provider** Cloud services operate under a shared responsibility model. Depending on the nature of the cloud service and the terms of the contract, security responsibilities will be split between the customer and the service provider.
87
What term is used to describe an individual within an organization who has been delegated day-to-day responsibility for decision-making about a category of information?

A. Data owner
B. Data custodian
C. Data processor
D. Data steward
**Answer: D. Data steward** The data steward is an individual who has been delegated responsibility by a data owner for particular categories of information. Data custodians are those responsible for handling and protecting information, such as IT professionals. Data processors are third-party organizations that handle information on behalf of an organization.
87
Ron is the CISO of a U.S. company that is entering into a business partnership with a European firm. The European firm will be sending his company customer records to run through Ron’s firm’s proprietary credit scoring algorithm. Under GDPR, what role will Ron’s company have relative to the customer data?

A. Data controller
B. Data owner
C. Data subject
D. Data processor
**Answer: D. Data processor** Ron’s company is a data processor in this instance, as it is receiving records from the European firm. The European firm is the data controller in this case, as it bears responsibility for the data. The individuals described in the records are the data subjects. Data owners are tasked with making decisions about data such as who receives access to it and how it is used.
88
Which of the following would normally be considered a supply chain risk? (Choose all that apply.)

A. Adversary tampering with hardware prior to being shipped to the end customer
B. Adversary hacking into a web server run by the organization in an IaaS environment
C. Adversary using social engineering to compromise an employee of an SaaS vendor to gain access to customer accounts
D. Adversary conducting a denial-of-service attack using a botnet
**Answer: A, C** Supply chain risks occur when the adversary is interfering with the delivery of goods or services from a supplier to the customer. This might involve tampering with hardware before the customer receives it or using social engineering to compromise a vendor employee. Hacking into a web server run in an IaaS environment is not a supply chain risk because the web server is already under the control of the customer. Using a botnet to conduct a denial-of-service attack does not involve any supply chain elements.
89
For questions 91–93, please refer to the following scenario:

Henry is the risk manager for Atwood Cloud Services, an SaaS provider in the midwestern United States. The firm’s main datacenter is located in northern Indiana in an area that is prone to tornadoes. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the datacenter would cost $10 million. Henry consulted with tornado experts, datacenter specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.

Based on the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s datacenter?

A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent
**Answer: C. 50 percent** The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50 percent.
90
Based on the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing’s datacenter?

A. 0.0025
B. 0.005
C. 0.01
D. 0.015
**Answer: B. 0.005** The annualized rate of occurrence is the number of times that risk analysts expect a risk to happen in any given year. In this case, the analysts expect tornadoes once every 200 years, or 0.005 times per year.
91
Based on the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s datacenter?

A. $25,000
B. $50,000
C. $250,000
D. $500,000
**Answer: A. $25,000** The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.
92
Tamara recently decided to purchase cyber-liability insurance to cover her company’s costs in the event of a data breach at a cloud service provider. What risk management strategy is she pursuing?

A. Risk acceptance
B. Risk mitigation
C. Risk transference
D. Risk avoidance
**Answer: C. Risk transference** Risk transference involves shifting the impact of a potential risk from the organization that incurs the risk to another organization. Insurance is a common example of risk transference.
93
The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

[Figure: risk matrix divided into quadrants I, II, III, and IV]

A. I
B. II
C. III
D. IV
**Answer: A. I** The risk assessment team should pay the most immediate attention to those risks that appear in quadrant I. These are the risks with a high probability of occurring and a high impact on the organization if they do occur.
94
Jim starts a new job as a system engineer, and he is reviewing a team document titled “Forensic Response Guidelines for Cloud Services.” Which one of the following statements is not true?

A. Jim must comply with the information in this document.
B. The document contains information about forensic examinations.
C. Jim should read the document thoroughly.
D. The document is likely based on industry best practices.
**Answer: A. Jim must comply with the information in this document.** Guidelines provide advice based on best practices developed throughout the industry and organizations, but they are not compulsory. Compliance with guidelines is optional.
95
Which one of the following laws does not contain breach notification requirements?

A. GLBA
B. HIPAA/HITECH
C. FERPA
D. GDPR
**Answer: C. FERPA** Most privacy laws include a breach reporting requirement. These provisions exist in the Gramm-Leach-Bliley Act (GLBA), the Health Information Technology for Economic and Clinical Health (HITECH) amendments to the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR). The Family Educational Rights and Privacy Act (FERPA) does not contain breach reporting requirements.
96
Which one of the following metrics would not commonly be found in an SLA?

A. Network performance
B. Compute capacity
C. Help desk response time
D. Number of security incidents
**Answer: D. Number of security incidents** Service-level agreements (SLAs) generally include operational metrics, such as network performance, compute capacity, and help desk response times. They would generally not set standards for the number of security incidents because that metric would incentivize the service provider to cover up security incidents rather than openly share information.
97
You are the CISO for a major hospital system and are preparing to sign a contract with a software-as-a-service (SaaS) email vendor and want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

A. SOC 1
B. FISMA
C. PCI DSS
D. SOC 2
**Answer: D. SOC 2** The Service Organization Control audit program includes business continuity controls in an SOC 2 audit, but not in an SOC 1 audit. Although FISMA and PCI DSS may audit business continuity, they would not apply to an email service used by a hospital.
98
Which of the following is probably least suited for inclusion in the service-level agreement (SLA) between a cloud customer and cloud provider?

A. Bandwidth
B. Jurisdiction
C. Storage space
D. Availability
**Answer: B. Jurisdiction** The SLA should contain elements of the contract that can be subject to discrete, objective, repeatable, and numeric metrics. Jurisdiction is usually dictated by location instead; it should be included in the contract but is probably not useful to include in the SLA. All the other options are excellent examples of items that can and should be included in the SLA.