FORMATIVE 2 Flashcards
(25 cards)
A contractor is hired to review and perform cybersecurity vulnerability assessments for a local health clinic facility. Which U.S. government regulation must the contractor understand before the contractor can start?
GDPR
GLBA
HIPAA
FedRAMP
HIPAA
An Internal Revenue Service office in New York is considering moving some services to a cloud computing platform. Which U.S. government regulation must the office follow in the process?
GDPR
FFIEC
HIPAA
FedRAMP
FedRAMP
An US university in California plans to offer online courses to students in partner universities in France and Germany. Which regulation should the university follow when those courses are offered?
GDPR
HIPAA
FERPA
FedRAMP
GDPR
Which U.S. government agency is responsible for enforcing the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (GLB Act)?
Securities and Exchange Commission (SEC)
Commodity Futures Trading Commission (CFTC)
Federal Trade Commission (FTC)
Federal Deposit Insurance Corporation (FDIC)
Federal Trade Commission (FTC)
In the healthcare sector, which term defines an entity that processes nonstandard health information it receives from another entity into a standard format?
health plan
healthcare provider
business associates
healthcare clearinghouse
healthcare clearinghouse
In the healthcare sector, which term is used to define an entity that provides payment for medical services?
health plan
healthcare provider
business associates
healthcare clearinghouse
health plan
In e-commerce, what determines the application of the Payment Card Industry Data Security Standard (PCI DSS) requirements?
merchant
payment brand
primary account number
approved scanning vendor
primary account number
What are two examples of sensitive authentication data associated with a payment card that requires compliance with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose two.)
expiration date
cardholder name
CAV2/CVC2/CVV2/CID
primary account number
full magnetic strip data or equivalent data on a chip
CAV2/CVC2/CVV2/CID
full magnetic strip data or equivalent data on a chip
Match the parts of Recommendation for Key Management in the NIST SP 800-57 to the description:
provides guidance on policy and security planning requirements for U.S. government agencies
provides guidance when using the cryptographic features of current systems
provides general guidance and best practices for the management of cryptographic keying material
Part 1 : General -
Part 2 : Best Practices for Key Management Organization -
Part 3 : Application Specific Key Management Guidance -
Part 1 : General - provides general guidance and best practices for the management of cryptographic keying material
Part 2 : Best Practices for Key Management Organization - provides guidance on policy and security planning requirements for U.S. government agencies
Part 3 : Application Specific Key Management Guidance - provides guidance when using the cryptographic features of current systems
An employee of a cybersecurity consulting firm in the U.S. is assigned to help assess the system and operation vulnerabilities of several financial institutions in Europe. The task includes penetration tests for compliance. What is a key element the employee must have before starting the assignment?
state-of-the-art penetration testing tools
valid user credentials to perform tests at each client institution
detailed network diagrams and asset inventories from each client institution
documentation of permission for performing the tests from the client institutions
documentation of permission for performing the tests from the client institutions
A company hires a cybersecurity professional to perform penetration tests to assess government regulation compliance. Which legal document should be provided to the cybersecurity professional that specifies the expectations and constraints, including quality of work, timelines, and cost?
statement of work (SOW)
service-level agreement (SLA)
non-disclosure agreement (NDA)
master service agreement (MSA)
service-level agreement (SLA)
A company hires a cybersecurity professional to perform penetration testing to assess government regulation compliance. Which document will be provided to the cybersecurity professional that specifies a detailed and descriptive list of all the deliverables, including the scope of the project, the timeline and report delivery schedule, the location of the work, and payment schedule?
statement of work (SOW)
service-level agreement (SLA)
master service agreement (MSA)
non-disclosure agreement (NDA)
statement of work (SOW)
A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. The company wants the consultant to disclose information to them and no one else. Which type of NDA agreement should be presented to the consultant?
mutual NDA
bilateral NDA
unilateral NDA
multilateral DNA
unilateral NDA
A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. Which document must the consultant receive that specifies the agreement between the consultant and the company for the penetration testing engagement?
contract
disclaimers
statement of work
non-disclosure agreement
contract
A company hires a cybersecurity consultant to perform penetration testing to assess government regulation compliance. The consultant is preparing the final report after the penetration testing is completed. In which section of the report should the consultant cover the limitation of the work performed, such as the only dates when the testing is performed and that the findings mentioned in the report do not guarantee that all vulnerabilities are covered?
disclaimers
scope of work
findings and analysis
non-disclosure statement
disclaimers
A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. What are three examples of typical elements in the rules of engagement document? (Choose three.)
testing timeline
payment schedule
location of testing
non-disclosure agreement
preferred method of communication
unknown-environment testing condition
testing timeline
location of testing
preferred method of communication
A company hires a cybersecurity consultant to perform penetration tests and review the rules of engagement documents. The consultant notices that one element specifies that the tests should be performed toward only web applications on websites www1.company.com and www2.company.com, with no social engineering attacks and no cross-site scripting attacks. Which element in the document is used for the specification?
location of testing
types of allowed or disallowed tests
IP addresses or networks from which testing will originate
the security controls that could potentially detect or prevent testing
types of allowed or disallowed tests
A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about an XML-based language used to document a web service’s functionality?
GraphQL documentation
Swagger (OpenAPI) documentation
Web Services Description Language (WSDL) document
Web Application Description Language (WADL) document
Web Services Description Language (WSDL) document
A company hires a cybersecurity consultant to assess applications using different APIs. Which document should the company provide to the consultant about a query language for APIs and a language for executing queries at runtime?
GraphQL documentation
Swagger (OpenAPI) documentation
Web Services Description Language (WSDL) document
Web Application Description Language (WADL) document
GraphQL documentation
A company hires a cybersecurity consultant to assess vulnerability on crucial web application devices such as web and database servers. Which document should the company provide to help the consultant document and define what systems are in the testing?
examples of application requests
source codes of the applications
system and network architectural diagram
software development kit (SDK) for specific applications
system and network architectural diagram
A company hires a cybersecurity consultant to perform penetration tests. What can cause scope creep of the engagement?
lack of up-to-date testing tools
lack of system and network architectural diagrams
poor formatted request for proposal (RFP) by the company
ineffective identification of what technical and nontechnical elements will be required for the penetration test
ineffective identification of what technical and nontechnical elements will be required for the penetration testing
A company hires a cybersecurity consultant to perform penetration tests. What should be the consultant’s first step in validating the engagement scope?
Confirm the contents of the request for proposal (RFP).
Request user credentials in accessing targeted systems.
Question the company contact person and review contracts.
Ensure that systems and network architectural diagrams are accurate.
Question the company contact person and review contracts.
A company hires a cybersecurity consultant to perform penetration tests. The consultant is working with the company to set up communication procedures. Which two protocols should be considered for exchanging emails securely? (Choose two.)
SCP
PGP
SFTP
HTTPS
S/MIME
PGP
S/MIME
A company hires a cybersecurity consultant to perform penetration tests. The consultant is discussing with the company about the penetration testing strategy. Which statement describes the term unknown-environment testing?
This is a type of testing where the scope of the work could be extended later.
This is a type of testing where the time frame of the work can be flexible and extension is possible.
This type is a type of testing where the budget can be further negotiated throughout the testing.
This type of testing is where the consultant will be provided with very limited information about the targeted systems and network.
This type of testing is where the consultant will be provided with very limited information about the targeted systems and network.
