M4: Quizzes

Question 1

1. All of the following are components of a cybersecurity strategy, EXCEPT:

A. Recover
B. Respond
C. Implementation
D. Identify

Answer 1

C. Implementation

Text, pg 156

Question 2

Data breaches cost organizations on average __________million dollars.

A. 3.8
B. 5.9
C. 4.7
D. 3.5

Answer 2

B. 5.9

Text pg 118

Question 3

______ is information that can be used to distinguish or trace an individual’s identity.

A. PHI
B. PIH
C. PII
D. IPI

Answer 3

C. PII

Study guide pg 6, learning outcome 1.3(a); text pg 135-136

Question 4

Section ________of ERISA generally requires a fiduciary to discharge their duties with respect to a plan solely in the interest of the participants and beneficiaries.

A. 304(a)
B. 404(b)
C. 404(a)
D. 344(a)

Answer 4

C. 404(a)

Study guide pg 7, learning outcome 1.5; text pg 118

Question 5

______________ is when cybercriminals encrypt and seize an entire hard drive and will only release it for a high ransom.

A. Phishing
B. Ransomware
C. Wire transfer email fraud
D. Malware via external devices

Answer 5

B. Ransomware

Study guide pg 8, learning outcome 2.1; text pg 133

Question 6

All of the following are data breaches that a government agency identified as having occurred with retirement plans, EXCEPT:

A. Failure to install security system updates
B. An email hoax (phishing attack)
C. Social Security numbers mailed to wrong addresses
D. Using different passwords for multiple clients

Answer 6

D. Using different passwords for multiple clients

Study guide pg 9, learning outcome 2.2; text pg 119

Question 7

_____specifies rules for business associate agreements that plan sponsors enter with TPAs and other service providers.

A. HIPAA
B. FTC
C. ERISA
D. GMR

Answer 7

A. HIPAA

Study guide pg 11, learning outcome 3.2; text pg 136

Question 8

Under the terms of the GMR settlement with the FTC, the settlement will remain in force for the next ________ years.

A. Five
B. Ten
C. Twenty
D. Fifteen

Answer 8

C. Twenty

Study guide pg 12, learning outcome 3.5; text pg 122

Question 9

The DOL issued ________pieces of subregulatory guidance addressing cybersecurity practices.

A. Three
B. Five
C. Two
D. Six

Answer 9

A. Three

Study guide pg 18, learning outcome 5.1; text pg 165

Question 10

All of the following are examples of data breaches with medical plans, EXCEPT:

A. Encrypted information on laptops
B. Failure to implement physical safeguards at workstations
C. Return of photocopiers without erasing data contained on hard drives
D. Lost documents with PHI

Answer 10

A. Encrypted information on laptops

Study guide pg 9, learning outcome 2.3; text pg 119

Question 11

Employee benefit plans are susceptible to cyber
attacks, identity theft, and other forms of data
malfeasance due to the lack of personal and
identifiable information.

True or False?

Answer 11

False

Question 12

PII stands for Personally Identifiable Information.

True or False?

Answer 12

True

Question 13

Phishing is where fraudulent e-mails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a cybercriminal to infiltrate a computer network.

Answer 13

True

Question 14

The Gramm-Leach-Bliley Act controls the ways financial institutions deal with private information of individuals.

Answer 14

True

Question 15

An example of a non-commercial contracting issue that a service provider contract should address is that a plan service provider’s auditing requirements must be specified.

Answer 15

True

Question 16

PHI is defined as information that is a subset of health information, including demographic information collected from an individual.

Answer 16

True

Question 17

A plan fiduciary should assume that service providers will handle all compliance obligations.

Answer 17

False

Question 18

Ransomware is where cybercriminals encrypt and seize a hard drive and will only release it for a high ransom.

Answer 18

True

Question 19

One of the data breaches that a government agency has identified as having occurred with retirement plans is the failure to install security system updates.

Answer 19

True

Question 20

The FTC is requiring companies to take steps to verify and monitor that data-related service providers are adequately protecting the information.

Answer 20

True

Question 21

The acronym PII stands for _________________.

A. Personally indicated information
B. Probably identifiable information
C. Probably indicated information
D. Personally identifiable information

Answer 21

D. Personally identifiable information

Text pg 135

Question 22

Ransomware is a type of cyber threat that is defined as __________.

A. When cybercriminals do not encrypt data
B. Data that be released for a high ransom
C. Data that will be released for a low ransom
D. When cybercriminals encrypt, but do no seize hard drives

Answer 22

B. Data that be released for a high ransom

Text pg 161

Question 23

The Gramm-Leach-Bliley Act was enacted to ____________.

A. Meet DOL guidelines
B. Control the way financial institutions deal with private information of individuals
C. Meet HIPAA guidelines
D. Provide fair credit reporting

Answer 23

B. Control the way financial institutions deal with private information

Text pg 163

Question 24

Which of the following is a U.S. governmental organization that has published a cybersecurity framework to set voluntary standards and best practices for managing cybersecurity risks to critical infrastructure services?

A. RIST
B. MIST
C. NIST
D. GIST

Answer 24

C. NIST

Text pg 161

Question 24

A case was filed against GMR Transcription Services, Inc. for a privacy breach. The results of the case were _____________. A. The case was in violation of Section 7 of the Federal Trade Commission Act B. The FTC concluded that GMR’s failure to adequately choose, contract with, and oversee a data service provider constituted an unfair and deceptive trade practice C. The GMR case involved the deliberate exposure of personal medical data maintained by GMR D. The FTC additionally found that GMR was not deficient in conducting due diligence before hiring its data service provider

Answer 24

B. The FTC concluded that GMR’s failure to adequately choose, contract with, and oversee a data service provider constituted an unfair and deceptive trade practice Text pg 121

Question 25

The terms of the GMR settlement with the Fair Trade Commission (FTC) were that _________. A. The settlement of the GMR case will remain in force for the next 25 years B. The program must be evaluated both initially and every five years by a certified third party C. GMR does not have to establish a comprehensive information security program D. GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information

Answer 25

D. GMR and its owners are prohibited from misrepresenting the extent to which they maintain the privacy and security of consumers’ personal information Text pg 122

Question 26

The second piece of the newly passed DOL guidance, Cybersecurity Best Practices, addresses ERISA plan record keepers and other service providers and __________. A. Summarizes best practices that plan service providers should implement to mitigate exposure to cybersecurity risks B. Confirms that organizations do not need to have strong access control procedures C. Establishes that it is acceptable to have a cybersecurity program that is not formally documented D. Points out that plan fiduciaries do not have to be aware of best practices

Answer 26

A. Summarizes best practices that plan service providers should implement to mitigate exposure to cybersecurity risks Text pg 175

Question 27

Phishing and how it affects organizations is best defined as __________. A. Fraudulent emails that are sent to infiltrate computer networks B. When cybercriminals encrypt and seize an entire hard drive C. Cybercriminals pretending to be senior executives and asking employees to transfer funds D. When intrusive and harmful software is stored on an external drive, inserted, and executed on a network computer

Answer 27

A. Fraudulent emails that are sent to infiltrate computer networks Text pg 133

Question 28

The number of information security vulnerabilities in a given system, expressed as the difference between the attacks known to defenders and the attacks known to malicious actors is defined as the _______________. A. Cyber hole B. Cyber gap C. Cyber loop D. Cyber threat

Answer 28

B. Cyber gap Text pg 160

Question 29

One reason that a data breach could occur relative to medical plans is ____________. A. From encrypted information on laptops B. From the implementation of physical safeguards at workstations C. From lost documents with PII D. From the disposal of prescriptions in trash containers accessible to the public

Answer 29

D. From the disposal of prescriptions in trash containers accessible to the public Text pg 119

Question 30

The DOL can assess penalties on plan sponsors up to __ per annual Form 5500 report filing where the required auditor report is missing or deficient. A. $60,000 B. $40,000 C. $35,000 D. $50,000

Answer 30

D. $50,000 Study Guide, Module 5, Pg. 10, Learning Outcome 2.1 Textbook, Pg.187

Question 31

The types of deficiencies and weaknesses that auditors commonly communicate to management include of the following, EXCEPT: A. Internal plan processes B. Regulatory requirements C. Audit costs D. Outside service providers

Answer 31

C. Audit costs Study Guide, Module 5, Pg. 19, Learning Outcome 4.5 Textbook, Pg. 206