Module 22 - Governance and Compliance Flashcards

(187 cards)

1
Q

Which process determines who is authorized to make cybersecurity risk decisions and ensures alignment with business goals and compliance?

A

IT security governance

2
Q

Which function ensures that risk decisions in cybersecurity are accountable and appropriately mitigated?

A

IT security governance

3
Q

Which process involves defining and implementing controls to mitigate security risks, as distinct from governance?

A

IT security management

4
Q

Which type of governance specifically defines who can make decisions about data in an organization?

A

Data governance

5
Q

Which governance role is responsible for ensuring compliance, classifying data, and determining access criteria?

A

Data owner

6
Q

Who assigns the proper classification to information assets and defines who may access them?

A

The data owner

7
Q

Which data governance role determines why and how personal data is processed?

A

Data controller

8
Q

Who has the authority to set the purpose and means of personal data processing within an organization?

A

The data controller

9
Q

Which role processes personal data on behalf of the data controller, and is often a third party?

A

Data processor

10
Q

Who carries out the actual handling of personal data as instructed by the data controller?

A

The data processor

11
Q

Which role is responsible for implementing data classification and technical controls based on the rules set by the data owner?

A

Data custodian

12
Q

Who is responsible for applying the correct technical measures to protect data under the data owner's policies?

A

The data custodian

13
Q

Which role ensures that data supports both the business's needs and regulatory compliance?

A

Data steward

14
Q

Who ensures data quality and utility across both business and regulatory dimensions?

A

The data steward

15
Q

Which role oversees the organization's overall strategy for protecting personal data?

A

Data protection officer

16
Q

Who is tasked with developing and monitoring a company's data protection policies?

A

The data protection officer

17
Q

Which role in data governance is responsible for both compliance and ensuring that data meets business requirements?

A

Data steward

18
Q

Who typically defines the security and classification rules that custodians implement?

A

The data owner

19
Q

Which role ensures that classification and security controls for data are correctly enforced?

A

Data custodian

20
Q

Which type of document outlines an organization's cybersecurity vision, goals, scope, and responsibilities?

A

A cybersecurity policy

21
Q

Which document sets behavioral and security standards for protecting technology and information assets?

A

A cybersecurity policy

22
Q

What does a cybersecurity policy provide to the security team from senior management?

A

Support and authority for implementing controls

23
Q

What does a cybersecurity policy define in order to handle rule-breaking?

A

The legal consequences of policy violations

24
Q

Which type of cybersecurity policy acts as a strategic plan and blueprint for implementing security controls?

A

A master cybersecurity policy

25
Q

Which policy serves as the foundation for the organization's overall cybersecurity program?

A

A master cybersecurity policy

26
Q

Which cybersecurity policy is tailored to specific devices or systems and standardizes their software, hardware, and configurations?

A

A system-specific policy

27
Q

Which policy type ensures standardization of approved applications, OS settings, and hardening measures for certain systems?

A

A system-specific policy

28
Q

Which cybersecurity policy addresses particular operational issues, circumstances, or conditions with detailed requirements?

A

An issue-specific policy

29
Q

Which policy provides in-depth guidance for specific issues or operational conditions?

A

An issue-specific policy

30
Q

Which type of cybersecurity policy is typically developed for a server or workstation to define its secure configuration?

A

A system-specific policy

31
Q

Which policy type focuses on detailed, scenario-based requirements rather than broad strategy or system-wide settings?

A

An issue-specific policy

32
Q

Which document demonstrates an organization's commitment to cybersecurity at a high level?

A

A cybersecurity policy

33
Q

Which type of policy outlines who is allowed to access network resources and what verification is required?

A

An identification and authentication policy

34
Q

Which policy defines access permissions and authentication procedures for network users?

A

An identification and authentication policy

35
Q

Which policy sets the minimum character requirements and renewal frequency for user passwords?

A

A password policy

36
Q

Which type of policy may require passwords to include special characters and to be changed regularly?

A

A password policy

37
Q

Which policy defines the rules for how employees may use network resources and the consequences of violations?

A

AUP (Acceptable Use Policy)

38
Q

Which policy governs how users can access internal systems and outlines penalties for misuse?

A

AUP (Acceptable Use Policy)

39
Q

Which policy explains how to securely connect to an organization's internal network from an external location?

A

A remote access policy

40
Q

Which type of policy defines which internal resources are accessible during a remote session?

A

A remote access policy

41
Q

Which policy provides instructions for updating operating systems and end-user software within the organization?

A

A network maintenance policy

42
Q

Which policy ensures consistent procedures for maintaining and patching network systems?

A

A network maintenance policy

43
Q

Which policy outlines how to report and respond to security-related events?

A

An incident handling policy

44
Q

Which type of policy helps employees respond appropriately to cybersecurity threats or breaches?

A

An incident handling policy

45
Q

Which policy defines the rules for storing, classifying, handling, and disposing of data?

A

A data policy

46
Q

Which policy may specify data classification levels such as confidential, public, or private?

A

A data policy

47
Q

Which policy establishes the rules for how passwords or other credentials should be composed?

A

A credential policy

48
Q

Which type of policy might require credentials to meet specific length and complexity standards?

A

A credential policy

49
Q

Which policy provides overarching guidance on how organizational tasks such as change control or asset management are conducted?

A

An organizational policy

50
Q

Which policy may include procedures for change management and for tracking assets?

A

An organizational policy

51
Q

Which field relies on personal judgment to choose the right course of action when no clear legal or procedural answer is available?

A

Ethics

52
Q

Which internal guide helps cybersecurity specialists distinguish right from wrong when making decisions?

A

Ethics

53
Q

Which ethical theory, developed by Jeremy Bentham and John Stuart Mill, bases morality on the consequences of actions?

A

Utilitarian ethics

54
Q

Which ethical theory evaluates actions based on whether they produce the greatest good for the greatest number of people?

A

Utilitarian ethics

55
Q

Which approach treats outcomes as the most important factor in determining whether an action is moral?

A

Utilitarian ethics

56
Q

Which ethical perspective is based on respecting each individual's right to make their own choices, including rights to truth, privacy, and fairness?

A

The rights approach

57
Q

Which ethical framework values the fundamental rights of the individual, such as safety and privacy?

A

The rights approach

58
Q

Which ethical theory argues that decisions must not violate the rights of others, regardless of broader consequences?

A

The rights approach

59
Q

Which approach defines ethical actions as those that benefit the entire community and reflect shared values and goals?

A

The common good approach

60
Q

Which ethical framework challenges individuals to act in ways that support the welfare of all community members?

A

The common good approach

61
Q

Which ethical model promotes decisions that align with collective well-being rather than individual benefit?

A

The common good approach

62
Q

Which organization, based in Washington, DC, created the Ten Commandments of Computer Ethics?

A

The Computer Ethics Institute

63
Q

Which type of cybercrime uses a computer as the primary target of the criminal activity, as in hacking or DoS attacks?

A

A computer-targeted crime

64
Q

Which category of cybercrime includes activities such as malware attacks and denial-of-service attempts?

A

A computer-targeted crime

65
Q

Which type of cybercrime uses a computer as a tool to carry out offenses such as fraud or theft?

A

A computer-assisted crime

66
Q

Which category covers crimes such as using a computer to commit identity theft or embezzlement?

A

Computer-assisted crimes

67
Q

Which type of cybercrime involves a computer that supports a crime without being the main tool used to commit it?

A

A computer-incidental crime

68
Q

Which cybercrime type includes storing illegally downloaded content on a computer?

A

A computer-incidental crime

69
Q

Which crime category does downloading pirated software and keeping it on a local drive fall under?

A

A computer-incidental crime

70
Q

Which U.S. agency operates the Internet Crime Complaint Center (IC3)?

A

The FBI

71
Q

Which FBI-backed program helps protect critical infrastructure by promoting public-private collaboration?

A

InfraGard

72
Q

Which U.S. industry group helps combat cybercrime, particularly intellectual property violations?

A

SIIA (Software and Information Industry Association)

73
Q

Which term refers to laws created by the U.S. Congress that include civil and criminal penalties?

A

Statutory law

74
Q

Which U.S. law prohibits unauthorized access to computers and carries both fines and prison penalties?

A

The Computer Fraud and Abuse Act

75
Q

Which type of law is enacted by a legislature such as the U.S. Congress, the Computer Fraud and Abuse Act being one example?

A

Statutory law

76
Q

Which area of law governs the activities of government agencies such as the FCC (Federal Communications Commission) and the FTC (Federal Trade Commission), ensuring that they act within their legal authority?

A

Administrative law

77
Q

Which federal agencies enforce administrative law related to cybersecurity, such as rules against intellectual property theft?

A

The FCC (Federal Communications Commission) and the FTC (Federal Trade Commission)

78
Q

Which type of law is derived from judicial decisions and case precedents accumulated over time?

A

Common law

79
Q

Which legal framework develops through court rulings and helps shape future interpretations of cybersecurity laws?

A

Common law

80
Q

Which law requires federal agencies to conduct risk assessments and maintain an annual inventory of their IT systems?

A

FISMA (Federal Information Security Management Act)

81
Q

Which legal category addresses both civil and criminal violations such as unauthorized data access?

A

Statutory law

82
Q

Which source of law helps ensure that agencies such as the FTC act within their legal limits when investigating fraud?

A

Administrative law

83
Q

Which U.S. law, enacted in 2002, requires federal agencies to establish an information security program?

A

FISMA (Federal Information Security Management Act)

84
Q

Which sector is primarily affected by the Gramm-Leach-Bliley Act (GLBA)?

A

The financial sector

85
Q

Which law gives individuals opt-out rights regarding how their shared financial information is used?

A

GLBA (Gramm-Leach-Bliley Act)

86
Q

Which legislation restricts the sharing of customer information with third parties in the financial industry?

A

GLBA (Gramm-Leach-Bliley Act)

87
Q

Which law reformed corporate accounting practices and standards after high-profile U.S. scandals?

A

SOX (Sarbanes-Oxley Act)

88
Q

Which act was passed in response to corporate accounting scandals and targets publicly traded U.S. firms?

A

SOX (Sarbanes-Oxley Act)

89
Q

Which private-sector initiative defines enforceable rules for storing, processing, and transmitting cardholder data?

A

PCI DSS (Payment Card Industry Data Security Standard)

90
Q

Which industry is directly affected by the Sarbanes-Oxley Act of 2002?

A

Corporate accounting and publicly traded firms

91
Q

Which standard did the payment card industry create to protect cardholder data and reduce fraud, with its governing council (the PCI Security Standards Council) established in 2006?

A

PCI DSS (Payment Card Industry Data Security Standard)

92
Q

Which standard exposes non-compliant organizations to fines and to loss of their card processing rights?

A

PCI DSS (Payment Card Industry Data Security Standard)

93
Q

Which set of rules, though not a law and enforced only through contract with the card brands, can result in fines of up to $500,000 for violations?

A

PCI DSS (Payment Card Industry Data Security Standard)

94
Q

Which type of U.S. laws require organizations to notify individuals when their personal data is breached?

A

Security breach notification laws

95
Q

Which law protects electronic communications such as email and phone calls from unauthorized access, interception, or disclosure?

A

ECPA (Electronic Communications Privacy Act)

96
Q

Which law, passed in 1986, prohibits unauthorized access to computer systems and trafficking in access credentials?

A

CFAA (Computer Fraud and Abuse Act)

97
Q

Which law criminalizes knowingly transmitting code that causes damage to a computer system?

A

CFAA (Computer Fraud and Abuse Act)

98
Q

Which act, passed in 1974, governs how federal agencies collect, maintain, use, and disseminate PII held in systems of records?

A

The Privacy Act of 1974

99
Q

Which law includes a presumption of disclosure, meaning records must be released unless a valid exemption applies?

A

FOIA (Freedom of Information Act)

100
Q

Which act gives the public access to U.S. government records and places the burden on the government to justify withholding information?

A

FOIA (Freedom of Information Act)

101
Q

Which law protects the privacy of children under 13 by requiring parental consent before their data is collected online?

A

COPPA (Children's Online Privacy Protection Act)

102
Q

Which federal law governs the disclosure of educational records and operates on an opt-in (consent-based) basis?

A

FERPA (Family Educational Rights and Privacy Act)

103
Q

Which act was amended in 2013 so that Netflix and similar services may share rental histories with user consent?

A

VPPA (Video Privacy Protection Act)

104
Q

Which law originally prohibited disclosing video rental history and was later amended to allow consent-based sharing?

A

VPPA (Video Privacy Protection Act)

105
Q

What does COPPA require before personal data may be collected from children under 13?

A

Parental consent

106
Q

Which act, passed in 2000, protects children under 17 from obscene or harmful internet content?

A

CIPA (Children's Internet Protection Act)

107
Q

Which act mandates signer authentication and nonrepudiation for organizations using electronic signatures?

A

HIPAA (Health Insurance Portability and Accountability Act)

108
Q

Which law created national standards to secure the physical storage, transmission, and access to health data?

A

HIPAA (Health Insurance Portability and Accountability Act)

109
Q

Which California law, in effect since 2003, was the first to require breach notification when personal data is lost or exposed?

A

California Senate Bill 1386 (SB 1386)
