Domain 6
The CSA STAR program includes a level of certification for cloud providers that acquire third-party assessments of their environment and controls. Which STAR level is this? 1 / 2 / 3 / 4
2 - Level 1 = self-assessment / Level 2 = third-party assessment / Level 3 = continuous monitoring
Administrative penalties for violating the GDPR can range up to _______. US$1,000,000 / 500,000 euros / 20,000,000 euros / 1,000,000 euros
20,000,000 euros
The CSA Security, Trust, and Assurance Registry (STAR) program has _______ tiers. 2 / 3 / 4 / 8
3
The PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate _____. Different types of audits each must conduct / Different amounts of audits each must conduct / Different control sets based on tier level / Different cost of controls based on tier level
Different amounts of audits each must conduct
_____ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control. Due care / Due diligence / Liability / Reciprocity
Due diligence
You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the CSA STAR program, the Uptime Institute's Tier certification motif, and ________. NIST Risk Management Framework (SP 800-37) / FedRAMP / ISO 27034 / EuroCloud Star Audit Program
EuroCloud Star Audit Program
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. The OECD privacy principles influenced which lawmaking body and are readily apparent in the law(s) it created? US Congress / European Union / Politburo / International Standards Organization (ISO)
European Union
Which of the following is the legal practice of removing a suspect from one jurisdiction to another so that the suspect can face prosecution for violating laws in the latter? Applicable law / Judgements / Criminal law / Extradition
Extradition
An audit scoping statement might include constraints on all of the following aspects of an environment except ______. Limitation on destructive techniques / Prohibition of all personnel interviews / Prohibition on access to the production environment / Mandate of particular time zone review
Prohibition of all personnel interviews
Which of the following is one of the advantages of using automation in configuration management? Reduce potential for human error / Streamline novelty aspects / Avoid time zone conflicts / Hard-copy tracking
Reduce potential for human error
Which of the following practices can enhance both operational capabilities and forensic readiness? Highly trained forensic personnel / Regular full backups / A highly secure data archive / Homomorphic encryption
Regular full backups
SOC 2 reports were intended to be ________. Released to the public / Only technical assessments / Retained for internal use / Nonbinding
Retained for internal use
You're a sophomore at a small, private medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student? SOC / HIPAA / PCI DSS / FERPA
SOC
An audit against the _______ reporting mechanism will demonstrate that an organization has an adequate security control design. SOC 1 / SOC 2, Type 1 / SOC 2, Type 2 / SOC 3
SOC 2, Type 1
The current AICPA standard was created in reaction to what US federal law? Gramm-Leach-Bliley Act (GLBA) / Sarbanes-Oxley Act / Family Education Rights and Privacy Act / PCI DSS
Sarbanes-Oxley Act
You are the security manager for a software company that uses PaaS in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. What is one of the common practices used in your industry that will have to be halted until the resolution of the case? Versioning / Patching / Threat modeling / Secure destruction
Secure destruction
You are the security manager for a mid-sized nonprofit organization. Your organization has decided to use a SaaS public cloud provider for its production environment. A service contract audit reveals that while your organization has budgeted for 76 user accounts, there are currently 89 active user accounts. Your organization is paying the contract price, plus a per-account fee for every account over the contracted number. This is an example of costs incurred by ______. Data breach / Shadow IT / Intrusions / Insider threat
Shadow IT
Which of the following aspects of virtualization makes the technology useful for evidence collection? Hypervisors / Pooled resources / Snapshotting / Live migration
Snapshotting
Which of the following is one of the advantages of using automation in configuration management? Speed / Knowledge / Customization / Price
Speed
Under European Union law, what is the difference between a directive and a regulation? A directive is enforced by the member states; a regulation is enforced by an international body / A directive is put in place by statutes; a regulation is put in place by precedent / A directive is for local laws; a regulation is for laws dealing with matters outside the EU / A directive allows member states to create their own laws; a regulation is applied to all member states
A directive allows member states to create their own laws; a regulation is applied to all member states
Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case. What security control mechanism may also be useful in the e-discovery effort? Trained and aware personnel / An egress monitoring solution (DLP) / A digital rights management solution / A multifactor authentication implementation
An egress monitoring solution (DLP)
When presenting forensic evidence in court as testimony, you should include, if at all possible, _____. Your personal opinion / A clear, concise view of your side of the case / Alternative explanation / Historical examples that have bearing on the circumstances of the current case
Alternative explanation
You are the security manager for a software company that uses PaaS in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with _____ as well as the lawsuit. Spoliation / Fraud / Jurisdiction / Recompositing
Spoliation
Which of the following is not a way of managing risk? Mitigation / Acceptance / Avoidance / Streamlining
Streamlining
Which of the following should not be true about any tests performed during forensic analysis? Tests should be repeatable by opposing attorneys / Tests should be standard to the forensics industry / Tests should be performed by trained, certified professionals / Tests should be tailored and customized for specific purposes
Tests should be tailored and customized for specific purposes
The Safe Harbor program, while no longer used, allowed US companies to collect and process privacy information about EU citizens. The program was included in which law? FISMA / The EU Data Directive / HIPAA / SOX
The EU Data Directive
You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month. Which law is applicable in this instance? Belgian law / The General Data Protection Act / NIST SP 800-53 / The FISMA
The General Data Protection Act
The Generally Accepted Privacy Principles described by the AICPA are very similar to the privacy principles described by ________. The OECD and EU Data Directive/GDPR / NIST and ENISA / HIPAA and GLBA / The FTC and the US State Department
The OECD and EU Data Directive/GDPR
You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title "Computer-related attack." In this circumstance, who would likely be prosecuted? Your organization / The attacker / The victim / You, as the manager of both parties
The attacker
You are the CIO for an IT hardware manufacturer. Your company uses cloud-based SaaS services, including email. You receive a legal request for data pertinent to a case. Your e-discovery efforts will largely be dependent on _________. The cloud provider / Regulators / The cloud customer / Internal IT personnel
The cloud provider
Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case. The senior executive at your firm who is making decisions about this case suggests handing over all data the company has archived for the time frame related to the case, whether or not it may be pertinent, in order to both allow the litigant to find the pertinent data and reduce the costs your company would incur if it performed the review. What should be your response to the executive? This is an excellent idea; it fulfills the company's legal requirements and reduces the overall costs of the litigation / This is a good idea; it may alleviate some of the costs associated with the court case / This is a bad idea: the company might not realize the full cost savings that it expects / This is a horrible idea: it could lead to extensive unauthorized disclosure and additional lawsuits
This is a horrible idea: it could lead to extensive unauthorized disclosure and additional lawsuits
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Use limitation principle / Erstwhile substitution principle / Flatline cohesion principle / Airstream fluidity principle
Use limitation principle - any entity that gathers PII must only use it for that which was permitted by the data subject and for the reason given when it was collected
In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, "Does it seem as if this vendor is subject to any pending acquisitions or mergers?" In gathering data to answer this question, what are you trying to avoid? Vendor lockout / Due care / Third-party dependencies / Regulatory oversight
Vendor lockout
Which of the following is probably the most volatile form of data that might serve a forensic purpose? Virtual instance RAM / Hardware RAM / Hypervisor logs / Drive storage
Virtual instance RAM
The Privacy Shield program is ______. Voluntary for non-EU entities / Mandatory for all EU entities / Mandatory for all non-EU entities / Voluntary for all EU entities
Voluntary for non-EU entities
Who should perform the gap analysis following an audit? The security office / The auditor / A department other than the audit target / An external audit body, other than the original auditor
A department other than the audit target
When accessing an electronic storage file for forensic purposes, it is a best practice to use _______. Gloves / A trusted computing base / Sysadmin access / A write-blocker
A write-blocker - Ensures changes aren't made to the data
The PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS? Around a dozen / About 20 / About 100 / About 200
About 200
Which of the following is not a way in which an entity located outside the EU can be allowed to gather/process privacy data belonging to an EU citizen? Be located in a country with a nationwide law that complies with the EU laws / Appeal to the EU high court for permission / Create binding contractual language that complies with the EU laws / Join the Safe Harbor/Privacy Shield program in its own country
Appeal to the EU high court for permission
In which court must the defendant be determined to have acted in a certain fashion according to the preponderance of the evidence? Civil court / Criminal court / Religious court / Tribal court
Civil court
The Organization for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Amorphous curtailment principle / Collection limitation principle / State-based incorporation principle / Hard-copy instantiation principle
Collection limitation principle
The field of digital forensics does not include the practice of securely _________ data. Collecting / Creating / Analyzing / Presenting
Creating
The EU GDPR addressed performance by ________. Data subjects / Data controllers / Data processors / Data controllers and processors
Data controllers and processors
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Data quality principle / Transformative neologism principle / Encryption matrices principle / Restful state principle
Data quality principle
In the United States, who manages the Safe Harbor/Privacy Shield program for voluntary compliance with EU data privacy laws? Department of State / Department of the Interior / Department of Trade / Department of Commerce
Department of Commerce
Alice and Bob want to use the Internet to communicate privately. They each have their own asymmetric key pairs and want to use them to create temporary symmetric keys for each connection/session. Which of the following will enable them to do this? Remote authentication dial-in service (RADIUS) / Rivest-Shamir-Adleman (RSA) encryption / Diffie-Hellman exchange / Terminal Access Controller Access-Control System (TACACS)
Diffie-Hellman exchange - Allows two users to create a shared secret over an untrusted medium
________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users' and clients' privacy data. Due care / Due diligence / Liability / Reciprocity
Due care - Due diligence is the processes and activities used to ensure that due care is maintained
Under EU law, a cloud customer who gives sensitive data to a cloud provider is still legally responsible for the damages resulting from a data breach caused by the provider; the EU would say that it is the cloud customer's fault for choosing the wrong provider. This is an example of insufficient _____. Proof / Evidence / Due diligence / Application of reasonableness
Due diligence
When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize ______________. Electronic data / Hardware / Electronic data and the hardware on which it resides / Only data extracted from hardware
Electronic data and the hardware on which it resides
US federal entities are required to only use cloud data centers within the borders of the United States. Which law/standard/requirement mandates this? FISMA / FedRAMP / OECD / GDPR
FedRAMP
Which US federal government entity was the regulator for the American Safe Harbor program and is now in charge of administering the Privacy Shield program? State Department / Privacy Protection Office / Federal Trade Commission / Department of Health and Human Services
Federal Trade Commission
Which of the following practices can enhance both operational capabilities and configuration management efforts? Regular backups / Constant uptime / Multifactor authentication / File hashes
File hashes - Integrity checks for CM to compare against baselines, and for audit purposes
An IT security audit is designed to reveal all of the following except _______. Financial fraud / Malfunctioning controls / Inadequate controls / Failure to meet target standards/guidelines
Financial fraud
A(n) _______________ includes reviewing the organization's current position/performance as revealed by an audit against a given standard. SOC report / Gap analysis / Audit scoping statement / Federal guideline
Gap analysis
An audit against the ________ will demonstrate that an organization has a holistic, comprehensive security program. SAS 70 standard / SSAE 16 standard / SOC 2, Type 2 report matrix / ISO 27001 certification requirements
ISO 27001 certification requirements
An audit against the ________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements. SAS 70 standard / SSAE 16 standard / ISO 27002 certification criteria / NIST SP 800-53
ISO 27002 certification criteria
What was the first international privacy standard specifically for cloud providers? NIST SP 800-37 / PIPEDA / PCI / ISO 27018
ISO 27018
Which one of the following technologies allows you to utilize your existing TCP/IP network to manage data storage elements using IP traffic? Internet Small Computer System Interface (iSCSI) / Fibre Channel / Fibre Channel over Ethernet (FCoE) / Storage area networks (SAN)
Internet Small Computer System Interface (iSCSI)
In order to receive a SOC 2 Type 2 report from a potential provider, the provider may require you to perform/provide a(n) ______. Security deposit / Non-disclosure agreement / CSA STAR certification application / Act of fealty
Non-disclosure agreement
When implementing iSCSI in your network environment, what is one of the possible problems you can accidentally create? Neutrality / Oversubscription / Dampening / Surges
Oversubscription - Possibility of impinging on network data traffic by having too many nodes connected to storage entities and too many IPs managing them
You are the security manager for a US-based company that has branches abroad, including offices in Germany, Italy, and Brazil. If your company wants to process EU citizen PII data, one of the options is to use standard contractual clauses (also known as model contracts, or binding rules). If you choose this option, your company will have to get approval from _________. Privacy officials in Italy / Privacy officials in Brazil / Privacy officials in Italy and Germany / Privacy officials in Italy, Germany, and Brazil
Privacy officials in Italy and Germany - Brazil is not an EU member state
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Archipelago enhancement principle / Solidity restoration principle / Netherworking substrate principle / Purpose specification principle
Purpose specification principle - Requires that any entity that gathers PII clearly state the explicit purpose for which the PII will be used
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Transient data principle / Security safeguards principle / Longtrack resiliency principle / Arbitrary insulation principle
Security safeguards principle - any entity that gathers the PII must protect the data against unauthorized access and modification
In deciding which cloud provider to use, one of the characteristics you may want to determine about the provider is their level of professionalism. Which of the following tools could be used to determine the thoroughness, detail, and repeatability of the processes and procedures offered by a cloud provider? The CSA-STAR certification program / The RMF / The Capability Maturity Model (CMM) / The EuroCloud Star Audit Certification
The Capability Maturity Model (CMM) - Determines a target's maturity in terms of process documentation and repeatability
You are the security manager for a retail sales company that uses a SaaS public cloud service. One of your employees uploads sensitive information they were not authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefiting the administrator and causing harm to your organization. After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation. If the jury determines that 25% of the evidence shows that the situation was your organization's fault and 75% of the evidence shows that the situation was the cloud provider's fault, what is the likely outcome? Your organization owes the cloud provider $31,250 / The cloud provider owes your organization $93,750 / Neither side owes the other party anything / The cloud provider owes your organization $125,000
The cloud provider owes your organization $125,000 - the party with over 51% of the fault is responsible for the full weight of the breach
The Reporting phase of forensic investigation usually involves presenting findings to _______. Senior management / Regulators / The court / Stakeholders
The court
Who should be responsible for ensuring the state, security, and control of all evidence, from the time it is collected until it is presented in court? The data controller / The evidence custodian / The security manager / The IT director
The evidence custodian
When collecting digital evidence for forensic purposes, it is important to compare the integrity value for any copied material against ______. The original / The backup / Another copy / The industry standard
The original
You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft. The prosecutor can use the material you delivered because of _________. The doctrine of plain view / The silver platter doctrine / The GDPR / The FISMA
The silver platter doctrine - allowed law enforcement entities to use material presented voluntarily by the owner as evidence
Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case. In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that ________. Their testimony is scripted, and they do not deviate from the script / They only present evidence that is favorable to your side of the case / They are trained and certified in the tools they used / They are paid for their time while they are appearing in the courtroom
They are trained and certified in the tools they used
The CSA STAR program's tier of self-assessment is which of the following? Tier 1 / Tier 2 / Tier 5 / Tier 8
Tier 1
_______ are required to use only cryptographic modules that are compliant with FIPS 140-2. Americans / Cloud providers / IaaS providers / US federal agencies
US federal agencies
Which of the following is one of the advantages of using automation in configuration management? Development / Uniformity / Texture / Distinguishing applicability
Uniformity
Choose the entity that has not published a privacy principle document that includes recognizing privacy as a general human right to access any of their own privacy data; limitations on the use of privacy data collected from subjects; and security measures for privacy data. OECD / AICPA / The EU Parliament / United States Congress
United States Congress
Which of the following countries does not have a federal privacy law that complies with the EU Data Directive/Privacy Regulation? Canada / United States / Switzerland / Japan
United States
Using cloud storage is considered _________ under most privacy frameworks and laws. Illegal / Data collection / Opt-in / Processing
Processing
Under the Common Criteria, the Evaluation Assurance Level (EAL) rating should describe the thoroughness of the design and testing of the security controls in a(n) ______. Product / Risk management framework / Environment / Given infrastructure
Product
Which of the following pieces of data is considered PII in the EU but not in the US? Name / Home address / Birth date / Mobile phone number
Mobile phone number
Which of the following is not an enforceable governmental request? Warrant / Subpoena / Court order / Affidavit
Affidavit
You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title "Computer-related attack." What may be the result of this situation? A criminal trial / A civil case / Both criminal and civil proceedings / Deferral racketeering charges
Both criminal and civil proceedings
Which of the following countries does not have a federal privacy law that complies with the EU Data Directive/Privacy Regulation? Argentina / Israel / Australia / Brazil
Brazil
You work for a European government agency providing tax counseling service to taxpayers. On your website home page, you include a banner with the following text: "As a visitor to this website, I agree that any information I disclose to the Tax Counseling Agency can be used for any and all purposes under the GDPR." This is followed by a button that says, "I agree"; users have to click the button, or they are taken to a page that says, "Goodbye. Thank you for visiting the Tax Counseling Agency, and have a nice day." This method of collecting personal information is ______. Illegal under the GDPR because it is electronic and needs to be in hard copy / Legal under the GDPR / Illegal under the GDPR because it doesn't allow service if the visitor refuses / Illegal under the GDPR because it doesn't ask the nationality of the visitor
Illegal under the GDPR because it doesn't allow service if the visitor refuses
You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data _______. Inadmissible / Less believable, if the changes aren't documented / Harder to control / Easily refutable
Less believable, if the changes aren't documented
In some jurisdictions, it is mandatory that personnel conducting forensic collection or analysis have a proper _______. Training credential / License / Background check / Approved toolset
License
You are the security manager for a software company that uses PaaS in a public cloud service. Your company's general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a(n) _______ to all personnel and offices within your company. Litigation hold notice / Audit scoping letter / Stop loss memo / Memorandum of agreement
Litigation hold notice
You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrongdoing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection/analysis. What should probably be your response? Yes, you want it because it gives you the most granular and comprehensive view of the pertinent data / Yes, you want to be able to inspect it before law enforcement has the opportunity to review it / No, you don't want the liability of possibly disclosing someone else's privacy data / No, you don't want the liability of possibly damaging someone else's property
No, you don't want the liability of possibly disclosing someone else's privacy data
An audit scoping statement might include constraints on all of the following aspects of an environment except ________. Time spent in the production space / Business areas/topics to be reviewed / Automated audit tools allowed in the environment / Not reviewing illicit activities that may be discovered
Not reviewing illicit activities that may be discovered
The PCI DSS requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Merchants are assigned different tier levels under PCI DSS, based on _______. Availability / Redundancy / Location of their corporate headquarters / Number of transactions per year
Number of transactions per year
The OECD is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _________. Volcanic principle / Inherency principle / Repository principle / Openness principle
Openness principle
You work for a company that operates a production environment in the cloud. Another company using the same cloud provider is under investigation by law enforcement for racketeering. Your company should be concerned about this because of the cloud characteristic of ____________. Virtualization / Pooled resources / Elasticity / Automated self-service
Pooled resources