Domain 6 contains material that some candidates find the most awkward and confusing: the legal and policy elements. It also delves into compliance and how cloud customers ensure that their organization is fulfilling regulatory requirements. It is weighted much less than the previous domains on the exam, though, so this chapter is much shorter than the ones you’ve seen so far. Which of the following is a U.S. audit standard often used to evaluate cloud providers?
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program has _______________ tiers.
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program’s tier of self-assessment is which of the following?
Alice and Bob want to use the Internet to communicate privately. They each have their own asymmetric key pairs and want to use them to create temporary symmetric keys for each connection or session. Which of the following will enable them to do this?
Under European Union (EU) law, a cloud customer who gives sensitive data to a cloud provider is still legally responsible for the damages resulting from a data breach caused by the provider; the EU would say that it is the cloud customer’s fault for choosing the wrong provider. This is an example of insufficient _______________.
Which of the following is not an enforceable governmental request?
Which of the following is not a way of managing risk?
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.
The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. The OECD privacy principles influenced which lawmaking body and are readily apparent in the law(s) it created?
Which of the following is not a way in which an entity located outside the European Union (EU) can be allowed to gather and process privacy data belonging to EU citizens?
The Privacy Shield program is _______________.
Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?
Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?
In the United States, who manages the Privacy Shield program for voluntary compliance with European Union (EU) data privacy laws?
You’re a sophomore at a small, private medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?
U.S. federal entities are required to use cloud data centers within the borders of the United States only. Which law, standard, or requirement mandates this?
The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program includes a level of certification for cloud providers that acquire third-party assessments of their environment and controls. Which STAR level is this?
_______________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users’ and clients’ privacy data.
Under European Union law, what is the difference between a directive and a regulation?
You work for a European government agency providing tax counseling services to taxpayers. On your website home page, you include a banner with the following text: “As a visitor to this website, I agree that any information I disclose to the Tax Counseling Agency can be used for any and all purposes under the General Data Protection Regulation (GDPR).” This is followed by a button that says, “I Agree”: users have to click the button, or they are taken to a page that says, “Goodbye. Thank you for visiting the Tax Counseling Agency, and have a nice day.” This method of collecting personal information is _______________.
Administrative penalties for violating the General Data Protection Regulation (GDPR) can range up to _______________.
The European Union (EU) General Data Protection Regulation (GDPR) addresses performance by _______________.
You are the security manager for a mid-sized nonprofit organization. Your organization has decided to use a software as a service (SaaS) public cloud provider for its production environment. A service contract audit reveals that while your organization has budgeted for 76 user accounts, there are currently 89 active user accounts. Your organization is paying the contract price, plus a per-account fee for every account over the contracted number. This is an example of costs incurred by _______________.
An audit against the _______________ will demonstrate that an organization has a holistic, comprehensive security program.
An audit against the _______________ reporting mechanism will demonstrate that an organization has an adequate security control design.
A(n) _______________ includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.
An audit against the _______________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.
An audit scoping statement might include constraints on all of the following aspects of an environment except _______________.
An audit scoping statement might include all of the following constraints except _______________.
You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program, the Uptime Institute’s tier certification motif, and _______________.
Who should perform the gap analysis following an audit?
An IT security audit is designed to reveal all of the following except _______________.
What was the first international privacy standard specifically for cloud providers?
Choose the entity that has not published a privacy principle document that includes recognizing a subject’s right to access any of their own privacy data; limitations on the use of privacy data collected from subjects; and security measures for privacy data.
The field of digital forensics does not include the practice of securely _______________ data.
Which of the following is a legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter?
In which court must the defendant be determined to have acted in a certain fashion according to the preponderance of the evidence?
You are the security manager for a retail sales company that uses a software as a service (SaaS) public cloud service. One of your employees uploads sensitive information they were not authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefiting the administrator and causing harm to your organization. After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation. If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?
You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft. The prosecutor can use the material you delivered because of _______________.
You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month. Which law is applicable in this instance?
You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a(n) _______________ to all personnel and offices within your company.
You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with _______________ as well as the lawsuit.
You are the chief information officer (CIO) for an IT hardware manufacturer. Your company uses cloud-based software as a service (SaaS) services, including email. You receive a legal request for data pertinent to a case. Your e-discovery efforts will largely be dependent on _______________.
You work for a company that operates a production environment in the cloud. Another company using the same cloud provider is under investigation by law enforcement for racketeering. Your company should be concerned about this because of the cloud characteristic of _______________.
You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. What is one of the common practices used in your industry that will have to be halted until the resolution of the case?
Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going be very difficult to review for pertinence to the case. The senior executive at your firm who is making decisions about this case suggests handing over all data the company has archived for the time frame related to the case, whether or not it may be pertinent, in order to both allow the litigant to find the pertinent data and reduce the costs your company would incur if it performed the reform. What should be your response to the executive?
Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going be very difficult to review for pertinence to the case. Which security control mechanism may also be useful in the e-discovery effort?
When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize _______________.
Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case. In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _______________.
In some jurisdictions, it is mandatory that personnel conducting forensic analysis collection or analysis have a proper _______________.
You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data _______________.
You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.” What may be the result of this situation?
You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.” In this circumstance, who would likely be prosecuted?
_______________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.
Which of the following aspects of virtualization make the technology useful for evidence collection?
Which of the following practices can enhance both operational capabilities and forensic readiness?
Which of the following practices can enhance both operational capabilities and configuration management efforts?
Which of the following is probably the most volatile form of data that might serve a forensic purpose?
You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrongdoing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection/analysis. What should probably be your response?
The Reporting phase of forensic investigation usually involves presenting findings to _______________.
When presenting forensic evidence in court as testimony, you should include, if at all possible, _______________.
When collecting digital evidence for forensic purposes, it is important to compare the integrity value for any copied material against _______________.
Who should be responsible for ensuring the state, security, and control of all evidence, from the time it’s collected until it is presented in court?
When you’re accessing an electronic storage file for forensic purposes, it is a best practice to use _______________.
Which of the following should not be true about any tests performed during forensic analysis?
Which of the following pieces of data is considered personally identifiable information (PII) in the European Union (EU) but not in the United States?
The Privacy Shield program allows U.S. companies to collect and process privacy information about European Union (EU) citizens. The program is included in which law?
You are the security manager for a U.S.-based company that has branches abroad, including offices in Germany, Italy, and Brazil. If your company wants to process European Union (EU) citizen personally identifiable information (PII) data, one of the options is to use standard contractual clauses (also known as model contracts, or binding rules). If you choose this option, your company will have to get approval from _______________.
Using cloud storage is considered _______________ under most privacy frameworks and laws.
Which U.S. federal government entity is in charge of administering the Privacy Shield program?
In deciding which cloud provider to use, one of the characteristics you may want to determine about the provider is their level of professionalism. Which of the following tools could be used to determine the thoroughness, detail, and repeatability of the processes and procedures offered by a cloud provider?
Service Organization Control (SOC) 2 reports were intended to be _______________.
To receive a Service Organization Control (SOC) 2 Type 2 report from a potential provider, the provider may require you to perform/provide a(n) _______________.
The Generally Accepted Privacy Principles described by the American Institute of Certified Public Accountants (AICPA) are very similar to the privacy principles described by _______________.
The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Merchants are assigned different tier levels under PCI DSS, based on _______________.
The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transaction be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate _______________.
_______________ are required to use only cryptographic modules that are compliant with Federal Information Processing Standard (FIPS) 140-2.
In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, “Does it seem as if this vendor is subject to any pending acquisitions or mergers?” In gathering data to answer this question, what are you trying to avoid?
3.147.59.219