CHAPTER 6
Domain 6: Legal, Risk, and Compliance

Domain 6 contains material that some candidates find the most awkward and confusing: the legal and policy elements. It also delves into compliance and how cloud customers ensure that their organization is fulfilling regulatory requirements. It is weighted much less than the previous domains on the exam, though, so this chapter is much shorter than the ones you’ve seen so far.

  1. Which of the following is a U.S. audit standard often used to evaluate cloud providers?

    1. ISO 27001
    2. SOX
    3. SSAE 18
    4. IEC 43770

  2. The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program has _______________ tiers.

    1. Two
    2. Three
    3. Four
    4. Eight

  3. The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program’s tier of self-assessment is which of the following?

    1. Tier 1
    2. Tier 2
    3. Tier 5
    4. Tier 8

  4. Alice and Bob want to use the Internet to communicate privately. They each have their own asymmetric key pairs and want to use them to create temporary symmetric keys for each connection or session. Which of the following will enable them to do this?

    1. Remote Authentication Dial-In User Service (RADIUS)
    2. Rivest-Shamir-Adleman (RSA) encryption
    3. Diffie-Hellman exchange
    4. Terminal Access Controller Access-Control System (TACACS)

  5. Under European Union (EU) law, a cloud customer who gives sensitive data to a cloud provider is still legally responsible for the damages resulting from a data breach caused by the provider; the EU would say that it is the cloud customer’s fault for choosing the wrong provider. This is an example of insufficient _______________.

    1. Proof
    2. Evidence
    3. Due diligence
    4. Application of reasonableness

  6. Which of the following is not an enforceable governmental request?

    1. Warrant
    2. Subpoena
    3. Court order
    4. Affidavit

  7. Which of the following is not a way of managing risk?

    1. Mitigation
    2. Acceptance
    3. Avoidance
    4. Streamlining

  8. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Amorphous curtailment principle
    2. Collection limitation principle
    3. State-based incorporation principle
    4. Hard-copy instantiation principle

  9. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Data quality principle
    2. Transformative neologism principle
    3. Encryption matrices principle
    4. Restful state principle

  10. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Archipelago enhancement principle
    2. Solidity restoration principle
    3. Netherworking substrate principle
    4. Purpose specification principle

  11. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Use limitation principle
    2. Erstwhile substitution principle
    3. Flatline cohesion principle
    4. Airstream fluidity principle

  12. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Transient data principle
    2. Security safeguards principle
    3. Longtrack resiliency principle
    4. Arbitrary insulation principle

  13. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. One of the characteristics the OECD suggests that privacy laws include is the _______________.

    1. Volcanic principle
    2. Inherency principle
    3. Repository principle
    4. Openness principle

  14. The Organisation for Economic Cooperation and Development (OECD) is a multinational entity that creates nonbinding policy suggestions for its member countries. The OECD has published recommendations for privacy laws. The OECD privacy principles influenced which lawmaking body and are readily apparent in the law(s) it created?

    1. U.S. Congress
    2. European Union (EU)
    3. Politburo
    4. International Standards Organization (ISO)

  15. Which of the following is not a way in which an entity located outside the European Union (EU) can be allowed to gather and process privacy data belonging to EU citizens?

    1. Be located in a country with a nationwide law that complies with the EU laws.
    2. Appeal to the EU High Court for permission.
    3. Create binding contractual language that complies with the EU laws.
    4. Join the Privacy Shield program in its own country.

  16. The Privacy Shield program is _______________.

    1. Voluntary for non–European Union (EU) entities
    2. Mandatory for all EU entities
    3. Mandatory for all non-EU entities
    4. Voluntary for all EU entities

  17. Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?

    1. Canada
    2. United States
    3. Switzerland
    4. Japan

  18. Which of the following countries does not have a federal privacy law that complies with the European Union (EU) General Data Protection Regulation?

    1. Argentina
    2. Israel
    3. Australia
    4. Brazil

  19. In the United States, who manages the Privacy Shield program for voluntary compliance with European Union (EU) data privacy laws?

    1. Department of State
    2. Department of Interior
    3. Department of Trade
    4. Department of Commerce

  20. You’re a sophomore at a small, private medical teaching college in the midwestern United States; you make your tuition payments directly from your bank account via a debit card. Which of the following laws and standards will not be applicable to you, your personal data, or the data you work with as a student?

    1. Sarbanes-Oxley Act (SOX)
    2. Health Information Portability and Accountability Act (HIPAA)
    3. Payment Card Industry Data Security Standards (PCI DSS)
    4. Family Educational Rights and Privacy Act (FERPA)

  21. U.S. federal entities are required to use cloud data centers within the borders of the United States only. Which law, standard, or requirement mandates this?

    1. Federal Information Security Management Act (FISMA)
    2. Federal Risk and Authorization Management Program (FedRAMP)
    3. Organisation for Economic Cooperation and Development (OECD)
    4. General Data Protection Regulation (GDPR)

  22. The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program includes a level of certification for cloud providers that acquire third-party assessments of their environment and controls. Which STAR level is this?

    1. 1
    2. 2
    3. 3
    4. 4

  23. _______________ is the legal concept whereby a cloud customer is held to a reasonable expectation for providing security of its users’ and clients’ privacy data.

    1. Due care
    2. Due diligence
    3. Liability
    4. Reciprocity

  24. Under European Union law, what is the difference between a directive and a regulation?

    1. A directive is enforced by the member states; a regulation is enforced by an international body.
    2. A directive is put in place by statute; a regulation is put in place by precedent.
    3. A directive is for local laws; a regulation is for laws dealing with matters outside the EU.
    4. A directive allows member states to create their own laws; a regulation is applied to all member states.

  25. You work for a European government agency providing tax counseling services to taxpayers. On your website home page, you include a banner with the following text: “As a visitor to this website, I agree that any information I disclose to the Tax Counseling Agency can be used for any and all purposes under the General Data Protection Regulation (GDPR).” This is followed by a button that says, “I Agree”: users have to click the button, or they are taken to a page that says, “Goodbye. Thank you for visiting the Tax Counseling Agency, and have a nice day.”

    This method of collecting personal information is _______________.

    1. Illegal under the GDPR because it is electronic and needs to be in hard copy
    2. Legal under the GDPR
    3. Illegal under the GDPR because it doesn’t allow service if the visitor refuses
    4. Illegal under the GDPR because it doesn’t ask the nationality of the visitor

  26. Administrative penalties for violating the General Data Protection Regulation (GDPR) can range up to _______________.

    1. US$100,000
    2. 500,000 euros
    3. 20,000,000 euros
    4. 1,000,000 euros

  27. The European Union (EU) General Data Protection Regulation (GDPR) addresses performance by _______________.

    1. Data subjects
    2. Data controllers
    3. Data processors
    4. Data controllers and processors

  28. You are the security manager for a mid-sized nonprofit organization. Your organization has decided to use a software as a service (SaaS) public cloud provider for its production environment. A service contract audit reveals that while your organization has budgeted for 76 user accounts, there are currently 89 active user accounts. Your organization is paying the contract price, plus a per-account fee for every account over the contracted number.

    This is an example of costs incurred by _______________.

    1. Data breach
    2. Shadow IT
    3. Intrusions
    4. Insider threat

  29. An audit against the _______________ will demonstrate that an organization has a holistic, comprehensive security program.

    1. Statement on Auditing Standards (SAS) 70 standard
    2. Statement on Standards for Attestation Engagements (SSAE) 18 standard
    3. Service Organization Control (SOC) 2, Type 2 report matrix
    4. ISO 27001 certification requirements

  30. An audit against the _______________ reporting mechanism will demonstrate that an organization has an adequate security control design.

    1. Service Organization Control (SOC) 1
    2. SOC 2, Type 1
    3. SOC 2, Type 2
    4. SOC 3

  31. A(n) _______________ includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.

    1. Service Organization Control (SOC) report
    2. Gap analysis
    3. Audit scoping statement
    4. Federal guideline

  32. An audit against the _______________ will demonstrate that an organization has adequate security controls to meet its ISO 27001 requirements.

    1. Statement on Auditing Standards (SAS) 70 standard
    2. Statement on Standards for Attestation Engagements (SSAE) 18 standard
    3. ISO 27002 certification criteria
    4. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53

  33. An audit scoping statement might include constraints on all of the following aspects of an environment except _______________.

    1. Time spent in the production space
    2. Business areas and topics to be reviewed
    3. Automated audit tools allowed in the environment
    4. Not reviewing illicit activities that may be discovered

  34. An audit scoping statement might include all of the following constraints except _______________.

    1. Limitation on destructive techniques
    2. Prohibition of all personnel interviews
    3. Prohibition on access to the production environment
    4. Mandate of particular time zone review

  35. You are the IT director for a European cloud service provider. In reviewing possible certifications your company may want to acquire for its data centers, you consider the possibilities of the Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) program, the Uptime Institute’s tier certification motif, and _______________.

    1. The National Institute of Standards and Technology (NIST) Risk Management Framework (Special Publication [SP] 800-37)
    2. The Federal Risk and Authorization Management Program (FedRAMP)
    3. ISO 27034
    4. The EuroCloud Star Audit (ECSA) program

  36. Who should perform the gap analysis following an audit?

    1. The security office
    2. The auditor
    3. A department other than the audit target
    4. An external audit body other than the original auditor

  37. An IT security audit is designed to reveal all of the following except _______________.

    1. Financial fraud
    2. Malfunctioning controls
    3. Inadequate controls
    4. Failure to meet target standards and guidelines

  38. What was the first international privacy standard specifically for cloud providers?

    1. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37
    2. Personal Information Protection and Electronic Documents Act
    3. Payment Card Industry
    4. ISO 27018

  39. Choose the entity that has not published a privacy principle document that includes recognizing a subject’s right to access any of their own privacy data; limitations on the use of privacy data collected from subjects; and security measures for privacy data.

    1. Organisation for Economic Cooperation and Development (OECD)
    2. American Institute of Certified Public Accountants (AICPA)
    3. The European Union (EU) parliament
    4. U.S. Congress

  40. The field of digital forensics does not include the practice of securely _______________ data.

    1. Collecting
    2. Creating
    3. Analyzing
    4. Presenting

  41. Which of the following is a legal practice of removing a suspect from one jurisdiction to another in order for the suspect to face prosecution for violating laws in the latter?

    1. Applicable law
    2. Judgments
    3. Criminal law
    4. Extradition

  42. In which court must the defendant be determined to have acted in a certain fashion according to the preponderance of the evidence?

    1. Civil court
    2. Criminal court
    3. Religious court
    4. Tribal court

  43. You are the security manager for a retail sales company that uses a software as a service (SaaS) public cloud service. One of your employees uploads sensitive information they were not authorized to put in the cloud. An administrator working for the cloud provider accesses that information and uses it for an illegal purpose, benefiting the administrator and causing harm to your organization.

    After you perform all the incident-response activity related to the situation, your organization determines that the price of the damage was US$125,000. Your organization sues the cloud provider, and the jury determines that your organization shares in the blame (liability) for the loss because it was your employee performing an unauthorized action that created the situation.

    If the jury determines that 25 percent of the evidence shows that the situation was your organization’s fault and 75 percent of the evidence shows that the situation was the cloud provider’s fault, what is the likely outcome?

    1. Your organization owes the cloud provider $31,250.
    2. The cloud provider owes your organization $93,750.
    3. Neither side owes the other party anything.
    4. The cloud provider owes your organization $125,000.

  44. You are the security manager for a small American tech firm and investigate an incident. Upon analysis, you determine that one of your employees was stealing proprietary material and selling it to a competitor. You inform law enforcement and turn over the forensic data with which you determined the source and nature of the theft. The prosecutor can use the material you delivered because of _______________.

    1. The doctrine of plain view
    2. The silver platter doctrine
    3. The General Data Protection Regulation (GDPR)
    4. The Federal Information System Management Act (FISMA)

  45. You are the security director for an online retailer in Belgium. In February 2019, an audit reveals that your company may have been responsible for exposing personal data belonging to some of your customers over the previous month. Which law is applicable in this instance?

    1. Belgian law
    2. The General Data Protection Regulation (GDPR)
    3. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53
    4. The Federal Information Systems Management Act (FISMA)

  46. You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. You should immediately issue a(n) _______________ to all personnel and offices within your company.

    1. Litigation hold notice
    2. Audit scoping letter
    3. Stop loss memo
    4. Memorandum of agreement

  47. You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. If you do not take proper steps to retain, capture, and deliver pertinent data to the person making the request (or their attorney), the company could be facing legal problems with _______________ as well as the lawsuit.

    1. Spoliation
    2. Fraud
    3. Jurisdiction
    4. Recompositing

  48. You are the chief information officer (CIO) for an IT hardware manufacturer. Your company uses cloud-based software as a service (SaaS) services, including email. You receive a legal request for data pertinent to a case. Your e-discovery efforts will largely be dependent on _______________.

    1. The cloud provider
    2. Regulators
    3. The cloud customer
    4. Internal IT personnel

  49. You work for a company that operates a production environment in the cloud. Another company using the same cloud provider is under investigation by law enforcement for racketeering. Your company should be concerned about this because of the cloud characteristic of _______________.

    1. Virtualization
    2. Pooled resources
    3. Elasticity
    4. Automated self-service

  50. You are the security manager for a software company that uses platform as a service (PaaS) in a public cloud service. Your company’s general counsel informs you that they have received a letter from a former employee who is filing a lawsuit against your company. What is one of the common practices used in your industry that will have to be halted until the resolution of the case?

    1. Versioning
    2. Patching
    3. Threat modeling
    4. Secure destruction

  51. Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case.

    The senior executive at your firm who is making decisions about this case suggests handing over all data the company has archived for the time frame related to the case, whether or not it may be pertinent, in order to both allow the litigant to find the pertinent data and reduce the costs your company would incur if it performed the review.

    What should be your response to the executive?

    1. This is an excellent idea; it fulfills the company’s legal requirements and reduces the overall costs of the litigation.
    2. This is a good idea; it may alleviate some of the costs associated with the court case.
    3. This is a bad idea; the company might not realize the full cost savings that it expects.
    4. This is a horrible idea; it could lead to extensive unauthorized disclosure and additional lawsuits.

  52. Your company receives a litigation hold notice from a customer that is suing you for harm caused by one of your products. You are using a managed cloud service for your production environment. You determine that the data requested by the litigant is vast and is going to be very difficult to review for pertinence to the case.

    Which security control mechanism may also be useful in the e-discovery effort?

    1. Trained and aware personnel
    2. An egress monitoring solution (data loss prevention or data leak protection [DLP])
    3. A digital rights management (DRM) solution
    4. A multifactor authentication implementation

  53. When targeting a cloud customer, a court grants an order allowing a law enforcement entity to seize _______________.

    1. Electronic data
    2. Hardware
    3. Electronic data and the hardware on which it resides
    4. Only data extracted from hardware

  54. Your company is defending itself during a civil trial for a breach of contract case. Personnel from your IT department have performed forensic analysis on event logs that reflect the circumstances related to the case.

    In order for your personnel to present the evidence they collected during forensic analysis as expert witnesses, you should ensure that _______________.

    1. Their testimony is scripted, and they do not deviate from the script
    2. They present only evidence that is favorable to your side of the case
    3. They are trained and certified in the tools they used
    4. They are paid for their time while they are appearing in the courtroom

  55. In some jurisdictions, it is mandatory that personnel conducting forensic analysis collection or analysis have a proper _______________.

    1. Training credential
    2. License
    3. Background check
    4. Approved toolset

  56. You run an IT security incident response team. When seizing and analyzing data for forensic purposes, your investigative personnel modify the data from its original content. For courtroom evidentiary purposes, this makes the data _______________.

    1. Inadmissible
    2. Less believable, if the changes aren’t documented
    3. Harder to control
    4. Easily refutable

  57. You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.”

    What may be the result of this situation?

    1. A criminal trial
    2. A civil case
    3. Both criminal and civil proceedings
    4. Federal racketeering charges

  58. You are the security manager for a small investing firm. After a heated debate regarding security control implementation, one of your employees strikes another employee with a keyboard. The local media hear about the incident and broadcast/publish stories about it under the title “Computer-related attack.”

    In this circumstance, who would likely be prosecuted?

    1. Your organization
    2. The attacker
    3. The victim
    4. You, as the manager of both parties

  59. _______________ is the legal concept that describes the actions and processes a cloud customer uses to ensure that a reasonable level of protection is applied to the data in their control.

    1. Due care
    2. Due diligence
    3. Liability
    4. Reciprocity

  60. Which of the following aspects of virtualization make the technology useful for evidence collection?

    1. Hypervisors
    2. Pooled resources
    3. Snapshotting
    4. Live migration

  61. Which of the following practices can enhance both operational capabilities and forensic readiness?

    1. Highly trained forensic personnel
    2. Regular full backups
    3. A highly secure data archive
    4. Homomorphic encryption

  62. Which of the following practices can enhance both operational capabilities and configuration management efforts?

    1. Regular backups
    2. Constant uptime
    3. Multifactor authentication
    4. File hashes

  63. Which of the following is probably the most volatile form of data that might serve a forensic purpose?

    1. Virtual instance RAM
    2. Hardware RAM
    3. Hypervisor logs
    4. Drive storage

  64. You are the security representative of a small company doing business through a cloud provider. Your company comes under investigation by law enforcement for possible wrongdoing. In performing e-discovery activity so as to comply with a court order, the cloud provider offers to ship a piece of hardware, a storage drive, from their data center to you for inspection/analysis.

    What should probably be your response?

    1. Yes. You want it because it gives you the most granular and comprehensive view of the pertinent data.
    2. Yes. You want to be able to inspect it before law enforcement has the opportunity to review it.
    3. No. You don’t want the liability of possibly disclosing someone else’s privacy data.
    4. No. You don’t want the liability of possibly damaging someone else’s property.

  65. The Reporting phase of forensic investigation usually involves presenting findings to _______________.

    1. Senior management
    2. Regulators
    3. The court
    4. Stakeholders

  66. When presenting forensic evidence in court as testimony, you should include, if at all possible, _______________.

    1. Your personal opinion
    2. A clear, concise view of your side of the case
    3. Alternative explanations
    4. Historical examples that have bearing on the circumstances of the current case

  67. When collecting digital evidence for forensic purposes, it is important to compare the integrity value for any copied material against _______________.

    1. The original
    2. The backup
    3. Another copy
    4. The industry standard

  68. Who should be responsible for ensuring the state, security, and control of all evidence, from the time it’s collected until it is presented in court?

    1. The data controller
    2. The evidence custodian
    3. The security manager
    4. The IT director

  69. When you’re accessing an electronic storage file for forensic purposes, it is a best practice to use _______________.

    1. Gloves
    2. A trusted computing base
    3. Sysadmin access
    4. A write-blocker

  70. Which of the following should not be true about any tests performed during forensic analysis?

    1. Tests should be repeatable by opposing attorneys.
    2. Tests should be standard to the forensics industry.
    3. Tests should be performed by trained, certified professionals.
    4. Tests should be tailored and customized for specific purposes.

  71. Which of the following pieces of data is considered personally identifiable information (PII) in the European Union (EU) but not in the United States?

    1. Name
    2. Home address
    3. Birth date
    4. Mobile phone number

  72. The Privacy Shield program allows U.S. companies to collect and process privacy information about European Union (EU) citizens. The program is included in which law?

    1. Federal Information Security Management Act (FISMA)
    2. The EU General Data Protection Regulation (GDPR)
    3. Health Information Portability and Accountability Act (HIPAA)
    4. Sarbanes-Oxley Act

  73. You are the security manager for a U.S.-based company that has branches abroad, including offices in Germany, Italy, and Brazil. If your company wants to process European Union (EU) citizen personally identifiable information (PII) data, one of the options is to use standard contractual clauses (also known as model contracts, or binding rules).

    If you choose this option, your company will have to get approval from _______________.

    1. Privacy officials in Italy
    2. Privacy officials in Brazil
    3. Privacy officials in Italy and Germany
    4. Privacy officials in Italy, Germany, and Brazil

  74. Using cloud storage is considered _______________ under most privacy frameworks and laws.

    1. Illegal
    2. Data collection
    3. Opt-in
    4. Processing

  75. Which U.S. federal government entity is in charge of administering the Privacy Shield program?

    1. State Department
    2. Privacy Protection Office
    3. Federal Trade Commission (FTC)
    4. Department of Health and Human Services (HHS)

  76. In deciding which cloud provider to use, one of the characteristics you may want to determine about the provider is their level of professionalism. Which of the following tools could be used to determine the thoroughness, detail, and repeatability of the processes and procedures offered by a cloud provider?

    1. The Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) certification program
    2. The Risk Management Framework (RMF)
    3. The Capability Maturity Model (CMM)
    4. The EuroCloud Star Audit Certification

  77. Service Organization Control (SOC) 2 reports were intended to be _______________.

    1. Released to the public
    2. Only technical assessments
    3. Retained for internal use
    4. Nonbinding

  78. To receive a Service Organization Control (SOC) 2 Type 2 report from a potential provider, the provider may require you to perform/provide a(n) _______________.

    1. Security deposit
    2. Nondisclosure agreement (NDA)
    3. Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) certification application
    4. Act of fealty

  79. The Generally Accepted Privacy Principles described by the American Institute of Certified Public Accountants (AICPA) are very similar to the privacy principles described by _______________.

    1. The Organisation for Economic Cooperation and Development (OECD) and European Union (EU) General Data Protection Regulation (GDPR)
    2. National Institute of Standards and Technology (NIST) and European Union Agency for Network and Information Security (ENISA)
    3. Health Information Portability and Accountability Act (HIPAA) and Gramm–Leach–Bliley Act (GLBA)
    4. The Federal Trade Commission (FTC) and the U.S. State Department

  80. The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Approximately how many controls are listed in the PCI DSS?

    1. Around a dozen
    2. About 20
    3. About 100
    4. Over 200

  81. The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. Merchants are assigned different tier levels under PCI DSS, based on _______________.

    1. Availability
    2. Redundancy
    3. Location of their corporate headquarters
    4. Number of transactions per year

  82. The Payment Card Industry Data Security Standard (PCI DSS) requires that all merchants who want to process credit card transactions be compliant with a wide variety of security control requirements. The different merchant tier requirements will dictate _______________.

    1. Different types of audits each must conduct
    2. Different amounts of audits each must conduct
    3. Different control sets based on tier level
    4. Different cost of controls based on tier level

  83. _______________ are required to use only cryptographic modules that are compliant with Federal Information Processing Standard (FIPS) 140-2.

    1. Americans
    2. Cloud providers
    3. Infrastructure as a service (IaaS) providers
    4. U.S. federal agencies

  84. In performing vendor management and selection, one of the questions you, as the potential cloud customer, might ask is, “Does it seem as if this vendor is subject to any pending acquisitions or mergers?” In gathering data to answer this question, what are you trying to avoid?

    1. Vendor lockout
    2. Due care
    3. Third-party dependencies
    4. Regulatory oversight
