Questions

  1. Which of the following runs counter to the requirements of PCI-DSS?
    1. Using the out-of-box settings for the firewall
    2. Installing a firewall to protect CDE systems from public systems (for example, the internet)
    3. Applying only vendor-supplied patches and updates
    4. Using custom passwords and settings
  2. Which of the following is a recommended best practice under PCI DSS but could also be applied to all the other frameworks?
    1. Impose strict access controls.
    2. Maintain and evolve security awareness across the organization.
    3. Use third-party software to reduce the scope.
    4. Maintain training programs to ensure standards do not slip.
  3. Which of the following is the best method for preventing exposure of cardholder data?
    1. Masking cardholder data
    2. Encrypting cardholder data
    3. Storing only the data required
    4. Truncating cardholder data
  4. Which of the following name formats would not count as an identifiable feature under HIPAA?
    1. Mr. John Doe
    2. Mr. J Doe
    3. Mr. Doe
    4. J Doe
  5. Which of the following controls is listed in PCI DSS, HIPAA, and SOX?
    1. Audit controls
    2. Encryption
    3. Data expiration
    4. Maintenance of backups

The following five questions are related to the following scenario. Additional details may be provided in the questions.

A new start-up has launched in Florida, which links customers with providers of therapies such as pharmacy services, massage, and acupuncture. Their app allows users to record their symptoms and any other relevant health information, book appointments, and pay for them through the app, either through their insurance companies or by credit card. The therapy providers are also paid through the app.

  1. The company, as a start-up, is privately owned. Which of the following statements is true?
    1. SOX does not apply until shares are issued publicly.
    2. SOX does not apply at the current time.
    3. SOX may still apply if the company has registered debt securities.
    4. SOX will still apply because the company is operating in the US.
  2. The start-up is planning an upgrade that would allow customers and therapists to call each other through the app rather than the current system, which shares customers' phone numbers with providers. Which of the following statements is true?
    1. Both the systems are in scope for HIPAA because they store identifiable health data.
    2. The present system is out of scope for HIPAA because phone numbers are not identifiable data elements.
    3. The proposed system, which would remove the requirement for phone numbers, would be exempt from HIPAA as the data would be unidentifiable.
    4. The use of a privacy and sharing article in the terms and conditions of service exempts the system from HIPAA.
  3. The system used a third-party provider to certify that they were compliant with PCI DSS. Which of the following is true?
    1. The system, now certified, will always be compliant with PCI DSS.
    2. The system should be re-checked annually as per PCI DSS regulations.
    3. The system should be continuously monitored as it is good practice.
    4. The system must be regularly monitored as this is a specified requirement.
  4. The company wants to move to a new site. The proposed office would be an open plan, hot-desking environment. Which of the following is true?
    1. This layout would not comply with the workstation and device security physical safeguard under HIPAA.
    2. The company could comply with the workstation and device security physical safeguard under HIPAA by locking away its servers so that the people in the open plan office cannot physically access them.
    3. This layout would not comply with the restrict physical access requirement under PCI DSS.
    4. The company could comply with the restrict physical access requirement under PCI DSS by moving all the devices in the open plan environment to a different subnet from the CDE and ensuring no data is shared between the two systems.
  5. The company has decided that complying with HIPAA is too difficult and that it no longer wishes to store patient symptoms on the app. Which of the following is true?
    1. The company still needs to comply with HIPAA because individuals are being connected to covered entities.
    2. The company still needs to comply with HIPAA because it processes payments in relation to healthcare provision for individuals.
    3. The company would no longer need to comply with HIPAA because they are only relaying information about service providers to its customers.
    4. The company would still need to comply with HIPAA for its backups and historical data only.