ISC2 Practice Exam Questions And Answers With Complete Solutions 100% Correct | 2024

Replaced SAS 70 in 2011 - Correct Answer-SSAE 16 - Statement on Standards for Attestation Engagements (SSAE) No. 16

created SAS 70, a standard used until 2011 - Correct Answer-AICPA - American Institute of Certified Public Accountants

Sarbanes-Oxley Act of 2002 - Correct Answer-instigated the move from SAS 70

SOC reports - Correct Answer-Service Organization Control Reports

SSAE 16 - Correct Answer-the standard used for a SOC 1 report

Readers of SOC 1 reports - Correct Answer-could include financial executives at a user organization, compliance officers, and financial auditors of the service organization.

pg. 1 professoraxe l

TSC - Correct Answer-AICPA's Trust Services Criteria

tests the controls for effectiveness - Correct Answer-A SOC 2 Type 2 audit

the result of the auditor ensuring the controls are in place and well-designed - Correct Answer-SOC 2 Type 1

A SOC 3 - Correct Answer-Same information as a SOC 2 report. Intended for a general audience.

Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach are in this category - Correct Answer-PCI DSS level 1

US PII law regarding the government itself - Correct Answer-Privacy Act

US PII law regarding medical providers - Correct Answer-HIPAA

the automated injection of breached username/password pairs from a website breach or password dump site - Correct Answer-Credential stuffing

only provides information about financial reporting mechanisms of the target. While this information may be of little use to the IT security professional, it may be of great use to potential investors, if for nothing other than providing some assurance that reporting is valid and believable. - Correct Answer-SOC 1 report

only describes IT security controls designed by the target but not how effectively those controls function. While of some interest to the IT security professional, this is of little interest to the investor - Correct Answer-SOC 2, Type 1 report

will provide details on IT security controls used by the target and how well those controls function. While of great interest to the IT security professional, this is of little interest to the investor - Correct Answer-The SOC 2, Type 2 report

is only an attestation that the target was audited and that it passed the audit, without detail - Correct Answer-SOC 3 report

due care - Correct Answer-the minimal level of effort necessary to perform your duty to others

Due diligence - Correct Answer-any activity taken in support or furtherance of due care

where the third party acts on behalf of the member organizations, reviewing each to ensure that they are all acceptable to the others - Correct Answer-proxy federation model

ENISA includes "_________________" as a defining trait of cloud computing. This is not included in the definition published by (ISC)2 (or by NIST). - Correct Answer-programmatic management

NIST's definition of cloud carrier - Correct Answer-an intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers

a term associated with Kerberos single sign-on systems - Correct Answer-TGT

if one tenant can influence another's resources, that is considered _________ - Correct Answer-isolation failure

FIPS - Correct Answer-Federal Information Processing Standard - a set of guidelines for US Federal government information systems - the benchmark for validating the effectiveness of cryptographic hardware

FIPS 140-2 level 1 - Correct Answer-Requires production-grade equipment and externally tested algorithms.

FIPS 140-2 level 2 - Correct Answer-Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an Operating System approved to Common Criteria at EAL2.

FIPS 140-2 level 3 - Correct Answer-Adds requirements for physical tamper-resistance and identity-based authentication. There must also be physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module. Private keys can only enter or leave in encrypted form.

Silver Platter Doctrine - Correct Answer-allows law enforcement entities to use material presented voluntarily by the owner as evidence in the prosecution of crimes, without the necessity of a warrant or court order.

Doctrine of Plain View - Correct Answer-allows law enforcement to act on probable cause when evidence of a crime is within their presence

TLS (Transport Layer Security) - Correct Answer-uses X.509 certificates to establish a connection and create a symmetric key that lasts for only one session

Diffie-Hellman - Correct Answer-uses asymmetric key pairs to create a symmetric key

SOC 2 reports - Correct Answer-not designed for dissemination outside the target organization

ISO 27001 certification - Correct Answer-for the information security management system (ISMS), the organization's entire security program

SAS 70 and SSAE 16 - Correct Answer-audit standards for service providers; they include some review of security controls but not a cohesive program

Spoliation - Correct Answer-the term used to describe the destruction of potential evidence (intentionally or otherwise); in various jurisdictions, it can be a crime, or the grounds for another lawsuit.

iSCSI (Internet Small Computer System Interface) - Correct Answer-allows you to connect remote data storage entities to computing resources over the TCP/IP network via IP-based commands

FCoE - Correct Answer-a protocol, distinct from TCP and IP, and is not routable on IP networks

Cloud service arbitrage - Correct Answer-similar to cloud service aggregation. The difference between them is that the services being aggregated aren't fixed. Indeed, the goal of arbitrage is to provide flexibility and opportunistic choices for the service aggregator, e.g., providing multiple e-mail services through one service provider or providing a credit-scoring service that checks multiple scoring agencies and selects the best score.

PIPEDA - Correct Answer-Canadian law governing protection of personal information

FIPS 140-2 standard - Correct Answer-certifies cryptologic components for use by American federal government entities

EFTA - Correct Answer-not a standard; it is a group of European countries

CAIQ - Correct Answer-self-administered tool propagated by the CSA for the purpose of aiding organizations in selecting the necessary controls

CSC - Correct Answer-comes from the Center for Internet Security (CIS), not the CSA

In a third-party certification model, the third party is the identity provider; this is often a _____ - Correct Answer-CASB

CMM - Correct Answer-a way of determining a target's maturity in terms of process documentation and repeatability

CSA STAR and Eurocloud Star programs - Correct Answer-certifications based on applicable control sets and compliance with standards and regulations

Vendor lockout - Correct Answer-can occur when your provider no longer offers the service for which you contracted

MAD - Correct Answer-maximum allowable downtime

Purpose Specification Principle - Correct Answer-a citizen needs to be informed why the personal data is being collected and the specific purposes for which it will be processed and kept.

Purpose Specification Principle - Correct Answer-OECD recommends

STRIDE Threat Model - Correct Answer-Spoofing; Tampering; Repudiation; Information disclosure (privacy breach or data leak); Denial of service; Elevation of privilege

Department of Commerce - Correct Answer-manages the Safe Harbor/Privacy Shield program in the United States

TCB - Correct Answer-includes the elements of hardware and software (usually in the OS) that ensure that a system can only be controlled by those with the proper permissions

data processor - Correct Answer-if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a _______________

Data Custodian - Correct Answer-can deliver technical protection of information assets

Consumer Privacy Bill of Rights - Correct Answer-In 2012, the Obama administration unveiled a __________ as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.

AONT - Correct Answer-can be used to increase the strength of encryption without increasing

TLS, message level encryption - Correct Answer-Cryptography for the two main types of APIs is required; this is ___ for REST and _____ for SOAP.

2 - Correct Answer-Level ____ of the CSA STAR program requires third-party assessment of the provider

current May 2017 - Correct Answer-SSAE 18

FIPS 140-2 Level 1 - Correct Answer-correct implementation

FIPS 140-2 Level 2 - Correct Answer-tamper-evident

FIPS 140-2 Level 3 - Correct Answer-tamper-resistant

OECD - Correct Answer-Organization for Economic Cooperation and Development — Privacy and Security Guidelines — aims to globally protect privacy through a practical, risk-management-based approach. Should follow these principles: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness

APEC - Correct Answer-Asia-Pacific Economic Cooperation — Privacy Framework — Ensure free flow of information and open conduct of business within the region, while protecting privacy (but not as stringently as the EU)

EU — Data Protection Directive 95/46/EC - Correct Answer-Applies to electronic and paper records; does not apply to purely personal or household activities, or in operations related to public safety or state security.

EU — GDPR - Correct Answer-General Data Protection Regulation — Updated 95/46/EC to include: Consent; Transfers abroad; The right to be forgotten; Establishing the role of the data protection officer; Access requests; Home state regulation; Increased sanctions

National laws compliant with EU GDPR - Correct Answer-Argentina; Australia — Privacy Act 1988, since 2014 Australian Privacy Principles; New Zealand; EFTA — Switzerland, Liechtenstein, Norway, Iceland; Japan; Canada — PIPEDA. And more recent additions, probably less prominent in the question pool: Andorra; Israel; Uruguay

federation technologies - Correct Answer-include protocols like WS-Federation, SAML, OAuth or OpenID Connect (OIDC)