Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Know how to incorporate security into the procurement and vendor governance process.The expanded use of cloud services by many organizations requires added attention to conducting reviews of information security controls during the vendor selection process and as part of ongoing vendor governance.

Be able to determine compliance and other requirements for information protection.Cybersecurity professionals must be able to analyze a situation and determine what jurisdictions and laws apply. They must be able to identify relevant contractual, legal, regulatory, and industry standards and interpret them for their given situation.

Know legal and regulatory issues and how they pertain to information security.Understand the concepts of cybercrime and data breaches and be able to apply them in your environment when incidents arise. Understand what licensing and intellectual property protections apply to your organization's data and your obligations when encountering data belonging to other organizations. Understand the privacy and export control issues associated with transferring information across international borders.

1 What are the two primary mechanisms that an organization may use to share information outside the European Union under the terms of GDPR?

2 What are some common questions that organizations should ask when considering outsourcing information storage, processing, or transmission?

3 What are some common steps that employers take to notify employees of system monitoring?

1 Brianna is working with a U.S. software firm that uses encryption in its products and plans to export their product outside of the United States. What federal government agency has the authority to regulate the export of encryption software?NSANISTBISFTC

2 Wendy recently accepted a position as a senior cybersecurity administrator at a U.S. government agency and is concerned about the legal requirements affecting her new position. Which law governs information security operations at federal agencies?FISMAFERPACFAAECPA

3 What type of law does not require an act of Congress to implement at the federal level but rather is enacted by the executive branch in the form of regulations, policies, and procedures?Criminal lawCommon lawCivil lawAdministrative law

4 What U.S. state was the first to pass a comprehensive privacy law modeled after the requirements of the European Union's General Data Protection Regulation?CaliforniaNew YorkVermontTexas

5 Congress passed CALEA in 1994, requiring that what type of organizations cooperate with law enforcement investigations?Financial institutionsCommunications carriersHealthcare organizationsWebsites

6 What law protects the right of citizens to privacy by placing restrictions on the authority granted to government agencies to search private residences and facilities?Privacy ActFourth AmendmentSecond AmendmentGramm–Leach–Bliley Act

7 Matthew recently authored an innovative algorithm for solving a mathematical problem, and he wants to share it with the world. However, prior to publishing the software code in a technical journal, he wants to obtain some sort of intellectual property (IP) protection. Which type of protection is best suited to his needs?CopyrightTrademarkPatentTrade secret

8 Mary is the cofounder of Acme Widgets, a manufacturing firm. Together with her partner, Joe, she has developed a special oil that will dramatically improve the widget manufacturing process. To keep the formula secret, Mary and Joe plan to make large quantities of the oil by themselves in the plant after the other workers have left. They want to protect this formula for as long as possible. What type of intellectual property (IP) protection best suits their needs?CopyrightTrademarkPatentTrade secret

9 Richard recently developed a great name for a new product that he plans to begin using immediately. He spoke with his attorney and filed the appropriate application to protect his product name but has not yet received a response from the government regarding his application. He wants to begin using the name immediately. What symbol should he use next to the name to indicate its protected status?©®™†

10 Tom is an adviser to a federal government agency that collects personal information from constituents. He would like to facilitate a research relationship between that firm that involves the sharing of personal information with several universities. What law prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances? Privacy ActElectronic Communications Privacy ActHealth Insurance Portability and Accountability ActGramm–Leach–Bliley Act

11 Renee's organization is establishing a partnership with a firm located in France that will involve the exchange of personal information. Her partners in France want to ensure that the transfer will be compliant with the GDPR. What mechanism would be most appropriate?Binding corporate rulesPrivacy ShieldPrivacy LockStandard contractual clauses

12 The Children's Online Privacy Protection Act (COPPA) was designed to protect the privacy of children using the internet. What is the minimum age a child must be before companies can collect personal identifying information from them without parental consent?13141516

13 Kevin is assessing his organization's obligations under state data breach notification laws. Which one of the following pieces of information would generally not be covered by a data breach notification law when it appears in conjunction with a person's name?Social Security numberDriver's license numberCredit card numberStudent identification number

14 Roger is the CISO at a healthcare organization covered under HIPAA. He would like to enter into a partnership with a vendor who will manage some of the organization's data. As part of the relationship, the vendor will have access to protected health information (PHI). Under what circumstances is this arrangement permissible under HIPAA?This is permissible if the service provider is certified by the Department of Health and Human Services.This is permissible if the service provider enters into a business associate agreement.This is permissible if the service provider is within the same state as Roger's organization.This is not permissible under any circumstances.

15 Frances learned that a user in her organization recently signed up for a cloud service without the knowledge of her supervisor and is storing corporate information in that service. Which one of the following statements is correct?If the user did not sign a written contract, the organization has no obligation to the service provider.The user most likely agreed to a click-through license agreement binding the organization.The user's actions likely violate federal law.The user's actions likely violate state law.

16 Greg recently accepted a position as the cybersecurity compliance officer with a privately held bank. What law most directly impacts the manner in which his organization handles personal information?HIPAAGLBASOXFISMA

17 Ruth recently obtained a utility patent covering a new invention that she created. How long will she retain legal protection for her invention?14 years from the application date14 years from the date the patent is granted20 years from the application date20 years from the date the patent is granted

18 Ryan is reviewing the terms of a proposed vendor agreement between the financial institution where he works and a cloud service provider. Which one of the following items should represents the least concern to Ryan?What security audits does the vendor perform?What provisions are in place to protect the confidentiality, integrity, and availability of data?Is the vendor compliant with HIPAA?What encryption algorithms and key lengths are used?