CCNA Cyber Ops FAQ: Compliance Frameworks
Q1. PCI DSS is designed to ensure which of the following?
A. Protect electronic health care information
B. Protect financial data such as the PAN, account data on a magnetic strip, and data on embedded chips
C. Prevent data loss
D. Prevent corporate fraud
Q2. What is the best answer for defining who must be compliant for PCI DSS?
A. Any financial transactions
B. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing, outsourced and third parties involved with payment card processing, and the home networks for the contractors responsible for maintaining PCI compliance
C. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing
D. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing along with outsourced or third parties involved with payment card processing.
Q3. Which of the following PCI data must be protected?
A. Geographic location of a user
B. The payment amount
C. The full account number
D. A related health condition
Q4. Which of the following is not a high-level PCI DSS 3.2 requirement?
A. Encryption on all PCI-related servers
B. Implementing strong access control measures
C. Regularly monitoring and testing networks
D. Maintaining a vulnerability management program
Q5. Which is the best answer for addressing what must be PCI compliant?
A. Any device associated with financial transactions must be PCI compliant.
B. Any device and the network it connects to must be PCI compliant.
C. The system, version of software installed, environment, and contracted resources must be PCI approved.
D. The system, version of software installed, and environment of software must be PCI approved.
Q6. HIPAA is designed to protect which of the following?
C. PHI and e-PHI
D. PHI, ePHI, and PCI
Q7. What does PHI stand for?
A. Personal health information
B. Protected health insurance
C. Personal health insurance
D. Protected health information
Q8. Which of the following is protected by HIPAA?
A. The full account number in a financial transaction
B. Geolocation of a user
C. Health conditions
D. Full name of the patient
Q9. SOX does not apply to which of the following?
A. All publicly held American companies
B. Accounting firms involved with financial services
C. International organizations that have registered equity or debt securities with the U.S. Securities and Exchange Commission
D. Third-party service providers involved with companies responsible for SOX within the U.S.
Q10. Which of the following is not a security framework based on what the PCAOB publishes?
Q11. According to PCI DSS, cardholder data includes everything but which of the following?
A. Primary account number (PAN)
B. Expiration date
C. Image on the card
D. Service code
Q12. Which of the following is not a HIPAA administrative safeguard?
A. A company’s CEO and CFO are required personally to certify that all financial reporting records are complete and accurate.
B. There must be the appropriate supervision of anybody in contact with e-PHI.
C. There must be a designated security officer responsible for developing and implementing security policies and procedures.
D. Periodic assessments must be performed to evaluate HIPAA security rule requirements.
Q13. Cardholder data environment (CDE) can best be defined as which of the following?
A. The people, processes, and technologies that store, process, or transmit cardholder data or authentication data
B. The people, processes, and technologies that store, process, or transmit cardholder data
C. The processes that store, process, or transmit cardholder data or authentication data
D. The technologies that store, process, or transmit cardholder data or authentication data
Q14. Which of the following is not a requirement of the HIPAA security rule?
A. Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted.
B. Protect against reasonably anticipated, impermissible uses or disclosures.
C. Enforce automated access control using 802.1x-based technologies.
D. Identify and protect against reasonably anticipated threats to the security or integrity of the information.
Q15. Which of the following is not part of the PCI Data Security Standard?
A. Encrypt transmission of cardholder data across open, public networks.
B. Restrict access to cardholder data by business need to know.
C. Ensure that any deficiencies in the controls as well as information on fraud are disclosed.
D. Track and monitor all access to network resources and cardholder data.
Q16. Which of the following is not part of SOX technology and policy monitoring?
A. Access to physical and electronic controls, ensuring only authorized users have access to sensitive information
B. Employing, hiring, and auditing for criminal history
C. Change management for how an organization adds and removes users or workstations, software installation and maintenance, and user database administration
D. How sensitive data is protected while backed up in the event of a need for data recovery
Q17. Which of the following is not a violation of PCI DSS?
A. Sending e-PHI in an unencrypted method due to local law
B. Installing the most secure software versus older PCI-approved software
C. Hardening a PCI system due to being installed on a non-PCI approved network
D. Running a PCI-approved application on a non-PCI-approved server
Q18. In regard to PCI DSS, sensitive authentication data does not include which of the following?
A. PINs/PIN blocks
B. Fingerprint scanning
D. Full track data, which can be magnetic strip or equivalent chip
Q19. Which of the following is not required for the PCI DSS requirement “Implement strong access control measures”?
A. Restrict physical access to cardholder data.
B. Identify and authenticate access to system components.
C. Audit firewall configurations annually.
D. Restrict access to cardholder data by business need to know.
Q20. The HIPAA security rule ensures the CIA of e-PHI. What does CIA stand for?
A. Confidentiality, integrity, and access
B. Confidentiality, integrity, and availability
C. Confidentiality, indisputability, and access
D. Control, integrity, and access