CCNA Cyber Ops FAQ: Compliance Frameworks

Q1. PCI DSS is designed to ensure which of the following?
A. Protect electronic health care information
B. Protect financial data such as the PAN, account data on a magnetic strip, and data on embedded chips
C. Prevent data loss
D. Prevent corporate fraud

Answer: B. PCI DSS is designed to protect financial transactions, meaning the primary account number (PAN), account data on the magnetic strip, and data on the embedded chip.

Q2. What is the best answer for defining who must be compliant for PCI DSS?
A. Any financial transactions

B. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing, outsourced and third parties involved with payment card processing, and the home networks for the contractors responsible for maintaining PCI compliance

C. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing

D. Any merchant, processor, acquirer, issuer, or service provider that handles payment card processing along with outsourced or third parties involved with payment card processing.

Answer: D. In this case, D is the best answer. B is incorrect because someone’s personal home network doesn’t impact the networks they work on during their day job, unless those networks are connected and are the responsibility of the employer (i.e., working from home).

Q3. Which of the following PCI data must be protected?
A. Geographic location of a user
B. The payment amount
C. The full account number
D. A related health condition

Answer: C. PCI is related to financial data and includes the full account number. A health condition would be something related to HIPAA.

Q4. Which of the following is not a high-level PCI DSS 3.2 requirement?
A. Encryption on all PCI-related servers
B. Implementing strong access control measures
C. Regularly monitoring and testing networks
D. Maintaining a vulnerability management program

Answer: A. Answer A is a good practice; however, it is not specifically called out as a high-level PCI DSS 3.2 requirement. Encryption would fall under protecting cardholder data; however, PCI DSS states that encryption does not remove PCI compliance requirements.

Q5. Which is the best answer for addressing what must be PCI compliant?
A. Any device associated with financial transactions must be PCI compliant.

B. Any device and the network it connects to must be PCI compliant.

C. The system, version of software installed, environment, and contracted resources must be PCI approved.

D. The system, version of software installed, and environment of software must be PCI approved.

Answer: D. Answer D is the best answer. Answers A and B do not consider the installed software. Answer C includes a false aspect (that is, contractors).

Q6. HIPAA is designed to protect which of the following?
A. PHI
B. e-PHI
C. PHI and e-PHI
D. PHI, ePHI, and PCI

Answer: C. HIPAA is designed to guard protected health information (PHI) and electronic PHI (e-PHI).

Q7. What does PHI stand for?
A. Personal health information
B. Protected health insurance
C. Personal health insurance
D. Protected health information

Answer: D. PHI is protected health information.

Q8. Which of the following is protected by HIPAA?
A. The full account number in a financial transaction
B. Geolocation of a user
C. Health conditions
D. Full name of the patient

Answer: C. Any health condition is protected by HIPAA.

Q9. SOX does not apply to which of the following?
A. All publicly held American companies

B. Accounting firms involved with financial services

C. International organizations that have registered equity or debt securities with the U.S. Securities and Exchange Commission

D. Third-party service providers involved with companies responsible for SOX within the U.S.

Answer: B. SOX is a U.S.-based compliance requirement. Answer B could mean organizations outside the U.S. The other answers are associated with U.S.-based financial services and therefore must be SOX compliant.

Q10. Which of the following is not a security framework based on what the PCAOB publishes?
A. COBIT
B. OWASP
C. ITGI
D. COSO

Answer: B. The Open Web Application Security Project (OWASP) creates web application security content and is not related to SOX compliance.

Q11. According to PCI DSS, cardholder data includes everything but which of the following?
A. Primary account number (PAN)
B. Expiration date
C. Image on the card
D. Service code

Answer: C. Images presented on cards are not part of what PCI DSS is responsible to protect.

Q12. Which of the following is not a HIPAA administrative safeguard?
A. A company’s CEO and CFO are required personally to certify that all financial reporting records are complete and accurate.

B. There must be the appropriate supervision of anybody in contact with e-PHI.

C. There must be a designated security officer responsible for developing and implementing security policies and procedures.

D. Periodic assessments must be performed to evaluate HIPAA security rule requirements.

Answer: A. Answer A is a SOX requirement.

Q13. Cardholder data environment (CDE) can best be defined as which of the following?
A. The people, processes, and technologies that store, process, or transmit cardholder data or authentication data

B. The people, processes, and technologies that store, process, or transmit cardholder data

C. The processes that store, process, or transmit cardholder data or authentication data

D. The technologies that store, process, or transmit cardholder data or authentication data

Answer: A. Answer A is the best definition of CDE.

Q14. Which of the following is not a requirement of the HIPAA security rule?
A. Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted.

B. Protect against reasonably anticipated, impermissible uses or disclosures.

C. Enforce automated access control using 802.1x-based technologies.

D. Identify and protect against reasonably anticipated threats to the security or integrity of the information.

Answer: C. Answer C is a great practice; however, it is not a requirement listed for the HIPAA security rule.

Q15. Which of the following is not part of the PCI Data Security Standard?
A. Encrypt transmission of cardholder data across open, public networks.

B. Restrict access to cardholder data by business need to know.

C. Ensure that any deficiencies in the controls as well as information on fraud are disclosed.

D. Track and monitor all access to network resources and cardholder data.

Answer: C. Answer C relates to SOX compliance.

Q16. Which of the following is not part of SOX technology and policy monitoring?
A. Access to physical and electronic controls, ensuring only authorized users have access to sensitive information

B. Employing, hiring, and auditing for criminal history

C. Change management for how an organization adds and removes users or workstations, software installation and maintenance, and user database administration

D. How sensitive data is protected while backed up in the event of a need for data recovery

Answer: B. Answer B is a good practice to enforce but not part of SOX compliance. Remember that compliance offers good practices but should be treated as the minimum baseline; there are usually other areas that can be improved beyond what is required for compliance.

Q17. Which of the following is not a violation of PCI DSS?
A. Sending e-PHI in an unencrypted method due to local law

B. Installing the most secure software versus older PCI-approved software

C. Hardening a PCI system due to being installed on a non-PCI approved network

D. Running a PCI-approved application on a non-PCI-approved server

Answer: A. PCI does not supersede legal requirements.

Q18. In regard to PCI DSS, sensitive authentication data does not include which of the following?
A. PINs/PIN blocks
B. Fingerprint scanning
C. CAV2/CVC2/CVV2/CID
D. Full track data, which can be magnetic strip or equivalent chip

Answer: B. Currently, biometrics isn’t listed as part of a PCI DSS 3.2 security requirement.

Q19. Which of the following is not required for the PCI DSS requirement “Implement strong access control measures”?
A. Restrict physical access to cardholder data.
B. Identify and authenticate access to system components.
C. Audit firewall configurations annually.
D. Restrict access to cardholder data by business need to know.

Answer: C. Answer C is a good best practice; however, it is not part of the PCI DSS 3.2 “Implement strong access control measures” requirements.

Q20. The HIPAA security rule ensures the CIA of e-PHI. What does CIA stand for?
A. Confidentiality, integrity, and access
B. Confidentiality, integrity, and availability
C. Confidentiality, indisputability, and access
D. Control, integrity, and access

Answer: B. Answer B is the correct CIA breakdown.

About the author

Scott