(ISC)2 CCSP Certified Cloud Security Professional Official Practice Tests. Ben Malisow


who is the subject?
    A. The cloud customer
    B. The cloud provider
    C. The regulator
    D. The individual

105 In a personally identifiable information (PII) context, who is the processor?
    A. The cloud customer
    B. The cloud provider
    C. The regulator
    D. The individual

106 In a personally identifiable information (PII) context, who is the controller?
    A. The cloud customer
    B. The cloud provider
    C. The regulator
    D. The individual

107 In a personally identifiable information (PII) context, which of the following is not normally considered “processing”?
    A. Storing
    B. Viewing
    C. Destroying
    D. Printing

108 Which of the following countries does not have a national privacy law that concerns personally identifiable information (PII) and applies to all entities?
    A. Argentina
    B. The United States
    C. Italy
    D. Australia

109 In protections afforded to personally identifiable information (PII) under the U.S. Health Information Portability and Accountability Act (HIPAA), the subject must __________ in order to allow the vendor to share their personal data.
    A. Opt in
    B. Opt out
    C. Undergo screening
    D. Provide a biometric template

110 In protections afforded to personally identifiable information (PII) under the U.S. Gramm-Leach-Bliley Act (GLBA), the subject must __________ in order to prevent the vendor from sharing their personal data.
    A. Opt in
    B. Opt out
    C. Undergo screening
    D. Provide a biometric template

111 The European Union (EU), with its implementation of privacy directives and regulations, treats individual privacy as ____________.
    A. A passing fad
    B. A human right
    C. A legal obligation
    D. A business expense

112 If your organization collects/creates privacy data associated with European Union (EU) citizens and you operate in the cloud, you must prevent your provider from storing/moving/processing that data where?
    A. Argentina
    B. The United States
    C. Japan
    D. Israel

113 European Union (EU) personal privacy protections include the right to be _______________.
    A. Secure
    B. Delivered
    C. Forgotten
    D. Protected

114 The Cloud Security Alliance (CSA) has developed a model for cloud privacy frameworks called the Privacy Level Agreement (PLA). Why might a cloud service provider be reluctant to issue or adhere to a PLA?
    A. A PLA might limit the provider’s liability.
    B. A PLA would force the provider to accept more liability.
    C. A PLA is nonbinding.
    D. A PLA is not enforceable.

115 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) lists security controls from all the following frameworks except _______________.
    A. ISACA’s Control Objectives for Information and Related Technology (COBIT)
    B. Payment Card Industry Data Security Standard (PCI DSS)
    C. The Capability Maturity Model (CMM)
    D. International Organization for Standardization (ISO) 27001

116 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) lists security controls from all the following laws except _______________.
    A. Health Information Portability and Accountability Act (HIPAA)
    B. Family Education Rights and Privacy Act (FERPA)
    C. Personal Information Protection and Electronic Documents Act (PIPEDA)
    D. Digital Millennium Copyright Act (DMCA)

117 Digital rights management (DRM) tools might be used to protect all the following assets except _______________.
    A. A trusted device
    B. Proprietary software
    C. Medical records
    D. Financial data

118 Deploying digital rights management (DRM) tools in a bring-your-own-device (BYOD) environment will require _______________.
    A. User consent and action
    B. Enhanced security protocols
    C. Use of the cloud
    D. Newer, upgraded devices

119 Deploying digital rights management (DRM) tools in a bring-your-own-device (BYOD) environment will require _______________.
    A. A uniform browser installation
    B. Platform-agnostic solutions
    C. Turnstiles
    D. A secondary business continuity and disaster recovery (BC/DR) vendor

120 The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) addresses all the following security architecture elements except _______________.
    A. Physical security
    B. Infrastructure as a service (IaaS)
    C. Application security
    D. Business drivers

121 DRM requires that every data resource be provisioned with __________.
    A. A tracking device
    B. An access policy
    C. A hardware security module (HSM)
    D. A biometric system

122 Digital rights management (DRM) tools can be combined with __________ to enhance security capabilities.
    A. Roaming identity services (RIS)
    B. Egress monitoring solutions (DLP)
    C. Internal hardware settings (BIOS)
    D. The TEMPEST program

123 Digital rights management (DRM) tools should enforce __________, which is the characteristic of access rights following the object, in whatever form or location it might be or move to.
    A. Continuous audit trail
    B. Limiting printing output
    C. Persistence
    D. Automatic expiration

124 Digital rights management (DRM) tools should enforce __________, which is the practice of capturing all relevant system events.
    A. Continuous audit trail
    B. Limiting printing output
    C. Persistence
    D. Automatic expiration

125 Digital rights management (DRM) tools should enforce __________, which is the capability to revoke access based on the decision of the object owner or an administrator action.
    A. Integration with email filtering engines
    B. Disabling screencap capabilities
    C. Continuous audit trail
    D. Dynamic policy control

126 Digital rights management (DRM) tools should enforce __________, which is the revocation of access based on time.
    A. Persistence
    B. Disabling screencap capabilities
    C. Automatic expiration
    D. Dynamic policy control

127 Digital rights management (DRM) tools should enforce __________, which is interoperability with the organization’s other access control activities.
    A. Persistence
    B. Support for existing authentication security infrastructure
    C. Continuous audit trail
    D. Dynamic policy control

128 In a data retention policy, what is perhaps the most crucial element?
    A. Location of the data archive
    B. Frequency of backups
    C. Security controls in long-term storage
    D. Data recovery procedures

129 __________ is the practice of taking data out of the production environment and putting it into long-term storage.
    A. Deletion
    B. Archiving
    C. Crypto-shredding
    D. Storing

130 In general, all policies within an organization should include each of the following elements except _______________.
    A. The date on which the policy will expire
    B. The assignment of an entity to review the applicability of the possibility occasionally
    C. The assignment of an entity to monitor and maintain the process described in the policy
    D. A list of the laws, regulations, practices, and/or standards that drove the creation of the policy

131 The goals of secure sanitization (or “data destruction”) include all of the following except _______________.
    A. Removing data objects or files
    B. Minimizing or eliminating data remanence
    C. Removing pointers and metadata about specific files or objects
    D. Creating a secure, archived copy for business continuity and disaster recovery (BC/DR) purposes

132 Why is deleting a file or object insufficient for secure sanitization purposes?
    A. Drives and disks must be demagnetized for true secure destruction.
    B. Physical destruction is the only acceptable method of secure sanitization.
    C. Deletion usually only removes pointers or indicators of file location.
    D. Only administrators should be allowed to delete files or objects.

133 Data destruction in the cloud is difficult because ____________.
    A. Cloud data doesn’t have substance
    B. Regulations prevent it
    C. The hardware belongs to the provider
    D. Most of the data is subterranean

134 Data destruction in the cloud is difficult because ____________.
    A. Data in the cloud is constantly being replicated and backed up
    B. Delete commands are prohibited in the cloud
    C. Internet service providers (ISPs) will not allow destruction of data stored in the cloud
    D. The end clients may prevent it

135 Data destruction in the cloud is difficult because ____________.
    A. Only law enforcement is permitted to destroy cloud data
    B. The largest cloud vendors have prevented customers from destroying data
    C. Cloud data renews itself automatically
    D. The cloud is often a multitenant environment

136 Which of the following is the best and only completely secure method of data destruction?
    A. Degaussing
    B. Crypto-shredding
    C. Physical
