CSL CSL Legal, Regulatory & Ethical Considerations

Question 1

Under US law, which federal agency has primary oversight responsibility for cybersecurity in the financial sector?

Accepted Answer

The SEC (Securities and Exchange Commission) and banking regulators like FFIEC

Answer

The FTC only

Answer

The Department of Agriculture

Answer

OSHA

Question 2

What is the purpose of the SEC's cybersecurity disclosure rules for public companies?

Accepted Answer

Require timely public disclosure of material cybersecurity incidents and annual reporting on cybersecurity risk management

Answer

Mandate specific security technologies for all public companies

Answer

Require public companies to hire a CISO

Answer

Apply HIPAA requirements to financial institutions

Question 3

What does the Computer Fraud and Abuse Act (CFAA) primarily govern?

Accepted Answer

Unauthorized access to computer systems and networks in the United States

Answer

Copyright protection for software code

Answer

Data privacy rights of consumers

Answer

Export controls on encryption technology

Question 4

A CSL leader must ensure compliance with HIPAA. Which cybersecurity control is explicitly required?

Accepted Answer

Access controls limiting ePHI access to authorized users only

Answer

Mandatory two-factor authentication for all devices

Answer

Full disk encryption on all endpoints

Answer

Public disclosure of all security incidents within 24 hours

Question 5

What is the primary purpose of state-level data breach notification laws in the US?

Accepted Answer

Require organizations to notify affected individuals and regulators when their personal data is exposed in a breach

Answer

Mandate specific encryption standards for data at rest

Answer

Establish federal cybersecurity standards for all industries

Answer

Regulate how organizations may collect personal data

Question 6

Which ethical obligation does a cybersecurity leader have when discovering a significant security vulnerability in a competitor's public-facing system?

Accepted Answer

Follow responsible disclosure practices by notifying the affected organization through proper channels

Answer

Exploit the vulnerability for competitive advantage

Answer

Publish the vulnerability publicly immediately without notification

Answer

Ignore the vulnerability as it is not their responsibility