CISSP CISSP Legal and Compliance 2

Question 1

What does the term 'due diligence' mean in the context of information security governance?

Accepted Answer

Investigating and verifying security practices before entering a business relationship

Answer

Due diligence involves proactively investigating security posture, risks, and controls before a merger, acquisition, or vendor engagement.

Question 2

Which US law requires publicly traded companies to maintain accurate financial records and internal controls, with CISOs often accountable for IT controls?

Accepted Answer

SOX (Sarbanes-Oxley Act)

Answer

SOX Section 404 requires management to assess internal controls over financial reporting, which heavily involves IT systems and access controls.

Question 3

Under the EU GDPR, what is the maximum fine for the most serious violations?

Accepted Answer

€20 million or 4% of global annual turnover

Answer

GDPR's highest tier penalty is €20 million or 4% of global annual turnover, whichever is higher, for severe violations.

Question 4

What is the main purpose of a privacy impact assessment (PIA)?

Accepted Answer

To identify and mitigate privacy risks before deploying new systems or processes

Answer

A PIA proactively identifies privacy risks in new projects and recommends controls before the system is built or deployed.

Question 5

Which regulation governs the security and privacy of student education records in the US?

Accepted Answer

FERPA

Answer

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and grants parents/students access rights.

CISSP - Certified Information Systems Security Professional Practice Test

CISSP - Certified Information Systems Security Professional Practice Test

CISSP CISSP Legal and Compliance 2