Compliance Regulations Overview

Questions and Answers

A contractor is set to perform cybersecurity vulnerability assessments for a local health clinic. Which U.S. government regulation is most important for the contractor to understand?

  • FedRAMP
  • HIPAA (correct)
  • GDPR
  • GLBA

An IRS office in New York plans to move some services to a cloud platform. Which U.S. government regulation is most relevant to this transition?

  • GDPR
  • FFIEC
  • FedRAMP (correct)
  • HIPAA

A U.S. university in California offers online courses to students in France and Germany. Which regulation is most likely to apply to these courses?

  • FedRAMP
  • HIPAA
  • FERPA
  • GDPR (correct)

Which U.S. government agency primarily enforces the Privacy Rule of the Gramm-Leach-Bliley Act (GLBA)?

Federal Trade Commission (FTC) (B)

In healthcare, which term best describes an entity that processes nonstandard health information into a standard format for transactions?

Healthcare clearinghouse (D)

In the healthcare sector, what describes an entity offering payment for medical services?

Health plan (C)

In e-commerce, what primarily determines whether the Payment Card Industry Data Security Standard (PCI DSS) applies?

Merchant (D)

Which two data elements are considered sensitive authentication data under the Payment Card Industry Data Security Standard (PCI DSS)? (Choose two.)

CAV2/CVC2/CVV2/CID (D), full magnetic stripe data or equivalent data on a chip (E)

Match the parts of NIST SP 800-57, Recommendation for Key Management, to their descriptions: Part 1: General

provides general guidance and best practices for the management of cryptographic keying material (A)

A U.S. cybersecurity firm is hired to perform penetration tests for European financial institutions. What is a key element the employee must have before starting the assignment?

documentation of permission for performing the tests from the client institutions (D)

A company hires a cybersecurity professional for penetration testing to check compliance. Which legal document outlines expectations, constraints, quality, timelines, and cost?

statement of work (SOW) (A)

A cybersecurity professional is hired to perform penetration testing. Which document includes a list of deliverables, project scope, timeline, report schedule, location, and payment schedule?

statement of work (SOW) (B)

A company hires a cybersecurity consultant. The company insists that the consultant disclose information only to them. Which NDA agreement should be presented?

unilateral NDA (C)

A cybersecurity consultant is hired for penetration testing. Which document specifies the agreement between the consultant and the company for the engagement?

contract (B)

A consultant is preparing a final penetration testing report. Where should the report cover limitations, such as testing dates and that findings do not guarantee all vulnerabilities are covered?

disclaimers (B)

Flashcards

What is HIPAA?

U.S. regulation protecting health information privacy, security, and integrity.

What is a Statement of Work (SOW)?

Outlines the scope, timeline, deliverables, and payment schedule for a project.

What is a contract?

A legal document specifying the terms for penetration testing engagement.

What are disclaimers?

Section of the report that covers limitations.


What is location of testing?

Testing only covers web applications on specified websites, excluding social engineering.


What is GraphQL Documentation?

Document providing a common query language for APIs.


What is scope creep?

Unexpected expansion of a project's scope.


Confirm the contents of the RFP.

First step in validating the engagement scope.


What is PGP?

Encryption protocol for secure email exchange.


What is unknown-environment testing?

Testing in which the consultant is given very limited information about the target systems and network.


What is the key difference between unknown-environment and known-environment testing?

The amount of information provided to the consultant.


Study Notes

  • For a contractor performing cybersecurity vulnerability assessments for a local health clinic, understanding HIPAA is essential before starting.
  • An Internal Revenue Service (IRS) office in New York moving services to the cloud must follow FedRAMP regulations.
  • A US university in California offering online courses to students in partner universities in France and Germany must follow GDPR.
  • The Federal Trade Commission (FTC) enforces the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act (GLB Act).
  • In healthcare, a healthcare clearinghouse processes nonstandard health information into a standard format.
  • In the healthcare sector, a health plan is an entity that provides payment for medical services.
  • In e-commerce, the application of PCI DSS requirements depends on the merchant.
  • Two examples of sensitive authentication data associated with a payment card include:
    • CAV2/CVC2/CVV2/CID,
    • Full magnetic stripe data or equivalent data on a chip.

NIST SP 800-57 Key Management Recommendations:

  • Part 1: General provides general guidance and best practices for cryptographic keying material management.
  • Part 2: Best Practices for Key Management Organization provides guidance on policy and security planning requirements for U.S. government agencies.
  • Part 3: Application Specific Key Management Guidance offers guidance when using the cryptographic features of current systems.
  • An employee assessing vulnerabilities of financial institutions in Europe needs documentation of permission from client institutions before starting penetration tests.
  • A company hiring a cybersecurity professional for penetration tests should provide a Statement of Work (SOW) specifying expectations, constraints, quality, timelines, and cost.
  • A company hiring a cybersecurity professional for penetration testing should provide a Statement of Work (SOW) specifying a detailed list of deliverables, project scope, timeline, report delivery schedule, location, and payment schedule.
  • A company wanting a cybersecurity consultant to disclose information only to them should present a unilateral NDA to the consultant.
  • A company hiring a cybersecurity consultant must provide a contract that specifies the agreement between the consultant and the company for the penetration testing engagement.
  • The consultant should cover the limitations of the pen test work in the disclaimers section of the final report.
  • Typical elements in the rules of engagement document include:
    • Testing timeline.
    • Payment schedule.
    • Location of testing.
  • The rules-of-engagement elements that restrict a pen test to web applications only are the location of testing and the types of allowed or disallowed tests.
  • A company whose applications are assessed through different APIs should provide a Web Services Description Language (WSDL) document; WSDL is an XML-based language for documenting a web service's functionality.
  • A company whose applications are assessed through different APIs should also provide GraphQL documentation; GraphQL is a query language for APIs and a runtime for executing those queries.
  • To assess vulnerabilities in web application devices, the company should provide a system and network architectural diagram, which helps the consultant document and define which systems are in scope for the testing.
  • Scope creep can be caused by:
    • Poorly formatted request for proposal (RFP).
    • Ineffective identification of technical and nontechnical elements required for the penetration test.
  • The consultant's first step in validating the engagement scope should be to confirm the contents of the request for proposal (RFP).
  • For a company wanting the consultant to set up secure communication procedures, PGP and S/MIME should be considered for exchanging emails securely.
  • Unknown-environment testing involves the consultant being provided with very limited information about the targeted systems and network.
  • The key difference between unknown-environment testing and known-environment testing is the amount of information provided to the consultant.
