CISSP PRACTICE QUESTIONS – 20201216

Effective CISSP Questions

You work for a system integrator based in the US that provides consulting and maintenance services to banks issuing credit cards. Your company is subject to a contractual obligation to be certified by a third-party auditor in order to provide security assurance. Which of the following is the primary contractual compliance requirement your company shall comply with?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Service Organization Control (SOC)
C. Gramm-Leach-Bliley Act (GLBA)
D. General Data Protection Regulation (GDPR)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Service Organization Control (SOC).

Your company is the system integrator that provides consulting and maintenance services to banks. It is the service provider to banks, not the bank itself.

Service Organization Control (SOC)

SOC

Any service organization (your company) that provides services to user entities (banks) can pursue SOC audits to provide security assurance. SOC audits are common in the settings of outsourcing or supply chains.

PCI DSS

Banks issuing credit cards are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS).

  • Issuing banks are banks that issue credit cards to consumers. Acquiring banks hold merchants’ bank accounts.
  • Visa, Mastercard, Discover, and American Express developed the PCI DSS in 2004. In 2006, the Payment Card Industry Security Standards Council (PCI SSC) was founded to develop and manage security standards in the payment card industry and to promote the PCI DSS.

GLBA and GDPR

Banks based in the US shall comply with the Gramm-Leach-Bliley Act (GLBA). Banks that hold the personal data of EU citizens are subject to GDPR.

GDPR applies to any organization operating within the EU, as well as those located outside of the EU which offer goods or services to customers or businesses in the EU.

Source: SUMAN BHATTACHARYYA

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You work for a system integrator based in the US that provides consulting and maintenance services to banks issuing credit cards. Your client requires your company to comply with contractual obligations certified by a third-party auditor in order to provide security assurance. Which of the following compliance requirements shall your company primarily follow?
A. Payment Card Industry Data Security Standard (PCI DSS)
B. Service Organization Control (SOC)
C. Gramm-Leach-Bliley Act (GLBA)
D. General Data Protection Regulation (GDPR)

2 thoughts on “CISSP PRACTICE QUESTIONS – 20201216”

  1. The Secure framework is a spreadsheet…Let’s start with the definition of framework (that applies here, as opposed to creating an actual building); a basic structure underlying a system, concept, or text. So, a framework is a structure, a schema, method of organization and configuration to accomplish something. When dealing with compliance frameworks, that structure and schema focus on the aggregation of compliance rules, first and foremost. Once identification and harmonization are complete, those requirements need a structure for integration into the organization’s processes as well. Therefore, we can define compliance frameworks as such:
    A compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization.
    In other words, a compliance framework is a methodology for compiling multiple authority documents into a cohesive whole.
    • It provides a structure for identifying Mandates within Citations.
    • It provides a structure and methodology for harmonization.
    • It provides the structure and proof to support the veracity of the identification and harmonization.
    These are the defining requirements for a compliance framework.
    How well does a framework-as-spreadsheet hold up to this scrutiny?
    Not very well.
    How well does a framework-as-spreadsheet hold up to these requirements? First, let’s go back to a term we’ve used above, non satis probandi – an ancient Latin term for not enough proof. You may be more familiar with onus probandi – the burden of proof.
    You may want to check to make sure your framework has proof, such as:
    1a. Provide a structure for identifying source documents.
    1b. Provide a structure for identifying Citations within those documents.
    1c. Provide a structure for identifying Mandates within Citations.
    1d. Provide a structure for linking a Mandate’s predicates and subjects to their situational definitions.
    2. Provide a structure for measuring correlation between Mandates or a reference control.
    3a. Provide the necessary data structures such as JSON-LD for encoding the tagging, dictionary linking, harmonization, and audit trails for change management that are machine readable.
    3b. Embed data structures and subsequent data into the identification and harmonization of each record.

    • The SCF does not provide a structure for identifying Mandates within Citations, a structure and methodology for harmonization, or structure and proof to support the veracity of the identification and harmonization. If you investigate further, you will find this. Unless it is called the Unified Compliance Framework, a patented process that ONLY UCF has, the others do not.
