What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization's systems?
Correct Answer: A
Question 107
Due is not related to:
Correct Answer: C
This is obviously a term not related to Profit, a "due" is not going to give us profit, its going to give us the opposite. Its always a good practice to pay your due. This can be learned in the real life. A Prudent man always pays its due, also a Good faith men pays them. This term is not related to profit.
Question 108
Under DAC, a subjects rights must be ________ when it leaves an organization altogether.
Correct Answer: B
Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
Question 109
Which of the following is related to physical security and is not considered a technical control?
Correct Answer: D
All of the above are considered technical controls except for locks, which are physical controls. Administrative, Technical, and Physical Security Controls Administrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization's sensitive information. For example, policy might dictate (and procedures indicate how) that human resources conduct background checks on employees with access to sensitive information. Requiring that information be classified and the process to classify and review information classifications is another example of an administrative control. The organization security awareness program is an administrative control used to make employees cognizant of their security roles and responsibilities. Note that administrative security controls in the form of a policy can be enforced or verified with technical or physical security controls. For instance, security policy may state that computers without antivirus software cannot connect to the network, but a technical control, such as network access control software, will check for antivirus software when a computer tries to attach to the network. Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information. Examples include logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion detection systems. Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detector, alarm system), and physical protection systems (sprinklers, backup generator). Administrative and technical controls depend on proper physical security controls being in place. An administrative policy allowing only authorized employees access to the data center do little good without some kind of physical access control. From the GIAC.ORG website
Question 110
Discovery, recording, collection, and preservation are part of what process related to the gathering of evidence?
Correct Answer: D
The correct answer is The evidence life cycle. The evidence life cycle covers the evidence gathering and application process. * Answer "Admissibility of evidence" refers to certain requirements that evidence must meet to be admissible in court. * Answer "The chain of evidence" the chain of evidence, is comprised of steps that must be followed to protect the evidence. * Relevance of evidence is one of the requirements of evidence admissibility.