Flashcards
Q1: What is the difference between SOC 2 Type I and Type II?
A: Type I reports on the DESIGN of controls at a specific point in time. Type II reports on the OPERATING EFFECTIVENESS of controls over a period (typically 6-12 months). Type II is more valuable because it shows controls were working, not just designed.
Q2: What is GDPR’s 72-hour notification requirement?
A: Under GDPR Article 33, organisations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it. Failure to notify can result in fines up to 2% of annual global turnover.
Q3: What are the five trust service criteria in SOC 2?
A: Security (protected against unauthorised access), Availability (available for operation and use), Processing Integrity (processing is complete, accurate, timely), Confidentiality (confidential information is protected), Privacy (personal information is collected, used, retained, disclosed in accordance with commitments).
Q4: What is the maximum GDPR fine?
A: The higher of €20 million or 4% of annual global turnover. Fines are tiered: 2% for notification failures, 4% for core GDPR principle violations.
Q5: What is a DSAR?
A: Data Subject Access Request — a right under GDPR that allows individuals to request access to their personal data held by an organisation. Organisations must respond within one month (extendable to three months for complex requests). DSARs must be fulfilled free of charge.
Q6: What is SOX and who does it apply to?
A: Sarbanes-Oxley Act (2002) — US law requiring public companies to maintain adequate internal controls over financial reporting. Section 404 requires management to assess and report on the effectiveness of internal controls. ITGCs (IT General Controls) are a key component of SOX compliance.
Q7: What is the difference between a control objective and a control activity?
A: A control objective is WHAT you want to achieve (e.g., “Ensure data is encrypted at rest”). A control activity is HOW you achieve it (e.g., “Enable AES-256 encryption on all storage volumes”). Objectives are stable; activities may change as technology evolves.
Q8: What are the five elements of the PCI DSS?
A: 1. Build and Maintain a Secure Network (firewall, secure config). 2. Protect Cardholder Data (encryption at rest and in transit). 3. Maintain a Vulnerability Management Program (anti-malware, secure coding). 4. Implement Strong Access Control Measures (need-to-know, unique IDs, physical security). 5. Regularly Monitor and Test Networks (logging, scanning, testing). 6. Maintain an Information Security Policy (policy, risk assessment).
Q9: What is the difference between a certification and an attestation?
A: A certification (ISO 27001) is issued by an accredited certification body after an audit — the organisation IS certified. An attestation (SOC 2) is a report by a CPA firm stating whether controls are fairly presented — the organisation is NOT “certified,” but has an attestation report.
Q10: What is the purpose of an audit trail?
A: An audit trail provides chronological evidence of activities — who did what, when, and from where. It is essential for: detecting security incidents, supporting forensic investigations, demonstrating compliance with regulatory requirements, and providing evidence for auditors.