Rajib
Viewer

Need clarification on Chapter 1: Security Principles Quiz for Certified in Cyber Security

  1. Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow? (D1, L1.4.2)

A) The law

B) The policy

C) Any procedures the company has created for the particular activities affected by the law

D) Lankesh should be allowed to use personal and professional judgment to make the determination of how to proceed (my answer)

This is incorrect because laws cannot be violated. Which one is the answer then?

=======================================

 

  • Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission.

    According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1)

A) The governments of the countries where the company operates

B) The company Kristal works for (my answer)

C) The users

D) (ISC)2

This is incorrect because the company is represented by the third Canon ("principals"), which is subservient to the first Canon.

Which one is the answer then?

==========================================

  • While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do? (D1, L1.5.1)

A) Nothing—each person is responsible for their own actions.

B) Yell at the other candidate for violating test security.

C) Report the candidate to (ISC)2

D) Call local law enforcement

This is incorrect, because members are expected to uphold the standard, including among other members. 

Which one is the answer then?

5 Replies
Mohy
Newcomer I

Quiz 1: A) is correct, because you cannot violate the laws.

Quiz 2: C) is correct; according to the hierarchy of the Code, the users are more important. Check the 1st Canon: society, the common good, and the public.

Quiz 3: C) Report the candidate to (ISC)2. Check the Code of Ethics Canons.

Lordmohi
ericgeater
Community Champion

Answering as myself:

Over and over again, you'll hear about governance. That could be a law, or a regulation, or an adopted code of ethics... or at least a company policy. And the IT security in that company should align itself to the business objectives, which means that IT should inexorably follow some form of governance.

The ISC2 Code of Ethics says you should "Act honorably, honestly, justly, responsibly, and legally", so since law is the highest governance there is, I would choose (A) for Question 1.

But if a company conspires with a government to do subversive things above the law (like in Question 2), you cannot "Protect society, the common good, necessary public trust and confidence, and the infrastructure," as stated in the Code of Ethics if you choose to support these illegal acts. The answer is (C).

I didn't see your answer for the third question. I would answer (C) because the exam proctors and ISC2 review both the results of an exam and the behaviors of exam takers during their post-exam evaluation. Your observation may lend weight to their review.

 

edit: @Mohy had a more succinct answer than me.  Good job!

-----------
A claim is as good as its veracity.
JoePete
Advocate I


@ericgeater wrote:

Over and over again, you'll hear about governance. That could be a law, or a regulation, or an adopted code of ethics... or at least a company policy. And the IT security in that company should align itself to the business objectives, which means that IT should inexorably follow some form of governance.


Well stated. Of course, if the question's implication is that a security engineer should unilaterally violate existing company policy due to the engineer's interpretation of a new law, that's not good governance either. Policy is in the hands of company ownership (e.g., board of directors). Maybe the intent was just to insert Lankesh as a red herring (the question does ask what should the company do - not what should the engineer do), but as you note, we hear "governance" a lot these days. It remains poorly understood as a concept and even more poorly applied as a practice. Authority flows from top to bottom - each level authorizing the action at the next level. Accountability flows from the bottom up, each level having to be responsive to the one above it.

JUNIOR
Newcomer I

1. A) The law
2. C) The users
3. C) Report the candidate to ISC2
Mramadan
Viewer II

https://quizlet.com/784216194/isc2-practice-exam-3-flash-cards/

This link will be very helpful and has all the questions.