Cybersec Policy - S2
| Question | Answer |
|---|---|
| Which recovery activities are considered best practices? | Reinstalling clean software, Restoring data from verified backups, Monitoring for re-infection |
| Which body oversees breach notifications under GDPR? | Data Protection Authorities (DPAs) |
| Which IRP phase involves revising security controls after analyzing what went wrong? | Lessons Learned |
| Incident response plans should be tested annually or biannually to remain effective. | True |
| A retail company in California experiences a breach affecting customer names and addresses. Which law applies primarily? | CCPA |
| Which IRP step is critical for maintaining evidence integrity in potential legal investigations? | Identification and containment |
| Which are common causes of data breaches? | Phishing attacks, Unpatched vulnerabilities, Insider threats |
| A company delays breach notification because it fears reputational harm. This complies with GDPR. | FALSE |
| What is the main role of a DPA in breach cases? | Investigating and enforcing compliance |
| In the Equifax breach, stolen data included credit card details and Social Security numbers. | TRUE |
| An organization’s systems are patched, but attackers return because stolen credentials weren’t revoked. Which IRP failure occurred? | Eradication |
| An organization detects spam campaigns in its network but ignores them because no sensitive data was exposed. This is acceptable under GDPR. | FALSE |
| A hospital ransomware attack encrypted patient files, but the hospital refused to notify regulators because backups restored data. This action is compliant with HIPAA. | FALSE |
| Which of the following are mandatory elements of a GDPR breach notification? | Nature of the breach, Categories of personal data affected, Contact details of the Data Protection Officer |
| Which IRP stage involves communicating with external stakeholders, including DPAs and customers? | Notification/Communication |
| An organization creates policies, forms a Computer Security Incident Response Team (CSIRT), and trains employees. Which IRP phase does this represent? | Preparation |
| The Marriott breach showed that vulnerabilities inherited during acquisitions may go unnoticed. | TRUE |
| Which regulation specifically protects U.S. healthcare patient records during incidents? | HIPAA |
| Which are examples of Eradication activities? | Removing malware, Deleting unauthorized user accounts, Applying security patches |
| The Philippine Data Privacy Act allows organizations to completely skip reporting if only 10 people are affected, even if sensitive data was stolen. | False |
| Which breach showed failure to secure passport data during hotel bookings? | Marriott |
| The National Privacy Commission (Philippines) requires breach notifications even for suspected incidents. | FALSE |
| A ransomware attack encrypts a company’s HR system. Employees cannot work. What should the organization do first? | Contain the affected HR system |
| A company that encrypts sensitive data but still gets breached is not legally required to notify authorities under any law. | FALSE |
| Which breach involved attackers injecting malicious scripts into an airline’s website to capture card details? | British Airways |
| A company creates an incident logbook documenting actions during a breach. This practice belongs to which IRP phase? | Identification and Containment |
| A company tests its breach notification procedures by running a simulation. This falls under which IRP phase? | Preparation |
| Which of the following were highlighted as ETSI Security Incident Indicators? | Website Defacement |
| Which laws mandate breach notification obligations? | GDPR, HIPAA, Philippine DPA 2012 |
| Lessons Learned meetings should include both technical and non-technical staff. | TRUE |
| Which case taught the importance of vendor and acquisition risk management? | Marriott |
| Which breach revealed the risk of using third-party scripts for payments? | British Airways |
| If an organization keeps a detailed incident response log, it can be used as legal evidence later. | TRUE |
| Which IRP step ensures systems are monitored after recovery to detect recurrence? | Post-Recovery Monitoring |
| During an incident, the security team isolates affected servers to prevent further spread. This represents which IRP phase? | Containment |
| An effective IRP requires coordination between technical teams, legal counsel, and communication staff. | TRUE |
| What is the main difference between HIPAA and GDPR breach notifications? | HIPAA applies to PHI, GDPR covers all personal data |
| Which best practices apply during the Lessons Learned phase? | Update security policies, Revise training programs, Analyze logs and response effectiveness |
| Which incidents specifically involved credit card theft? | British Airways, Target (reference example) |
| GDPR requires that breach notifications include details about mitigation efforts. | TRUE |
| Which industries are especially regulated regarding breach notifications? | Healthcare (HIPAA), Finance (GDPR, DPA), E-commerce (PCI-related) |
| Which breach taught the industry about risks in credit-reporting infrastructures? | Equifax |
| Which law emphasizes consumer rights to know, delete, and opt-out after a breach? | CCPA |
| Which breach response step can be legally required across GDPR, HIPAA, and DPA 2012? | Breach notification to regulators and affected individuals |
| An organization restores systems before identifying the cause of a breach. This increases the chance of recurrence. | TRUE |
| Under the Philippine Data Privacy Act (DPA 2012), who must organizations notify during a major breach? | National Privacy Commission and affected individuals |
| What activities should organizations perform during the Preparation phase of IRP? | Draft incident response policies, Establish CSIRT teams, Conduct training and simulations |
| Failing to patch known vulnerabilities is an example of poor preparation in IRP. | TRUE |
| Which organizations must comply with HIPAA breach notification rules? | Hospitals, Health insurance companies, Healthcare clearinghouses |
| Under HIPAA, covered entities must notify affected individuals without unreasonable delay. | TRUE |
| Which Philippine authority enforces data privacy regulations and breach notifications? | National Privacy Commission |
| If hackers replace a company website with political propaganda, what ETSI indicator is this? | Website Defacement |
| Which communication channels are acceptable for notifying individuals of a breach? | Written letters, Email notifications, Public announcements (for large-scale incidents) |
| The British Airways breach involved stolen data from passengers’ travel itineraries and payment details. | TRUE |
| Which factor worsened Yahoo’s response to its breach? | Delay in disclosure to users |
| Which breach highlighted vulnerabilities in web applications through malicious JavaScript? | British Airways |
| After responding to a phishing attack, the security team updates training programs and policies. This reflects which IRP phase? | Lessons Learned |
| Which Philippine regulation obliges companies to submit a breach notification within 72 hours? | DPA 2012 |
| Which IRP phase includes determining whether the event is a true security incident or a false alarm? | Identification |
| Which breach highlighted poor incident monitoring and communication with regulators? | Yahoo |
| A company immediately notifies customers about a suspected breach even before confirming it. This may cause panic but fulfills notification duties. | TRUE |
| Which law requires notification of a data breach to a supervisory authority within 72 hours? | GDPR |
| An attacker modifies DNS records to redirect users to fake sites. Which ETSI indicator best applies? | Website Forgery |
| Which are common consequences of poor breach notification? | Regulatory fines, Loss of customer trust, Litigation costs |
| In HIPAA breach notifications, which of the following must be communicated to individuals? | Description of the incident, Types of PHI involved, Steps individuals should take to protect themselves |
| Which ETSI indicator involves overwhelming a server with traffic to disrupt services? | DoS Attack |
| A financial firm discovers hackers exploiting an unpatched vulnerability. What must be done after containment? | Eradicate the root cause |
| Which steps ensure legal compliance in breach response? | Timely notification to regulators, Providing mitigation advice to victims, Documenting all actions taken |
| Which incident response best practice reduces downtime for critical services? | Maintain redundant systems for continuity |
| Under GDPR, who bears the burden of proving compliance with breach notification rules? | Organizations (Data Controllers) |
| The Yahoo breach demonstrated that multi-year notification delays severely damage trust. | TRUE |
| The ETSI indicator “Spam” would most likely be detected during which IRP phase? | Identification |
| A phishing email campaign should be classified as an intrusion in ETSI categories. | FALSE |
| Which law primarily enforces consumer rights in California regarding breach notifications? | CCPA |
| Which factors determine whether a breach must be reported? | Number of individuals affected, Sensitivity of data exposed, Likelihood of harm |
| A company uses “tabletop exercises” to test its IRP. This technique belongs to which stage? | Preparation |
| Which phase ensures systems are fully functional and secure before going back online? | Recovery |
| Which breach case showed that acquisition due diligence should include cybersecurity checks? | Marriott |
| If a hacker uses fake “Bank Login” emails to steal credentials, what ETSI indicator is this? | Phishing |
| Which breach case demonstrates the importance of encryption of sensitive fields like passport numbers? | Marriott |
| Which breach revealed vulnerabilities inherited during an acquisition? | Marriott |
| What is the main purpose of incident assessment? | Determine scope, impact, and severity |
| A phishing campaign successfully tricks employees into clicking malicious links. Which immediate step is best? | Containment |
| A university suffers ransomware but recovers from backup. Which ETSI indicator applies? | Malware |
| What is the most important factor in successful breach notifications? | Timeliness and accuracy of disclosure |
| A bank notifies customers within 24 hours of detecting unauthorized ATM withdrawals. This demonstrates strong compliance with incident response. | TRUE |
| A Philippine hospital loses unencrypted laptops containing patient records. Which step must follow immediately after containment? | Notify NPC and affected patients |
| Which actions are part of the Containment phase in IRP? | Isolating affected systems, Blocking malicious IP addresses |
| Which breaches were notable for delayed notifications? | Yahoo, Equifax |
| Which IRP phase ensures continuity of critical operations while incidents are addressed? | Containment |
| In breach notifications under the Philippine DPA 2012, which information must be provided? | Measures taken by the organization |
| Which IRP step involves removing unauthorized accounts created during a breach? | Eradication |
| In the “Lessons Learned” phase, which action is most effective? | Reviewing logs and updating IRP policies |
| Which breach taught organizations about the cost of failing to patch known vulnerabilities? | Equifax |
| A delay of several years in notifying users about stolen account credentials characterizes which case? | Yahoo |
| F4 | F4 |
| An ISP monitors and blocks child pornography websites. This aligns with RA 9775. | TRUE |
| Which is an example of malicious disclosure under RA 10173? | An employee leaking a patient’s HIV status online out of spite |
| Who ensures organizational compliance with RA 10173? | Data Protection Officer (DPO) |
| Which law protects intellectual property rights, including software and databases? | RA 8293 |
| Which are common compliance challenges in the Philippines? | Lack of awareness of privacy laws, Limited resources among SMEs, Cross-border transfer complexities |
| Which of the following are general data privacy principles under RA 10173? | Transparency, Legitimate purpose, Proportionality |
| RA 8792 grants legal recognition to: | Electronic contracts and digital signatures |
| The COMELEC 2016 data breach exposed how many voters’ personal data? | 55 million |
| Which law mandated the use of digital signatures in government transactions? | E.O. 810 |
| Which laws regulate digital signatures? | RA 8792 – E-Commerce Act, E.O. 810 – Institutionalizing digital signatures |
| An employee leaks a co-worker’s medical record on social media out of spite. This is malicious disclosure under RA 10173. | TRUE |
| Which RA 10173 provision ensures accountability when outsourcing data processing? | Section 21 – Principle of Accountability |
| If a personal information controller hires a third-party processor, what is required? | A written contract ensuring compliance with the DPA |
| What penalty did the ILOVEYOU virus author face under Philippine law? | None, because no cybercrime law existed then |
| A government office shreds outdated personnel files before disposal. This complies with RA 10173’s rules on disposal of information. | TRUE |
| A company ignores the NPC’s compliance orders without consequence. This is consistent with RA 10173. | FALSE |
| A school refuses to correct inaccurate student records when requested. This violates the right to rectification under RA 10173. | TRUE |
| Which are responsibilities of a Data Protection Officer (DPO)? | Ensure compliance with the DPA, Conduct privacy impact assessments, Serve as contact with NPC |
| A parent uses a child’s personal data to open a fraudulent loan account. This is identity theft under RA 10175. | TRUE |
| Which is NOT a right of the data subject? | Right to own government databases |
| A person hacks into a bank’s system to steal client information. This is punishable as illegal access under RA 10175. | TRUE |
| Which agency enforces RA 8293 (Intellectual Property Code)? | IPOPHL |
| A blogger posts defamatory remarks about a politician on Facebook. This can be prosecuted as cyber libel under RA 10175. | TRUE |
| Which law prohibits the unauthorized capture and distribution of sexual images? | RA 9995 |
| Which type of data requires stricter protection under RA 10173? | Sensitive personal information |
| The NPC reports directly to: | Office of the President |
| Which provisions extend privileged communication to electronic formats? | Lawyer–client communication, Doctor–patient communication |
| A hospital fails to notify the NPC within 72 hours after discovering a breach of patient records. This violates RA 10173. | TRUE |
| A blogger copies entire copyrighted articles and reposts them online without permission. This violates RA 8293. | TRUE |
| An individual posts intimate videos of an ex-partner online without consent. This violates RA 9995. | TRUE |
| A company continuously trains its staff on data privacy awareness. This is a best practice for compliance. | TRUE |
| A public official knowingly misuses citizens’ personal data for political gain. This may result in aggravated liability under RA 10173. | TRUE |
| RA 9775 criminalizes: | Child pornography |
| A company uses employee health data in performance evaluations without consent. This is lawful under RA 10173. | FALSE |
| Which cases involved major data breaches in the Philippines? | COMELEC “Comeleak” (2016), DFA passport data breach (2019), PhilHealth ransomware attack (2021) |
| Which are security measures recommended under RA 10173? | Encryption of sensitive data, Access controls, Regular security audits |
| Under RA 10173, the right to data portability allows individuals to: | Obtain and transfer their own data to another service provider |
| Which 2016 incident was one of the world’s largest government-related data breaches? | COMELEC “Comeleak” |
| Which principle requires that data collection only be for lawful and specific purposes? | Legitimate purpose |
| Which are considered cybercrime offenses under RA 10175? | Illegal access, Identity theft, Cyber libel |
| A news outlet publishes the grades of students with names without consent. This is an authorized disclosure under RA 10173. | FALSE |
| Which RA 10175 offense involves altering or destroying computer data? | Data interference |
| A hacker installs malware to disrupt government websites. This is system interference under RA 10175. | TRUE |
| How soon must the NPC be notified of a data breach? | 72 hours |
| Which law required government websites to migrate to secure hosting? | A.O.39 |
| Which provision extends lawyer–client confidentiality to digital formats? | Section 15 |
| The DFA 2019 passport data breach violated: | RA 10173 and RA 10175 |
| Which demonstrates proportionality? | Collecting only information needed for a loan application |
| Under RA 10175, system interference refers to: | Disrupting or destroying a computer system |
| A hospital discovers a data breach but hides it from the NPC to protect its reputation. This is concealment of a security incident under RA 10173. | TRUE |
| Which organization suffered a ransomware attack in 2021 that disrupted services? | PhilHealth |
| A cybercriminal sends phishing emails disguised as government COVID-19 aid notices. This is computer-related fraud under RA 10175. | TRUE |
| Which is an example of a cross-border compliance challenge? | Transferring Filipino personal data to servers abroad |
| Which agency leads prosecution of cybercrime? | DOJ-Office of Cybercrime |
| A hospital requires its contractors to comply with the same privacy standards it follows. This aligns with RA 10173. | TRUE |
| Which law established a national Public Key Infrastructure (PKI)? | E.O. 810 |
| Which of the following is considered system interference under RA 10175? | Launching a denial-of-service attack |
| A hospital publishes patient records online without consent. Which law is violated? | RA 10173 |
| Which body was created under RA 10173? | National Privacy Commission (NPC) |
| The main objective of the Data Privacy Act is to: | Protect personal data while allowing free flow of information |
| What year was the Data Privacy Act (RA 10173) enacted? | 2012 |
| What penalty applies when multiple RA 10173 violations are committed together? | Higher penalties under Section 33 |
| What penalty applies for improper disposal of sensitive personal information under RA 10173? | 1–3 years imprisonment and ₱100K–₱1M fine |
| A government agency mandates all employees to use certified digital signatures for internal communication. This aligns with E.O. 810. | TRUE |
| Which rights are transmissible to heirs under RA 10173? | Right to access, Right to rectification, Right to erasure |
| A bank encrypts its transaction logs and limits access to authorized employees. This follows proper security measures under RA 10173. | TRUE |
| Which laws criminalize unauthorized capture or distribution of intimate images? | RA 9995 – Anti-Photo and Video Voyeurism Act, RA 10175 – Cybercrime Prevention Act (content-related offenses) |
| RA 8792 primarily regulates: | Electronic transactions and digital signatures |
| Which are functions of the National Privacy Commission (NPC)? | Investigate data breaches, Issue compliance orders, Promote data privacy awareness |
| Which case involved hackers attempting to steal millions from a bank in 2016? | PNB vs. Hackers |
| Which case highlighted the lack of a cybercrime law before RA 10175? | ILOVEYOU virus |
| A bank deletes customer records once accounts are closed and obligations are settled. This follows proportionality under RA 10173. | TRUE |
| Which law prohibits unauthorized interception of communications? | RA 4200 |
| Which of the following is NOT one of the Five Pillars of Privacy Accountability? | Outsourcing all personal data with no safeguards |
| Which 2020 incident exposed personal data of city residents? | Marikina LGU data breach |
| Under RA 10173, large-scale offenses involve at least: | 100 Persons |
| Which agency supervises the Government Web Hosting Service mandated by A.O. 39? | DOST-ICTO (now DICT) |
| What is the penalty for illegal access to critical infrastructure under RA 10175? | Reclusion temporal (12–20 years) |
| Which is a cybercrime under RA 10175? | Unauthorized access to a bank system |
| Which are penalties under RA 10173 for violations? | Imprisonment terms, Monetary fines, Restitution for victims |
| Which is an example of negligent access? | An employee leaving a laptop with personal data unattended |
| Which of the following best practices improve compliance with RA 10173? | Regular staff training on privacy, Privacy impact assessments, Having a breach response plan |
| A telecom company clearly informs customers about data collection purposes before signing a contract. This follows the principle of transparency under RA 10173. | TRUE |
| Which of the following is an example of privileged communication extended under RA 10173? | Doctor–patient |
| Which is NOT a general data privacy principle under RA 10173? | Confidentiality |
| A company transfers Filipino customer data to a foreign server without ensuring equivalent protection. This is a compliance issue under RA 10173. | TRUE |
| Which laws are directly related to intellectual property and copyright? | RA 8293 – Intellectual Property Code, RA 10175 – Cybercrime Prevention Act (IP-related offenses) |
| A company obtains valid consent to collect customer emails but later sells them to marketers without permission. This is lawful under RA 10173. | FALSE |
| A group hacks government websites to protest against a law. This is punishable under RA 10175. | TRUE |
| Which right allows a person to demand deletion of their personal data? | Right to erasure (Right to be forgotten) |
| A student records a private phone call with a friend without consent. This is a violation of RA 4200. | TRUE |
| Which of the following is an example of unlawful processing of personal information? | A company selling email addresses without consent |
| Which are examples of improper disposal of sensitive information? | Throwing unshredded medical records in public trash, Leaving police reports in open dumpsters |
| RA 9995 prohibits: | Unauthorized recording and distribution of intimate videos |
| Rights under the DPA are: | Transferable to heirs upon death or incapacity |