Question

1) Many issues are involved when planning for a third party to perform services involving data storage, backup and restore, and destruction or processing services for your company. Which of the following statements is not correct with regard to such planning or to your actual conduct of operations with that third party? (Choose all that apply.)

Group of answer choices

Your data protection responsibilities remain with you; you need to be able to actively verify that such third parties are doing what you've contracted with them to do. Otherwise, you are blindly trusting them.

Your contracts with these third parties should use a shared responsibility model to clearly delineate which party has which responsibilities; this will, in most cases, hold you harmless when the third party goes outside of the contract.

Since third parties are by definition on a contract with you, as your subcontractor, you are not liable or responsible for mistakes they make in performing their duties.

What your third party providers, subcontractors, or employees (for that matter) do in your name and in your service, you are ultimately responsible for.

1.2) Which statements about continuity and resilience are correct? (Choose all that apply.)

Group of answer choices

Continuity measures a system's ability to deal with events the designers did not anticipate.

Continuity and resilience are basically the same idea, since they both deal with how systems handle errors, component or subsystem failures, or abnormal operational commands from users or other system elements.

Resilience measures a system's ability to tolerate events or conditions not anticipated by the designers.

Continuity measures a system's ability to deal with out-of-limits conditions, component or subsystem failures, or abnormal operating commands from users or other system elements, by means of designed-in redundancy, load shedding, or other strategies.

1.3) Fred is on the IT team migrating his company's business systems into a public cloud provider, which will host the company's processes and data on its datacenters in three different countries to provide load balancing, failover/restart, and backup and restore capabilities. Which statement or statements best address key legal and regulatory concerns about this plan? (Choose all that apply.)

Group of answer choices

Because Fred's company does not have a business office or presence in the countries where the cloud host's datacenters are, those countries do not have legal or regulatory jurisdiction over company data.

The countries where the cloud host's datacenters are located, plus all of the countries in which Fred's company has a business presence, office, or other facility, have jurisdiction over company data.

In addition to staying compliant with all of those different countries' laws and regulations, Fred's company must also ensure that it does not violate cultural, religious, or political taboos in any of those countries.

These jurisdictional arguments only apply to data stored on servers or systems within a given country, or that is being used in that country; nations do not control the movement of data across their borders.

1.4) Sandi has suggested to her boss that their small company should be using a cloud-based shared storage service, such as OneDrive, Dropbox, or Google Drive. Her boss believes these are inherently insecure. Which of the following statements would not help Sandi make her case?

Group of answer choices

Check the reputation and business model of the shared storage providers; check what national/legal jurisdiction they operate in, compared to the one her business operates in.

Examine their stated, posted privacy and security policies; ask for a sample contract, terms of reference, or service level agreement, and see if they claim to provide what her company needs.

Sandi can always encrypt her files before moving them into storage; that way, even if another user, a hacker, or the provider themselves try to read the file, they can't.

Sandi can take advantage of a free trial offer and see if her information security staff can hack into other users' storage or into system logs and account information on the provider. If her "white hats" can't break in and peek, the system is safe enough for her.
