Key Phrase: "One way to comply"

Explanation:
Correct Answer (B): Joe is writing a guideline because the key phrase “one way” suggests a non-mandatory approach to compliance. Guidelines offer recommendations rather than enforceable rules.

Why others are wrong:

• A: Policy - Policies are mandatory and define required behaviors, which is not indicated in the scenario.

• C: Procedure - A procedure would involve a detailed step-by-step process, which isn’t described here.

• D: Standard - Standards are also mandatory and enforceable, but Joe is describing one option for compliance, not a strict requirement.

Key Phrase: "Compensating controls"

Explanation:
Correct Answer (A): PCI DSS compensating controls must meet the same rigor as the original control, but they cannot be used across different requirements. The original requirement must be met independently, and compensating controls should address gaps in specific requirements.

Why others are wrong:

• B: Controls must meet the intent of the original requirement - This is correct. Compensating controls should fulfill the original intent of the requirement.

• C: Controls must meet the rigor of the original requirement - This is also true; compensating controls should not be less rigorous than the original control.

• D: Compensating controls must provide a similar level of defense as the original requirement - This is correct as well. Compensating controls should offer an equivalent level of protection.

Key Phrase: "Personal information of EU residents"

Explanation:
Correct Answer (C): The General Data Protection Regulation (GDPR) governs the handling of personal data for residents of the European Union, imposing strict privacy requirements.

Why others are wrong:

• A: HIPAA - HIPAA applies to the healthcare industry and U.S. citizens' health data.

• B: FERPA - FERPA applies to educational institutions in the U.S. and governs student records, not personal data in general.

• D: PCI DSS - PCI DSS applies to payment card information, not general personal data privacy.

Key Phrase: "Core security functions"

Explanation:
Correct Answer (B): The NIST Cybersecurity Framework includes the following five core functions: Identify, Protect, Detect, Respond, and Recover. "Contain" is not one of them.

Why others are wrong:

• A: Identify - This is one of the five core functions: understanding assets, risks, and vulnerabilities.

• C: Respond - This is a core function: responding to detected cybersecurity events.

• D: Recover - This is a core function: restoring capabilities after a cybersecurity event.

Key Phrase: "Privacy controls"

Explanation:
Correct Answer (C): ISO 27701 specifically provides guidelines on privacy controls and how to integrate them with ISO 27001, which is focused on information security management.

Why others are wrong:

• A: ISO 27002 - ISO 27002 provides guidelines on the implementation of information security controls, not privacy-specific ones.

• B: ISO 27001 - ISO 27001 is focused on information security management systems, not specifically privacy.

• D: ISO 31000 - ISO 31000 provides guidelines on risk management, not privacy.

Key Phrase: "Approved by the CEO or high-level executive"

Explanation:
Correct Answer (D): Policies usually require approval from senior leadership, such as the CEO, because they are mandatory and set the direction for the organization’s security practices.

Why others are wrong:

• A: Standard - While standards are important, they often do not require CEO approval, though they do need executive endorsement.

• B: Procedure - Procedures are operational and often approved by department heads or managers, not necessarily the CEO.

• C: Guideline - Guidelines are optional and do not typically require high-level approval.

Key Phrase: "Umbrella agreement"

Explanation:
Correct Answer (C): An MSA (Master Service Agreement) is a long-term contract that outlines the general terms and conditions for all future work with a vendor, including security requirements. It serves as the overarching agreement, with project-specific details covered in statements of work (SOWs).

Why others are wrong:

• A: BPA - A BPA (Blanket Purchase Agreement) is typically used for purchasing goods and services in an ongoing relationship, not specifically for security terms.

• B: MOU - An MOU (Memorandum of Understanding) is a non-binding agreement that outlines general intentions but doesn't typically cover detailed security terms.

• D: SLA - An SLA (Service Level Agreement) focuses on service performance and quality, not overarching terms or security conditions.