WEBVTT

1
00:00:00.000 --> 00:00:01.180
[Music]

2
00:00:21.780 --> 00:00:30.600
okay so the second session for this evening is on security policies and standards this is part two

3
00:00:32.220 --> 00:00:41.580
and our first question involves SQL injections your network administrator wants to mitigate the

4
00:00:41.580 --> 00:00:49.680
potential risk of SQL injection attacks as much as possible which of the following is the best

5
00:00:49.680 --> 00:00:55.560
route they could take all right take a moment look at your choices and make your selections

6
00:01:01.140 --> 00:01:01.740
okay

7
00:01:05.280 --> 00:01:10.260
so we have lots of choices for answer C

8
00:01:11.580 --> 00:01:20.580
that is enable input validation and that is the correct answer here um applying host server OS

9
00:01:20.580 --> 00:01:30.120
updates uh changing login passwords these are not effective to mitigate SQL injection attacks

10
00:01:30.720 --> 00:01:42.840
and neither is enabling HTTPS input validation is in fact the way to mitigate the risk or potential

11
00:01:42.840 --> 00:01:53.640
risk of SQL injection attacks as much as possible okay all right let's move on to the next question

12
00:01:59.520 --> 00:02:07.080
okay all of the following are true about an MOU except for what

13
00:02:12.540 --> 00:02:14.280
which of the following statements

14
00:02:17.100 --> 00:02:22.020
is not true about a memorandum of understanding

15
00:02:26.460 --> 00:02:31.020
okay we have several responses in the chat let's see what you're thinking

16
00:02:33.600 --> 00:02:35.040
okay so

17
00:02:38.340 --> 00:02:42.480
yes we have choices for B

18
00:02:45.120 --> 00:02:45.900
okay

19
00:02:48.360 --> 00:02:50.580
all right so again

20
00:02:51.600 --> 00:03:00.780
these statements all of these statements about an MOU are true except for one of them

21
00:03:04.920 --> 00:03:07.380
which one is not true

22
00:03:22.140 --> 00:03:25.920
so questions that involve

23
00:03:28.200 --> 00:03:33.360
what something is not are often a little more difficult

24
00:03:35.100 --> 00:03:44.220
um only from the perspective that we are so used to studying what something is okay so

25
00:03:44.940 --> 00:03:53.160
and the way this is worded makes it I think maybe a little more difficult all of the following

26
00:03:54.960 --> 00:04:04.560
is true or are true about an MOU except for what except one of these okay so

27
00:04:05.280 --> 00:04:13.380
a memorandum of understanding is typically a less formal agreement

28
00:04:14.880 --> 00:04:24.960
okay so not legally binding do you think that is a true statement or not a true statement

29
00:04:28.500 --> 00:04:35.880
we see another vote for B it does not involve the exchange okay all right so

30
00:04:36.480 --> 00:04:43.500
not legally binding if that's true then that's not the answer we're looking for okay

31
00:04:46.200 --> 00:04:52.500
um now even though it's a less formal agreement it's still an agreement between two parties

32
00:04:53.040 --> 00:05:01.200
so that statement's true what about does not involve the exchange of money is that true

33
00:05:04.680 --> 00:05:06.300
it's a less formal agreement

34
00:05:09.000 --> 00:05:09.500
okay

35
00:05:11.580 --> 00:05:19.680
so typically with the exchange of money we're looking at something contractual and signed by the

36
00:05:19.680 --> 00:05:27.420
appropriate parties okay so does not involve the exchange of money that is a true statement about

37
00:05:27.420 --> 00:05:37.380
MOUs that leaves us with the correct answer summarizes the work or responsibilities assigned

38
00:05:38.040 --> 00:05:45.960
okay all right now looking back at the chat a lot of you chose answer choice B

39
00:05:47.340 --> 00:05:57.360
and we have sort of a question not sort of we do have a question that is asking for the exception

40
00:05:57.360 --> 00:06:08.400
okay so it's kind of you know a "not" situation but then you have that same situation and one

41
00:06:08.400 --> 00:06:17.340
of the answers does not involve the exchange of money okay so again you really need to be

42
00:06:17.340 --> 00:06:24.780
careful when it comes to questions like this make sure you read the question twice and make sure

43
00:06:24.780 --> 00:06:33.420
you understand what you are being asked for and that's just a good general test-taking tip no matter

44
00:06:33.420 --> 00:06:41.280
which certification exam you may be sitting for okay let's uh let's move on to the next question

45
00:06:58.080 --> 00:06:58.580
okay

46
00:07:00.180 --> 00:07:05.340
an organization's corporate audit and security employees

47
00:07:05.340 --> 00:07:12.060
need to investigate and discover any discrepancies in employee activity

48
00:07:13.020 --> 00:07:20.160
which policy should they enforce so that they are able to complete this task with enough time

49
00:07:21.960 --> 00:07:27.600
okay let's take a moment and look at the answer choices and make your selections

50
00:07:32.280 --> 00:07:34.620
okay so we've had a couple responses

51
00:07:37.860 --> 00:07:40.920
for choice C access policies

52
00:07:47.700 --> 00:07:51.540
okay so we're looking for discrepancies in employee activity

53
00:07:57.060 --> 00:07:58.860
okay

54
00:08:01.560 --> 00:08:05.160
anybody else want to weigh in before we go over the correct answer

55
00:08:12.960 --> 00:08:22.020
okay so for this question the policy that should be enforced is mandatory vacation policy

56
00:08:23.160 --> 00:08:34.740
and this policy is sometimes used as a security control okay so what the intent is

57
00:08:36.120 --> 00:08:47.640
is to sort of keep an individual from having exclusive use of a system and by periodically

58
00:08:47.640 --> 00:08:55.740
enforcing that the individual takes the vacation they then relegate control of the system to

59
00:08:55.740 --> 00:09:04.200
someone else okay so it's a kind of detective control and that is the correct answer okay

60
00:09:04.920 --> 00:09:16.440
so credential management is not the correct answer these protections these policies for protection

61
00:09:16.440 --> 00:09:24.720
of credentials can sometimes involve you know besides credential management the strategies

62
00:09:24.720 --> 00:09:34.260
can be eliminating vulnerabilities or securing employee devices teaching employees to recognize

63
00:09:34.260 --> 00:09:42.480
credential phishing attacks um administrator credential policy is also not correct

64
00:09:43.920 --> 00:09:51.480
um this refers to admin accounts or root accounts right and the mandate that

65
00:09:52.560 --> 00:10:00.120
um for example credentials are different from one system to another especially passwords so

66
00:10:00.120 --> 00:10:08.460
that if one account is compromised uh several others are not and then access policy defines

67
00:10:08.460 --> 00:10:17.160
the level of access for users so the correct answer here is mandatory vacation policy

68
00:10:19.440 --> 00:10:22.320
okay let's go to the next question

69
00:10:28.080 --> 00:10:37.260
okay Ryan one of your co-workers has empty food wrappers soda cans and even stacks

70
00:10:37.260 --> 00:10:44.640
of sensitive customer data on his desk what security policy is Ryan violating

71
00:11:01.320 --> 00:11:06.060
okay so there's a couple of answers that stand out as pretty obviously wrong

72
00:11:07.140 --> 00:11:14.100
uh and then there's something in the question I think that leads you to the correct answer

73
00:11:18.420 --> 00:11:22.860
okay so we have several responses in the chat let's see what you're thinking

74
00:11:24.780 --> 00:11:36.420
okay D C D E C okay one two three four five so out of these five

75
00:11:36.420 --> 00:11:44.880
choices we had two votes for C which is the correct answer clean desk policy okay

76
00:11:45.780 --> 00:11:56.100
so empty food wrappers soda cans and of course the the real giveaway here stacks of sensitive

77
00:11:56.100 --> 00:12:03.180
customer data on his desk okay so yeah this is a violation of the clean desk policy

78
00:12:04.440 --> 00:12:15.120
in fact it is the description is an antithesis of what a clean desk would be all right

79
00:12:17.400 --> 00:12:21.240
next question some of this dirty practices

80
00:12:25.140 --> 00:12:32.880
okay the IT department of Karen's organization decides to test their

81
00:12:32.880 --> 00:12:40.800
employees by sending out a phishing email with a malicious link that tracks whoever clicks on it

82
00:12:41.400 --> 00:12:49.800
the results show that 87 of the 100 employees clicked on the fake URL 87 percent

83
00:12:50.880 --> 00:12:55.860
what could have prevented that many people from falling for this attack

84
00:12:59.460 --> 00:13:03.780
this is another one of those questions I think that you really like to see

85
00:13:04.440 --> 00:13:08.820
because and I think that everybody agrees with me it's pretty obvious

86
00:13:10.260 --> 00:13:19.500
and yeah yeah so this is this is a situation of user security awareness um

87
00:13:21.720 --> 00:13:33.720
this is just one of those things that has to be done certainly for people in the business that

88
00:13:33.720 --> 00:13:43.680
is what all of you are intent upon doing um some things that we see all the time

89
00:13:44.340 --> 00:13:51.540
are or become obvious because we have so much exposure to them but somebody whose job

90
00:13:52.320 --> 00:14:05.820
is completely out of this field who basically is using the computer systems as a tool may not be as

91
00:14:05.820 --> 00:14:16.680
aware and therefore it is up to you know the IT department to make sure that employees get proper

92
00:14:16.680 --> 00:14:25.380
and not just inundated with training but the proper user awareness training so yeah okay

93
00:14:28.260 --> 00:14:30.360
let's move on to the next question

94
00:14:33.660 --> 00:14:34.320
okay

95
00:14:39.900 --> 00:14:47.940
which of the following is not a necessary procedure when off-boarding thank you

96
00:14:56.340 --> 00:15:02.700
so here again you're being asked which one of these is not necessary

97
00:15:08.520 --> 00:15:16.560
okay we have about five responses in the chat and let's see what people are thinking

98
00:15:18.060 --> 00:15:22.140
okay it looks like everybody's voting for answer choice C

99
00:15:25.020 --> 00:15:28.260
deactivate personal emails and that is the correct choice

100
00:15:29.340 --> 00:15:38.520
um disabling user accounts and privileges is absolutely necessary um doing the best

101
00:15:38.520 --> 00:15:46.500
that you can to make sure that whoever's being off-boarded is not in possession of information assets

102
00:15:48.120 --> 00:15:52.860
um and then wiping employee-owned devices of corporate data and applications these are all

103
00:15:52.860 --> 00:16:00.300
common sense it seems good and good things to do certainly deactivating personal emails or contact

104
00:16:00.300 --> 00:16:08.340
information yeah that's the correct answer for this question okay let's move on to the next

105
00:16:14.220 --> 00:16:21.180
which term describes a gamified training event where learners must discover

106
00:16:21.180 --> 00:16:31.200
point-based tokens within a live network or scripted Q and A game environment gee

107
00:16:33.960 --> 00:16:40.320
okay I think this one's pretty obvious too you might even say that it's what

108
00:16:40.320 --> 00:16:49.680
we're doing right now okay so yeah the correct answer here is capture the flag

109
00:16:51.060 --> 00:16:57.360
um and that's exactly uh what you're looking at here with these questions they are point

110
00:16:57.360 --> 00:17:09.240
based and this is the Cyber Range CTF fun stuff okay let's move on to the next one

111
00:17:13.740 --> 00:17:22.620
okay which security principle states that a user should be allocated the minimum necessary

112
00:17:22.620 --> 00:17:29.280
rights privileges or information to perform his or her role and no more

113
00:17:35.280 --> 00:17:37.920
okay lots of responses in the chat

114
00:17:41.520 --> 00:17:51.720
and for answer choice B least privilege and that is correct this does

115
00:17:51.720 --> 00:17:58.920
not involve a code of conduct or separation of duties or standard operating procedures

116
00:17:59.820 --> 00:18:03.360
this is the principle of least privilege

117
00:18:05.580 --> 00:18:18.660
okay so um segregation of duties could look like a correct answer basically it ensures

118
00:18:18.660 --> 00:18:26.760
that employees don't have access to systems that will lead to conflicts of interest fraud or abuse

119
00:18:27.840 --> 00:18:34.980
okay so the correct answer again least privilege all right let's go on to the next question

120
00:18:45.420 --> 00:18:52.560
a company's employee just got a new social media account they have a lot of friends

121
00:18:52.560 --> 00:18:59.220
that work in the same field of business what is the biggest security risk in this situation

122
00:19:01.320 --> 00:19:05.160
okay take a moment look at your answer choices and make your selections

123
00:19:12.720 --> 00:19:16.320
okay so an employee gets a new social media account

124
00:19:17.220 --> 00:19:21.600
and they have a lot of friends that work in the same type of business

125
00:19:25.320 --> 00:19:30.000
so that's pretty much the big clue here

126
00:19:34.920 --> 00:19:37.020
so when it comes to security

127
00:19:39.180 --> 00:19:41.400
what's the weakest link in the chain

128
00:19:46.620 --> 00:19:47.520
what do you think

129
00:19:50.520 --> 00:19:55.080
the end user sure the human element right

130
00:19:57.540 --> 00:19:58.380
and

131
00:20:00.660 --> 00:20:05.700
even if it is not malicious

132
00:20:08.100 --> 00:20:15.180
okay um what do we like to do what do we like to talk about with our friends

133
00:20:16.260 --> 00:20:21.900
uh and especially if they do what we do

134
00:20:29.160 --> 00:20:36.840
yeah oversharing talk about work what we do maybe something interesting that happened

135
00:20:37.800 --> 00:20:43.920
okay all right so the answer choices the employee's email address will be added into

136
00:20:43.920 --> 00:20:55.320
a database for random subscriptions no not not really a concern uh answer choice C others can

137
00:20:55.320 --> 00:21:01.800
see the employee's IP address while they're at work using the social media account okay

138
00:21:03.480 --> 00:21:12.720
um that's really not going to be representative of a big security risk an attacker can post on

139
00:21:12.720 --> 00:21:20.040
the employee's I guess account acting as them I mean that can be a problem

140
00:21:21.120 --> 00:21:28.380
but it really boils down to sort of human nature here the employee could engage on

141
00:21:28.380 --> 00:21:36.900
the site too much and expose the company's intellectual property um I mentioned earlier that

142
00:21:38.100 --> 00:21:50.220
the intent does not have to be malicious and I can speak from experience to this point thinking back

143
00:21:50.220 --> 00:21:58.920
to my early days as a software engineer and I was working on a particularly interesting project for

144
00:21:58.920 --> 00:22:05.880
a company called Flexible Manufacturing Systems and we were engaged with building an autonomous

145
00:22:05.880 --> 00:22:12.480
guided vehicle and you know this this was the coolest thing I think I'd ever seen in my life

146
00:22:13.140 --> 00:22:20.340
um this was in the late you know mid to late 80s and um this vehicle was just

147
00:22:21.240 --> 00:22:28.320
off the chain it was not guided by paint stripes on the floor or wires buried in the floor it was

148
00:22:28.320 --> 00:22:36.300
free-ranging and it was just like I said the slickest piece of technology I'd ever seen and

149
00:22:36.300 --> 00:22:43.080
you know so myself and some of the other software engineers we'd go out after work and you know have

150
00:22:43.080 --> 00:22:50.340
some something to eat and you know I mean it just it just would come out I mean we talk about other

151
00:22:50.340 --> 00:22:57.180
things but the first things that usually came from our mouths were the events of the day or you know how

152
00:22:57.180 --> 00:23:02.460
part of the project that we were working on was turning out or maybe some of the challenges um

153
00:23:02.460 --> 00:23:10.200
that we were coming across and you know this was all done in in the spirit of you know camaraderie

154
00:23:10.200 --> 00:23:16.020
and you know possibly even getting someone else's opinion on you know what was going on

155
00:23:17.460 --> 00:23:23.580
um but when I think back to this sitting in in the restaurant having these conversations

156
00:23:23.580 --> 00:23:31.500
sometimes they get quite animated and fact of the matter is you don't know who's sitting around you

157
00:23:31.500 --> 00:23:40.080
and you know maybe you know in the excitement of of having these great discussions with your

158
00:23:40.080 --> 00:23:45.540
colleagues you know even though they work on other parts of the project you could have been exposing

159
00:23:47.160 --> 00:23:57.360
um proprietary information and so there's no malicious intent but you know that was human

160
00:23:57.360 --> 00:24:05.760
nature to have these kinds of discussions so anyhow let's move on to the next question

161
00:24:17.220 --> 00:24:26.460
okay which of the following is the information security standard for organizations that process

162
00:24:26.460 --> 00:24:32.580
credit or bank card payments okay so hopefully everybody knows this one

163
00:24:37.920 --> 00:24:42.060
okay lots of responses very quick

164
00:24:44.100 --> 00:24:48.600
and all for choice D so D is correct

165
00:24:49.920 --> 00:24:59.880
so PCI DSS Payment Card Industry Data Security Standard okay set of security standards formed

166
00:24:59.880 --> 00:25:09.900
in 2004 by Visa Mastercard Discover Financial Services JCB International and American Express

167
00:25:12.000 --> 00:25:17.820
um the standard is administered by the Payment Card Industry Security Standards Council

168
00:25:18.480 --> 00:25:25.260
and its use is mandated by the different card brands so this is the correct answer

169
00:25:27.000 --> 00:25:35.400
um IEEE Institute of Electrical and Electronics Engineers um that's a professional organization

170
00:25:36.180 --> 00:25:45.060
not the correct answer Statement on Standards for Attestation Engagements is a set of standards

171
00:25:45.060 --> 00:25:50.220
governing service organizations' security practices choice B and that is not correct

172
00:25:51.000 --> 00:25:57.900
and then FIPS is Federal Information Processing Standards uh refers to a series of computer

173
00:25:57.900 --> 00:26:04.440
security standards developed by the federal government United States federal government in

174
00:26:04.440 --> 00:26:10.680
line with the Federal Information Security Management Act and approved by the Secretary of Commerce

175
00:26:11.520 --> 00:26:20.460
so PCI DSS Payment Card Industry Data Security Standard correct answer okay

176
00:26:33.120 --> 00:26:42.600
a company that is located in Paris France is complying with the GDPR when dealing with what

177
00:26:43.980 --> 00:26:48.900
okay take a second look at your choices and make your selections

178
00:26:56.160 --> 00:27:11.040
okay so we have some choices in the chat let's see looks like we have votes for B C and B okay so

179
00:27:11.640 --> 00:27:19.740
vulnerability assessments personal data protection financial services and separating workloads for

180
00:27:19.740 --> 00:27:31.500
performance and load balancing okay this is an example of a more knowledge-based question uh

181
00:27:31.500 --> 00:27:41.940
the um key to this is understanding what GDPR is and that is the General Data Protection Regulation

182
00:27:42.720 --> 00:27:52.560
this GDPR introduces rules for organizations that offer goods and services to people in the

183
00:27:52.560 --> 00:28:06.420
European Union so this is very much involved with personal data protection okay all right so the

184
00:28:07.740 --> 00:28:13.680
again if you if you know that much of it then you would go right to personal data protection

185
00:28:13.680 --> 00:28:22.260
understanding that workloads separating workloads for performance and load balancing balancing load

186
00:28:22.260 --> 00:28:31.080
balancing and vulnerability assessments are you know more technical answers not involved with this

187
00:28:31.080 --> 00:28:38.760
uh financial services personal data protection would be the remaining two but again understanding

188
00:28:38.760 --> 00:28:48.420
a little bit about GDPR would lead you right to the solution of personal data protection okay

189
00:28:59.880 --> 00:29:09.180
okay HIPAA the data privacy framework protects health care data for which of the following

190
00:29:16.380 --> 00:29:27.600
it looks like they're all for answer D all options are correct so protecting personal

191
00:29:27.600 --> 00:29:37.980
health care data for storage reading and data in transit and yes all options are correct

192
00:29:38.700 --> 00:29:47.460
okay so that one's I think fairly easy as well all right let's move on to the next question

193
00:29:53.040 --> 00:30:07.080
as the corporate CISO a new industry security compliance certification you're pursuing requires

194
00:30:07.080 --> 00:30:16.440
that you implement a new corporate security policy regarding smartphone usage for business purposes

195
00:30:16.440 --> 00:30:20.400
before writing the policy what is a good first step

196
00:30:22.440 --> 00:30:26.220
all right take a second look at the choices and make your selection

197
00:30:29.340 --> 00:30:30.000
okay

198
00:30:34.200 --> 00:30:41.400
all right so we've got some responses in the chat see what you're thinking A B A A

199
00:30:43.440 --> 00:30:48.000
okay so it looks like the bulk of the choices in

200
00:30:48.000 --> 00:30:54.480
the chat are voting for get the legal department's opinion first

201
00:30:57.900 --> 00:31:06.240
okay so we can look at answer choice C which states issue compliant smartphones to all

202
00:31:06.240 --> 00:31:12.660
employees and that's definitely putting the cart before the horse so to speak

203
00:31:13.920 --> 00:31:19.740
pass the rough draft of the policy out to the employees no that's obviously wrong

204
00:31:20.940 --> 00:31:30.660
the question states before writing the policy so C and D clearly wrong A and B are the two

205
00:31:31.260 --> 00:31:38.940
that you have to decide between and for the Chief Information Security Officer

206
00:31:39.600 --> 00:31:44.520
you're going to discuss with management and get their sign-off

207
00:31:47.220 --> 00:31:55.680
because you need to have something to show the legal department before you can get their opinion

208
00:31:58.320 --> 00:32:05.220
and yes always important to ensure upper management is on board and aware of policies

209
00:32:05.220 --> 00:32:22.020
prior to creation well said so correct answer is choice B okay all right very good okay

210
00:32:24.360 --> 00:32:25.980
now the next question

211
00:32:30.540 --> 00:32:32.220
next question

212
00:32:36.240 --> 00:32:48.360
yes which of the following is based on STIX and TAXII standards

213
00:32:57.300 --> 00:33:00.540
okay take a look at this and make your selection

214
00:33:07.620 --> 00:33:13.920
okay so as before with at least one other question the one involving GDPR

215
00:33:15.480 --> 00:33:22.620
you need to know um what these two clever acronyms stand for

216
00:33:24.180 --> 00:33:33.480
so STIX Structured Threat Information Expression sticks if you will

217
00:33:35.100 --> 00:33:42.660
TAXII or maybe we will just say taxi Trusted Automated Exchange of Intelligence Information

218
00:33:47.520 --> 00:33:49.020
so what are they involved with

219
00:33:57.720 --> 00:34:00.000
okay so we have a couple of responses

220
00:34:11.760 --> 00:34:22.740
okay so we have three responses in the chat let's see what's on your mind A A and C okay two votes

221
00:34:22.740 --> 00:34:33.180
for A a vote for C all right so the correct answer here is automated indicator sharing okay

222
00:34:34.140 --> 00:34:44.400
and so basically um the structured threat information or STIX defines

223
00:34:45.240 --> 00:34:54.300
the what if you will of a potential threat and TAXII defines how the information is transmitted

224
00:34:55.140 --> 00:35:05.280
and so the point here is to you know make these things easily available

225
00:35:06.060 --> 00:35:14.400
and so this is done because the um outputs are machine-readable automated

226
00:35:15.240 --> 00:35:24.900
and can easily be integrated into systems now when you look at this question and these responses

227
00:35:25.620 --> 00:35:31.620
one of these and I'm talking now about answer choice D vulnerability databases

228
00:35:32.940 --> 00:35:40.020
um hopefully you've seen this enough that an organization

229
00:35:41.220 --> 00:35:47.460
will come to mind fairly quickly when you see that what organization am I talking about

230
00:35:52.740 --> 00:35:59.940
okay so concerning vulnerability databases um I'm talking about the MITRE Corporation

231
00:36:01.620 --> 00:36:09.300
so you've got that yes CVE right Common Vulnerabilities and Exposures and that's MITRE

232
00:36:10.260 --> 00:36:19.740
so knowing that you can eliminate choice D uh pretty quickly that leaves threat maps and file and

233
00:36:19.740 --> 00:36:30.360
code repositories so file and code repositories websites that contain a list of common exploits or

234
00:36:30.360 --> 00:36:38.700
threats against a product okay and they typically publish the source code or compiled files

235
00:36:39.780 --> 00:36:51.000
so again not involved with STIX and TAXII and threat maps are what you can see just by

236
00:36:51.000 --> 00:36:58.560
going in and doing a search for you know real-time attack maps or something of that nature all right

237
00:36:58.560 --> 00:37:07.620
let's see yeah CVE right so automated indicator sharing is the correct answer let's move on

238
00:37:12.240 --> 00:37:18.060
okay this looks like the last question for this section

239
00:37:22.140 --> 00:37:29.820
which of the following statements below is true regarding GDPR okay we're going to revisit this

240
00:37:29.820 --> 00:37:36.960
for a second take a moment read your answer choices carefully and then make your selections

241
00:37:41.940 --> 00:37:46.020
okay we've got several responses in the chat

242
00:37:49.560 --> 00:37:53.340
there's two votes for A E let's see

243
00:37:55.440 --> 00:38:04.320
and a couple more votes for A all right I have a lot of people voting for A it seems okay wow

244
00:38:07.620 --> 00:38:14.400
General Data Protection Regulation is a European Union

245
00:38:16.680 --> 00:38:27.720
deal okay so A is incorrect it applies to EU personnel

246
00:38:30.540 --> 00:38:31.140
okay

247
00:38:33.540 --> 00:38:35.100
so A is not correct

248
00:38:38.220 --> 00:38:41.760
and B is not correct

249
00:38:45.480 --> 00:38:53.580
choice C GDPR applies to EU data subjects but does not apply to

250
00:38:53.580 --> 00:39:00.240
American companies that collect or process the personal data of people in EU countries

251
00:39:02.220 --> 00:39:09.660
this answer as stated is also not correct but if we took out the word not

252
00:39:10.620 --> 00:39:19.080
and we say GDPR applies to EU data subjects and applies to American companies that collect

253
00:39:19.080 --> 00:39:24.360
or process the personal data of people in EU countries that would be a correct statement

254
00:39:25.320 --> 00:39:31.620
but for this question the correct answer GDPR applies to European

255
00:39:31.620 --> 00:39:40.020
Union data subjects but does not apply to American data subjects okay all right

256
00:39:42.720 --> 00:39:51.060
okay so that wraps up this section on security policies and standards part two