NIST
HIPAA
PCI-DSS/FERPA
NIST 800-53
Compliance Corner
100

The National Institute of Standards and ...

Technology

100

Is it HIPPA or HIPAA? (2 P's or 2 A's)

HIPAA

100

True or False...FERPA is a law.

True!

100

What is NIST 800-53?

A catalog of cyber security and privacy controls published by NIST.

100

What cyber security concepts are represented in the CIA triad?

Confidentiality, integrity, and availability.

200

What is the type of product that NIST failed to standardize sizing for?

Women's Clothing

200

What does HIPAA stand for?

Health Insurance Portability and Accountability Act

200

True or False...PCI-DSS is a law

False; it is an industry standard maintained by the Payment Card Industry Security Standards Council, not legislation. It is enforced through the card brands' contracts with merchants and service providers rather than by government.

200

There are [x] control families in NIST 800-53.

20 (in Revision 5; Revision 4 had 18)

200

What would we be doing if we adjust and modify controls to meet our organization's specific needs?

Tailoring

300

What is the shape used to represent the functions in the NIST Cyber Security Framework CSF?

A Circle

300

True or False...HIPAA is not a law but it is a guideline created by the Nurses of America Group.

False; it is a federal US law.

300

There are four merchant levels of PCI-DSS compliance. What are those levels based on?

The number of card transactions processed per year.

300

Each control in NIST 800-53 has a unique identifier made up of a two-letter abbreviation and a number (Ex. AC-2).

Where does the abbreviation come from?

It is the abbreviation of the control family the control belongs to (AC = Access Control).

300

What is the process of identifying the relationships between security controls of multiple frameworks?

Mapping

400

The NIST Cyber Security Framework contains [x] functions that all contribute to managing cyber risk.

6 (in CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover)

400

What is the difference between the HIPAA Privacy Rule and the HIPAA Security Rule?

HIPAA Privacy Rule established how PHI can be used/disclosed.

HIPAA Security Rule established how to protect ePHI.

400

True or False...FERPA only applies to digital education records and PII.

False; it applies to education records in any form: digital, verbal, and physical.

400

Every control family has a '-1' control

(Ex. AC-1, CM-1, AT-1).

What do the '-1' controls cover?

The policy and procedures for implementing the rest of that control family.

400

What is the difference between PII and PHI?

Personally Identifiable Information

Protected Health Information

500

In what year was the NIST Cyber Security Framework (CSF) 2.0 launched?

2024

500

HIPAA is purposefully vague because....

All covered entities, regardless of size, must comply with HIPAA. Small medical offices may have different capabilities or needs than a larger hospital system.

500

What does FERPA and PCI-DSS stand for?

Family Educational Rights and Privacy Act

Payment Card Industry - Data Security Standard

500

If you saw a control identifier that looked like

AC-3(2)

Why is there a 2 in parentheses?

The (2) marks a control enhancement: an addition that builds on or strengthens the base control (here AC-3). Enhancements are numbered separately within their base control.
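The identifier rules on this board (two-letter family abbreviation, control number, optional enhancement in parentheses, and "-1" always being the family's policy-and-procedures control) are regular enough to check by machine. The following Python is an added example, not code from the original page or from NIST; the function names, the `ControlId` class and the `SAMPLE_SELECTION` list are constructed for illustration. It parses identifiers such as AC-3(2), validates the family against the 20 families of 800-53 Revision 5, groups a selection by family, and flags enhancements whose base control is missing from the selection, since an enhancement augments its base control rather than replacing it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 20 control families of NIST SP 800-53 Revision 5, keyed by their two-letter identifier.
FAMILIES: Dict[str, str] = {
    "AC": "Access Control",
    "AT": "Awareness and Training",
    "AU": "Audit and Accountability",
    "CA": "Assessment, Authorization, and Monitoring",
    "CM": "Configuration Management",
    "CP": "Contingency Planning",
    "IA": "Identification and Authentication",
    "IR": "Incident Response",
    "MA": "Maintenance",
    "MP": "Media Protection",
    "PE": "Physical and Environmental Protection",
    "PL": "Planning",
    "PM": "Program Management",
    "PS": "Personnel Security",
    "PT": "PII Processing and Transparency",
    "RA": "Risk Assessment",
    "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
    "SR": "Supply Chain Risk Management",
}

# Family abbreviation, dash, control number, optional "(enhancement number)".
_ID_RE = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


@dataclass(frozen=True)
class ControlId:
    family: str
    number: int
    enhancement: Optional[int] = None

    @property
    def base(self) -> str:
        """The base control this identifier belongs to, e.g. AC-3 for AC-3(2)."""
        return f"{self.family}-{self.number}"

    @property
    def is_policy(self) -> bool:
        """XX-1 is always the family's policy-and-procedures control."""
        return self.number == 1 and self.enhancement is None

    @property
    def is_enhancement(self) -> bool:
        return self.enhancement is not None

    def __str__(self) -> str:
        return f"{self.base}({self.enhancement})" if self.is_enhancement else self.base


def parse_control_id(text: str) -> ControlId:
    """Parse 'AC-3(2)' (case- and whitespace-tolerant) into its parts, rejecting unknown families."""
    match = _ID_RE.match(text.strip().upper())
    if not match:
        raise ValueError(f"malformed control identifier: {text!r}")
    family, number, enhancement = match.groups()
    if family not in FAMILIES:
        raise ValueError(f"unknown control family {family!r} in {text!r}")
    return ControlId(family, int(number), int(enhancement) if enhancement else None)


def group_by_family(identifiers: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group identifiers by family into policy controls, other base controls and enhancements."""
    grouped: Dict[str, Dict[str, List[str]]] = {}
    for text in identifiers:
        cid = parse_control_id(text)
        bucket = grouped.setdefault(cid.family, {"policy": [], "base": [], "enhancements": []})
        if cid.is_policy:
            bucket["policy"].append(str(cid))
        elif cid.is_enhancement:
            bucket["enhancements"].append(str(cid))
        else:
            bucket["base"].append(str(cid))
    return grouped


def orphan_enhancements(identifiers: List[str]) -> List[str]:
    """Enhancements whose base control is not in the selection; an enhancement presupposes its base."""
    parsed = [parse_control_id(t) for t in identifiers]
    selected_bases = {str(c) for c in parsed if not c.is_enhancement}
    return [str(c) for c in parsed if c.is_enhancement and c.base not in selected_bases]


# Constructed sample selection (not a real baseline); note the lowercase entry and the
# SI-4(4) enhancement listed without its base control SI-4.
SAMPLE_SELECTION = ["AC-1", "AC-2", "AC-3", "AC-3(2)", "CM-1", "si-4(4)"]

if __name__ == "__main__":
    for family, buckets in group_by_family(SAMPLE_SELECTION).items():
        print(f"{family} ({FAMILIES[family]}): {buckets}")
    print("enhancements missing their base control:", orphan_enhancements(SAMPLE_SELECTION))
```

Run it on your own control list to see, per family, which policy control, base controls and enhancements you have selected; any identifier that is not two letters, a dash and a number (with an optional enhancement) is rejected rather than silently accepted.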

500

How would you explain the concept of mapping through an analogy?

Imagine you and your roommates are planning a big dinner.

Roommate A writes a shopping list: “Buy bread, cheese, lettuce.”

Roommate B writes their own: “Get sandwich fixings.”

Roommate C says: “We need carbohydrates, dairy, and vegetables.”
