Unit 6 - Practice Quiz

Risk identification is the foundational step where potential risks are discovered and documented. The other options are potential outcomes or actions taken in later stages of the process, not the goal of identification itself.

Risk acceptance is a conscious decision to accept the potential loss from a risk. This is often done when the cost of mitigation outweighs the potential loss.

A threat is a potential danger or harmful event. A weakness is a vulnerability. The combination of a threat and a vulnerability creates a risk.

A vulnerability is a weakness that can be exploited by a threat. For example, unpatched software is a vulnerability that can be exploited by a virus (a threat).

Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its strategic objectives before action is deemed necessary to reduce the risk.

An SLA is a formal contract that specifies the performance metrics (like uptime, response time, etc.) that a vendor must meet.

Due diligence is the act of performing reasonable investigation or examination into a potential business partner or investment to understand their security practices and potential risks.

A proper offboarding process is crucial for security. It ensures that when a contract ends, the vendor's access credentials and privileges are immediately and completely removed to prevent unauthorized access.

A security audit is a formal, often compliance-focused, process that compares an organization's security posture to a defined standard (like ISO 27001 or PCI DSS).

A penetration test (or pen test) is an authorized, simulated cyberattack designed to evaluate the security of a system by actively exploiting its vulnerabilities.

An internal assessment is conducted by the organization's own staff, whereas external assessments are performed by outside parties.

Data minimization is a core privacy principle which states that organizations should only collect and process personal data that is adequate, relevant, and necessary for the specified purpose.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are landmark regulations designed to give individuals more control over their personal data.

PII is the standard term for information, such as a name, Social Security number, or email address, that can be used on its own or with other information to identify, contact, or locate a single person.

Data classification assigns a value or sensitivity level to data, which then dictates the security requirements for storing, transmitting, and handling that data.

The 'Public' classification is used for data that has no confidentiality requirements and is intended for public consumption. A press release is a perfect example.

A secret formula is a trade secret and highly sensitive intellectual property. Its disclosure would cause significant harm to the company, so it requires the highest level of security, typically labeled 'Confidential,' 'Restricted,' or 'Top Secret'.

An AUP is a foundational security policy that outlines what employees are and are not allowed to do with company-owned IT assets to prevent misuse and protect the organization.

Separation of duties is a security control that ensures no single individual has complete control over a critical process, thereby reducing the risk of unilateral malicious or accidental actions.

Zero Trust is a modern security framework that assumes no user or device is trusted by default, whether they are inside or outside the corporate network. Every access request must be authenticated and authorized.

The cost of the control (mitigation) is 5,000. In this scenario, it is not cost-effective to implement the control. Therefore, accepting the risk is the most financially sound decision. Transferring or avoiding the risk might be options, but based on the provided financial data, acceptance is the most directly justified response.

A SOC 2 report covers controls related to security, availability, processing integrity, confidentiality, and privacy. A Type 2 report specifically assesses the operational effectiveness of these controls over a period of time (typically 6-12 months), providing a higher level of assurance than a Type 1 report, which only assesses the design of controls at a specific point in time.

A vulnerability scan is an automated process that identifies potential weaknesses in systems and applications by comparing them against a database of known vulnerabilities. It is a non-intrusive process. In contrast, a penetration test is a more active and intrusive process that involves attempting to exploit vulnerabilities to determine the extent of a potential breach.

'Restricted' is typically the highest level of data classification, reserved for the most sensitive data. Patient medical records (Protected Health Information - PHI) fall into this category. The appropriate handling requirement is to apply strong security controls, such as end-to-end encryption and strict access controls like RBAC, to prevent unauthorized disclosure.

Separation of Duties is a foundational security principle that prevents fraud and errors by ensuring that no single individual has control over all aspects of a critical transaction. By separating the ability to create vendors from the ability to approve payments, the company reduces the risk of internal fraud.

Privacy by Design (PbD) is an approach where privacy is embedded into the design and architecture of IT systems and business practices from the outset, rather than being bolted on as an afterthought. The scenario describes proactively building privacy features into the application's core design, which is the essence of PbD.

A risk matrix plots likelihood against impact. A risk with 'High' impact but 'Low' likelihood usually falls into a yellow or orange zone, signifying a moderate level of risk that requires monitoring and a potential response plan. It's not the highest risk (which would be High/High) nor the lowest (Low/Low).

The GDPR's 'Right to Erasure,' also known as the 'Right to be Forgotten' (Article 17), gives individuals the right to have their personal data removed without undue delay under certain circumstances. This is a fundamental right for data subjects under GDPR, and companies that process data of EU citizens must have procedures to fulfill these requests.

A 'Right-to-Audit' clause grants a company the contractual right to assess a vendor's security practices, either directly or through a third party. This is a crucial component of vendor risk management, as it provides a mechanism for ongoing due diligence and ensures the vendor is adhering to the agreed-upon security standards.

Internal audits are conducted by an organization's own employees to provide independent assurance to management and the board of directors. Their primary goal is to evaluate and improve the effectiveness of risk management, control, and governance processes, including checking for compliance with internal policies.

A vulnerability is a weakness or flaw in a system, process, or control that could be exploited by a threat. The 'known software flaw' is the weakness itself. The 'attacker' is the threat agent, and the 'unauthorized access' is the impact. The combination of these elements constitutes the 'risk'.

This policy is known as a mandatory vacation policy. Its primary security purpose is to uncover fraud. An employee engaged in illicit activities often needs to be present every day to manipulate records or cover their tracks. When they are forced to be away and another person takes over their duties, anomalies or fraudulent behavior are more likely to be discovered.

Zero Trust is a security model centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. It operates on the principle of 'never trust, always verify.' This involves verifying every access request as if it originates from an untrusted network, which is a significant shift from the traditional 'castle-and-moat' security model.

Data labels are a form of metadata that classifies the sensitivity of the data. Security systems, especially Data Loss Prevention (DLP) tools, read these labels to enforce policies. For example, a DLP policy might be configured to automatically block any email attachment with the 'Restricted' label from leaving the corporate network, thus preventing data exfiltration.

PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Adherence is not a federal law but is mandated by the major card brands (Visa, MasterCard, etc.). Non-compliance can result in fines and the revocation of the ability to process credit card payments.

In a white-box (or crystal-box) penetration test, the testers are provided with extensive information about the target system. This full knowledge allows them to conduct a much more thorough and deep examination of the system's security, including code analysis and architectural review, which is not possible in black-box (no knowledge) or gray-box (some knowledge) testing.

Risk transfer is the strategy of sharing or shifting the financial burden of a risk to a third party. Purchasing insurance is the classic example of risk transfer. The business is paying a premium to an insurance company, which in turn agrees to cover the financial losses if the specified risk (server failure) occurs.

The most critical security step in vendor offboarding is data disposition. The exit strategy must include a process for securely migrating all data to a new system and then obtaining verifiable proof from the old vendor that all copies of the company's data have been permanently and securely destroyed from their environment. This prevents data remnants from becoming a future security risk.

A Data Protection Officer (DPO) is a senior, independent role responsible for advising on and monitoring compliance with data protection laws like GDPR. Their tasks include informing and advising the company on its obligations, monitoring compliance, conducting data protection impact assessments (DPIAs), and acting as a point of contact for supervisory authorities and data subjects.

A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. The accidental emailing of confidential data to an unauthorized external party fits this definition precisely, regardless of whether the intent was malicious or not.

First, calculate the Single Loss Expectancy (SLE): . The new ALE with the control is . The money saved (or mitigated ALE) is . The Return on Security Investment (ROSI) is calculated as . So, , which is 200%. The hard part of the question is identifying the overlooked factor. A pure quantitative analysis focusing only on ARO reduction misses that a control like DLP could also reduce the impact (SLE) of a successful breach by preventing the exfiltration of the most sensitive data, thus making the actual ROSI even higher.

While all options are valid risks, the most significant and subtle risk in this scenario is a scope mismatch. A SOC 2 Type II report provides assurance about controls, but only for the systems and services in scope for that audit. If your application relies on a new or niche service from the CSP that was not part of their last audit, the report provides no assurance for it. This gap must be addressed contractually, perhaps by requiring the CSP to expand the scope of their next audit or by providing alternative evidence for the out-of-scope controls.

A mature security posture requires taking responsibility for the risk within one's own environment, regardless of the vulnerability's source. Simply blaming the vendor is insufficient. The correct auditor response is to report the risk based on its impact and likelihood (which is now proven to be non-zero) and recommend actionable compensating controls that the client can implement to mitigate the risk until a patch is available. This demonstrates a defense-in-depth approach and proactive risk management, which is the goal of such an assessment.

This question highlights the critical link between internal policy and technical implementation for compliance. The base encryption standard (AES-256) meets the regulatory requirement. However, the company's own data handling policy, which is designed to enforce and potentially exceed that compliance standard, created a more stringent requirement for key management. The compliance failure is not on the cloud provider (who offered the feature) or the encryption standard itself, but on the company for failing to configure the service to meet its own internal policy, which is what auditors would check against.

The key purpose of a mandatory vacation is to break the perpetrator's access to the system, making it impossible for them to continue their malicious activity or cover their tracks. This forces any illicit processes they established to either fail or be discovered by the person covering their duties. However, the discovery itself only happens if another process—in this case, log review and auditing—is actively looking for anomalies. The vacation created the opportunity for discovery, but the log review was the mechanism of discovery. Separation of duties is related but distinct; it's about splitting a task between two people to prevent unilateral fraud, which wasn't the direct discovery method here.

This is a complex, real-world challenge in ZTA implementations. While encrypting all traffic (often called 'encrypt everywhere') is a pillar of Zero Trust, it creates a new problem: it blinds security monitoring tools. If you cannot inspect the content of the traffic, you cannot detect if an already authenticated and authorized workload has been compromised and is now attempting to move laterally or exfiltrate data. This is often referred to as the 'east-west' traffic inspection problem. A mature ZTA governance model must account for how to gain visibility into this encrypted traffic, often through dedicated DPI solutions at segment boundaries, without compromising the principles of Zero Trust.

This is a common and difficult point of confusion regarding HIPAA. The HHS guidance is clear that a ransomware attack that renders ePHI inaccessible is considered a breach. The reasoning is that the attacker's unauthorized access to the system to deploy ransomware constitutes an 'unauthorized acquisition'. Under the Breach Notification Rule, such an event is presumed to be a reportable breach unless the covered entity can demonstrate, through a multi-factor risk assessment, that there was a low probability that the PHI was compromised. Given the severity and duration, it would be extremely difficult to prove a low probability, making notification the required action.

This question requires differentiating between Mitigation, Transference, and Avoidance in a complex scenario. Adding a power supply is Mitigation, but it only addresses one cause of failure and doesn't solve the core risk of a natural disaster. Contracting for a hot site and insurance is Transference (transferring the operational burden and financial risk). However, given the extremely low risk appetite for downtime, the most definitive strategy is Avoidance. Migrating to a geo-redundant cloud infrastructure fundamentally avoids the risk of a single data center being a single point of failure for a natural disaster. It's the most comprehensive solution that aligns with the stated low risk appetite.

This question contrasts third-party assurance with first-party verification. While the right-to-audit clause from Vendor B seems attractive, it presents a major strategic and operational challenge. It makes the company directly responsible for performing the in-depth, continuous security assessments that a SOC 2 audit would normally provide. This is resource-intensive, costly, and may not be as rigorous as an audit by a specialized firm. Vendor A provides standardized, trusted, third-party assurance, which is a more scalable and predictable model for managing vendor risk over the long term, even if it requires careful scope validation.

The core challenge of SOAR is balancing speed with accuracy. Automation acts without human judgment. A well-crafted spear-phishing email from a legitimate but compromised partner account could be misidentified as malicious, triggering the playbook. If this action suspends a key user's account (like the CFO during a financial closing), the automated 'solution' creates a larger business problem than the original threat. Effective SOAR governance requires building in checks and balances, human approval steps for high-impact actions, and robust exception handling to manage the risk of false positives.

CMMC assessments are rigorous and focus not just on the implementation of controls but on the maturity of the processes governing them. The critical failure here is not just the missing MFA (which could potentially be a POAM item), but the fact that the organization's own governance documents (SSP and POAM) are inconsistent with reality. This demonstrates a breakdown in the process of identifying, tracking, and managing security gaps, which is a core tenet of maturity. An auditor would see this as a significant finding, indicating the security program is not operating as described, leading to a likely failure of the assessment.

This question demonstrates that the effectiveness of all other controls hinges on correct data classification. While the other options point to potential weaknesses, the root cause of the failure is the initial misclassification. An employee directory is a prime target for attackers to craft convincing phishing and social engineering attacks. Defining its disclosure impact as 'minimal' is a failure of risk assessment within the classification policy itself. Had the data been correctly classified as 'Confidential', it would have triggered more stringent handling controls, likely prohibiting it from being sent via email to an external partner in the first place.

The key triggers for a mandatory DPIA under GDPR include: processing of special categories of data (like health or genetic data) on a large scale, systematic monitoring of a publicly accessible area, or using new technologies. The hospital scenario ticks multiple boxes definitively: it involves a special category of data (genetic data), on a large scale, and likely involves a new system or technology. The other scenarios are less likely to meet the 'high risk' threshold. Standard analytics are common, limited CCTV monitoring is often considered a legitimate interest with manageable risk, and B2B marketing with public data has a lower impact on the 'rights and freedoms' of individuals compared to the processing of their genetic information.

This is a multi-faceted problem requiring both technical prevention/detection and a strong procedural wrapper. The DLP solution is a direct technical control (preventative and detective) that can alert on or block the exfiltration of data. However, it's not foolproof. The formal, audited offboarding process is the critical procedural control that ensures access is revoked promptly upon departure, limiting the window of opportunity for theft. The exit interview serves as a final reminder of legal obligations under the NDA. This combination is the most comprehensive and directly addresses the threat of a departing employee.

The core weakness of qualitative risk analysis is that it can create false equivalencies. While both risks might be mathematically plotted into a 'Medium' box on a heatmap, they represent fundamentally different business challenges. Risk A is a potential company-ending event that must be addressed with disaster recovery plans, while Risk B might be a routine operational issue. A quantitative analysis, by calculating the Annualized Loss Expectancy (ALE) for both, would assign a dollar value ($) to each. This would almost certainly show a significant difference in their financial impact over time, allowing for much more nuanced and data-driven prioritization of resources.

This scenario tests the understanding of risk treatment and defense-in-depth. The vulnerability on the server still exists, so its potential impact remains critical. The WAF is a compensating control that reduces the likelihood of a successful exploit. It does not eliminate the vulnerability itself. The most accurate risk management approach is to acknowledge the reduction in immediate likelihood but insist on patching the underlying vulnerability. Relying solely on the WAF is risky; a WAF misconfiguration, a new WAF bypass technique, or an internal threat could still exploit the unpatched server.

Under the EU AI Act's proposed text, AI systems that determine access to essential private services like credit are explicitly listed as a 'High-Risk' use case. This classification is the most critical governance factor because it triggers a cascade of demanding obligations. These include pre-market conformity assessments (similar to an audit), ongoing risk management, strict data governance to prevent bias (e.g., using postal codes as a proxy for race), logging, and ensuring effective human oversight is possible. The other options misinterpret the Act's risk categories for this specific, high-stakes application.

This is a highly complex but critical aspect of modern data protection law. The Schrems II ruling established that simply signing SCCs is not enough. The data exporter (the controller) has an active obligation to assess whether the legal framework of the importer's country (e.g., US surveillance laws like FISA 702) would prevent the importer from actually upholding the contractual promises in the SCCs. If a risk is identified in this Transfer Impact Assessment (TIA), the controller must implement 'supplementary measures' (like advanced encryption or technical controls) to protect the data, or else halt the transfer. This shifted the burden of proof squarely onto the companies involved.

While employee error is a factor, the most robust and reliable solution lies in technical enforcement that aligns with the data classification policy. A mature security program does not rely solely on user awareness. The classification tag ('Confidential') should be used to automatically enforce handling rules. In this case, the Data Loss Prevention (DLP) or Cloud Access Security Broker (CASB) integrated with the cloud service should have been configured to recognize the 'Confidential' tag and programmatically block the creation of a public link for that file. This is a technical enforcement of the policy, which is more effective than relying on user behavior alone.

This question addresses the full lifecycle of data in a vendor relationship. A certificate of destruction for primary servers is a good first step, but it's insufficient. Data remanence is a significant risk. Sensitive data often exists in multiple places beyond the live production database. A mature offboarding process requires assurance that the data has been securely and irretrievably purged from all potential locations, including backups (which could otherwise be restored) and non-production environments where it may have been used for testing. Obtaining a detailed attestation covering this full scope is critical for fulfilling your company's data protection obligations.