Unit 6 - Practice Quiz

INT242 60 Questions

1 What is the primary goal of the risk identification step in the risk management process?

Explain Risk Management Processes Easy
A. To apply security controls to all systems
B. To purchase insurance for all assets
C. To choose a security software
D. To find, recognize, and describe risks that might affect a project or organization

2 Which of the following describes the risk response strategy of 'risk acceptance'?

Explain Risk Management Processes Easy
A. Buying cybersecurity insurance
B. Implementing a new security control
C. Deciding not to engage in an activity that is considered risky
D. Acknowledging a risk and making no specific effort to control it

3 In cybersecurity, what is a 'threat'?

Risk Management Processes and Concepts Easy
A. A weakness in a system that can be exploited
B. The value of an asset to the organization
C. A security measure put in place to protect a system
D. Any potential for an event that could cause harm to an asset

4 What does a 'vulnerability' represent in the context of risk management?

Risk Management Processes and Concepts Easy
A. A flaw or weakness in a system or process
B. A potential danger that might exploit a weakness
C. The monetary value of a potential loss
D. A policy that prevents security breaches

5 Which term describes an organization's willingness to take on risk to achieve its objectives?

Risk Management Processes and Concepts Easy
A. Risk appetite
B. Risk assessment
C. Risk mitigation
D. Risk register

6 What is the purpose of a Service Level Agreement (SLA) in vendor management?

Vendor Management Concepts Easy
A. To list all employees of the vendor company
B. To define the specific terms and metrics for the service a vendor will provide
C. To act as a purchase order for new equipment
D. To serve as a non-disclosure agreement

7 The process of investigating a third-party vendor's security posture before entering into a contract is known as:

Vendor Management Concepts Easy
A. Onboarding
B. Due diligence
C. Offboarding
D. Incident response

8 Why is it critical to have a vendor offboarding process?

Vendor Management Concepts Easy
A. To ensure all vendor access to company systems and data is revoked
B. To negotiate a lower price for services
C. To hire the vendor's employees
D. To send a thank you note to the vendor

9 What is the primary goal of a security audit?

Audits and Assessments Easy
A. To create a list of all company hardware
B. To measure an organization's practices against a specific set of criteria or standards
C. To find as many vulnerabilities as possible by actively trying to exploit them
D. To train the IT department on new software

10 A penetration test is a type of security assessment where testers...

Audits and Assessments Easy
A. interview employees about security procedures.
B. simulate an attack on a computer system to find vulnerabilities.
C. scan the network for open ports.
D. review security policies for completeness.

11 Which of these would be considered an internal assessment?

Audits and Assessments Easy
A. An assessment conducted by a government regulator
B. An assessment required by a client before signing a contract
C. An assessment performed by the company's own security team
D. An assessment performed by a paid third-party security firm

12 Which of the following is a key principle of data protection?

Summarize Data Protection and Compliance Concepts Easy
A. Data sharing (making all data publicly available)
B. Data maximization (collecting as much data as possible)
C. Data hiding (never telling users what data is collected)
D. Data minimization (collecting only necessary data)

13 What is the main purpose of regulations like GDPR and CCPA?

Summarize Data Protection and Compliance Concepts Easy
A. To ensure fair competition between businesses
B. To regulate financial markets
C. To protect the privacy and rights of individuals regarding their personal data
D. To set standards for manufacturing products

14 Personally Identifiable Information (PII) refers to any data that can be used to...

Summarize Data Protection and Compliance Concepts Easy
A. identify a type of malware.
B. identify a piece of hardware on a network.
C. identify a company's profit margin.
D. identify a specific individual.

15 What is the primary reason for classifying data into categories like 'Public', 'Internal', and 'Confidential'?

Data Classification and Compliance Easy
A. To help with marketing efforts
B. To decide which data to delete first
C. To make the data look more organized
D. To determine the appropriate level of security controls needed to protect it

16 Which data classification level would be appropriate for information intended for public press releases?

Data Classification and Compliance Easy
A. Public
B. Private
C. Top Secret
D. Confidential

17 A company's secret product formula would most likely be classified as:

Data Classification and Compliance Easy
A. Public
B. Confidential or Restricted
C. Internal
D. Unclassified

18 An Acceptable Use Policy (AUP) typically defines:

Personnel Policies Easy
A. The rules for using company computers, networks, and internet access
B. The company's health insurance benefits
C. The procedure for requesting vacation time
D. The salary structure for employees

19 What is the principle of 'separation of duties'?

Personnel Policies Easy
A. Dividing a critical task between two or more individuals to prevent fraud or error
B. Requiring all employees to take mandatory vacations
C. Ensuring that employees from different departments do not interact
D. Assigning all security responsibilities to a single person

20 The 'Zero Trust' security model is based on which core principle?

Recent Trends in Security Governance and Data Protection Easy
A. Trust everyone inside the network by default
B. Never trust, always verify
C. Eliminate the need for passwords
D. Only trust devices that are less than one year old

21 A company calculates the Annualized Loss Expectancy (ALE) for a specific data breach threat to be 8,000 annually. From a purely financial standpoint, which risk response strategy is the most logical choice?

Risk Management Processes and Concepts Medium
A. Transfer the risk by buying cybersecurity insurance.
B. Accept the risk and continue current operations.
C. Mitigate the risk by purchasing the firewall.
D. Avoid the risk by discontinuing the associated business activity.

22 During a due diligence review of a potential SaaS provider, your company's security team requests to see their latest third-party audit report. The provider offers a SOC 2 Type 2 report. What does this specific report signify to your team?

Vendor Management Concepts Medium
A. The provider's security and availability controls were evaluated for operational effectiveness over a specified period.
B. The provider's financial reporting controls are designed properly at a single point in time.
C. The provider has successfully passed a PCI DSS compliance audit for processing credit card data.
D. The provider's security and availability controls were evaluated for design effectiveness at a single point in time.

23 A security analyst is tasked with identifying potential weaknesses in a web application. The goal is to find as many vulnerabilities as possible using automated tools without actively trying to exploit them. Which of the following activities should the analyst perform?

Audits and Assessments Medium
A. A social engineering audit
B. A code review
C. A vulnerability scan
D. A black-box penetration test

24 A hospital's IT department is implementing data loss prevention (DLP) rules. According to its data classification policy, patient medical records are classified as 'Restricted'. Which of the following handling requirements is most appropriate for this data classification level?

Data Classification and Compliance Medium
A. Backed up to unencrypted portable hard drives for offsite storage.
B. Stored on a public-facing web server for easy access by doctors.
C. Encrypted at rest and in transit, with access restricted via role-based access control (RBAC).
D. Allowed to be shared freely on the internal company network.

25 To prevent a single employee from having the ability to both create a fictitious vendor in the payment system and approve invoices for that vendor, which security principle should be implemented?

Personnel Policies Medium
A. Job Rotation
B. Mandatory Vacations
C. Principle of Least Privilege
D. Separation of Duties

26 A company is developing a new mobile application that collects user location data. The development team is building features to minimize data collection, anonymize data where possible, and provide users with clear, granular privacy controls from the very beginning of the design phase. This approach is a core example of:

Recent Trends in Security Governance and Data Protection Medium
A. DevSecOps
B. Zero Trust
C. Defense in Depth
D. Privacy by Design

27 A risk analyst is performing a qualitative risk assessment. The analyst identifies a risk and rates its impact as 'High' and its likelihood as 'Low'. How would this risk typically be represented on a risk matrix?

Risk Management Processes and Concepts Medium
A. In a central area of the matrix indicating moderate overall risk.
B. In a corner of the matrix indicating high overall risk.
C. In a corner of the matrix indicating low overall risk.
D. It cannot be represented without a quantitative dollar value.

28 A European Union citizen contacts a U.S.-based company that has customers in the EU and requests that all of their personal data be permanently deleted from the company's systems. Which specific right under the General Data Protection Regulation (GDPR) are they exercising?

Summarize Data Protection and Compliance Concepts Medium
A. Right of Access
B. Right to Rectification
C. Right to Erasure (Right to be Forgotten)
D. Right to Data Portability

29 A contract with a critical cloud storage vendor is being finalized. Why is it essential for the security team to insist on including a 'Right-to-Audit' clause in the agreement?

Vendor Management Concepts Medium
A. To ensure the vendor provides 24/7 customer support.
B. To allow the company to legally resell the vendor's services.
C. To provide a legal basis for verifying the vendor's security controls and compliance.
D. To guarantee the lowest possible price for the service.

30 An organization's internal audit team conducts an annual review of the IT department's access control procedures. What is the primary purpose of this type of audit?

Audits and Assessments Medium
A. To fulfill a specific request from a law enforcement agency.
B. To provide an independent, external opinion for shareholders and customers.
C. To identify non-compliance with internal policies and opportunities for process improvement.
D. To prepare marketing materials highlighting the company's security posture.

31 An attacker exploits a known software flaw in a company's public-facing web server to gain unauthorized access. In the context of risk assessment, the 'known software flaw' represents a:

Risk Management Processes and Concepts Medium
A. Vulnerability
B. Threat
C. Control
D. Risk

32 A company policy requires all employees in the finance department to take a continuous, uninterrupted five-day vacation each year, during which their access to all systems is temporarily revoked. What is the primary security benefit of this policy?

Personnel Policies Medium
A. It reduces the cost of software licensing for the company.
B. It improves employee morale and prevents burnout.
C. It helps detect and deter fraudulent activities that require ongoing user intervention.
D. It allows for cross-training of other employees.

33 A company is shifting from a traditional network security model, where everything inside the corporate firewall is trusted, to a model that requires strict identity verification for every person and device seeking access to resources, regardless of their location. This strategic shift is known as adopting a:

Recent Trends in Security Governance and Data Protection Medium
A. Defense in Depth strategy
B. Honeypot deployment
C. Zero Trust architecture
D. Bring Your Own Device (BYOD) policy

34 An organization implements data labeling for all its documents and emails. A document containing trade secrets is automatically labeled 'Restricted'. What is the primary function of this label in the context of a Data Loss Prevention (DLP) system?

Data Classification and Compliance Medium
A. To allow anyone in the company to access the document.
B. To act as metadata that the DLP system can use to enforce a policy, such as blocking it from being emailed externally.
C. To inform the reader of the document's author.
D. To increase the file size of the document for archival purposes.

35 An e-commerce company processes, stores, and transmits credit card data for online payments. Which of the following compliance frameworks is mandatory for this company to adhere to?

Summarize Data Protection and Compliance Concepts Medium
A. NIST Cybersecurity Framework (CSF)
B. Health Insurance Portability and Accountability Act (HIPAA)
C. Payment Card Industry Data Security Standard (PCI DSS)
D. ISO/IEC 27001

36 During a penetration test, the testing team is given full access to source code, network diagrams, and other internal documentation before the engagement begins. What type of penetration test is being conducted?

Audits and Assessments Medium
A. Gray-Box Test
B. White-Box Test
C. Red Team Exercise
D. Black-Box Test

37 A small business determines that the impact of a complete server failure is catastrophic, but the cost of building a fully redundant, geographically separate hot site is prohibitively expensive. They decide to purchase business interruption insurance to cover the financial losses that would result from such an outage. This is an example of which risk response strategy?

Risk Management Processes and Concepts Medium
A. Risk Acceptance
B. Risk Mitigation
C. Risk Transfer
D. Risk Avoidance

38 When terminating a contract with a cloud service provider, which of the following is the most critical security concern that must be addressed in the vendor exit strategy?

Vendor Management Concepts Medium
A. Publishing a press release about the change in partnership.
B. Migrating the company's email accounts to a new provider.
C. Receiving a final invoice for all services rendered.
D. Ensuring all company data is securely and verifiably deleted from the vendor's systems.

39 Under GDPR, what is the primary role of a Data Protection Officer (DPO)?

Summarize Data Protection and Compliance Concepts Medium
A. To independently oversee the organization's data protection strategy and ensure compliance.
B. To be the primary point of contact for marketing and sales activities.
C. To act as the lead software developer for security products.
D. To directly manage the IT help desk and user support tickets.

40 An employee mistakenly emails a spreadsheet containing 'Confidential' customer contact information to an external mailing list instead of an internal one. This event is best categorized as a:

Data Classification and Compliance Medium
A. Data Breach
B. Risk Assessment
C. Vulnerability Scan
D. Security Policy

41 A financial services firm calculated the Annualized Loss Expectancy (ALE) for a specific data exfiltration threat to be 40,000 annually. The solution is projected to reduce the ARO to 0.1. What is the Return on Security Investment (ROSI) for this DLP solution, and what critical factor might this calculation be overlooking?

Risk Management Processes and Concepts Hard
A. ROSI is 50%. It overlooks the implementation and training costs associated with the new solution.
B. ROSI is 100%. It overlooks the residual risk that remains even after the control is implemented.
C. ROSI is 150%. It overlooks the possibility that the threat's ARO could increase due to new attack vectors, negating the control's effectiveness.
D. ROSI is 200%. It overlooks the potential for the control to reduce the Single Loss Expectancy (SLE) as well, by limiting the scope of a breach.

42 Your company is engaging a cloud service provider (CSP) to host its new PII-processing application. The contract includes a right-to-audit clause, but the CSP, citing their multi-tenant architecture, will not allow on-site audits. Instead, they provide a recent SOC 2 Type II report and attestations from a reputable third-party auditor. From a risk management perspective, what is the most significant remaining risk that must be addressed through other contractual means?

Vendor Management Concepts Hard
A. The risk that the CSP's employees are not adequately trained on data privacy.
B. The risk of the CSP going out of business, requiring a data migration plan.
C. The risk of the CSP refusing to provide evidence during a future security incident investigation.
D. The risk that the SOC 2 report's scope does not cover the specific services or controls relevant to your application.

43 During a penetration test, an ethical hacker successfully executes a privilege escalation attack by exploiting a zero-day vulnerability in a third-party software component used by the client. The client's vulnerability management team argues that since it's a zero-day, it falls outside the scope of their responsibility. What is the most appropriate and mature response from the security auditor in their final report?

Audits and Assessments Hard
A. Classify the finding as a high-risk vulnerability and recommend immediate implementation of compensating controls, such as application sandboxing or enhanced monitoring, and initiating contact with the vendor.
B. Acknowledge the finding as 'Informational' since no patch is available and the client cannot be held responsible for an unknown vulnerability.
C. Exclude the finding from the final report, as zero-day vulnerabilities are considered outside the scope of a standard penetration test focused on known vulnerabilities.
D. Report the finding as a critical risk but assign responsibility to the third-party vendor, absolving the client of direct remediation actions.

44 A pharmaceutical company classifies its new drug formula data as 'Confidential'. The compliance framework they must adhere to (e.g., HIPAA) requires specific encryption standards for data at rest. Their cloud storage provider uses AES-256 encryption by default for all data. However, the company's data handling policy for 'Confidential' data also mandates strict key management, including customer-managed keys (CMK) and key rotation every 90 days. The storage provider offers this, but it is not enabled by default. In case of a breach, what is the most likely point of compliance failure?

Data Classification and Compliance Hard
A. The company's failure to implement its own policy's key management requirements, even though the provider's base encryption was compliant.
B. The cloud provider's failure to enable customer-managed keys by default for all customers.
C. The choice of AES-256 encryption, as a more advanced algorithm should have been used for such sensitive data.
D. The data classification of 'Confidential' was too low; it should have been 'Restricted' or 'Secret'.

45 A company enforces a mandatory two-week vacation policy for all IT administrators with privileged access. During one administrator's absence, a review of system logs reveals a series of unauthorized, sophisticated configuration changes made over the past six months using that administrator's credentials. The changes were cleverly disguised to look like routine maintenance. This discovery was a direct result of which two security principles working in tandem?

Personnel Policies Hard
A. Least privilege and job rotation.
B. Separation of duties and least privilege.
C. Mandatory vacation and separation of duties.
D. Mandatory vacation and log review/auditing.

46 A company is implementing a Zero Trust Architecture (ZTA). A core tenet of their implementation is micro-segmentation, where workloads can only communicate with other explicitly authorized workloads. During a security review, an engineer points out that all traffic between segments is encrypted with TLS 1.3. However, the security architect flags a significant governance gap. What is the most likely gap the architect has identified?

Recent Trends in Security Governance and Data Protection Hard
A. The use of TLS 1.3, as a newer protocol may have undiscovered vulnerabilities.
B. The failure to also implement a traditional perimeter firewall, as Zero Trust should augment, not replace, perimeter security.
C. The performance overhead caused by encrypting all internal traffic, which could impact application latency.
D. The lack of a deep packet inspection (DPI) capability that can decrypt and inspect the inter-segment traffic for threats, rendering the micro-segmentation less effective for threat detection.

47 A US-based healthcare provider uses a cloud platform to process patient data (ePHI). The provider has a signed Business Associate Agreement (BAA) with the cloud vendor as required by HIPAA. The cloud vendor suffers a ransomware attack, and the provider's ePHI is encrypted and rendered inaccessible for 72 hours. No data is confirmed to have been exfiltrated. According to the HIPAA Breach Notification Rule, what is the provider's primary compliance obligation?

Summarize Data Protection and Compliance Concepts Hard
A. No reporting is required because the data was only encrypted (an availability issue) and not exfiltrated (a confidentiality issue).
B. Report the incident to law enforcement but not to HHS, as it is a criminal matter and not a privacy breach.
C. Only an internal incident report is required, as the BAA shifts the responsibility for external reporting to the cloud vendor.
D. Report the incident as a breach to the Department of Health and Human Services (HHS) and affected individuals, as unauthorized acquisition, access, use, or disclosure is presumed unless a low probability of compromise is demonstrated.

48 A company's risk register contains a high-impact, low-likelihood risk of a catastrophic data center failure due to a natural disaster. The company's risk appetite for operational downtime is extremely low. They have already implemented a robust daily backup solution. Which of the following risk treatment strategies represents the most appropriate next step, and why?

Risk Management Processes and Concepts Hard
A. Risk Mitigation, by adding a secondary, redundant power supply to the existing data center.
B. Risk Acceptance, because the likelihood is very low and the cost of further mitigation is prohibitive.
C. Risk Avoidance, by migrating all critical services out of the data center to a geographically diverse, fully redundant public cloud infrastructure.
D. Risk Transference, by contracting with a cloud provider for a hot-site disaster recovery solution and purchasing business interruption insurance.

49 A company is considering two SaaS vendors for a critical HR function. Vendor A is ISO 27001 certified and has a clean SOC 2 Type II report. Vendor B is not certified but offers a significant price discount and allows full, unrestricted right-to-audit by the company's internal audit team. The company has a mature and highly skilled audit team. From a pure supply chain risk management perspective, which vendor presents a more complex long-term challenge?

Vendor Management Concepts Hard
A. Vendor B, because the burden of continuous assurance shifts from a trusted third-party auditor to the company's own team, creating a significant ongoing operational cost and resource drain that may not be sustainable.
B. Vendor A, because ISO 27001 certification is expensive, and those costs are passed on to the customer, affecting the total cost of ownership.
C. Vendor A, because reliance on third-party certifications can create a false sense of security, and the scope of the audits may not cover the specific controls most critical to the company.
D. Vendor B, because without standard certifications, it will be impossible to prove due diligence to regulators in the event of a breach.

50 A company is using a Security Orchestration, Automation, and Response (SOAR) platform to automate its incident response playbooks. For a phishing incident, the playbook automatically quarantines the email, blocks the sender's domain on the firewall, and suspends the recipient's user account. This process has drastically reduced response times. What is the most significant governance risk introduced by this high level of automation?

Recent Trends in Security Governance and Data Protection Hard
A. The risk of a sophisticated false positive leading to the automatic suspension of a critical executive's account during a business-critical operation, causing significant disruption.
B. The risk that security analysts become de-skilled because they are no longer performing manual incident response tasks.
C. The risk that the SOAR platform is more expensive than manually performing the same tasks.
D. The risk that the automation script contains a vulnerability that could be exploited by an attacker.

51 An organization is preparing for a CMMC (Cybersecurity Maturity Model Certification) Level 2 assessment. Their System Security Plan (SSP) documents all required controls, and their Plan of Action & Milestones (POAM) lists several outstanding items. The auditor discovers that one of the documented controls—multifactor authentication for all remote access—is described in the SSP but has not been fully implemented across all legacy systems. This gap is not listed on the POAM. What is the most likely outcome of the assessment?

Audits and Assessments Hard
A. The auditor will add the item to the POAM on the organization's behalf and allow the assessment to proceed, as the intent to implement was clear from the SSP.
B. The assessment will pass with a conditional certification, requiring the organization to fix the MFA gap within 90 days.
C. The assessment will likely fail because a documented control was found to be not implemented, and this discrepancy was not tracked in the POAM, indicating a failure in the security governance process itself.
D. The assessment will be paused, and the organization will be given a 30-day grace period to implement the control before the final report is issued.

52 A company's data classification policy defines 'Internal' data as 'data not for public release but which would cause minimal business impact if disclosed'. The policy allows for 'Internal' data to be shared with trusted partners via encrypted email. An employee sends a partner a document containing a list of all employee names and their internal-only email addresses, which is classified as 'Internal'. This partner then suffers a breach, and the employee list is posted online. What is the primary failure in the security governance process?

Data Classification and Compliance Hard
A. The partner was not properly vetted and should not have been trusted with any internal data.
B. The employee who sent the email violated policy and requires disciplinary action.
C. The encrypted email control was insufficient; a secure file-sharing portal with access controls should have been used.
D. The data was misclassified. A full employee directory, while internal, represents a significant risk for social engineering and should have been classified at a higher level (e.g., 'Confidential') with stricter handling controls.

53 Under GDPR, a Data Protection Impact Assessment (DPIA) is required for processing that is 'likely to result in a high risk to the rights and freedoms of natural persons.' Which of the following scenarios would most definitively trigger the mandatory requirement for a DPIA?

Summarize Data Protection and Compliance Concepts Hard
A. A small e-commerce website implementing a standard analytics tool to track user browsing habits to recommend products.
B. A marketing department purchasing a publicly available list of business contacts for a B2B marketing campaign.
C. A hospital implementing a new system to process patient genetic data on a large scale for research purposes.
D. A company setting up a new CCTV system to monitor the entrance of its private office building for security purposes.

54 A company is concerned about intellectual property theft by departing employees. They have an Acceptable Use Policy (AUP) and standard non-disclosure agreements (NDAs). Which of the following technical and procedural controls, when combined, provides the most effective preventative and detective capability against this specific threat?

Personnel Policies Hard
A. Using User and Entity Behavior Analytics (UEBA) to monitor for baseline deviations, combined with a two-person integrity rule for accessing the most sensitive data repositories.
B. Implementing a Data Loss Prevention (DLP) solution that flags large data transfers to USB drives, combined with a formal, audited offboarding process that includes a final exit interview and immediate access revocation.
C. Encrypting all company laptops and enforcing a mandatory remote wipe for all departing employees' devices.
D. Requiring all employees to undergo annual security awareness training focused on IP theft and enforcing a strict clean desk policy.

55 When performing a qualitative risk assessment, a security analyst uses a 5x5 matrix of Likelihood and Impact. The analyst identifies two risks: Risk A has a 'Very High' Impact but 'Very Low' Likelihood. Risk B has a 'Moderate' Impact and 'Moderate' Likelihood. Based on the heatmap, both risks fall into a 'Medium' overall risk category. What is the primary limitation of this qualitative model that a quantitative analysis could address?

Risk Management Processes and Concepts Hard
A. The model fails to account for the vastly different financial implications and remediation priorities between a catastrophic, rare event (Risk A) and a more frequent, less damaging event (Risk B), which an ALE calculation would clarify.
B. The 5x5 matrix is not granular enough; a 10x10 matrix would have placed Risk A in a higher category than Risk B.
C. The model does not incorporate the concept of risk velocity (how quickly a risk can manifest), which would show Risk B is a more immediate threat.
D. The model is subjective and relies on the analyst's opinion, whereas a quantitative analysis is purely objective.

56 A company receives the results of an external vulnerability scan, which reports a critical 'Remote Code Execution' vulnerability on a public-facing web server. The system administrator investigates and determines that an upstream Web Application Firewall (WAF) has a specific rule that effectively blocks the exact exploit payload used by the scanner. The administrator argues the risk should be downgraded to 'Low'. What is the most accurate way for the risk manager to treat this situation?

Audits and Assessments Hard
A. Mark the finding as a 'False Positive' because the exploit is not currently possible in the production environment.
B. Accept the administrator's assessment and downgrade the risk to 'Low' since a mitigating control is in place and has been proven effective.
C. Keep the risk rated as 'Critical' because compensating controls like a WAF can be bypassed and should not be considered when rating the underlying vulnerability.
D. Treat the vulnerability's 'Likelihood' as low due to the compensating control (WAF), but keep the 'Impact' as critical. The overall risk is reduced but not eliminated, and the vulnerability should still be patched on the server itself as a defense-in-depth measure.

57 The EU's proposed AI Act classifies AI systems into risk categories (Unacceptable, High, Limited, Minimal). A bank wants to deploy an AI system to automate its loan approval process, which uses applicant data including income, credit history, and postal code. Under the proposed framework, what is the most significant governance obligation the bank would face before deploying this system?

Recent Trends in Security Governance and Data Protection Hard
A. The system would be 'Limited Risk', requiring only that the bank be transparent with customers that they are interacting with an AI.
B. The system would be classified as 'High-Risk', mandating a conformity assessment, rigorous risk management, data governance checks for bias, and human oversight before it can be put into the market.
C. The system would be 'Unacceptable Risk' and banned outright because it uses social scoring.
D. The system would be 'Minimal Risk', as credit scoring is a standard and well-understood practice, freeing the bank from specific AI-related obligations.

58 A data controller in the EU uses a US-based cloud provider (the data processor) to store customer data. Following the invalidation of the Privacy Shield framework, both parties sign Standard Contractual Clauses (SCCs) to legitimize the data transfer. However, the Court of Justice of the European Union (CJEU) in the Schrems II ruling added a critical requirement beyond just signing the SCCs. What is this additional, mandatory step?

Summarize Data Protection and Compliance Concepts Hard
A. The data controller must conduct a case-by-case Transfer Impact Assessment (TIA) to verify that the laws in the recipient country (USA) do not undermine the protections offered by the SCCs, and implement supplementary measures if they do.
B. All data transferred to the US must be encrypted using quantum-resistant algorithms.
C. The data processor in the US must achieve ISO 27701 (Privacy Information Management System) certification.
D. The data controller must notify their local Data Protection Authority (DPA) of every individual data transfer made under the SCCs.

59 A company's data handling policy, derived from its classification scheme, states that any document tagged as 'Confidential' must be encrypted when stored in the cloud. An automated system tags a sales report containing quarterly revenue projections as 'Confidential'. An employee uploads this report to the company-approved cloud storage, which encrypts all data at rest by default. However, the employee also creates a public share link with 'view only' permissions to easily share it with an external partner, which is a feature of the cloud service. This action directly violates the spirit of the classification. What is the primary control failure?

Data Classification and Compliance Hard
A. A failure of security awareness training, as the employee did not understand the implications of creating a public link.
B. A failure in the data classification engine, which should have tagged the document as 'Restricted' instead of 'Confidential'.
C. A failure in the technical configuration of the cloud storage service, which should have had its public sharing feature disabled or restricted for files tagged as 'Confidential'.
D. A failure of the encryption policy, as the data should have been encrypted before upload (client-side encryption) rather than relying on the service's server-side encryption.
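The control failure in option C is the absence of a technical check that ties the sharing feature to the classification tag. The following Python block is an added example, not part of the quiz page or any vendor's product: it encodes a hypothetical data-handling policy (classification tag to allowed sharing scopes and encryption requirement), audits constructed file records against it, and exposes a preventive check that a link-creation hook could call. Class names, the `POLICY` table, scope names and the sample files are all assumptions made for the illustration.

```python
"""Policy-as-code check for a cloud storage share audit (added example).

Demonstrates the control from option C of question 59: a 'Confidential'
file must not carry a public share link, even when the service already
encrypts everything at rest. Policy, scopes and sample records are
constructed for this example and are not from the quiz page.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy derived from the classification scheme: which sharing
# scopes each tag permits and whether encryption at rest is mandatory.
POLICY: Dict[str, dict] = {
    "Public":       {"scopes": {"internal", "external-named", "public-link"}, "encrypt": False},
    "Internal":     {"scopes": {"internal", "external-named"}, "encrypt": False},
    "Confidential": {"scopes": {"internal", "external-named"}, "encrypt": True},
    "Restricted":   {"scopes": {"internal"}, "encrypt": True},
}


@dataclass
class ShareLink:
    scope: str        # "internal", "external-named" or "public-link" (assumed names)
    permission: str   # "view" or "edit"


@dataclass
class CloudFile:
    name: str
    classification: str
    encrypted_at_rest: bool
    links: List[ShareLink] = field(default_factory=list)


def audit(files: List[CloudFile]) -> List[dict]:
    """Detective control: return one violation record per policy breach found."""
    violations = []
    for f in files:
        rule = POLICY.get(f.classification)
        if rule is None:
            violations.append({"file": f.name, "control": "classification",
                               "detail": f"unknown tag {f.classification!r}"})
            continue
        if rule["encrypt"] and not f.encrypted_at_rest:
            violations.append({"file": f.name, "control": "encryption",
                               "detail": "encryption at rest required"})
        for link in f.links:
            # Scope is what matters; a 'view only' public link still discloses
            # the content, so the permission level does not relax the check.
            if link.scope not in rule["scopes"]:
                violations.append({"file": f.name, "control": "sharing",
                                   "detail": f"{link.scope} ({link.permission}) "
                                             f"not allowed for {f.classification}"})
    return violations


def enforce_link_request(classification: str, scope: str) -> bool:
    """Preventive control: decide at link-creation time whether the link may exist."""
    rule = POLICY.get(classification)
    return rule is not None and scope in rule["scopes"]


# Constructed sample: the quiz scenario plus two control cases.
SAMPLE = [
    CloudFile("q3-revenue-projections.xlsx", "Confidential", True,
              [ShareLink("public-link", "view")]),
    CloudFile("all-hands-deck.pptx", "Public", True,
              [ShareLink("public-link", "view")]),
    CloudFile("merger-memo.docx", "Restricted", False,
              [ShareLink("external-named", "view")]),
]

if __name__ == "__main__":
    for v in audit(SAMPLE):
        print(v)
```

Running the audit flags the quarterly report for its public link (the encryption check passes, as in the scenario), leaves the Public deck alone, and reports both an encryption and a sharing breach for the Restricted memo. `enforce_link_request` is the piece that closes the gap in option C: the storage service should consult it before minting the link rather than relying on the audit to find the link afterwards.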

60 Your company is terminating a contract with a SaaS provider who stored and processed sensitive customer PII. The contract includes a 'right to data portability' and a 'data destruction' clause. The vendor provides an export of your data in a proprietary format and a certificate of destruction for the data on their primary servers. What is the most critical security assurance you must seek from the vendor beyond these two items?

Vendor Management Concepts Hard
A. A final, discounted invoice to ensure all financial obligations are met before terminating the relationship.
B. A guarantee that the vendor will not use any aggregated, anonymized data derived from your PII for their own business intelligence purposes.
C. A detailed attestation that all data has also been purged from all secondary storage, including backup tapes, disaster recovery sites, and development/testing environments, and a timeline for their eventual destruction.
D. A copy of the vendor's most recent penetration test report to confirm they had no breaches during the contract period.