1. A publicly traded company is subject to a security audit that reviews access controls and audit logging for systems that produce financial statements. The auditor cites SOX Section 404 as the authority. What does SOX require of these systems, and which type of organization is NOT subject to SOX requirements?
2. A hospital stores patient medical records on a server that is not encrypted. The server is stolen in a physical break-in. Under HIPAA, what is the hospital's likely obligation, and what would have prevented it?
3. Legal counsel notifies IT that the company is a defendant in a pending lawsuit and issues a directive to preserve all email, documents, and system logs related to a specific project from the past three years. Normal policy deletes email after 90 days and log files after 30 days. What must IT do, and what is this directive called?
4. A European company suffers a ransomware attack at 9 AM on Monday and confirms at 3 PM that personal data of EU residents was exfiltrated. Under GDPR, what is the breach notification deadline to the supervisory authority?
5. A power utility uses SCADA systems to control turbines and distribution switches. The CISO wants to apply monthly OS patches to the SCADA systems on the same schedule as corporate workstations. Why would the operations team likely object?
6. A global cloud provider stores customer data on servers in both the United States and the European Union. A U.S. law enforcement agency issues a subpoena for data stored on EU servers. Meanwhile, GDPR prohibits transferring that data to the U.S. without adequate protections. What type of challenge does this scenario illustrate?
Matching: Security Consideration Concepts
Match each concept (1–4) to its correct description (A–D).
1SOX (Sarbanes-Oxley)
2Legal hold
3HIPAA breach notification
4Air-gapped OT network
APhysically isolated industrial control system network used in utilities and manufacturing, prioritizing availability and limiting external attack surface
B2002 law requiring publicly traded companies to maintain integrity of financial reporting systems with access controls, audit logs, and 7-year retention of financial records
CRequirement to notify affected individuals and HHS within 60 days when protected health information is improperly accessed or disclosed
DLegal counsel directive to suspend normal data deletion schedules and preserve all potentially relevant records for the duration of anticipated or active litigation