The two most commonly tested regulations on Security+ for this domain:
- SOX = Stocks / Securities. Applies to publicly traded companies. Protects financial data integrity. 7-year retention of key records. Section 404 = IT controls audit. If the scenario mentions a public company, financial records, or Wall Street, think SOX.
- HIPAA = Health = Hospitals. Applies to covered entities (providers, health plans, clearinghouses) and their business associates. Protects PHI (patient health information) in storage, transmission, and disclosure. 60-day breach notification. If the scenario mentions patient records, healthcare, medical devices, or doctors, think HIPAA.
Exam trap 1: "SOX requires encryption of all financial data." WRONG. SOX does not specifically mandate encryption; it requires integrity, access controls, and audit logging for financial systems.
Exam trap 2: "HIPAA requires notification within 72 hours." WRONG. GDPR = 72 hours. HIPAA = 60 days. Do not mix them up.
Memory: GDPR = 72 (hours). HIPAA = 60 (days). G comes before H in the alphabet, and 72 hours is shorter than 60 days, so GDPR is stricter/faster.
Legal hold is the most common exam scenario involving data preservation. The setup is always the same: "The company faces a lawsuit / receives notice of litigation / legal counsel issues a preservation order." The question: what must IT do with data deletion?
Answer: Immediately suspend all automated deletion of covered data.
- Email purge schedule: suspended for covered mailboxes
- Log rotation: suspended for covered log sources
- Backup tape expiration: suspended for covered backup sets
- Database archiving: suspended for covered records
Who issues the legal hold? Legal counsel — not IT, not the CISO, not the user. IT implements it; legal counsel directs it.
Legal hold vs. backup: a backup protects against data loss. A legal hold protects against evidence destruction for litigation. They are different purposes. A backup that is overwritten during a litigation hold can constitute spoliation even if the backup policy is normal procedure.
Exam trap: "IT automatically deleted email per the 90-day retention policy during pending litigation." This is spoliation, even if IT did not know about the litigation — which is why prompt and documented legal hold notification to IT is critical.
Industrial control systems (ICS), SCADA, and OT networks prioritize the CIA triad in a different order than typical IT:
- IT systems: Confidentiality > Integrity > Availability
- OT/ICS systems: Availability > Integrity > Confidentiality
Why? A power grid control system going offline causes immediate real-world consequences: blackouts, equipment damage, safety risks. Confidentiality of that control data is secondary to keeping the lights on.
Key OT facts for the exam:
- Air-gapped = physically isolated from internet/IT networks (gold standard OT protection)
- Patching is slower because reboots risk outages (test first, patch carefully)
- Legacy OS is common because system vendors certify specific OS versions
- NERC CIP = regulatory standard for bulk electric system cybersecurity in North America
Exam scenario: "A security team wants to apply monthly patches to SCADA systems." The objection is always about availability risk, not technical impossibility.
Any exam scenario involving cloud data stored in multiple countries is testing jurisdictional conflict knowledge. The key insight: each country's laws apply to data about its residents, and those laws may be incompatible.
Three scenarios to recognize:
- Data sovereignty: country requires data stay within its borders. Cloud must store data in-country or violate local law. Watch for: "stores EU citizen data on US servers" = potential GDPR violation.
- Cross-border transfer: moving data from one country to another requires legal mechanism (GDPR standard contractual clauses). "The company transferred EU customer data to the US affiliate without a data transfer agreement" = GDPR violation.
- Jurisdictional conflict: U.S. subpoena for data stored in EU conflicts with GDPR. No easy answer — this is the recognized challenge, not a solvable exam scenario. The answer the exam wants: "conflict between legal requirements of two jurisdictions."
The global scope exam question answer is almost always about regulatory conflict, cross-border requirements, or data residency — not technical encryption or access control.
Practice Scenarios
A hospital is being acquired by a publicly traded healthcare corporation. The new parent company tells IT that they must immediately comply with both SOX and HIPAA for all systems. The IT director asks: which systems are subject to which regulation, and what are the specific controls required by each?
Analyze which systems fall under SOX, which under HIPAA, and what controls each requires.
Answer: SOX applies to systems that support the parent company's financial reporting as a publicly traded company. These include: financial accounting systems (ERP, general ledger), audit trail systems, financial data warehouses, and change management systems for financial applications. SOX controls: access controls restricting who can modify financial records, audit logging of all access and changes, 7-year retention of financial records, and annual assessment of IT controls over financial reporting. HIPAA applies to all systems that create, receive, maintain, or transmit Protected Health Information. These include: electronic health record (EHR) systems, medical imaging systems, billing systems that contain PHI, and any clinical application handling patient data. HIPAA controls: access controls (unique user IDs, role-based access), audit controls (logging who accessed which patient record), encryption for ePHI at rest and in transit, and business associate agreements with all vendors handling ePHI. Some systems may overlap: a billing system handling both financial data and PHI may be subject to both SOX (financial integrity) and HIPAA (PHI protection) simultaneously.
On Monday morning, legal counsel notifies IT that the company is being sued over a product defect that allegedly caused customer harm three years ago. Legal counsel issues a legal hold covering all product development communications, test results, customer complaints, and related emails from January 2021 to present. IT normally deletes emails after 90 days and rotates server logs monthly.
What must IT do immediately, what is the risk if they fail to act, and how long does the hold last?
Answer: IT must immediately: (1) Identify all mailboxes of employees who worked on the product development team from January 2021 onward and suspend their email deletion. (2) Place litigation holds on the email system to preserve covered mailboxes from normal purge cycles. (3) Preserve all server logs that may contain relevant records from the covered period. (4) Notify covered employees that they must not delete any relevant emails or documents even if their normal practice would be to do so. (5) Document exactly what data sources were preserved, when the hold was implemented, and which data custodians were notified. Risk of failure: routine deletion of emails or logs after the legal hold is issued — even per normal policy — constitutes spoliation. The opposing counsel could argue that deleted data was unfavorable evidence intentionally destroyed, leading to sanctions or adverse inference instructions. The hold duration: until legal counsel formally releases it at case conclusion. IT should not release the hold without explicit written authorization from legal counsel.
A U.S.-based company with European customers wants to move its customer database to a cloud provider that stores data in both U.S. and European data centers. The database contains EU customer names, email addresses, and purchase history. The cloud provider uses shared infrastructure (multi-tenant) and operates under U.S. law. Legal asks IT to identify the compliance risks.
Identify at least four compliance risks and what controls or agreements are required to address each.
Answer: (1) GDPR data transfer restriction: transferring EU personal data to U.S. servers requires a legal mechanism such as Standard Contractual Clauses (SCCs) or reliance on an adequacy decision. Without this, the transfer violates GDPR Article 46. Control: execute SCCs with the cloud provider, or ensure EU customer data stays on EU-based cloud infrastructure only. (2) Data sovereignty: if the cloud provider can replicate EU data to U.S. servers for redundancy, this creates a cross-border transfer without the customer's knowledge. Control: contractually require EU data to remain in EU regions (data residency agreement). (3) U.S. law enforcement access: under the U.S. CLOUD Act, U.S. authorities can subpoena data held by U.S. companies even when stored abroad. This may conflict with GDPR. Control: transparency with customers; legal analysis of applicable treaties. (4) Multi-tenant isolation: shared cloud infrastructure means another tenant's security failure could expose data. Control: require dedicated infrastructure or strong contractual isolation guarantees; review SOC 2 Type II reports. (5) Breach notification: a breach affecting EU customers triggers GDPR 72-hour notification requirements regardless of where the breach occurred. Control: ensure incident response plan covers GDPR notification timelines; include breach notification obligations in the cloud provider contract.