Chapter 116 · Quiz

Compliance — Quiz

Ten questions covering regulatory frameworks (SOX, HIPAA, GLBA), HIPAA criminal penalty tiers, real-world compliance consequences, due care vs. due diligence, attestation, and compliance monitoring.

1. A security manager explains that the organization's compliance program requires: monthly patch application to all financial reporting systems, quarterly access reviews for systems storing financial data, and retention of all financial audit logs for 7 years. The organization is a publicly traded US company. Which regulation most directly drives these IT control requirements?
2. A hospital administrator discovers that a medical billing clerk knowingly accessed and sold patient records to an insurance fraud ring. The clerk had full knowledge that selling PHI was illegal. Based on HIPAA criminal penalty tiers, which penalty range applies to this violation?
3. In October 2016, attackers breached a ride-sharing company's systems and exfiltrated data on 25.6 million users. Instead of notifying regulators and affected individuals as required by law, the company's security leadership paid the attackers $100,000 and required them to sign an NDA to keep the breach confidential. The breach was not publicly disclosed until November 2017. What were the compliance consequences of this concealment?
4. A bank's security team conducts quarterly access reviews of internal financial systems, implements and maintains a security awareness training program for employees, and operates a SIEM to continuously monitor for unauthorized access to customer financial data. A separate team evaluates the security practices of the bank's cloud storage vendor, reviews the vendor's SOC 2 report, and conducts an annual vendor security assessment. Which activities represent due care, and which represent due diligence?
5. A healthcare organization's CEO and CFO are required to sign the annual HIPAA compliance report submitted to the board of directors, certifying that the information is accurate and complete to the best of their knowledge. The report states that the organization has implemented all required HIPAA safeguards and has experienced no reportable breaches in the past year. Later, investigators discover three unreported breaches occurred. What is the significance of the executives' signatures?
6. A Chief Compliance Officer (CCO) implements an automated compliance dashboard that continuously monitors patch compliance across 5,000 servers, tracks access review completion status, alerts when security policies are violated, and generates monthly compliance reports for the board. External auditors conduct an annual review of the compliance program. Why is automation essential to this compliance monitoring approach?
Matching: Compliance Concepts

Match each concept (1–4) to its correct description (A–D).

1SOX
2GLBA
3Due Care
4Attestation
AThe 1999 US financial services privacy law requiring financial institutions to explain data-sharing practices and implement security programs to protect customer financial information
BInternal security activities demonstrating responsible management of an organization's own security obligations, such as access reviews, training programs, and security monitoring
CThe 2002 US law triggered by accounting scandals that requires publicly traded companies to implement and report on IT controls over financial reporting; executive signatures create criminal liability for fraudulent certifications
DFormal executive sign-off on compliance documentation certifying its accuracy; creates personal legal accountability for signatories if the certified information is later found to be false