Chapters 108โ112 Practice Exam
Time remaining
25:00
Part A โ Multiple Choice (Questions 1โ20)
Ch 108 ยท Security Considerations
Question 1 of 20
A financial controller at a 50-person privately held software startup is briefing a new board member. The board member asks: "Are we subject to Sarbanes-Oxley (SOX) Section 404 requirements for our IT controls over financial reporting?" The controller responds: "SOX does not apply to us." Under what condition is this response accurate, and what is the key SOX applicability criterion?
โ
A โ Privately held companies are exempt from SOX. The Sarbanes-Oxley Act was enacted in response to Enron-era public company accounting fraud. Its Section 404 IT control requirements apply exclusively to publicly traded companies โ companies with publicly traded equity or debt securities registered with the SEC. Private companies are entirely exempt. The exam facts: SOX requires CEOs/CFOs to personally attest to the effectiveness of internal controls over financial reporting (executive attestation), mandates 7-year audit record retention, and applies only to publicly traded companies. The controller's response is accurate precisely because the company is private.
Ch 108 ยท Security Considerations
Question 2 of 20
A healthcare organization's records management system is configured to automatically delete patient communications older than 7 years in accordance with the applicable state retention schedule. The organization is named as a defendant in a class-action lawsuit alleging improper PHI disclosure. Legal counsel issues a formal written directive to the IT department citing the pending litigation. What must the IT department do immediately, and what is the specific legal risk of non-compliance?
โ
B โ Suspend all automated deletion immediately. A litigation hold (legal hold) is a formal directive from legal counsel that suspends ALL automated deletion processes for records potentially relevant to the litigation. "Potentially relevant" is interpreted broadly โ far beyond just records about named plaintiffs. The risk of non-compliance is spoliation of evidence: intentional or negligent destruction of material that was under a legal obligation to preserve. Spoliation consequences include adverse inference instructions (the jury is told to assume destroyed records were damaging), case dismissal, or default judgment. The retention schedule โ however well-designed โ must stop for covered records when legal counsel issues a hold directive.
Ch 108 ยท Security Considerations
Question 3 of 20
A EU-regulated company's security operations team receives an alert at 8:00 AM Monday indicating unusual data access patterns. By 2:00 PM Monday the team confirms that personal data of 3,000 EU data subjects was exfiltrated โ the breach itself occurred at 11:00 PM the previous Friday. Under GDPR Article 33, when does the 72-hour notification clock for the supervisory authority begin?
โ
C โ The clock starts at 2:00 PM Monday (moment of confirmed awareness). GDPR Article 33 requires notification to the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become AWARE of it." The operative word is aware โ not when the breach occurred, and not when an ambiguous alert arrived. In this scenario: breach Friday 11 PM โ alert Monday 8 AM โ confirmation Monday 2 PM โ 72-hour clock starts at 2 PM Monday. If the full notification cannot be completed within 72 hours, the initial notification may include what is known with additional information to follow โ but the deadline still runs from the moment of awareness.
Ch 108 ยท Security Considerations
Question 4 of 20
A manufacturing plant's SCADA system manages production line equipment. The security team identifies a critical CVE (CVSS 9.1) in the SCADA software. The vendor releases a patch. The IT security manager wants to deploy the patch immediately given the critical severity. The OT engineer objects, arguing the patch cannot be deployed on an accelerated schedule. Which argument best justifies the OT engineer's position?
โ
D โ OT/ICS availability takes priority; patching has physical consequences. The CIA triad priority order is reversed in OT/ICS/SCADA environments compared to traditional IT: Availability > Integrity > Confidentiality. A SCADA system crash could cause a physical process to fail in an unsafe state โ equipment damage, production shutdown, or worker injury. This is why OT patching cycles are inherently slower: patches must be validated in isolated environments replicating exact hardware/software configurations before production deployment. The known vulnerability risk must be weighed against the operational and safety risk of an untested patch. Air-gapping may reduce (not eliminate) exposure, but the primary argument here is the physical consequence of downtime.
Ch 109 ยท Data Roles
Question 5 of 20
A healthcare organization designates its Chief Medical Officer (CMO) as Data Owner for the patient records system. The CMO has no administrator account, cannot execute database queries, and has never logged into the database management console. The IT department argues the CMO cannot be the Data Owner without system access. Which response correctly evaluates this argument?
โ
A โ Data Owner accountability is organizational, not technical. The Data Owner is typically a senior organizational leader (CMO, CFO, department head) who: (1) determines data sensitivity classification, (2) approves who may access the data, (3) defines data retention and disposal policies, and (4) bears ultimate organizational accountability for data governance decisions. The Data Custodian (technical IT staff) implements those decisions โ configuring RBAC per the owner's approvals, managing encryption, performing backups, running audit logs. The CMO's lack of system access is correct and expected: the CMO decides, the custodian implements. This separation of accountability from technical access is a foundational exam concept.
Ch 109 ยท Data Roles
Question 6 of 20
A company's HR department collects employee payroll data and shares it with a third-party payroll processing company to handle paycheck calculations and direct deposit disbursement. Under GDPR's data role framework, what are the correct role designations and what documentation is required between them?
โ
B โ HR department = Controller; payroll company = Processor. The controller/processor distinction turns entirely on who determines purpose and means: the HR department decides why employee data is collected (payroll administration) and what is done with it โ this is controller status. The payroll company processes data according to the HR department's instructions and for the HR department's purposes โ this is processor status. A Data Processing Agreement (DPA) is mandatory under GDPR Article 28; it specifies what the processor can and cannot do with the data, security requirements, breach notification obligations, and sub-processor rules. The processor cannot use the data for its own independent purposes โ doing so would make it a controller for that additional use.
Ch 109 ยท Data Roles
Question 7 of 20
An organization assigns a senior clinical leader as Data Owner and a database administrator (DBA) team as Data Custodians for a new patient records system. A junior analyst asks: "What specific tasks fall under the Data Custodian role?" Which description correctly defines the Data Custodian's responsibilities?
โ
C โ Data Custodian = operational technical implementation. The Data Custodian (also called Data Steward) is the technical staff who run the system day-to-day: configuring RBAC per the owner's access decisions, managing encryption, performing backups, reviewing audit logs, and operating monitoring and SIEM tools. Key distinction: the Data Owner decides WHO can access data and at what classification; the Custodian configures the system to implement those decisions. The Data Owner bears ultimate organizational accountability; the Custodian bears operational responsibility for technically implementing the owner's policies correctly. Approving access and defining classification are Data Owner functions, not Custodian functions.
Ch 109 ยท Data Roles
Question 8 of 20
A European retail company (Data Controller) stores customer purchase history with a cloud analytics provider (Data Processor) under a valid Data Processing Agreement. The cloud provider suffers a breach exposing 180,000 customer records. The retail company's legal team argues: "The breach occurred entirely at the processor's infrastructure โ our DPA transfers all breach accountability to the processor. The supervisory authority should hold the processor, not us." Which statement correctly evaluates this argument?
โ
D โ A DPA cannot transfer GDPR regulatory accountability. Under GDPR, the Data Controller cannot outsource regulatory accountability to a processor through contract. The DPA creates contractual obligations that may support a civil claim if the processor violated those terms, but the supervisory authority holds the controller primarily accountable for: (1) choosing to work with this processor, (2) conducting adequate due diligence on their security controls, (3) including appropriate technical and organizational requirements in the DPA, and (4) the ongoing processing relationship. A controller cannot shield itself from GDPR enforcement by pointing to the processor's contractual breach. Both parties may face separate, simultaneous enforcement actions arising from the same incident.
Ch 110 ยท Risk Management
Question 9 of 20
A company deploys a new enterprise ERP system. The CISO establishes a dedicated risk assessment team to evaluate the ERP's security controls, data exposure risks, integration points, and access control architecture before go-live. After deployment, the team disbands. Six months later, the CISO does not schedule another ERP-specific assessment. What type of risk assessment was conducted, and why is not scheduling a follow-up consistent with this type?
โ
A โ One-time assessment. A one-time assessment is scoped to a specific, bounded event (an acquisition, a new system deployment, a major infrastructure migration) and is not repeated once that event concludes. The assessment team forms, evaluates, and disbands. There is no expectation of a recurring follow-up โ the same methodology would only be re-applied if the same type of triggering event occurs again (e.g., another major system deployment). This contrasts with recurring assessments (calendar-driven, repeating), ad hoc assessments (triggered by unplanned concerns), and continuous assessments (permanently integrated with no defined end). Not scheduling a follow-up is correct behavior for a one-time assessment.
Ch 110 ยท Risk Management
Question 10 of 20
A healthcare organization's CISO reads a news report that a competitor โ a similarly sized regional health system โ was hit by ransomware through exploitation of a specific EMR vulnerability. The organization runs the same EMR software. The CISO immediately assembles a cross-functional team of security analysts, system administrators, and the EMR vendor's support contact to assess exposure. The team disbands after completing the assessment and implementing mitigations. What type of risk assessment is this, and what three characteristics identify it?
โ
B โ Ad hoc assessment, identified by three markers. An ad hoc assessment is triggered by an unplanned, specific concern โ a competitor breach, a new threat intelligence report, a CEO's concern about a particular risk area. All three markers are present: (1) trigger was unplanned external intelligence, not a calendar date; (2) the team formed specifically for this concern and disbanded after completion; (3) there is no repeat schedule. This distinguishes it from: one-time assessment (triggered by a specific internal event like a deployment), recurring assessment (calendar-driven, repeating), and continuous assessment (permanently integrated into all operations). Ad hoc assessments are reactive; the team dissolves when the specific concern is resolved.
Ch 110 ยท Risk Management
Question 11 of 20
A financial services company conducts risk assessments on a fixed quarterly schedule using the same methodology and scoring framework each time. The CISO presents a chart showing risk scores across eight consecutive quarterly assessments over two years. A board member asks: "What is the primary advantage of this quarterly fixed-calendar approach over conducting assessments only when significant concerns arise?" What is the correct response?
โ
C โ Recurring assessments enable trend analysis. The defining advantage of recurring assessments over ad hoc ones is trend analysis: because the same methodology is applied at consistent calendar intervals, the CISO can compare results across periods and determine whether the risk posture is improving, stable, or deteriorating. An ad hoc assessment produces a point-in-time finding โ valuable but not comparable to prior periods if methodologies differ or timing is irregular. The board chart showing eight quarters of data is only meaningful because the underlying assessments used consistent methodology; without that consistency, the scores cannot be validly compared over time.
Ch 110 ยท Risk Management
Question 12 of 20
An organization's security program includes: (1) Automated vulnerability scans running against all production systems every 4 hours, 24/7. (2) A SIEM aggregating logs from all network devices and servers with real-time correlation rules. (3) Every Change Control Board (CCB) change request includes a mandatory risk impact analysis evaluated by the security team before approval. (4) No defined start or end dates for any of these activities โ all are permanently integrated into operations. What type of risk assessment framework does this describe?
โ
D โ Continuous assessment. Continuous assessment is permanently integrated into all organizational operations with no defined start or end date. The three defining characteristics are all present: (1) time-continuous (4-hour automated scanning), (2) real-time event monitoring (SIEM), and (3) per-change risk analysis (CCB integration โ every change request includes a mandatory risk impact analysis). The critical exam distinction: PCI DSS Requirement 12.3 requires risk assessments at least annually (recurring), but the continuous model goes further by making risk evaluation a component of every operational activity. Continuous assessment is the highest-maturity model and is the only type with no defined start or end.
Ch 111 ยท Risk Analysis
Question 13 of 20
A company's data center contains a production database server valued at $120,000. A flood risk assessment determines that if a flood occurs, it will destroy approximately 25% of the data center's equipment (Exposure Factor = 0.25). What is the Single Loss Expectancy (SLE) for a flood event affecting this server?
โ
A โ SLE = $30,000. The formula: SLE = Asset Value (AV) ร Exposure Factor (EF). Here: $120,000 ร 0.25 = $30,000. The Exposure Factor is the percentage of asset value LOST per incident (not the percentage remaining). EF = 0.25 means 25% of the asset is destroyed; 75% survives. A complete theft scenario would have EF = 1.0 (total loss). A partial damage scenario uses a fraction. Common exam trap: confusing the EF with the surviving fraction โ the EF represents what is lost, not what is preserved. SLE is always AV ร EF.
Ch 111 ยท Risk Analysis
Question 14 of 20
A company experiences an average of 3 server hardware failures per year (Annual Rate of Occurrence = 3). Each server failure has an SLE of $15,000 (including emergency hardware replacement, data recovery labor, and business downtime costs). What is the Annualized Loss Expectancy (ALE), and what security investment decisions does this figure support?
โ
B โ ALE = $45,000. The formula: ALE = Annual Rate of Occurrence (ARO) ร Single Loss Expectancy (SLE). Here: 3 ร $15,000 = $45,000. The ALE represents the expected annual financial cost of a specific risk. It is the foundational figure for security investment justification: any control costing less than $45,000 per year that fully eliminates the risk produces a net positive ROI. Controls that partially reduce occurrence (e.g., reduce from 3 to 1 failure/year) reduce the effective ALE proportionally, and are justified if their annual cost is less than the ALE reduction they produce. This is the quantitative risk analysis framework used to justify security spending to management.
Ch 111 ยท Risk Analysis
Question 15 of 20
A CISO presents the board with a risk matrix: a grid with "Likelihood" on the X-axis (Rare / Unlikely / Possible / Likely / Almost Certain) and "Impact" on the Y-axis (Insignificant / Minor / Moderate / Major / Catastrophic). Each identified risk is plotted as a colored dot โ green in the lower-left, yellow along the middle diagonal, red in the upper-right. What type of risk analysis does this represent, and what is its primary limitation?
โ
C โ Qualitative analysis with financial quantification as its primary limitation. Qualitative risk analysis uses descriptive categories โ adjective labels for likelihood and impact โ and visual tools such as traffic light grids, heat maps, and color-coded risk matrices. It does not produce dollar figures. The primary limitation is that a "Catastrophic" label cannot differentiate between a $50K loss and a $500M loss; two risks in the same red zone cannot be prioritized by financial magnitude. Qualitative analysis is valuable for board-level visibility and executive communication โ it presents complex risk information in an accessible format โ but must be supplemented with quantitative analysis (ALE, SLE) when dollar justification for security investments is required.
Ch 111 ยท Risk Analysis
Question 16 of 20
A company's board-approved risk policy states two things: (1) "The organization's risk appetite for system downtime is 7 hours per quarter." (2) "The acceptable variance above the stated appetite before formal escalation is triggered is 3 hours." Last quarter, a server failure caused 9 hours of downtime. Does the 9-hour incident trigger the mandatory board notification and executive escalation requirement?
โ
D โ 9 hours is within tolerance; no escalation required. Risk appetite is the board-approved policy-level acceptable risk limit โ in this case, 7 hours of quarterly downtime. Risk tolerance is the acceptable variance ABOVE the stated appetite before formal action is triggered โ in this case, 3 additional hours. The tolerance ceiling = appetite + tolerance = 7 + 3 = 10 hours. An incident must exceed the tolerance ceiling (10 hours) to trigger mandatory escalation. At 9 hours, the incident exceeds the stated appetite (7h) but remains within tolerance (10h). This means management should note the breach of appetite and investigate, but board escalation is not yet mandated. If downtime had been 11 hours, escalation would be required.
Ch 112 ยท Risk Management Strategies
Question 17 of 20
A company purchases a $2 million annual cyber insurance policy covering ransomware incidents. Three months later, ransomware encrypts the ERP system. Recovery takes 11 days; the policy pays out $800,000 covering recovery costs and lost revenue. During those 11 days, customer orders cannot be processed, partners miss SLAs, and a major client terminates their contract. Which statement most accurately describes what the insurance policy achieved?
โ
A โ Risk transfer shifts financial consequences; it does not eliminate the threat. Risk transfer (insurance, outsourcing) moves the financial consequences of a risk to another party โ in this case, $800,000 moved from the company's balance sheet to the insurer's. What risk transfer cannot do: prevent the attack from happening, restore the 11 days of lost operations, recover the terminated client contract, or repair SLA damage. The underlying ransomware threat is unchanged by the insurance purchase. This is the critical exam distinction: risk transfer is a financial mechanism, not a security control. Organizations that rely solely on insurance without implementing technical controls are managing financial consequences, not reducing the probability of incidents.
Ch 112 ยท Risk Management Strategies
Question 18 of 20
An industrial manufacturer operates a legacy ICS managing critical production equipment. The ICS vendor went out of business in 2019; no security patches have been released since 2018 and no future patches will ever be provided. The company's security policy requires all systems to receive patches within 30 days of vendor release. The security team must document a formal policy deviation for this system. Which type of deviation is appropriate, and why?
โ
B โ Permanent exemption. The exemption/exception distinction is a critical exam concept: an exemption applies when the policy fundamentally CANNOT apply to the system (no patches exist, legacy system, vendor prohibition, physical constraint) โ it is a permanent deviation with compensating controls documented. An exception applies when the policy CAN eventually apply but has a temporary, resolvable conflict (ERP incompatibility, pending vendor fix) โ it is time-limited and expires when the conflict is resolved. Since this ICS vendor no longer exists and no patches will ever be produced, the policy cannot apply. This is an exemption, not an exception. Compensating controls (network segmentation, enhanced monitoring, physical access control) are mandatory to document alongside the exemption.
Ch 112 ยท Risk Management Strategies
Question 19 of 20
A mobile fitness application collects precise GPS route data. The security team identifies significant regulatory exposure under GDPR and CCPA, reputational risk if the data is breached (location histories can reveal sensitive behavioral patterns), and limited internal resources to secure it adequately. The product team proposes: "We will completely remove all location data collection and storage from the app โ the app will provide fitness tracking without storing GPS routes." What risk management strategy does this represent, and what is its key trade-off?
โ
C โ Risk avoidance. Risk avoidance is the strategy of eliminating the risk entirely by stopping the risk-creating activity. It is the ONLY risk management strategy that fully removes the risk โ not reduces it, not transfers it, but eliminates it. The mechanism: stop collecting GPS data โ no GPS data to breach, no GDPR/CCPA GPS data obligations, no reputational exposure from location history theft. The mandatory trade-off: the organization loses the capability entirely. GPS route tracking cannot be offered to users. This distinguishes avoidance from mitigation (reduces risk while keeping the activity) and transfer (keeps the activity, shifts financial consequences). Avoidance sacrifices capability to achieve zero risk from that activity.
Ch 112 ยท Risk Management Strategies
Question 20 of 20
A company identifies credential theft as the leading attack vector in their threat model. The security team implements: MFA on all corporate accounts (eliminating password-only access), Privileged Access Workstations (PAWs) for all administrator accounts (isolated workstations used exclusively for privileged operations), and a company-wide password manager with breach detection (preventing reuse and detecting compromised credentials). After implementation, the risk of successful credential attacks is substantially reduced. What risk management strategy was applied, and what important limitation remains?
โ
D โ Risk mitigation. Risk mitigation implements controls to reduce the likelihood or impact of a risk โ it is the most common risk management strategy. The key characteristic: the risk is reduced to a more acceptable level but is not fully eliminated. MFA + PAWs + password manager substantially reduce the attack surface for credential theft, but sophisticated adversaries still have attack paths (MFA bypass, hardware supply chain, manager compromise). Avoidance would require ceasing all use of credentials โ impossible for a functioning organization. Mitigation is the correct strategy when the risk cannot be fully avoided but can be meaningfully reduced to within the organization's risk appetite. Residual risk always remains after mitigation.
Part B โ Scenario Questions (unscored โ self-assess)
Ch 108โ109 ยท Scenario
Scenario Question A
A European retail company outsources employee payroll processing to a cloud HR platform under a signed Data Processing Agreement. The HR platform suffers a ransomware attack on Saturday evening that exposes employee personal data โ SSNs, bank accounts, and salary information โ for 3,100 employees. The retail company's security team receives an alert from the provider at 9 AM Monday and confirms the breach at 11 AM Monday. Separately, the retail company is also named as a defendant in litigation from 18 months ago; the company's automated records deletion system is scheduled to purge two years of HR communications this Friday.
Address: (1) When does the GDPR Article 33 72-hour notification clock start, and what must the initial notification contain if investigation is incomplete? (2) Identify the data controller and data processor in this scenario, and explain what documentation governs their relationship. (3) The retail company's legal team argues the DPA transfers all regulatory accountability to the HR platform. Evaluate this argument. (4) What must happen to the scheduled Friday records purge given the pending litigation, and what is the legal risk if the purge proceeds?
Address: (1) When does the GDPR Article 33 72-hour notification clock start, and what must the initial notification contain if investigation is incomplete? (2) Identify the data controller and data processor in this scenario, and explain what documentation governs their relationship. (3) The retail company's legal team argues the DPA transfers all regulatory accountability to the HR platform. Evaluate this argument. (4) What must happen to the scheduled Friday records purge given the pending litigation, and what is the legal risk if the purge proceeds?
1. GDPR Article 33 clock and initial notification:
The 72-hour clock starts at 11 AM Monday โ when the organization confirmed (became aware of) the breach. Not Friday when the breach occurred; not 9 AM when the ambiguous alert arrived. Article 33 says "having become aware" โ awareness means confirmed knowledge, not suspicion.
If the full investigation is incomplete at the 72-hour mark, the initial notification may include what is currently known with a note that further information will follow. The supervisory authority notification must include at minimum: nature of the breach, approximate number of data subjects affected, categories of personal data involved, likely consequences, and measures taken. Missing details can be provided in a phased notification โ but the 72-hour deadline still runs from 11 AM Monday regardless.
2. Data controller vs. data processor:
Retail company = Data Controller: it determines the purpose (payroll administration) and means (how employee data is collected and processed) โ the defining controller criteria.
HR platform = Data Processor: it processes personal data on behalf of and under the instructions of the retail company, for the retail company's purposes, not its own.
Governing documentation: a Data Processing Agreement (DPA) under GDPR Article 28, specifying what the processor can do with the data, security requirements, breach notification obligations to the controller, sub-processor rules, and data return/deletion obligations after the contract ends.
3. DPA accountability transfer argument:
The legal team's argument is incorrect. A DPA creates contractual obligations and may support a civil claim if the processor violated those obligations, but it cannot transfer GDPR regulatory accountability from the controller to the processor. The supervisory authority holds the controller primarily responsible for: choosing this processor, conducting due diligence on their security posture, writing appropriate technical and organizational requirements into the DPA, and the ongoing data processing relationship. Both the retail company and the HR platform may face independent, simultaneous regulatory enforcement actions from the same incident. The DPA does not shield the controller from regulatory scrutiny.
4. Litigation hold and the scheduled purge:
The scheduled Friday purge must be suspended immediately. The pending litigation creates a legal hold obligation: all automated deletion processes for records potentially relevant to the litigation must stop. Legal counsel's involvement in the litigation (from 18 months ago) likely already triggered a litigation hold โ if a formal hold has been issued, the IT department is already obligated to have suspended automated deletions of covered records.
Legal risk of proceeding with the purge: Spoliation of evidence โ the intentional or negligent destruction of material subject to a legal preservation obligation. Court consequences: adverse inference instructions (the jury is instructed to assume the destroyed records contained damaging evidence), case dismissal, default judgment, or monetary sanctions against the company and potentially its counsel. The severity of spoliation sanctions means the cost of the Friday purge vastly exceeds any storage cost savings from the deletion.
The 72-hour clock starts at 11 AM Monday โ when the organization confirmed (became aware of) the breach. Not Friday when the breach occurred; not 9 AM when the ambiguous alert arrived. Article 33 says "having become aware" โ awareness means confirmed knowledge, not suspicion.
If the full investigation is incomplete at the 72-hour mark, the initial notification may include what is currently known with a note that further information will follow. The supervisory authority notification must include at minimum: nature of the breach, approximate number of data subjects affected, categories of personal data involved, likely consequences, and measures taken. Missing details can be provided in a phased notification โ but the 72-hour deadline still runs from 11 AM Monday regardless.
2. Data controller vs. data processor:
Retail company = Data Controller: it determines the purpose (payroll administration) and means (how employee data is collected and processed) โ the defining controller criteria.
HR platform = Data Processor: it processes personal data on behalf of and under the instructions of the retail company, for the retail company's purposes, not its own.
Governing documentation: a Data Processing Agreement (DPA) under GDPR Article 28, specifying what the processor can do with the data, security requirements, breach notification obligations to the controller, sub-processor rules, and data return/deletion obligations after the contract ends.
3. DPA accountability transfer argument:
The legal team's argument is incorrect. A DPA creates contractual obligations and may support a civil claim if the processor violated those obligations, but it cannot transfer GDPR regulatory accountability from the controller to the processor. The supervisory authority holds the controller primarily responsible for: choosing this processor, conducting due diligence on their security posture, writing appropriate technical and organizational requirements into the DPA, and the ongoing data processing relationship. Both the retail company and the HR platform may face independent, simultaneous regulatory enforcement actions from the same incident. The DPA does not shield the controller from regulatory scrutiny.
4. Litigation hold and the scheduled purge:
The scheduled Friday purge must be suspended immediately. The pending litigation creates a legal hold obligation: all automated deletion processes for records potentially relevant to the litigation must stop. Legal counsel's involvement in the litigation (from 18 months ago) likely already triggered a litigation hold โ if a formal hold has been issued, the IT department is already obligated to have suspended automated deletions of covered records.
Legal risk of proceeding with the purge: Spoliation of evidence โ the intentional or negligent destruction of material subject to a legal preservation obligation. Court consequences: adverse inference instructions (the jury is instructed to assume the destroyed records contained damaging evidence), case dismissal, default judgment, or monetary sanctions against the company and potentially its counsel. The severity of spoliation sanctions means the cost of the Friday purge vastly exceeds any storage cost savings from the deletion.
Ch 110โ112 ยท Scenario
Scenario Question B
A technology company's annual risk assessment (conducted every January) identifies two critical findings: (1) A critical vulnerability (CVSS 9.4) in their customer-facing web application has a public exploit available; the vendor will not release a patch for at least 90 days. (2) A legacy billing system deployed in 2007 runs an OS version for which the manufacturer stopped all security updates three years ago; replacing it requires 18 months of regulatory certification. The CISO also proposes integrating automated vulnerability scanning into the Change Control Board so that every proposed infrastructure change receives a real-time risk analysis before CCB approval.
Address: (1) What four risk management strategies are available for the unpatched web application vulnerability (Finding 1)? Evaluate each option's trade-offs. (2) What type of policy deviation (exemption vs. exception) applies to each finding, and why are they different types? (3) What type of risk assessment does the proposed CCB-integrated scanning represent, and how does it differ from the annual January assessment that found these issues? (4) What information must the CISO include in the board risk report regarding these unresolved findings?
Address: (1) What four risk management strategies are available for the unpatched web application vulnerability (Finding 1)? Evaluate each option's trade-offs. (2) What type of policy deviation (exemption vs. exception) applies to each finding, and why are they different types? (3) What type of risk assessment does the proposed CCB-integrated scanning represent, and how does it differ from the annual January assessment that found these issues? (4) What information must the CISO include in the board risk report regarding these unresolved findings?
1. Four risk management strategies for Finding 1 (unpatched web application):
Risk Mitigation: Deploy compensating controls โ WAF rules targeting the specific exploit pattern, enhanced logging and alerting on affected endpoints, network segmentation to limit blast radius, temporary removal of the most vulnerable features. Trade-off: reduces likelihood/impact but does not eliminate risk; attacker creativity may bypass WAF rules; residual risk remains for 90 days until patch available.
Risk Avoidance: Shut down the customer-facing web application entirely until the patch is available. Trade-off: fully eliminates the vulnerability but also eliminates revenue and customer access โ the most protective option is often operationally unacceptable. Only appropriate if the business can tolerate 90 days of no web service.
Risk Transfer: Notify cyber insurance carrier of the active vulnerability; verify policy coverage for exploitation events; engage incident response retainer. Trade-off: shifts financial consequences of a breach but does nothing to prevent exploitation. The underlying vulnerability and all operational disruption from a breach remain.
Risk Acceptance: Formally document the unmitigated vulnerability, acknowledge the risk, and continue operations as-is pending the patch. Trade-off: appropriate only if the organization's risk appetite explicitly permits this level of exposure and leadership understands the specific CVSS 9.4 risk being accepted. Must be a documented, deliberate decision โ not a default due to inaction.
Recommended approach: Mitigation (WAF + segmentation + enhanced monitoring) while the patch cycle runs, combined with documented acceptance of residual risk and insurance notification.
2. Policy deviation types:
Finding 1 (web application, 90-day patch delay) โ Exception: The patch policy CAN eventually apply โ the vendor will release a patch in 90 days. The conflict is temporary and has a defined resolution date. An exception is appropriate: time-limited (90 days), expires when the vendor releases the patch, documents the compensating controls in effect during the window.
Finding 2 (legacy billing system, no OS updates ever) โ Exemption: The patch policy CANNOT apply โ the OS manufacturer will never release updates. The conflict is permanent with no resolution path (replacing the system takes 18 months, and even then, the replacement is a different system). An exemption is appropriate: permanent deviation acknowledging the policy does not apply to this system, with documented compensating controls (network isolation, application whitelisting, enhanced monitoring) and a note that replacement is in progress.
Key distinction: exception = CAN apply, temporarily doesn't; exemption = CANNOT apply, permanently doesn't.
3. CCB-integrated scanning = Continuous assessment:
The proposed CCB-integrated scanning is a continuous assessment component: it is permanently integrated into all operations (every change request), has no defined start or end date, and evaluates risk in real-time at the moment of each proposed change. It is the event-based dimension of continuous assessment โ risk analysis triggered by the operational event of each CCB submission.
The annual January assessment is a recurring assessment: it runs on a fixed calendar schedule (every January), uses a consistent methodology across years to enable trend analysis, and produces a point-in-time snapshot of the risk posture. These two approaches are complementary, not redundant: the recurring assessment provides the longitudinal risk posture view; the continuous CCB integration catches new risks introduced by specific changes between January cycles.
4. Board risk report requirements:
The board risk report must include both findings in full โ specifically as unmitigated or partially mitigated risks:
โข Finding 1: Active CVSS 9.4 vulnerability in production system, public exploit available, 90-day patch timeline; compensating controls in effect; estimated ALE during the 90-day window; recommended board action if risk appetite is exceeded
โข Finding 2: Legacy billing system permanently outside patch policy; exemption documentation status; compensating controls; replacement timeline (18 months); cost and risk of accelerating replacement vs. operating with compensating controls
The board cannot make informed budget and risk appetite decisions without visibility into unresolved risks. Reporting only fully mitigated risks creates a false sense of security posture. The board's risk governance role requires them to understand what risks remain, at what level, and for how long โ so they can decide whether the current risk acceptance posture is consistent with the organization's stated risk appetite.
Risk Mitigation: Deploy compensating controls โ WAF rules targeting the specific exploit pattern, enhanced logging and alerting on affected endpoints, network segmentation to limit blast radius, temporary removal of the most vulnerable features. Trade-off: reduces likelihood/impact but does not eliminate risk; attacker creativity may bypass WAF rules; residual risk remains for 90 days until patch available.
Risk Avoidance: Shut down the customer-facing web application entirely until the patch is available. Trade-off: fully eliminates the vulnerability but also eliminates revenue and customer access โ the most protective option is often operationally unacceptable. Only appropriate if the business can tolerate 90 days of no web service.
Risk Transfer: Notify cyber insurance carrier of the active vulnerability; verify policy coverage for exploitation events; engage incident response retainer. Trade-off: shifts financial consequences of a breach but does nothing to prevent exploitation. The underlying vulnerability and all operational disruption from a breach remain.
Risk Acceptance: Formally document the unmitigated vulnerability, acknowledge the risk, and continue operations as-is pending the patch. Trade-off: appropriate only if the organization's risk appetite explicitly permits this level of exposure and leadership understands the specific CVSS 9.4 risk being accepted. Must be a documented, deliberate decision โ not a default due to inaction.
Recommended approach: Mitigation (WAF + segmentation + enhanced monitoring) while the patch cycle runs, combined with documented acceptance of residual risk and insurance notification.
2. Policy deviation types:
Finding 1 (web application, 90-day patch delay) โ Exception: The patch policy CAN eventually apply โ the vendor will release a patch in 90 days. The conflict is temporary and has a defined resolution date. An exception is appropriate: time-limited (90 days), expires when the vendor releases the patch, documents the compensating controls in effect during the window.
Finding 2 (legacy billing system, no OS updates ever) โ Exemption: The patch policy CANNOT apply โ the OS manufacturer will never release updates. The conflict is permanent with no resolution path (replacing the system takes 18 months, and even then, the replacement is a different system). An exemption is appropriate: permanent deviation acknowledging the policy does not apply to this system, with documented compensating controls (network isolation, application whitelisting, enhanced monitoring) and a note that replacement is in progress.
Key distinction: exception = CAN apply, temporarily doesn't; exemption = CANNOT apply, permanently doesn't.
3. CCB-integrated scanning = Continuous assessment:
The proposed CCB-integrated scanning is a continuous assessment component: it is permanently integrated into all operations (every change request), has no defined start or end date, and evaluates risk in real-time at the moment of each proposed change. It is the event-based dimension of continuous assessment โ risk analysis triggered by the operational event of each CCB submission.
The annual January assessment is a recurring assessment: it runs on a fixed calendar schedule (every January), uses a consistent methodology across years to enable trend analysis, and produces a point-in-time snapshot of the risk posture. These two approaches are complementary, not redundant: the recurring assessment provides the longitudinal risk posture view; the continuous CCB integration catches new risks introduced by specific changes between January cycles.
4. Board risk report requirements:
The board risk report must include both findings in full โ specifically as unmitigated or partially mitigated risks:
โข Finding 1: Active CVSS 9.4 vulnerability in production system, public exploit available, 90-day patch timeline; compensating controls in effect; estimated ALE during the 90-day window; recommended board action if risk appetite is exceeded
โข Finding 2: Legacy billing system permanently outside patch policy; exemption documentation status; compensating controls; replacement timeline (18 months); cost and risk of accelerating replacement vs. operating with compensating controls
The board cannot make informed budget and risk appetite decisions without visibility into unresolved risks. Reporting only fully mitigated risks creates a false sense of security posture. The board's risk governance role requires them to understand what risks remain, at what level, and for how long โ so they can decide whether the current risk acceptance posture is consistent with the organization's stated risk appetite.