Chapter 28 — Exercises

These exercises build the working muscles of a compliance professional: sorting the landscape, crosswalking controls, drawing scope boundaries, assembling evidence, and running gap assessments — all while keeping the floor-versus-ceiling distinction in view. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis/synthesis), ⭐⭐⭐ (open-ended/transfer). Exercises marked with a dagger (†) have full worked solutions in the answer key your instructor holds; attempt them before checking.

A reminder that runs through every exercise: the goal of compliance work is never the clean report. It is a defended organization for which the clean report is a byproduct. When an exercise asks you to "satisfy" a requirement, ask yourself the second question too — would this actually stop the attacker?


Section A — Sorting the landscape (conceptual)

A1. ⭐ For each item, state whether it is voluntary or mandatory, and what triggers the obligation: (a) NIST CSF, (b) PCI-DSS, (c) SOC 2, (d) HIPAA, (e) GDPR, (f) ISO/IEC 27001.

A2. ⭐† Match each obligation to the kind of data or activity that puts an organization in scope: PCI-DSS, HIPAA, GDPR. Then name one organization type that would be subject to all three at once.

A3. ⭐ Classify each as framework, standard, or regulation, and say what "passing" produces: (a) ISO/IEC 27001, (b) HIPAA, (c) PCI-DSS, (d) NIST CSF.

A4. ⭐⭐ A colleague says, "We're ISO 27001 certified, so we don't need SOC 2." In two or three sentences, explain why this reasoning is incomplete — what different question does each instrument answer, and why might a customer still demand the one you don't have?

A5. ⭐⭐† Explain the difference between a certification and an attestation to a non-technical executive in plain language, using ISO/IEC 27001 and SOC 2 as your two examples. Why might an attestation report sometimes be more informative to a reader than a certificate?

A6. ⭐⭐ A startup founder asks, "We're pre-revenue with no customers. Do we have to do any compliance?" Give the technically correct answer, then name the four events, any one of which would by itself create a new obligation overnight.


Section B — Crosswalk these controls

B1. ⭐† Build a crosswalk row for the control "All cardholder data is encrypted in transit using strong TLS." Provide a column for NIST CSF, ISO/IEC 27001, PCI-DSS, and SOC 2, and name the requirement area each one satisfies (describe the area; do not invent exact requirement numbers). Then write the single piece of evidence that would prove this control to all four.

B2. ⭐⭐ Build a crosswalk row for "User access is reviewed and recertified every quarter." Map it to NIST CSF, ISO/IEC 27001, SOC 2, and the GLBA Safeguards Rule. For each cell, name the requirement area. Then describe the artifact that proves the control operated (not merely that it was designed).

B3. ⭐⭐† Here is a partial crosswalk a junior analyst built. Find the two problems with it and explain why each is dangerous.

CONTROL: "MFA is enabled for some applications."
  NIST_CSF:  Protect — Access Control            ✓
  ISO_27001: Access control                      ✓
  PCI_DSS:   Strong authentication into the CDE   ✓
  HIPAA:     Technical safeguards — access        ✓
EVIDENCE: "We sent an email telling everyone to turn on MFA."

B4. ⭐⭐ Two controls both claim to satisfy the PCI-DSS "strong authentication into the CDE" requirement: (a) a six-digit SMS one-time code, and (b) a FIDO2 hardware key. Both might be marked "✓" in a crosswalk. Explain why the crosswalk cannot distinguish them, and which one a defender should prefer and why. Tie your answer to this chapter's theme.

B5. ⭐⭐⭐ Design a crosswalk table (not just one row) of at least five controls across at least three frameworks for a small SaaS company that handles EU personal data and sells to enterprises. Choose controls that genuinely span multiple frameworks. For each row, note one cell where the frameworks' intent differs and explain the difference.

B6. ⭐⭐ Explain why a published, official crosswalk between two frameworks (e.g., a NIST-provided mapping) should be used as a starting point and not the finished answer for your organization. Give a concrete example of a cell where the official mapping might say "✓" but your specific implementation might not actually satisfy both.


Section C — Determine the scope

C1. ⭐† Define scope in the compliance sense in one sentence, then explain why "everything in scope must have evidence, and everything out of scope must be provably out" is the operational core of audit preparation.

C2. ⭐⭐ Meridian's network has these segments: (1) the cardholder data environment (point-of-sale and card-processing systems), (2) the general corporate LAN (email, file shares, HR), (3) a guest WiFi network, (4) a jump host that administrators use to reach the CDE. For a PCI-DSS audit, which segments are in scope for the CDE, and why is the jump host the trickiest call?

C3. ⭐⭐† A company claims its customer-analytics database is "out of scope" for PCI-DSS because it contains no card numbers. During a review you discover the analytics database pulls nightly from the payment system over an open network path, and the payment system trusts it. Is the analytics database actually out of scope? What would you need to change to legitimately put it out of scope?

C4. ⭐⭐ Explain why scope reduction (shrinking the PCI-DSS CDE through segmentation and by not storing card data you don't need) is simultaneously a cost-saving measure and a genuine security control. Give the attacker's-eye view of what scope reduction takes away from them.

C5. ⭐⭐⭐ Draw (in ASCII or describe precisely) a scope boundary for a hypothetical telehealth startup subject to both HIPAA (it handles PHI) and GDPR (it has EU patients). Where do the two scopes overlap, where do they differ, and what single system, if compromised, would breach both at once?

C6. ⭐⭐ A regulator after a breach asks Meridian to prove that a server it claimed was "out of CDE scope" really was isolated. Name three artifacts Meridian would need to defend that claim, and explain why a verbal assurance or an architecture diagram alone is insufficient.


Section D — Prepare audit evidence

D1. ⭐† For each of the following claimed controls, write one artifact that proves the control operated over time (Type II evidence), not merely that it was designed: (a) "We patch critical vulnerabilities within 30 days," (b) "We require MFA for admin access," (c) "We review access quarterly," (d) "We back up the core database nightly."

D2. ⭐⭐ An auditor says, "Show me that you encrypt customer data at rest." A junior analyst replies, "We have a policy that says we do." Explain why this answer earns nothing, and write the two-part artifact (design + operation) that would actually satisfy the auditor.

D3. ⭐⭐† Explain the difference between evidence that a control is designed and evidence that it operated, and why a SOC 2 Type II review demands the latter. For the control "departing employees are deprovisioned within 24 hours," give one example of each kind of evidence.

D4. ⭐⭐ You discover, two weeks before a SOC 2 Type II window closes, that a required control (automated deprovisioning) silently stopped running three months ago. List your options, rank them by integrity, and explain why fabricating or backdating evidence is never one of them — including the practical reason auditors catch it.

D5. ⭐⭐⭐ Design an evidence-collection process for one control that produces audit-ready artifacts continuously rather than scrambling at audit time. Pick a control (e.g., quarterly access review), and specify: what is collected, when, by whom, where it is stored, and how you would demonstrate a year of it to an auditor in five minutes.

D6. ⭐⭐ An auditor asks an open-ended question that, if you answer fully, would reveal a control you are not sure is in scope. Per the chapter's audit habits, how should you respond, and why is "answer the question asked and stop" a defensible practice rather than evasiveness?


Section E — Gap assessment

E1. ⭐† Define gap assessment and explain, in terms of gaps versus findings, why running one on yourself before an external audit is the single highest-leverage audit-preparation activity.

E2. ⭐⭐ Run a mini gap assessment. For each requirement, mark covered, partial, or gap, and justify in a phrase, given this (constructed) state of a small company:
- Requirement: MFA on all remote access. State: MFA on VPN, but the admin web console allows password-only.
- Requirement: Logs retained 12 months. State: Logs retained 90 days.
- Requirement: Quarterly access reviews. State: Reviews done, with signed records for the last 4 quarters.
- Requirement: Encryption of PII at rest. State: Database encrypted; nightly backups written to an unencrypted bucket.

E3. ⭐⭐† For each gap and partial you found in E2, write the remediation item and state where it should flow next (hint: the risk register from Chapter 27). Explain why routing gaps into the risk register — rather than a separate compliance to-do list — is the more mature design.

E4. ⭐⭐ A gap assessment finds that a logging control "exists" (the SIEM is collecting) but does not cover a critical system. The control would pass a naive "do you have logging?" check. Explain how this gap is invisible to a checkbox audit but visible to a real gap assessment, and connect it to the chapter's "checks existence, not effectiveness" point.

E5. ⭐⭐⭐ You are handed a brand-new, never-assessed organization and asked to get it audit-ready for its first SOC 2. Outline your first 90 days as a sequence of the chapter's steps (scope → map requirements → gap assessment → remediate → evidence process), and name the one step most teams skip and regret.


Section F — Write the policy / rule

F1. ⭐⭐† Write a short policy statement (3–5 sentences) for an organization's compliance program that captures the floor-versus-ceiling principle — i.e., a policy that explicitly states compliance is the minimum and that risk-based controls may exceed it. Make it the kind of statement a CISO could put in front of a board.

F2. ⭐⭐ Draft the scope-definition section (one paragraph plus a bullet list) of a PCI-DSS compliance document for Meridian: define the CDE, name what is in and out, and state how the out-of-scope claim is defended (the evidence). Use only documentation-safe specifics.

F3. ⭐⭐ Write a breach-notification procedure snippet (numbered steps) that would satisfy GDPR's expectation of notifying the supervisory authority of a qualifying personal-data breach without undue delay (generally within 72 hours where feasible). Note where the clock starts and what the first three actions are. (Do not state legal advice as fact — frame it as a defensible operational procedure and flag that legal counsel sets the final determination.)


Section G — Find the problem (compliance review)

G1. ⭐⭐† Review this (constructed) compliance claim and find at least three problems:

"We are fully secure because we passed our PCI-DSS assessment in January. Our scope is the payment system. We screenshot our firewall rules each January for the auditor. Our SOC 2 covers Availability only. We store full card numbers for chargeback convenience."

G2. ⭐⭐ A company's compliance dashboard shows "100% of frameworks satisfied — all controls ✓." The same quarter, it suffers a breach of data that lived outside every framework's scope. Write the three-sentence explanation you would give the board about how both statements can be true at once, and what the dashboard should have shown instead.

G3. ⭐⭐⭐ A vendor hands you a clean SOC 2 Type II report to satisfy your vendor-security review. List five questions you would ask about the report itself before treating it as assurance (hint: scope, criteria covered, window, exceptions noted, and what was excluded). Explain why accepting the report at face value is the floor-as-ceiling mistake from the vendor's side.


Section H — Respond to this (tabletop)

H1. ⭐⭐ It is day one of Meridian's PCI-DSS QSA assessment. The QSA's first request is the scope diagram and segmentation evidence. The most recent network diagram is eight months old and a new fintech-integration server was added since. Walk through your first four actions as the GRC lead, in order, and state which action protects Meridian's credibility most.

H2. ⭐⭐⭐ A regulator opens an investigation after a breach of EU customer data. They request: (1) proof of your lawful basis for the processing, (2) your breach-notification timeline, and (3) your "appropriate technical measures." For each, name the artifact you would produce and the single most damaging gap that artifact could reveal. Then state how the chapter's "build for the adversary, not the audit" stance would have changed the outcome.


Section I — Interleaved (mixing prior chapters)

I1. ⭐⭐ (with Ch. 27) A gap assessment surfaces a partially covered requirement. Show how it becomes a risk-register entry: assign an illustrative likelihood and impact (1–5), compute the risk score, choose a risk-treatment option (mitigate/transfer/avoid/accept), and state the residual risk. Why is "accept" a legitimate — but sign-off-requiring — answer for some compliance gaps?

I2. ⭐⭐ (with Ch. 26) A new MFA requirement arrives from PCI-DSS. Place it correctly in Meridian's document hierarchy: which artifact (policy / standard / procedure / guideline) states the requirement, which states the specific technical baseline (e.g., "FIDO2 for admin access"), and which gives the step-by-step enrollment instructions?

I3. ⭐⭐⭐ (with Ch. 27 and Ch. 26) A control appears as "✓" in your crosswalk for five frameworks, but your risk register flags the underlying risk as still HIGH because the control is a phishable push-based MFA. Reconcile the contradiction: how can a control be a compliance success and a security failure simultaneously, and what does this tell you about the relationship between the compliance mapping, the governance hierarchy, and the risk register?


Section J — CTF-style challenge

J1. ⭐⭐⭐ "The compliant breach." You are handed the post-incident facts of a (constructed) company that passed every audit and was breached anyway. The facts:
- Held a valid ISO/IEC 27001 certificate and a clean SOC 2 Type II.
- Was fully PCI-DSS compliant; CDE properly segmented.
- The breach exfiltrated 4 million customer records (names, emails, hashed passwords, support tickets) from a customer-support platform.
- The support platform was explicitly scoped out of PCI-DSS (no card data), and was covered by the SOC 2 "Security" criterion — but the specific API used to exfiltrate had been added after the SOC 2 review window.
- The attacker used a leaked API key found in a public code repository.

Your challenge: produce a one-page root-cause analysis that (a) explains how every audit could be clean while this happened, citing the specific structural reasons from §28.6; (b) identifies which framework should have caught it and why it didn't; and (c) names the three controls — beyond compliance — that would have changed the outcome. This is the capstone of the chapter: if you can write this analysis, you have internalized that compliance is the floor.


Full solutions to the daggered (†) exercises are in the answer key. For the rest, the chapter's worked examples (the crosswalk in §28.4, the audit-readiness workflow in §28.5) are your models — and remember to always ask the second question: not just "does this pass?" but "does this defend?"