Chapter 28 — Self-Check Quiz
Twenty-five questions to test your grasp of the compliance landscape, crosswalking, audits, and the floor-versus-ceiling principle. Several are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for the (ISC)² CISSP — because compliance is heavily tested on both. Answer before opening the key. Mix of multiple choice (MC), true/false with justification (TF), and short answer (SA).
Multiple choice
Q1. [Sec+] Which of the following best describes the relationship between compliance and security?
- A) Compliance and security are the same thing.
- B) Security is a subset of compliance.
- C) Compliance is necessary but not sufficient for security — a floor, not a ceiling.
- D) Compliance is irrelevant to security.

Q2. [Sec+] An organization processes credit-card payments. Which obligation applies by contract with the card brands (not by government law)?
- A) HIPAA
- B) GDPR
- C) PCI-DSS
- D) SOX

Q3. [CISSP] What does ISO/IEC 27001 fundamentally certify?
- A) That every individual control is configured perfectly.
- B) That an Information Security Management System (ISMS) — a managed, risk-driven process — exists and functions.
- C) That the organization has never been breached.
- D) That the organization's software is free of vulnerabilities.

Q4. [Sec+] A SOC 2 Type II report differs from a Type I report in that Type II assesses whether controls:
- A) are designed appropriately at a single point in time.
- B) operated effectively over a period of time (e.g., 6–12 months).
- C) are certified by an accredited body.
- D) comply with EU law.

Q5. [CISSP] The precisely defined boundary of the people, processes, systems, and data to which a compliance obligation applies is called the:
- A) attack surface.
- B) scope.
- C) risk appetite.
- D) control baseline.

Q6. [Sec+] For PCI-DSS, the set of systems that store, process, or transmit cardholder data — plus anything connected to or able to affect them — is the:
- A) DMZ.
- B) Cardholder Data Environment (CDE).
- C) trust boundary.
- D) security perimeter.

Q7. [CISSP] Under the HIPAA Security Rule, an "addressable" implementation specification means the safeguard is:
- A) optional and may be skipped freely.
- B) required to be implemented, or a documented justification provided for an equivalent or for why it is not reasonable and appropriate.
- C) only for organizations over a certain size.
- D) a recommendation with no documentation expectation.

Q8. [Sec+] GDPR generally requires notifying the relevant supervisory authority of a qualifying personal-data breach:
- A) within 24 hours, always.
- B) within 30 days.
- C) without undue delay and, where feasible, within 72 hours.
- D) only if more than one million records are affected.

Q9. [CISSP] The practice of identifying which controls in one framework correspond to controls in another — so one control and one artifact satisfy multiple obligations — is called:
- A) gap assessment.
- B) control mapping (crosswalking).
- C) scoping.
- D) attestation.

Q10. [Sec+] Which pair correctly matches the instrument to what it produces?
- A) ISO/IEC 27001 → a CPA's report; SOC 2 → a certificate.
- B) ISO/IEC 27001 → a certificate (certification); SOC 2 → a CPA's report (attestation).
- C) Both produce government-issued certificates.
- D) Both produce only internal self-assessments.

Q11. [CISSP] In an audit, the records that demonstrate a control exists and operates are called evidence; a single concrete piece (a config export, a log sample, a signed access review) is an:
- A) artifact.
- B) attestation.
- C) finding.
- D) control objective.

Q12. [Sec+] A gap assessment is most accurately described as:
- A) the external auditor's final report.
- B) a self-run comparison of current controls against a framework's requirements, producing a list of shortfalls to remediate before the formal audit.
- C) the difference between two SOC 2 reports.
- D) a penetration test of the in-scope environment.

Q13. [CISSP] Which of these is a structural reason a fully compliant organization can still be insecure?
- A) Frameworks lag the threat — they codify yesterday's consensus while attackers iterate weekly.
- B) Compliance is illegal.
- C) Audits always cover every system in existence.
- D) Certifications never expire.

Q14. [Sec+] The single highest-leverage move to reduce both PCI-DSS audit burden and real attack surface is:
- A) buying a more expensive firewall.
- B) scope reduction — shrinking the CDE through segmentation and not storing card data you don't need.
- C) hiring more auditors.
- D) extending the audit window.

Q15. [CISSP] NIST CSF organizes security outcomes into high-level Functions. In CSF 2.0 these are:
- A) Confidentiality, Integrity, Availability.
- B) Govern, Identify, Protect, Detect, Respond, Recover.
- C) Plan, Do, Check, Act.
- D) People, Process, Technology.
True / False (with justification)
For each, state True or False and justify in one sentence.
Q16. [Sec+] A clean SOC 2 Type II report guarantees the vendor cannot be breached.
Q17. "Addressable" in the HIPAA Security Rule means the same thing as "optional."
Q18. [CISSP] Data and systems that are outside an obligation's scope are exactly where a compliant organization is often least watched, making them attractive to attackers.
Q19. Because two frameworks both require "access control," a single MFA implementation with a single piece of evidence can satisfy that requirement in both — so crosswalking lets you reuse the evidence.
Q20. [Sec+] A control marked "✓" in a crosswalk across five frameworks is proven to be effective against attackers.
Q21. A vulnerability or weakness you find yourself in a gap assessment and a finding the auditor records are functionally identical in their consequences for your audit result.
Short answer
Q22. [CISSP] In two or three sentences, distinguish certification from attestation, and name which of ISO/IEC 27001 and SOC 2 produces each.
Q23. [Sec+] A company is fully PCI-DSS compliant, yet attackers steal a customer-support database containing names and emails but no card data. Explain, using the concept of scope, why PCI-DSS did not "fail" — and which regime(s) are more likely in play.
Q24. Give the two-part claim about compliance ("necessary but not sufficient") and describe the failure mode of an organization that grabs only the first half.
Q25. [CISSP] An auditor asks Meridian to prove it reviews user access quarterly. Name one artifact that would fail this (shows design only) and one that would satisfy it (shows the control operated over time).
Answer Key
**Q1 — C.** Compliance is the floor, not the ceiling: necessary (baselines, budget leverage) but not sufficient (it checks existence, not effectiveness against your actual adversary). *(Theme 5.)*

**Q2 — C.** PCI-DSS is a contractual standard imposed by the card brands. HIPAA and GDPR are laws; SOX governs financial-reporting integrity.

**Q3 — B.** 27001 certifies a functioning ISMS — a managed, risk-driven *process* for selecting, operating, and improving controls — not the perfection of any single control, and certainly not that you'll never be breached.

**Q4 — B.** Type II assesses operating effectiveness over a period (commonly 6–12 months); Type I assesses design at a point in time. Enterprises demand Type II because design without sustained operation proves little.

**Q5 — B.** Scope is the defined boundary of what an obligation covers. (Attack surface is related but is the set of points an attacker could use, not a compliance boundary.)

**Q6 — B.** The Cardholder Data Environment. Note it includes connected/affecting systems, which is why scope reduction (segmentation) is so powerful.

**Q7 — B.** "Addressable" is not optional — you implement it or document a reasoned alternative/justification. This is one of the most commonly misunderstood points in HIPAA.

**Q8 — C.** Without undue delay and, where feasible, within 72 hours. (Frame as operational practice; legal counsel sets the final determination of what qualifies.)

**Q9 — B.** Control mapping / crosswalking. It lets one control and one artifact satisfy many obligations.

**Q10 — B.** 27001 → certificate (certification, a pass/fail credential from an accredited body); SOC 2 → a CPA's report (attestation, a professional opinion the reader judges).

**Q11 — A.** An artifact is a concrete piece of evidence. Auditors credit what you can *show* (artifacts), not what you *say*.

**Q12 — B.** A gap assessment is you auditing yourself first, converting would-be findings into gaps you remediate before the external audit.

**Q13 — A.** Frameworks lag the threat. (Other true structural reasons: checks existence not effectiveness; scope is a seam; point-in-time validation drifts; the map is not the territory.)

**Q14 — B.** Scope reduction. Every system legitimately removed from the CDE is one that can no longer bridge an attacker into cardholder data — a cost saving *and* a security control.

**Q15 — B.** Govern, Identify, Protect, Detect, Respond, Recover. (CIA triad and PDCA are different models; PDCA underpins ISO 27001's improvement cycle.)

**Q16 — False.** A SOC 2 Type II reports on a bounded set of controls operating over a past window; it is real assurance but not a guarantee against novel attacks, scoped-out controls, or post-window regressions.

**Q17 — False.** "Addressable" means implement-or-justify, not skip-freely. (See Q7.)

**Q18 — True.** Out-of-scope data is least monitored; an attacker who understands your scope aims there. Scope is a boundary, and attackers love boundaries.

**Q19 — True.** This is exactly the efficiency crosswalking buys: shared controls produce shared evidence, generated once and filed against many frameworks.

**Q20 — False.** A crosswalk proves the control *exists* across frameworks; it is silent on whether the control is *good*. Five "✓"s can describe phishable MFA an attacker defeats.

**Q21 — False.** They are opposite in consequence: a *gap* is something you found and can remediate on your own timeline before the audit; a *finding* is the auditor's recorded shortfall on your result. The whole audit-readiness strategy is converting findings into gaps by getting there first.

**Q22.** A *certification* (ISO/IEC 27001) is a pass/fail credential issued by an accredited body — you are certified or not. An *attestation* (SOC 2) is an independent professional's report describing what they examined, any exceptions, and their opinion, which the reader evaluates for themselves. 27001 → certification; SOC 2 → attestation.

**Q23.** The support database held no cardholder data, so it was *outside the CDE* and thus outside PCI-DSS scope entirely — PCI-DSS protects only cardholder data within the CDE and was never engaged for this data. The breach is more likely a matter for GDPR (if EU personal data) and state breach-notification laws. This is the floor-vs-ceiling theme: fully PCI-compliant and still breached, because the standard's scope didn't cover the stolen data.

**Q24.** Compliance is *necessary but not sufficient* for security. An organization that grabs only "necessary" becomes compliance-obsessed — it passes every audit and gets breached anyway, mistaking the floor for the ceiling and never building the controls that defeat its actual adversary (the §28.2 war story and the J1 "compliant breach").

**Q25.** *Fails (design only):* the written access-review policy, or a screenshot of the review tool's configuration — proves intent, not operation. *Satisfies (operated over time):* the actual completed quarterly access-review records for the past several quarters, with reviewer names, dates, and decisions — evidence the control ran, which is what a Type II / mature audit demands.

Topics to review by question
- Compliance vs. security / floor-vs-ceiling (Theme 5): Q1, Q13, Q16, Q20, Q24, and the J1 challenge in exercises.md. Re-read §28.6.
- The frameworks and what triggers them: Q2, Q3, Q4, Q7, Q8, Q15. Re-read §28.1–28.3; memorize the comparison table in key-takeaways.md.
- Certification vs. attestation: Q3, Q10, Q22. Re-read §28.2.
- Scope and the CDE: Q5, Q6, Q14, Q18, Q23. Re-read §28.3 and §28.5.
- Crosswalking: Q9, Q19, Q20. Re-read §28.4 and try the Project Checkpoint code by hand.
- Audit, evidence, gap assessment: Q11, Q12, Q21, Q25. Re-read §28.5 and the audit-readiness workflow (Figure 28.3).