Quiz: Security Compliance and Governance
Test your understanding of compliance frameworks, risk management, and regulatory requirements for security testing.
Question 1. PCI DSS is enforced through which mechanism?
A) Federal law (enforced by the Department of Justice)
B) State regulations (enforced by state attorneys general)
C) Contractual obligations through payment card brand relationships with acquiring banks
D) International treaty (enforced by the United Nations)
Question 2. Which HIPAA Security Rule section requires covered entities to conduct a risk analysis of ePHI systems?
A) Section 164.312(a) --- Access Controls
B) Section 164.308(a)(1) --- Security Management Process
C) Section 164.312(e) --- Transmission Security
D) Section 164.310(a) --- Facility Access Controls
Question 3. A SOC 2 Type II report evaluates what?
A) The design of controls at a single point in time
B) The operating effectiveness of controls over a period (typically 12 months)
C) The organization's compliance with all applicable laws
D) The results of a penetration test
Question 4. Under NIST CSF 2.0, which function was newly added that was not present in CSF 1.1?
A) Detect
B) Respond
C) Govern
D) Recover
Question 5. Which CIS Control specifically addresses penetration testing?
A) Control 7
B) Control 13
C) Control 16
D) Control 18
Question 6. In the 2013 Target breach, what was the fundamental lesson about compliance?
A) Compliance certifications guarantee security
B) An organization can be compliant with a standard yet still have exploitable security gaps
C) PCI DSS is an ineffective standard
D) Penetration testing cannot identify real-world attack paths
Question 7. Which regulation requires threat-led penetration testing (TLPT) for significant financial entities in the EU at least every three years?
A) GDPR
B) NIS2
C) PCI DSS
D) DORA
Question 8. Under GDPR Article 32, organizations are required to implement:
A) Annual penetration testing by a CREST-certified firm
B) Appropriate technical and organisational measures, including regular testing of their effectiveness
C) A specific set of security technologies defined by the EU Commission
D) Encryption of all personal data at all times
Question 9. What is the maximum administrative fine under GDPR for serious violations?
A) $1 million
B) 2% of annual global turnover or 10 million euros
C) 4% of annual global turnover or 20 million euros (whichever is higher)
D) 10% of annual global turnover
Question 10. In the three lines of defense model, which line typically commissions penetration tests?
A) First line (business operations)
B) Second line (risk management and compliance)
C) Third line (internal audit)
D) External regulators
Question 11. NY DFS Cybersecurity Regulation (23 NYCRR 500) requires covered financial institutions to perform penetration testing at what frequency?
A) Quarterly
B) Every six months
C) Annually
D) Every two years
Question 12. Which ISO 27001:2022 Annex A control specifically addresses management of technical vulnerabilities?
A) A.5.1 --- Policies for Information Security
B) A.8.8 --- Management of Technical Vulnerabilities
C) A.5.35 --- Independent Review of Information Security
D) A.8.1 --- User Endpoint Devices
Question 13. Under NIS2, a hospital in the EU would most likely be classified as what type of entity?
A) Non-regulated entity
B) Important entity
C) Essential entity
D) Critical entity
Question 14. When penetration testing results indicate that a specific risk cannot be remediated, what is the appropriate governance response?
A) Remove the finding from the report
B) Formally document a risk acceptance decision with appropriate approval and time limitation
C) Conduct additional testing until a different result is achieved
D) Transfer the finding to a different compliance framework
Question 15. DORA's Digital Operational Resilience Testing requirements include which three levels?
A) Basic, intermediate, and advanced
B) Basic testing, advanced testing (TLPT), and third-party testing
C) Vulnerability scanning, penetration testing, and red teaming
D) Internal testing, external testing, and compliance testing
Question 16. What is the primary difference between NIST CSF and CIS Controls in their approach to security?
A) CSF is mandatory while CIS Controls are voluntary
B) CSF provides a strategic framework for risk management while CIS Controls provide a prioritized set of tactical actions
C) CSF focuses only on US government while CIS Controls focus on private sector
D) CSF covers only technical controls while CIS Controls cover administrative and physical
Question 17. A penetration tester conducting an assessment for a GDPR-covered organization is acting in what data protection role?
A) Data controller
B) Data processor
C) Data subject
D) Supervisory authority
Question 18. At which security maturity level would you expect an organization to have continuous testing, red team programs, and metrics-driven security management?
A) Level 2: Managed
B) Level 3: Defined
C) Level 4: Quantitatively Managed / Level 5: Optimizing
D) Level 1: Initial
Answer Key
- Question 1: C) Contractual obligations through payment card brand relationships with acquiring banks. PCI DSS is not a law; it is a contractual requirement imposed by the payment card brands through their relationships with acquiring banks and merchants.
- Question 2: B) Section 164.308(a)(1) --- Security Management Process. This section requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.
- Question 3: B) The operating effectiveness of controls over a period (typically 12 months). SOC 2 Type II evaluates whether controls not only exist (design) but actually work effectively over time.
- Question 4: C) Govern. NIST CSF 2.0 added the Govern function to address organizational cybersecurity strategy, expectations, and policy, expanding from the original five functions.
- Question 5: D) Control 18. CIS Control 18 specifically addresses penetration testing, including establishing a testing program and conducting periodic external and internal tests.
- Question 6: B) An organization can be compliant with a standard yet still have exploitable security gaps. Target passed its PCI DSS assessment but was breached three months later, demonstrating that compliance is a baseline, not a guarantee of security.
- Question 7: D) DORA. The Digital Operational Resilience Act requires significant financial entities to conduct TLPT using the TIBER-EU framework at least every three years.
- Question 8: B) Appropriate technical and organisational measures, including regular testing of their effectiveness. GDPR Article 32 requires a process for regularly testing, assessing, and evaluating security measures, without prescribing specific technologies.
- Question 9: C) 4% of annual global turnover or 20 million euros (whichever is higher). This is the maximum fine for the most serious GDPR violations.
- Question 10: B) Second line (risk management and compliance). The second line of defense, comprising security and risk management functions, typically commissions penetration tests as part of its risk assessment activities.
- Question 11: C) Annually. 23 NYCRR 500 requires annual penetration testing and bi-annual vulnerability assessments for covered financial institutions.
- Question 12: B) A.8.8 --- Management of Technical Vulnerabilities. This control requires organizations to obtain information about technical vulnerabilities, evaluate exposure, and take appropriate measures.
- Question 13: C) Essential entity. Under NIS2, healthcare (including hospitals) is classified under essential entities, which face the stricter requirements.
- Question 14: B) Formally document a risk acceptance decision with appropriate approval and time limitation. Risk acceptance must be documented, approved by appropriate authority, time-limited, and monitored.
- Question 15: B) Basic testing, advanced testing (TLPT), and third-party testing. DORA defines these three levels, with TLPT required for significant entities and basic testing for all.
- Question 16: B) CSF provides a strategic framework for risk management while CIS Controls provide a prioritized set of tactical actions. CSF is a high-level risk management framework; CIS Controls are specific, ordered, implementable actions.
- Question 17: B) Data processor. The penetration testing firm processes personal data on behalf of the client (data controller) and should have a Data Processing Agreement in place.
- Question 18: C) Level 4: Quantitatively Managed / Level 5: Optimizing. These highest maturity levels are characterized by metrics-driven management, continuous testing, and continuous improvement programs.