Question 1: A hospital discovers that a former employee copied 5,000 patient medical records containing treatment histories and insurance information onto a USB drive before leaving the organization. The records include patient names, social security numbers, and dates of birth. Which data classification best describes this compromised information?
Public
PII
Sensitive
Intellectual property
Question 1 Explanation: Public data can be freely shared and has no protection requirements.
PII (Personally Identifiable Information) includes names, Social Security numbers, and dates of birth, which identify individuals. This is the correct classification for the patient medical records.
Sensitive is a general term; PII is the more specific classification.
Intellectual property refers to trade secrets, not patient records.
Question 2: A tech startup has just suffered a data breach where sensitive customer financial data was stolen. The Chief Executive Officer (CEO) has an immediate concern about the tangible penalties the company will face. What is the CEO primarily concerned with in this situation?
Fines
Reputational damage
Policy updates
Negative reviews
Question 2 Explanation: Fines are the tangible financial penalties that regulators impose for data breaches, which is the CEO's immediate concern. The question asks about "tangible" penalties. Something tangible is clear and definite, such as fines or other financial costs, whereas intangible consequences, such as bad reviews or reputational damage, are harder to measure.
Reputational damage is important but not a tangible penalty.
Policy updates are actions taken after a breach, not immediate penalties.
Negative reviews are possible but not the primary legal penalty.
Question 3: A multi-national corporation stores customer data in the United States, the European Union, and China. They learn that data protection laws differ significantly between these locations. They need to comply with the laws in all locations. What principle describes this legal requirement?
Data classification
Right to be forgotten
Data retention policy
Data sovereignty
Question 3 Explanation: Data classification organizes data by sensitivity level and type of data.
Right to be forgotten is an individual's right to delete personal data under GDPR.
Data retention policy defines how long data is kept before it is disposed of.
Data sovereignty means data is subject to the laws of the country where it is physically stored, requiring compliance with multiple countries' laws.
Question 4: Under GDPR, a European customer contacts a social media company and formally requests that all their personal data, including posts, messages, and profile information, be permanently deleted from the company's systems. Which right is the customer using?
Right to data access
Right to data correction
Right to be forgotten
Right to data portability
Question 4 Explanation: Right to data access allows viewing personal data.
Right to data correction fixes mistakes in data.
Right to be forgotten (or right to deletion) allows individuals to request permanent removal of their personal data under GDPR.
Right to data portability allows individuals to have their data transferred to another company or service.
Question 5: A software development company discovers that several developers have installed unlicensed software downloaded from piracy websites to save costs. What is the PRIMARY risk associated with the use of unlicensed software?
Loss of reputation
Malware and lack of official security updates
Decreased software performance
Worse compatibility with company systems
Question 5 Explanation: Loss of reputation is a secondary concern.
Unlicensed software from piracy websites often contains malware and does not receive official security updates, creating security vulnerabilities. This is the primary security risk of pirated software.
Decreased performance and compatibility issues are not the primary risks.
Question 6: An organization implements a mandatory policy requiring all employees to lock their computer screens when away from their desks, store sensitive documents in locked drawers, and erase whiteboards containing confidential information at the end of each day. Which personnel security control does this policy represent?
Separation of duties
Clean desk policy
Mandatory vacation requirement
Job rotation protocol
Question 6 Explanation: Separation of duties divides responsibilities between people, which is not described in this question.
Clean desk policy requires locking screens, securing documents, and clearing whiteboards to prevent unauthorized access to sensitive information.
Mandatory vacation requires employees to take time off so that fraud and errors can be detected while others cover their duties.
Job rotation moves employees between positions to reduce the risk of corruption or bribery.
Question 7: A bank's security team discovers that a single employee has been both processing expense claims and approving them, allowing them to authorize fraudulent expense payments to their personal bank account. Which control should the bank implement to prevent this type of fraud in the future?
Separation of duties
Security awareness training
Clean desk policy
Phishing simulations
Question 7 Explanation: Separation of duties assigns the processing and approval of a transaction to different people, preventing one person from completing a fraudulent transaction alone.
Security awareness training educates employees about threats.
Clean desk policy secures physical documents and information displayed on screens.
Phishing simulations send test phishing emails to measure whether employees recognize and report them.
Question 8: A company wants to improve employee security behavior and reduce successful phishing attacks. They implement a program where employees receive points and badges for completing security training modules, with a leaderboard showing top performers. Which training technique is being used?
Capture the Flag
Phishing awareness
Phishing campaigns
Gamification
Question 8 Explanation: Capture the Flag is a technical security competition that involves practical exercises.
Phishing awareness is general education about email threats.
Phishing campaigns send test emails to employees.
Gamification uses points, badges, and leaderboards to motivate employees and make security training more engaging.
Question 9: A healthcare organization currently stores patient medical records forever. The company's Data Protection Officer (DPO) is concerned about potential consequences. What is their PRIMARY concern?
Retaining data for longer than necessary can lead to fines and legal penalties
Retaining too much data can increase the scope of a breach
Loss of customer confidence and trust
The company's systems will become too slow because of large amounts of data
Question 9 Explanation: Retaining data longer than legally required can lead to regulatory fines and legal penalties for non-compliance with data protection laws. Data retention is an important factor in the data lifecycle.
While it is true that retaining too much data increases the scope of a breach, it is not the primary concern here: the job title involved is Data Protection Officer, whose primary concern is legal and regulatory compliance.
Customer confidence is important but not the primary concern.
System slowness is a technical issue, not a legal risk.
Question 10: A company is concerned that it is too dependent on a small number of critical employees and wishes to test its resilience to disasters and serious incidents. It proposes a new policy where critical employees take enforced breaks from their current roles while other employees take over their duties and check their work for mistakes and fraud. What is the BEST description of this policy?
Organizational fortitude
Management infrastructure replication
Separation of duties
Mandatory vacation
Question 10 Explanation: Organizational fortitude is not a standard term.
Management infrastructure replication is not a standard security policy.
Separation of duties divides responsibilities but does not involve enforced breaks.
Mandatory vacation requires critical employees to take extended time off while others perform their duties, which helps detect fraud and errors.