Domain 5 – Full Cross-Topic Review: Security Program Management and Oversight
This review integrates:
- Governance Structures and Policies
- Risk Identification and Assessment
- Risk Analysis (qualitative and quantitative)
- Third-Party and Supply Chain Risk Management
- Compliance and Regulatory Requirements
- Audits and Assessments
- Security Awareness and Training Programs
Expect questions that require connecting governance decisions to risk outcomes and compliance obligations.
Question 1
An organization's security policy has not been updated in three years. During that time, the company has migrated to cloud services, adopted remote work, and onboarded 50 new SaaS vendors.
What is the PRIMARY governance concern?
A. The security policy does not reflect the current technology environment, creating gaps between policy and practice
B. The security team needs more staff
C. Cloud services are inherently more secure than on-premises, so policy updates are unnecessary
D. SaaS vendors manage their own security, so the organization has no policy obligations
Answer & reasoning
Correct: A
Governance requires policies that reflect the actual operating environment. A three-year gap during major technology shifts creates situations where operational practices have no policy coverage. Cloud, remote work, and SaaS vendor usage all introduce risks that require explicit policy guidance. The organization retains responsibility for data protection regardless of hosting model.
Question 2
A risk assessment identifies that a critical web application has a 30% probability of being breached within the next year. If breached, the estimated financial impact is $2,000,000.
What is the Annualized Loss Expectancy (ALE)?
A. $2,000,000
B. $600,000
C. $6,000,000
D. $200,000
Answer & reasoning
Correct: B
ALE = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO). SLE = $2,000,000; a 30% probability of a breach within one year gives ARO = 0.30. ALE = $2,000,000 x 0.30 = $600,000. This quantitative value anchors cost-benefit analysis: a control is cost-effective when its annual cost is less than the reduction in ALE it delivers (ALE before the control minus ALE after it). The full $600,000 is the spending ceiling only for a control that eliminates the risk; a control that costs $50,000 but barely lowers the likelihood can still be a poor investment.
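The cost-benefit step is where the arithmetic actually earns its keep, so here it is carried through as an added example (not part of the original question bank). It goes slightly beyond the question: it compares several candidate controls for the Question 2 scenario. The controls, their costs and their effect on SLE and ARO are constructed figures, not data from the page.

```python
"""Quantitative risk analysis: ALE and control cost/benefit.

Added example for this review; not part of the original question bank.
The candidate controls, their costs and their effect on SLE/ARO are
constructed figures for illustration.
"""
from dataclasses import dataclass


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly cost to buy and operate the control
    new_sle: float      # expected loss per incident after the control
    new_aro: float      # expected incidents per year after the control


def annual_benefit(sle: float, aro: float, control: Control) -> float:
    """Reduction in ALE the control delivers: ALE before minus ALE after."""
    return ale(sle, aro) - ale(control.new_sle, control.new_aro)


def net_value(sle: float, aro: float, control: Control) -> float:
    """Benefit minus cost. Only a positive value justifies the spend;
    being cheaper than the current ALE is not enough on its own."""
    return annual_benefit(sle, aro, control) - control.annual_cost


def rank_controls(sle: float, aro: float, controls: list) -> list:
    """Rank candidate controls by net annual value, best first.
    Returns (name, net value rounded to cents) pairs."""
    ranked = sorted(controls, key=lambda c: net_value(sle, aro, c), reverse=True)
    return [(c.name, round(net_value(sle, aro, c), 2)) for c in ranked]


# Scenario from Question 2.
SLE = 2_000_000.0
ARO = 0.30

# Constructed candidates (assumptions, not data from the page).
CANDIDATES = [
    # Cuts likelihood of a successful breach from 30% to 10%.
    Control("web application firewall", annual_cost=150_000, new_sle=SLE, new_aro=0.10),
    # Cheaper than the ALE, but barely moves the likelihood: 30% -> 28%.
    Control("quarterly scan subscription", annual_cost=50_000, new_sle=SLE, new_aro=0.28),
    # Reduces impact by holding less data; likelihood unchanged.
    Control("data minimization", annual_cost=100_000, new_sle=500_000, new_aro=ARO),
]

if __name__ == "__main__":
    print(f"Current ALE: ${ale(SLE, ARO):,.0f}")
    for name, value in rank_controls(SLE, ARO, CANDIDATES):
        print(f"{name:30s} net annual value ${value:,.0f}")
```

The scan subscription is the point of the exercise: it costs far less than the $600,000 ALE, yet its net value is negative because it only buys a $40,000 reduction in expected loss. Ranking by net value rather than by cost alone is what the board-level business case should be built on.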
Question 3
A vendor provides a SOC 2 Type I report to demonstrate its security posture. The organization's compliance team requests a SOC 2 Type II report instead.
Why is Type II preferred?
A. Type II is less expensive to produce
B. Type I does not address security controls
C. Type II evaluates the design AND operating effectiveness of controls over a period of time, not just at a point in time
D. Type II is only required for government contractors
Answer & reasoning
Correct: C
SOC 2 Type I reports on whether controls are suitably designed and implemented as of a specific date. SOC 2 Type II additionally tests whether those controls operated effectively throughout a review period (commonly 6 to 12 months). Type II provides stronger assurance because it demonstrates controls actually function over time, not just that they are designed properly on paper. Either way, read the report rather than just the cover page: check the scope, the period, any exceptions noted by the auditor, and the vendor's management response.
Question 4
A company's security awareness program consists of a single annual training video. Phishing simulation results show a 35% click rate with no improvement year-over-year.
What should be changed?
A. Implement continuous, role-based training with frequent phishing simulations, immediate feedback, and metrics-driven improvement
B. Increase the length of the annual training video
C. Replace video training with a written policy document
D. Eliminate the awareness program since it is not reducing click rates
Answer & reasoning
Correct: A
Annual-only training produces compliance but not behavioral change. Effective awareness programs use continuous reinforcement (monthly or quarterly), role-based content (finance gets BEC scenarios, developers get secure coding), frequent simulations with immediate feedback, and metrics to track improvement. A single annual event does not create lasting behavioral change.
Question 5
An organization identifies a risk and decides to purchase cyber insurance to address the potential financial impact.
What risk treatment strategy is being applied?
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance
Answer & reasoning
Correct: C
Cyber insurance transfers part of the financial impact of a risk to a third party (the insurer). The risk itself still exists, and policy limits, deductibles, and exclusions leave some residual financial exposure with the organization. Risk avoidance eliminates the activity, mitigation reduces likelihood or impact through controls, and acceptance is a documented decision to tolerate the risk without further controls. Transference is appropriate when the residual financial risk exceeds the organization's tolerance. Note that insurance transfers cost, not accountability: regulatory and contractual obligations remain with the organization (compare Question 6).
Question 6
A third-party vendor that processes customer PII suffers a data breach. The organization's customers demand accountability.
Who bears ultimate responsibility for protecting the customer data?
A. The vendor, because they were processing the data at the time of breach
B. The organization (data owner), because they are responsible for ensuring adequate protection of data they entrust to third parties
C. The customers, because they consented to data collection
D. The auditor who assessed the vendor
Answer & reasoning
Correct: B
The data owner (the organization that collected the data) retains ultimate accountability for data protection, even when processing is delegated to a third party. This includes due diligence in vendor selection, contractual security requirements, ongoing monitoring, and incident response coordination. The vendor has operational responsibility, but accountability flows to the data owner.
Question 7
During an internal audit, the auditor discovers that access review certifications are signed quarterly by managers, but the managers admit they approve all access without actually reviewing it.
What compliance issue does this represent?
A. The access review frequency is too high
B. Managers should not be responsible for access reviews
C. The access review process exists on paper but lacks substantive execution, creating a false sense of compliance
D. The audit was conducted too frequently
Answer & reasoning
Correct: C
Rubber-stamping access reviews creates a compliance checkbox without actual risk reduction. The control exists procedurally but is not operating effectively. This is a common audit finding that indicates a gap between control design and control execution. Effective access reviews require managers to actively validate each user's access against their current role requirements. Auditors look for evidence of real decisions in the certification records: revocations, questions raised, and time spent per entitlement. A campaign with a 100% approval rate and decisions logged seconds apart is a red flag even before anyone admits to it.
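The evidence-based check described above can be automated against the certification tool's export. The following is an added example for this review, not code from the original page: the certification records are constructed, and the thresholds (minimum sample size, approval-rate and decision-speed cutoffs) are assumptions an auditor would tune to the campaign.

```python
"""Spotting rubber-stamped access reviews in certification logs.

Added example for this review; not code from the original page. The
certification records below are constructed, and the thresholds are
assumptions an auditor would tune to the campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed records: (reviewer, decision timestamp, decision).
RECORDS = [
    ("mgr_alice", "2024-04-01T09:00:00", "approve"),
    ("mgr_alice", "2024-04-01T09:00:02", "approve"),
    ("mgr_alice", "2024-04-01T09:00:04", "approve"),
    ("mgr_alice", "2024-04-01T09:00:05", "approve"),
    ("mgr_alice", "2024-04-01T09:00:07", "approve"),
    ("mgr_alice", "2024-04-01T09:00:09", "approve"),
    ("mgr_bob", "2024-04-01T10:00:00", "approve"),
    ("mgr_bob", "2024-04-01T10:03:10", "approve"),
    ("mgr_bob", "2024-04-01T10:05:40", "revoke"),
    ("mgr_bob", "2024-04-01T10:09:05", "approve"),
    ("mgr_bob", "2024-04-01T10:12:30", "revoke"),
    ("mgr_bob", "2024-04-01T10:16:00", "approve"),
    ("mgr_carol", "2024-04-02T14:00:00", "approve"),
    ("mgr_carol", "2024-04-02T14:00:01", "approve"),
    ("mgr_carol", "2024-04-02T14:00:02", "approve"),
]


def reviewer_stats(records):
    """Per reviewer: decision count, approval rate, and median seconds between
    consecutive decisions (a proxy for time actually spent per entitlement)."""
    by_reviewer = defaultdict(list)
    for reviewer, ts, decision in records:
        by_reviewer[reviewer].append((datetime.fromisoformat(ts), decision))
    stats = {}
    for reviewer, rows in by_reviewer.items():
        rows.sort()  # exports are rarely in decision order
        approvals = sum(1 for _, d in rows if d == "approve")
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        stats[reviewer] = {
            "decisions": len(rows),
            "approval_rate": approvals / len(rows),
            "median_gap_seconds": median(gaps) if gaps else None,
        }
    return stats


def flag_rubber_stamps(stats, min_decisions=5, max_approval_rate=0.98, min_gap_seconds=20):
    """Flag reviewers who approved (almost) everything and spent less than
    min_gap_seconds per decision. Reviewers with too few decisions are skipped
    rather than flagged: the sample is too small to judge either way."""
    flagged = []
    for reviewer, s in stats.items():
        if s["decisions"] < min_decisions:
            continue
        if s["approval_rate"] >= max_approval_rate and s["median_gap_seconds"] < min_gap_seconds:
            flagged.append(reviewer)
    return sorted(flagged)


if __name__ == "__main__":
    stats = reviewer_stats(RECORDS)
    for reviewer, s in sorted(stats.items()):
        print(reviewer, s)
    print("rubber-stamp suspects:", flag_rubber_stamps(stats))
```

The output is a lead for the auditor's interviews, not a finding on its own: a manager with three direct reports can legitimately approve everything in seconds, which is why the rule refuses to judge small samples.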
Question 8
A qualitative risk assessment categorizes a risk as "High likelihood, Medium impact." A quantitative risk assessment of the same risk calculates an ALE of $50,000.
Why might an organization use both approaches?
A. Qualitative and quantitative assessments always produce contradictory results
B. Quantitative is always more accurate than qualitative
C. Qualitative assessments are only used when data is available
D. Qualitative provides rapid prioritization and stakeholder communication; quantitative provides financial justification for specific control investments
Answer & reasoning
Correct: D
Qualitative assessments (High/Medium/Low) enable rapid categorization and are easier for non-technical stakeholders to understand. Quantitative assessments (ALE, cost-benefit analysis) provide financial data needed to justify budget requests and compare control costs against expected losses. Using both provides comprehensive risk communication across different audiences.
Question 9
An organization must comply with GDPR, HIPAA, and PCI DSS simultaneously. Each regulation has different data protection requirements.
What is the MOST efficient governance approach?
A. Implement separate security programs for each regulation
B. Map all regulatory requirements to a unified control framework and identify overlapping controls
C. Comply only with the strictest regulation and ignore the others
D. Hire separate compliance teams for each regulation
Answer & reasoning
Correct: B
A unified control framework (such as NIST CSF or ISO 27001) maps multiple regulatory requirements to common controls. Many requirements overlap (encryption, access control, logging). This approach reduces duplication, ensures comprehensive coverage, and simplifies audit preparation. Separate programs create inefficiency and inconsistency. Complying with only one regulation leaves gaps in the others.
Question 10
A vendor risk assessment reveals that a critical SaaS provider has no documented business continuity plan. The vendor stores data essential to the organization's operations.
What is the MOST appropriate action?
A. Require the vendor to develop and test a BCP as a contractual obligation, and establish the organization's own contingency plan for vendor failure
B. Accept the risk since the vendor's services are critical
C. Immediately terminate the vendor relationship
D. Transfer all data to on-premises systems within 24 hours
Answer & reasoning
Correct: A
Third-party risk management requires contractual security requirements, including BCP. The organization should require the vendor to develop and test a BCP while also establishing its own contingency plan in case the vendor fails. Accepting the risk without mitigation is negligent, immediate termination may not be feasible for a critical vendor, and 24-hour data migration is unrealistic.
Question 11
An organization's board asks the CISO to present the current risk posture. The CISO presents a list of 500 individual vulnerabilities sorted by CVSS score.
What is wrong with this approach?
A. CVSS scores are inaccurate
B. The CISO should never present to the board
C. Board-level risk communication should aggregate technical findings into business risk categories with financial impact context, not list individual vulnerabilities
D. 500 vulnerabilities is too few to present
Answer & reasoning
Correct: C
Board members need business-level risk communication: what are the top enterprise risks, what is the potential business impact, and what actions are being taken. A raw vulnerability list is operational detail that does not convey strategic risk posture. Effective CISO board presentations use risk categories, trend analysis, and business impact language.
Question 12
A penetration test reveals critical findings. The report is delivered to the security team, who fixes the issues. Six months later, a follow-up assessment reveals the same vulnerabilities have reappeared.
What governance gap does this indicate?
A. Penetration testing is ineffective
B. The root cause was not addressed; remediation fixed symptoms without updating processes, configurations, or baselines to prevent recurrence
C. The penetration testers used different tools
D. Vulnerability recurrence is normal and expected
Answer & reasoning
Correct: B
Recurrence indicates that while individual findings were fixed, the underlying cause (insecure defaults, missing hardening baselines, lack of configuration management) was not addressed. Effective remediation includes root cause analysis and updating standards, baselines, or processes to prevent the same vulnerabilities from recurring in future deployments.
Question 13
An organization conducts a risk assessment and identifies that a legacy application processes sensitive data but cannot support modern encryption. The application will be retired in 18 months.
What risk treatment is MOST appropriate?
A. Accept the risk entirely without any additional controls
B. Retire the application immediately regardless of business impact
C. Implement modern encryption on the application despite the vendor stating it is not supported
D. Implement compensating controls (network isolation, enhanced monitoring, access restrictions) with a documented risk acceptance for the residual risk during the retirement timeline
Answer & reasoning
Correct: D
This scenario requires a combination of mitigation (compensating controls to reduce risk) and documented risk acceptance (acknowledging residual risk during the planned retirement window). Full acceptance without controls is negligent, immediate retirement may have severe business impact, and forcing unsupported encryption creates instability. The documented acceptance creates accountability and a timeline for resolution.
Question 14
A new data privacy regulation requires organizations to respond to consumer data deletion requests within 30 days. The organization has no process for identifying where consumer data resides across its systems.
What must be established FIRST?
A. A comprehensive data inventory and classification that maps where consumer data is stored, processed, and transmitted
B. A data deletion automation tool
C. A legal team to respond to requests
D. An encrypted database for all consumer data
Answer & reasoning
Correct: A
You cannot delete data you cannot find. A data inventory and classification exercise identifies where consumer data resides across all systems, databases, backups, and third-party platforms. This foundational step is required before any deletion process, automation tool, or response procedure can function. Legal teams and encryption do not address the data location gap.
Question 15
An external auditor issues a finding that the organization lacks separation of duties for its financial application. The same administrator who configures user access also approves financial transactions.
What governance principle is being violated, and what is the correct remediation?
A. Least privilege; reduce the administrator's permissions
B. Defense in depth; add more firewalls
C. Need to know; restrict the administrator's data access
D. Separation of duties; assign access configuration and transaction approval to different individuals
Answer & reasoning
Correct: D
Separation of duties prevents a single individual from having control over all phases of a critical process. When one person can both configure access and approve transactions, they could create unauthorized accounts and approve fraudulent payments. The remediation requires splitting these functions between different individuals with appropriate oversight.
Question 16
An organization's risk register has not been reviewed in 12 months. During that time, the company expanded into three new markets, adopted two major cloud platforms, and acquired a subsidiary.
What is the impact of the stale risk register?
A. No impact; risk registers only need annual updates
B. The risk register does not reflect current threats, assets, and exposures, leading to uninformed risk decisions and potential compliance gaps
C. The risk register automatically updates based on business changes
D. Risk registers are only used during audits, not for decision-making
Answer & reasoning
Correct: B
A risk register must reflect the current operating environment. Major business changes (new markets, cloud adoption, acquisitions) introduce new threats, assets, regulatory obligations, and attack surfaces. A stale register means leadership is making decisions based on outdated risk information. Risk registers should be reviewed whenever material changes occur, not just on a fixed schedule.
Question 17
A supply chain risk assessment reveals that a critical hardware vendor sources components from a country subject to trade restrictions. The vendor has not disclosed this in their supply chain documentation.
What should the organization do?
A. Ignore the finding since the hardware functions correctly
B. Stop using all hardware from the vendor immediately without an alternative
C. Report the vendor to law enforcement without further investigation
D. Engage the vendor for supply chain transparency, assess regulatory compliance exposure, and evaluate alternative vendors
Answer & reasoning
Correct: D
Supply chain transparency is a governance requirement. The organization must understand its regulatory exposure (trade restrictions may create compliance violations), demand disclosure from the vendor, and evaluate alternatives. Immediate cessation without alternatives disrupts operations, and law enforcement reporting may be premature without understanding the full scope. The lack of disclosure itself is a vendor trust issue.
Question 18
An organization trains developers on secure coding practices. Six months later, a code review reveals that SQL injection vulnerabilities are still present in new code.
What improvement is needed in the awareness program?
A. Training alone is insufficient; implement mandatory secure code reviews, automated static analysis in the CI/CD pipeline, and hands-on secure coding exercises
B. The training was sufficient; developers are intentionally writing insecure code
C. Replace all developers with more experienced staff
D. Stop training developers since it is not working
Answer & reasoning
Correct: A
Awareness training creates knowledge but does not guarantee behavioral change. Effective programs combine training with enforcement mechanisms: mandatory code reviews catch issues before deployment, automated static analysis tools flag vulnerabilities in the CI/CD pipeline, and hands-on exercises build practical skills. Knowledge without process enforcement produces inconsistent results.
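What the code review and the CI static-analysis step are looking for is concrete, so here it is as an added example (not code from the original page): the string-built query beside its parameterized fix, a bypass payload run against both, and a toy static-analysis rule of the kind a CI pipeline would run to block the pattern at merge time. The users table, credentials, payload and the sample source scanned by the rule are all constructed; a real pipeline would use a maintained tool rather than this rule.

```python
"""SQL injection: the pattern code review and CI static analysis must catch,
beside its parameterized fix.

Added example for this review; not code from the original page. The users
table, credentials and the sample source scanned by the toy SAST rule are
constructed.
"""
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h1'), ('bob', 'h2')")
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    """Attacker-controlled text is spliced into the SQL, so it can rewrite the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password_hash: str) -> bool:
    """Parameterized query: the driver sends values separately from the SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


# Classic authentication-bypass payload: closes the string, adds a tautology,
# and comments out the password check.
PAYLOAD = "' OR 1=1 --"


def demo_bypass() -> dict:
    """Run the same payload through both implementations."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, "wrong"),
        "safe_with_payload": login_safe(conn, PAYLOAD, "wrong"),
        "safe_with_valid_creds": login_safe(conn, "alice", "h1"),
    }


def find_string_built_queries(source: str) -> list:
    """Toy static-analysis rule: flag .execute()/.executemany() calls whose SQL
    argument is assembled at runtime (f-string, + concatenation or % formatting).
    Returns the offending line numbers, sorted."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in {"execute", "executemany"} or not node.args:
            continue
        sql = node.args[0]
        dynamic = isinstance(sql, ast.JoinedStr) or (
            isinstance(sql, ast.BinOp) and isinstance(sql.op, (ast.Add, ast.Mod)))
        if dynamic:
            flagged.append(node.lineno)
    return sorted(flagged)


# Constructed source the rule is run against; line 1 is the first def.
SAMPLE_SOURCE = '''\
def lookup_fstring(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE username = '{name}'").fetchall()

def lookup_concat(conn, name):
    return conn.execute("SELECT * FROM users WHERE username = '" + name + "'").fetchall()

def lookup_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE username = ?", (name,)).fetchall()
'''

if __name__ == "__main__":
    print(demo_bypass())
    print("string-built SQL at lines:", find_string_built_queries(SAMPLE_SOURCE))
```

The rule flags lines 2 and 5 of the sample and passes the parameterized lookup. That is the enforcement piece the answer calls for: training tells developers why the first two functions are wrong, the pipeline refuses to merge them regardless.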
Question 19
An organization performs a business impact analysis (BIA) and determines that its email system has an RTO of 4 hours and its ERP system has an RTO of 1 hour.
What does this tell the security program about resource allocation?
A. Both systems should receive equal DR investment
B. The email system is more critical because email affects more users
C. The ERP system requires more robust DR infrastructure (higher investment) because its shorter RTO demands faster recovery capability
D. RTO has no impact on resource allocation decisions
Answer & reasoning
Correct: C
Shorter RTOs require more expensive DR solutions (hot standby, real-time replication, automated failover) to meet recovery targets. The 1-hour ERP RTO demands significantly more investment than the 4-hour email RTO. BIA results directly drive DR resource allocation by quantifying how quickly each system must be restored and the business impact of exceeding that window.
Question 20
A compliance audit reveals that the organization has documented policies for data classification, access control, and incident response. However, interviews with staff reveal that most employees are unaware these policies exist.
What governance gap does this represent?
A. The policies are well-written; no gap exists
B. Employees do not need to know about security policies
C. The auditor is asking the wrong questions
D. Policy exists without effective communication, training, and enforcement, making it governance theater rather than operational security
Answer & reasoning
Correct: D
Policies that exist only in documentation provide audit evidence but not operational security. Effective governance requires communication (employees know policies exist), training (employees understand their responsibilities), and enforcement (compliance is monitored and deviations are addressed). Policy without awareness is governance theater: it satisfies checkboxes without reducing risk.
Domain 5 Pattern Summary
In Security+ Domain 5:
- Governance starts with policy, but policy without communication, training, and enforcement is ineffective.
- Risk treatment has four options: avoid, mitigate, transfer, accept. Each has specific conditions where it is appropriate.
- Quantitative risk analysis (ALE = SLE x ARO) provides financial justification; qualitative provides rapid prioritization.
- Third-party risk does not transfer accountability; the data owner retains ultimate responsibility.
- Compliance requires mapping multiple regulations to unified control frameworks, not separate parallel programs.
- Audits test whether controls operate effectively, not just whether they exist on paper.
- Awareness programs must combine knowledge transfer with process enforcement and metrics tracking.
If an answer treats policy documentation alone as sufficient without execution and enforcement, it is usually wrong.