Domain 5 – Section B Review: Compliance and Awareness
This section integrates:
- Regulatory Compliance and Privacy
- Audits and Penetration Testing
- Security Awareness Programs
Security+ expects you to understand compliance obligations, the difference between audits and penetration tests, and how security awareness programs reduce human risk.
1. Regulatory Compliance and Privacy
Compliance is about meeting legal and regulatory obligations:
Compliance is not optional. Regulations carry penalties.
Privacy is a right. Data protection is an obligation.
- GDPR — European data protection regulation with strict consent and breach notification requirements.
- HIPAA — protects healthcare information in the United States.
- PCI DSS — protects payment card data for organizations that process transactions.
- SOX — financial reporting integrity requirements for publicly traded companies.
- Data sovereignty — data is subject to the laws of the jurisdiction where it is collected or stored, which may require that it remain there.
Privacy principles include data minimization (collect only what is needed), purpose limitation (use data only for stated purposes), and right to erasure (individuals can request data deletion).
2. Audits and Penetration Testing
Audits and penetration tests serve different but complementary purposes:
- Internal audit — performed by the organization to verify control effectiveness.
- External audit — performed by an independent third party for objectivity and compliance.
- Penetration test — simulated attack to prove vulnerabilities are exploitable.
- Vulnerability assessment — identifies weaknesses but does not exploit them.
Audits verify compliance with standards.
Penetration tests verify that defenses actually work.
Penetration testing types:
- Black box — tester has no prior knowledge of the environment.
- White box — tester has full knowledge (source code, architecture diagrams).
- Gray box — tester has partial knowledge.
3. Security Awareness Programs
Technology alone cannot prevent human error. Awareness programs reduce the human risk factor:
- Phishing simulations — test employee ability to recognize phishing attempts.
- Role-based training — tailored content for different job functions.
- New hire training — security awareness during onboarding.
- Annual refresher — keeps security top-of-mind.
- Metrics — click rates, reporting rates, and training completion rates measure program effectiveness over time.
Awareness creates recognition. Training creates capability.
Measure results, not just participation.
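As an added example (not part of the original review), the Python below computes the metrics named above from a constructed phishing-simulation export, flags departments whose click or reporting rates warrant the targeted follow-up training the section recommends, and tracks the click-rate trend between campaigns. The record layout and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample export from a phishing-simulation platform (not real data;
# field layout is an assumption): campaign, department, employee id,
# clicked the link, reported the email, completed follow-up training.
RESULTS = [
    ("Q1", "finance", "e01", True,  False, True),
    ("Q1", "finance", "e02", True,  False, False),
    ("Q1", "finance", "e03", False, True,  True),
    ("Q1", "eng",     "e04", False, True,  True),
    ("Q1", "eng",     "e05", False, False, True),
    ("Q1", "eng",     "e06", True,  False, True),
    ("Q2", "finance", "e01", False, True,  True),
    ("Q2", "finance", "e02", True,  False, False),
    ("Q2", "finance", "e03", False, True,  True),
    ("Q2", "eng",     "e04", False, True,  True),
    ("Q2", "eng",     "e05", False, True,  True),
    ("Q2", "eng",     "e06", False, False, True),
]

def campaign_metrics(results, campaign):
    """Per-department click rate, report rate and training completion for one campaign."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0, "trained": 0})
    for camp, dept, _emp, clicked, reported, trained in results:
        if camp != campaign:
            continue
        d = counts[dept]
        d["n"] += 1
        d["clicked"] += clicked      # bools add as 0/1
        d["reported"] += reported
        d["trained"] += trained
    return {dept: {"click_rate": round(d["clicked"] / d["n"], 2),
                   "report_rate": round(d["reported"] / d["n"], 2),
                   "training_completion": round(d["trained"] / d["n"], 2)}
            for dept, d in counts.items()}

def needs_targeted_training(metrics, max_click=0.25, min_report=0.50):
    """Departments to schedule for focused phishing training (thresholds are assumed policy values)."""
    return sorted(dept for dept, m in metrics.items()
                  if m["click_rate"] > max_click or m["report_rate"] < min_report)

def click_rate_trend(results, earlier, later):
    """Change in overall click rate between two campaigns; negative means improvement."""
    def rate(camp):
        rows = [r for r in results if r[0] == camp]
        return sum(r[3] for r in rows) / len(rows)
    return round(rate(later) - rate(earlier), 2)
```

Reporting rate is tracked alongside click rate because a rising report rate shows that awareness is turning into capability even before clicks reach zero.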
Section B Decision Pattern
When unsure in Domain 5 Section B:
- Match the regulation to the data type (health data = HIPAA, payment data = PCI DSS).
- Audits verify compliance; penetration tests verify exploitability.
- External audits provide independence; internal audits provide ongoing monitoring.
- Awareness programs address the human element that technology cannot control.
- Privacy requirements override convenience — data minimization and consent are non-negotiable.
Section B – Practice Questions
Question 1
A European customer requests that a US-based company delete all personal data the company holds about them. Which regulation gives the customer this right?
A. HIPAA
B. PCI DSS
C. GDPR
D. SOX
Answer & reasoning
Correct: C
The GDPR (General Data Protection Regulation) includes the right to erasure (right to be forgotten), which allows individuals to request deletion of their personal data. HIPAA covers healthcare data, PCI DSS covers payment card data, and SOX covers financial reporting.
Question 2
A security team conducts a simulated attack against the organization's web application with full access to source code and architecture documentation. What type of penetration test is this?
A. White box
B. Black box
C. Gray box
D. Red team
Answer & reasoning
Correct: A
A white box penetration test gives the tester full knowledge of the environment, including source code and architecture. This allows for thorough testing of all attack paths. Black box provides no knowledge, and gray box provides partial knowledge.
Question 3
After deploying a phishing simulation, 35% of employees clicked the malicious link. What should the security team do NEXT?
A. Terminate the employees who clicked
B. Block all external emails
C. Disable email access for all employees
D. Send a follow-up training focused on identifying phishing indicators
Answer & reasoning
Correct: D
Phishing simulations are educational tools, not punitive measures. A high click rate indicates a training gap. The appropriate response is targeted training that teaches employees how to identify phishing indicators. Punishing employees discourages reporting and creates fear.
Question 4
A healthcare organization stores patient records but has never conducted a HIPAA compliance audit. What is the PRIMARY risk?
A. Regulatory penalties and legal liability
B. Reduced system performance
C. Increased hardware costs
D. Loss of competitive advantage
Answer & reasoning
Correct: A
HIPAA compliance is mandatory for organizations handling protected health information. Failure to comply can result in significant fines, legal action, and reputational damage. Without auditing, the organization cannot verify it meets regulatory requirements.
Question 5
An organization needs to verify that its security controls are effective for PCI DSS compliance. An external firm is hired to review controls and provide an attestation report. What type of assessment is this?
A. Internal audit
B. Vulnerability assessment
C. External audit
D. Penetration test
Answer & reasoning
Correct: C
An external audit conducted by an independent firm that produces an attestation report is required for PCI DSS compliance. The independence of the assessor ensures objectivity. Internal audits cannot fulfill this requirement because they lack independence.
Question 6
An application collects a user's name, email, phone number, home address, employer, and date of birth to create a free newsletter subscription. What privacy principle is being violated?
A. Purpose limitation
B. Data minimization
C. Right to access
D. Data sovereignty
Answer & reasoning
Correct: B
Data minimization requires collecting only the data necessary for the stated purpose. A newsletter subscription needs an email address and possibly a name. Collecting home address, employer, phone number, and date of birth exceeds what is necessary and violates data minimization principles.
Question 7
A penetration tester discovers a critical SQL injection vulnerability during a test. The tester is able to extract the entire customer database. What should the tester do FIRST?
A. Publish the finding on social media to warn customers
B. Exploit additional systems to expand the finding
C. Document the finding and notify the organization through agreed-upon channels
D. Attempt to fix the vulnerability directly
Answer & reasoning
Correct: C
Penetration testers must follow the rules of engagement. Critical findings should be documented and reported through the agreed communication channels immediately. Expanding the attack beyond scope, making changes to production systems, or disclosing publicly all violate professional ethics and the engagement agreement.
Question 8
A company's security awareness program includes annual training only. Phishing success rates remain high throughout the year. What improvement would be MOST effective?
A. Make the annual training longer
B. Add a written exam at the end of annual training
C. Replace training with stricter email filters
D. Implement continuous training with regular phishing simulations
Answer & reasoning
Correct: D
Annual training alone is insufficient because knowledge fades over time. Continuous training with regular phishing simulations keeps security awareness current, provides practice with real-world scenarios, and allows measurement of improvement over time. Frequency matters more than duration.
Question 9
A company processes credit card transactions and needs to demonstrate PCI DSS compliance. A vulnerability assessment finds no critical issues, but no penetration test has been performed. Is the company compliant?
A. No — PCI DSS requires both vulnerability assessments and penetration testing
B. Yes — vulnerability assessments are sufficient
C. Yes — penetration testing is optional under PCI DSS
D. No — only penetration testing is required, not vulnerability assessments
Answer & reasoning
Correct: A
PCI DSS requires both regular vulnerability assessments and annual penetration testing. Vulnerability assessments identify weaknesses; penetration tests prove they are exploitable. Both are mandatory requirements for PCI DSS compliance.
Question 10
A new employee in the finance department receives role-specific security training that covers handling sensitive financial data, recognizing business email compromise, and secure wire transfer procedures. What type of awareness training is this?
A. General awareness training
B. Role-based training
C. Compliance certification
D. Incident response training
Answer & reasoning
Correct: B
Role-based training is tailored to the specific responsibilities and risks of a job function. Finance employees face unique threats (BEC, wire fraud) that require specialized training beyond general awareness. Role-based training is more effective because it addresses the actual scenarios employees will encounter.