
Chapter 13 Quiz: Security Governance, Privacy, and Risk

Test your knowledge of security governance, privacy regulations, and risk management for security operations.


Questions

1. Which document in the policy hierarchy defines how a requirement must be implemented, as opposed to what must be done?

  • A) Policy
  • B) Standard
  • C) Procedure
  • D) Guideline
Answer

B — Standard

The hierarchy is: Policy (WHAT) → Standard (HOW to comply with the policy) → Procedure (step-by-step HOW) → Guideline (best practices, optional). Standards define the specific, measurable requirements for implementing policies.


2. A European organization builds an insider threat detection system that logs all employee browser activity, every application used, and correlates patterns over time. Which GDPR principle is most clearly violated?

  • A) Lawful basis
  • B) Data minimization
  • C) Storage limitation
  • D) Data subject rights
Answer

B — Data minimization

GDPR's data minimization principle requires collecting only the personal data necessary for the stated security purpose. Logging all browser activity and application usage when less-invasive methods could achieve the security objective violates this principle. (The curiosity hook in Chapter 13 is based on a real DPA case involving exactly this scenario.)


3. Per the Nexus SecOps detection change control process (Nexus SecOps-203), what is the minimum required period for a detection rule to remain in staging before production promotion?

  • A) 24 hours
  • B) 3 days
  • C) 7 days
  • D) 30 days
Answer

C — 7 days

Rules MUST be deployed at low severity in staging for 7 days to measure the false positive rate before promotion to full production severity. The false positive rate is then monitored for 30 days post-promotion.


4. Under the NIST AI RMF, which function involves cataloging all AI/ML tools in use and assessing the risk associated with each deployment?

  • A) Govern
  • B) Map
  • C) Measure
  • D) Manage
Answer

B — Map

MAP involves identifying and contextualizing AI risks, including inventorying AI systems, assessing dependencies, and categorizing risks per deployment. GOVERN establishes policies; MEASURE assesses and benchmarks; MANAGE responds to risks.


5. Which of the following is an example of a lagging indicator in security operations?

  • A) Detection coverage percentage
  • B) Training completion rate
  • C) Mean Time to Detect (MTTD) trend
  • D) Playbook testing frequency
Answer

C — Mean Time to Detect (MTTD) trend

Lagging indicators measure past performance outcomes. MTTD is measured after an incident occurs. Leading indicators (detection coverage %, training completion, playbook testing) predict future performance and allow early intervention.


6. Security operations log data containing employee identity information is exported to an HR system to support a performance review. Which GDPR principle does this most directly violate?

  • A) Storage limitation
  • B) Purpose limitation
  • C) Data minimization
  • D) Security
Answer

B — Purpose limitation

Security data collected under a legitimate interest basis for security monitoring cannot be repurposed for HR functions without a new legal basis. This is purpose limitation: data collected for one specific purpose cannot be used for another incompatible purpose.


7. An organization has a well-written incident response policy but no documented triage procedure for their analysts to follow. Which governance failure mode does this represent?

  • A) Change control bypass
  • B) Policy-procedure gap
  • C) AI deployed without governance
  • D) Compliance mapping outdated
Answer

B — Policy-procedure gap

A policy-procedure gap occurs when high-level policy exists but is not translated into operational procedures. The result is "compliance theater" — the organization appears compliant on paper but staff have no practical guidance.


8. Who typically owns Security Standards in the policy hierarchy?

  • A) Board of Directors
  • B) CISO
  • C) Security Architecture team
  • D) SOC Manager
Answer

C — Security Architecture team

Policies are owned by the CISO/Board; Standards are owned by Security Architecture; Procedures are owned by the SOC Manager or team leads; Guidelines are owned by individual teams.


9. Which of the following represents a compliance mapping methodology step that occurs AFTER mapping controls to regulatory requirements?

  • A) Identify applicable regulations
  • B) Extract security operations requirements
  • C) Identify gaps
  • D) Map Nexus SecOps controls to requirements
Answer

C — Identify gaps

The compliance mapping methodology is: (1) Identify applicable regulations → (2) Extract requirements → (3) Map to Nexus SecOps controls → (4) Identify gaps → (5) Document evidence → (6) Maintain mapping. Gap identification follows mapping rather than preceding it.


10. A SOAR playbook change is urgent, and a team lead deploys it without peer review, citing the urgency. Which principle does this violate?

  • A) Data minimization
  • B) Automation change control (Nexus SecOps-204)
  • C) Automation change control (Nexus SecOps-204) / detection change control
  • D) The principle is acceptable for urgent changes
Answer

C — Automation change control

Per Nexus SecOps-204, SOAR playbook changes require peer review for all high-impact actions, testing in non-production, and a documented rollback procedure before deployment — regardless of urgency. Emergency bypasses must be documented and ratified post-hoc.


Scoring

Score     Performance
9–10      Expert — Governance concepts fully internalized
7–8       Proficient — Ready to contribute to governance work
5–6       Developing — Review Chapter 13 policy hierarchy and GDPR sections
<5        Foundational — Re-read Chapter 13 before proceeding
