Questions

While data exfiltration is the mechanism, the "Primary Risk" to a healthcare organization is the legal consequence (fines, loss of license, and lawsuits) of violating strict privacy laws like HIPAA. Because the data is being stored in an unknown region and used for training (violating the "purpose limitation" of privacy), the organization has lost its legal "chain of custody" over Protected Health Information (PHI). - Model Hallucinations: This is a serious Operational/Safety risk. However, from a Domain 1 Risk Management perspective, "Regulatory Non-Compliance" is almost always viewed as a more systemic and existential threat to the enterprise's ability to operate than individual errors in transcription. - Financial Loss (Licensing): This is a "Business Management" issue, but rarely a "Security" priority. CISSP focuses on protecting the CIA Triad (Confidentiality, Integrity, and Availability). Saving a few dollars on a license doesn't outweigh a catastrophic privacy breach. - Network Bandwidth: This is a Domain 4 (Network Security) technical concern. While Shadow AI does use bandwidth, in the context of a healthcare provider handling sensitive data, the "Performance" impact is negligible compared to the "Privacy" impact.

RPO defines the maximum acceptable data loss, which is 5 minutes here. With hourly incremental backups, the company risks losing up to 60 minutes of data, which violates the RPO. Backups must occur at least every 5 minutes (or use replication/log shipping). - The current backup strategy meets RPO because incremental backups reduce data loss compared to full backups.Incrementals help, but hourly frequency still exceeds the 5-minute data loss tolerance. - The current backup strategy meets RPO because recovery time is within one hour as required by the business Confuses RPO with RTO; recovery time (RTO) is irrelevant to data loss requirements. - The current backup strategy partially meets RPO because full backups ensure complete data restoration regardless of timing. Full backups ensure completeness, not recency; timing still determines data loss exposure.

Job Rotation is a powerful administrative control. First, it detects fraud because a 'collusion' or secret exploit is often uncovered when a new person takes over the desk and notices anomalies. Second, it supports 'Business Continuity' because it ensures that multiple employees are trained to perform critical tasks, meaning the organization isn't crippled if one person leaves unexpectedly.

SAML replay attacks happen when assertions are reused. Proper validation of timestamps (NotBefore/NotOnOrAfter) and unique IDs prevents reuse. - Encryption protects confidentiality, not replay. Even encrypted assertions can be replayed if not validated. - Certificate validation ensures trust in the IdP, but the issue here is reuse of a valid assertion, not trust establishment. - MFA strengthens authentication but does not prevent replay of an already valid SAML response.

SCIM (B) is specifically designed to automate identity lifecycle management across different systems. Manual reconciliation is too slow. OIDC handles authentication, not provisioning. MFA protects accounts but doesn't remove 'orphans.'

Governance is proactive, not reactive. Even without a mandated deadline, a governance body is responsible for assessing changes in the regulatory and threat landscape. By performing a review and presenting a risk-informed timeframe to leadership, the organization balances the need for security with the business's need for operational stability. - Just because a "deadline" hasn't been set doesn't mean the risks addressed by the new standard don't exist. Waiting for a mandate before acting is a failure of leadership and leaves the organization exposed to known vulnerabilities. - Governance must weigh security against the organization's mission. Abruptly changing standards without a transition plan or risk assessment can cause more harm than good. - Governance is a top-down responsibility exercised by the board and executive management. Delegating the decision to technical teams without formal oversight removes accountability and fails to ensure that the changes align with the organization's broader strategic goals.

In general (for licenses management and beyond) "move" operations are usually the most complicated because they require to revoke some access rights and , at the same time, assign new ones. "Merge" is not standard IAM jargon.

Rotating employees between different roles helps reduce fraud and collusion by preventing people from having unchecked control for too long. This is especially useful when staff numbers are limited. - Request implementation of mandatory vacancies. Almost correct but less practical. Leaving positions empty temporarily can reduce fraud but may not be feasible with limited personnel and can disrupt operations. - Review access logs regularly. Reviewing logs is important to detect suspicious activity, but it is more of a detective control than a preventive one. - Check if policies enforce the principle of least privilege. Least privilege limits access to only what’s necessary, which helps prevent fraud, but this is part of a broader access control strategy rather than the immediate step to prevent collusion.

Governance is the "framework" that ensures the right people are answering for the results. - While governance "ensures the business focuses on core activities," limiting all activities strictly to revenue streams is too restrictive and tactical. Governance provides the direction, but management handles the specific limitations of deployment. - Evaluating performance is a part of governance, but focusing on "daily operational performance and processing speed" is a Management/Operations task (SLAs), not a Governance task (Strategic oversight). - "Step-by-step technical roles" and "procedural manuals" fall under Management and Procedures. Governance sets the Policy (the "what"), while Management creates the Procedures (the "how").

TPM 2.0 uses a chain of trust starting from the Root of Trust for Measurement (RTM). If the initial measurement is already compromised, the TPM will extend and report a trusted but incorrect state, making attestation appear valid. - TPM does not store measurements statically; it uses PCR extensions, which are cumulative and cannot simply be overwritten in the way described. - Secure Boot strengthens trust but is not required for TPM measurements. The issue is not about enabling/disabling Secure Boot. - TPM absolutely measures firmware and stores hashes in Platform Configuration Registers (PCRs). The problem is when the measurement starts, not what is measured.