Risk, Compliance, Audit, Data Locality, PCI, and GDPR
Key Takeaways
- A vulnerability is a weakness, a threat is a potential cause of harm, and an exploit is a method that uses a weakness.
- Risk considers likelihood and impact to confidentiality, integrity, and availability.
- Audits and compliance requirements create evidence needs, but compliance does not automatically equal security.
- Data locality and data sovereignty affect where data is stored, processed, backed up, and accessed.
- PCI DSS and GDPR are common scenario cues for payment card data and personal data protection requirements.
Risk and Compliance Language
Network+ expects you to distinguish security terms and apply them to practical scenarios. These words are related, but they are not interchangeable.
Core Terms
| Term | Meaning | Example |
|---|---|---|
| Asset | Something the organization values and needs to protect | Customer database, router, application, data center link |
| Vulnerability | Weakness that could be used | Unpatched VPN appliance |
| Threat | Potential cause of harm | Attacker, insider, storm, misconfiguration |
| Exploit | Method that uses a vulnerability | Code or technique that abuses the VPN flaw |
| Risk | Potential for loss when a threat acts on a vulnerability, judged by likelihood and impact | Remote compromise of VPN leading to internal access |
| Impact | Harm if the event occurs | Data exposure, outage, unsafe process, financial penalty |
| Likelihood | Chance of occurrence | Higher if exposed to the Internet and actively targeted |
Risk is commonly expressed as likelihood multiplied by impact. The exact scoring method varies by organization, but the reasoning is consistent: a critical system exposed to the Internet with known exploit activity is prioritized ahead of a low-impact internal issue with no realistic path to harm, and a compensating control that reduces likelihood lowers the score even though the vulnerability itself remains.
CIA Impact
| CIA area | Network scenario |
|---|---|
| Confidentiality | Packet capture exposes clear-text credentials |
| Integrity | DNS poisoning sends users to an attacker-controlled site |
| Availability | DDoS traffic prevents customers from reaching a service |
Many incidents affect more than one part of CIA. The question wording usually points to the primary impact. If users cannot connect, availability is central. If records were altered, integrity is central. If sensitive data was read by an unauthorized party, confidentiality is central.
Audit and Compliance
An audit checks whether controls, processes, or evidence meet a requirement. Compliance means the organization meets a defined standard, regulation, contract, or policy at a point in time. Security is broader than compliance, but compliance requirements often drive network controls and documentation.
| Evidence type | Example |
|---|---|
| Access evidence | User access review, group membership export, VPN access approval |
| Configuration evidence | Firewall rule review, secure baseline, change ticket |
| Logging evidence | Retention settings, sample events, administrator activity logs |
| Vulnerability evidence | Scan results, remediation tickets, exception approvals |
| Segmentation evidence | Network diagrams, rule tables, test results |
Data Locality, PCI, and GDPR
Data locality means data is stored or processed in a specific physical or legal location. Data sovereignty means data is subject to the laws of the jurisdiction in which it is stored or processed; some regulations, GDPR among them, also follow the data subject regardless of where the data sits. These issues affect cloud regions, backups, logging, replication, remote support, and monitoring.
| Requirement cue | Network implication |
|---|---|
| PCI DSS | Segment cardholder data environments, restrict access, log activity, secure transmission |
| GDPR | Protect personal data, consider lawful processing, retention, cross-border transfer, and data subject rights |
| Data locality | Choose approved cloud regions and backup locations |
| Audit request | Produce evidence that controls were in place during the review period |
Do not treat regulation names as magic answers. Read what the scenario asks. If the problem is payment card systems sharing a flat network with guest Wi-Fi, segmentation and access control are likely relevant. If the problem is backups replicated to an unapproved country, data locality is likely relevant.
Common Traps
- A vulnerability is not the same thing as an exploit.
- A threat exists whether or not it has succeeded; an attacker scanning for a flaw you have already patched is still a threat.
- Passing an audit does not mean all risks are eliminated.
- Data locality can apply to logs and backups, not only production databases.
- Risk decisions should include asset value, exposure, likelihood, impact, and compensating controls.
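The prioritization reasoning above, with the factors from the last trap (asset value as impact, exposure, likelihood, and compensating controls), as an added example that is not part of the original page: a constructed four-row risk register scored on a 1 to 5 likelihood and impact scale and ranked. The scales, the one-point adjustments for Internet exposure and active exploitation, the one-point reduction per compensating control, and the band thresholds are assumptions chosen for illustration, not a standard.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One row of a risk register. Scales are an assumption for this example."""
    asset: str
    vulnerability: str
    impact: int                    # 1 (negligible) to 5 (critical) harm to C, I or A
    base_likelihood: int           # 1 to 5 before exposure adjustments
    internet_exposed: bool = False
    exploit_in_the_wild: bool = False
    compensating_controls: list[str] = field(default_factory=list)


def clamp(value: int, low: int = 1, high: int = 5) -> int:
    return max(low, min(high, value))


def effective_likelihood(f: Finding) -> int:
    """Raise likelihood for exposure and active exploitation, lower it by
    one point per compensating control, and keep it on the 1 to 5 scale."""
    likelihood = f.base_likelihood
    if f.internet_exposed:
        likelihood += 1
    if f.exploit_in_the_wild:
        likelihood += 1
    likelihood -= len(f.compensating_controls)
    return clamp(likelihood)


def risk_score(f: Finding) -> int:
    """Risk = likelihood x impact, so the maximum is 25."""
    return effective_likelihood(f) * f.impact


def risk_band(score: int) -> str:
    """Band thresholds are an assumption; organizations pick their own."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset))


# Constructed register for illustration (hypothetical assets and findings).
REGISTER = [
    Finding("vpn-edge-01", "Unpatched VPN appliance with public exploit code",
            impact=5, base_likelihood=3, internet_exposed=True, exploit_in_the_wild=True),
    Finding("print-srv-02", "Default read-only SNMP community string",
            impact=1, base_likelihood=2),
    Finding("core-sw-01", "Outdated SSH on management interface",
            impact=4, base_likelihood=3,
            compensating_controls=["management VLAN reachable only from jump host"]),
    Finding("file-srv-03", "SMB signing disabled",
            impact=3, base_likelihood=3),
]


def report(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """(asset, score, band) tuples in priority order."""
    return [(f.asset, risk_score(f), risk_band(risk_score(f)))
            for f in rank_findings(findings)]


if __name__ == "__main__":
    for asset, score, band in report(REGISTER):
        print(f"{asset:14} score={score:2} band={band}")
```

The exposed VPN appliance lands at the top with a score of 25, while the core switch with the same order of impact drops to a medium band because the jump-host restriction lowers its likelihood. Note that the control changes the score but the finding stays on the register, which is the practical meaning of "passing an audit does not mean all risks are eliminated."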
An Internet-facing VPN appliance is missing a patch, and attackers are actively using public code to compromise similar systems. What is the public code best described as?
A company discovers that database backups containing customer personal data are replicated to an unapproved country. Which concern is most directly involved?
Match each term to its best description.