Risk, Compliance, Audit, Data Locality, PCI, and GDPR
Key Takeaways
- Asset, vulnerability, threat, exploit, and risk are distinct terms the exam tests with precise wording.
- Risk = likelihood x impact; CVSS scores (0.0-10.0) help prioritize but the org sets the scoring method.
- Audits produce evidence; passing an audit proves a point-in-time state, not the absence of all risk.
- Data locality and data sovereignty govern where data is stored, processed, replicated, and legally controlled.
- PCI DSS protects cardholder data; GDPR protects EU residents' personal data with up to 4% global-revenue fines.
Risk and Compliance Language
Objective 4.2 expects you to separate security terms that sound similar but mean different things, then apply them to a scenario. Memorize the precise definitions; the exam loves to swap vulnerability for exploit in a distractor.
Core Terms
| Term | Meaning | Example |
|---|---|---|
| Asset | Something of value | Customer database, edge router, WAN circuit |
| Vulnerability | A weakness that could be exploited | Unpatched VPN appliance |
| Threat | A potential cause of harm | Attacker, malicious insider, storm, fat-finger config |
| Threat actor | The entity behind a threat | Nation-state, hacktivist, script kiddie, insider |
| Exploit | A method/code that abuses a vulnerability | Public proof-of-concept against the VPN flaw |
| Risk | Loss from a threat exploiting a vulnerability | VPN compromise leading to internal access |
| Likelihood | Probability of occurrence | Higher when Internet-facing and actively targeted |
| Impact | Harm if it occurs | Data exposure, outage, unsafe process, fine |
Risk = likelihood x impact. A critical, Internet-exposed system with active exploit activity outranks a low-impact internal issue with no realistic path to harm. The CVSS (Common Vulnerability Scoring System) rates severity from 0.0 to 10.0 (Critical = 9.0-10.0), a common input to that prioritization, though each organization still sets its own risk-acceptance method.
CIA Impact Mapping
| CIA area | Network scenario |
|---|---|
| Confidentiality | Packet capture reveals clear-text credentials |
| Integrity | DNS poisoning silently redirects users to a fake site |
| Availability | DDoS traffic blocks customers from reaching a service |
Many incidents touch more than one pillar; the question wording points to the primary impact. "Users cannot connect" = availability. "Records were altered" = integrity. "Sensitive data was read" = confidentiality.
Audit and Compliance
An audit checks whether controls, processes, or evidence meet a requirement. Compliance means the organization meets a defined standard, regulation, contract, or policy at a point in time. Security is broader than compliance, yet compliance drives much of the documentation a network team must produce.
| Evidence type | Example artifact |
|---|---|
| Access | User access review, group export, VPN approval record |
| Configuration | Firewall rule review, secure baseline, change ticket |
| Logging | Retention settings, sample events, admin activity logs |
| Vulnerability | Scan results, remediation tickets, exception approvals |
| Segmentation | Network diagrams, ACL/rule tables, validation test results |
Data Locality, Sovereignty, PCI DSS, and GDPR
Data locality means data is stored or processed in a specific physical/legal location. Data sovereignty is the principle that data is subject to the laws of the jurisdiction where it resides or where the subject lives. These shape cloud region choices, backups, logging, replication, and remote support.
| Requirement cue | Network implication |
|---|---|
| PCI DSS | Segment the cardholder data environment, restrict access, log, encrypt transmission |
| GDPR | Protect EU personal data; lawful basis, retention limits, cross-border transfer rules |
| Data locality | Pin cloud regions and backup targets to approved geographies |
| Audit request | Produce evidence the controls were in force during the review window |
GDPR can levy fines up to EUR 20 million or 4% of global annual revenue, whichever is higher, so a backup replicated to an unapproved region is a real compliance event, not a footnote. Do not treat regulation names as magic answers: read what the scenario asks. Card systems on a flat network with guest Wi-Fi point to segmentation; backups landing in the wrong country point to data locality.
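The data-locality cue above comes down to one question an auditor will ask: for every copy of a regulated data set (primary, replica, backup, log), which country's law applies, and is that country on the approved list? The following is an added example for this guide, not code from any vendor or standard; the region-to-country mapping, the approval policy and the inventory are constructed for illustration. It treats an unknown region as a violation so the check fails closed.

```python
"""Check where every copy of a data set actually lives against approved geographies.

Added example for this study guide. REGION_COUNTRY, POLICY and INVENTORY
are constructed sample data, not real cloud or policy records.
"""

# Constructed mapping: cloud region -> ISO country code whose law applies.
REGION_COUNTRY = {
    "eu-west-1": "IE",
    "eu-central-1": "DE",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

# Constructed policy: data classification -> countries allowed to hold it.
# None means no locality restriction.
POLICY = {
    "eu-personal": {"IE", "DE", "FR", "NL"},
    "cardholder": {"US", "IE"},
    "public": None,
}

# Constructed inventory: one record per copy, including backups and logs,
# because locality applies to those too, not just the production database.
INVENTORY = [
    {"dataset": "customer-db", "class": "eu-personal", "kind": "primary", "region": "eu-west-1"},
    {"dataset": "customer-db", "class": "eu-personal", "kind": "backup", "region": "us-east-1"},
    {"dataset": "customer-db", "class": "eu-personal", "kind": "log", "region": "eu-central-1"},
    {"dataset": "payments", "class": "cardholder", "kind": "primary", "region": "us-east-1"},
    {"dataset": "payments", "class": "cardholder", "kind": "replica", "region": "ap-southeast-1"},
    {"dataset": "website", "class": "public", "kind": "cdn", "region": "ap-southeast-1"},
]


def locality_violations(inventory, policy, region_country):
    """Return one record per copy stored outside its approved geography.

    A region missing from region_country is reported as a violation:
    if we cannot say which law applies, the copy is not known to be compliant.
    """
    violations = []
    for copy in inventory:
        allowed = policy.get(copy["class"])
        if allowed is None:
            continue  # unrestricted classification
        country = region_country.get(copy["region"])
        if country is None or country not in allowed:
            violations.append({**copy, "country": country, "allowed": sorted(allowed)})
    return violations


def report_lines(violations):
    """Human-readable evidence lines suitable for a remediation ticket."""
    return [
        f"{v['dataset']} ({v['class']}) {v['kind']} in {v['region']} "
        f"-> country {v['country']} not in {v['allowed']}"
        for v in violations
    ]


if __name__ == "__main__":
    for line in report_lines(locality_violations(INVENTORY, POLICY, REGION_COUNTRY)):
        print(line)
```

Running it flags the EU customer backup replicated to a US region and the cardholder replica in Singapore, while the EU log copy in Germany and the public CDN content pass. The check runs against an inventory of copies, not of systems, which is the same lens an auditor uses when asking where backups and logs land.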
Worked Example: Prioritizing Two Findings
A quarterly scan returns two items. Finding A is a critical-severity flaw (CVSS 9.8) on an Internet-facing load balancer with a public exploit in the wild. Finding B is a medium flaw (CVSS 5.4) on an isolated lab server with no inbound path from the Internet and no exploit available. Risk = likelihood x impact tells you to remediate A first: high impact (perimeter compromise) and high likelihood (exposed plus active exploitation). B may even be a candidate for a documented risk acceptance with a compensating control such as keeping it off the routed network.
The exam frequently presents exactly this two-finding choice and expects the exposed, actively exploited asset to win.
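To make the Risk = likelihood x impact reasoning from the definitions section and the two-finding example concrete, here is an added example (not from the exam objectives or any scanner vendor) that scores findings and ranks them. The weights for exposure, exploit availability and asset value are assumptions chosen to illustrate the method; a real organization sets its own, which is the point the guide makes about CVSS being an input rather than the decision. Findings A and B match the worked example; C and D are constructed to show the trap where a higher CVSS number with no path to the asset loses to a lower one that is exposed.

```python
"""Rank vulnerability findings by risk = likelihood x impact.

Added example for this study guide. The weighting scheme is an assumption
for illustration, not a published standard: the CVSS base score feeds
impact (scaled by asset value); exposure and exploit activity feed likelihood.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    asset: str
    cvss: float               # 0.0-10.0 base score reported by the scanner
    internet_facing: bool     # reachable from the Internet?
    exploit_public: bool      # working exploit code published?
    actively_exploited: bool  # exploitation observed in the wild?
    asset_value: int          # 1 (lab/test) .. 5 (crown jewel), set by the org


def cvss_rating(score: float) -> str:
    """CVSS v3 qualitative severity bands (None/Low/Medium/High/Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def likelihood(f: Finding) -> float:
    """Likelihood on a 0-1 scale (assumed weights)."""
    value = 0.5 if f.internet_facing else 0.1
    if f.exploit_public:
        value += 0.2
    if f.actively_exploited:
        value += 0.3
    return min(value, 1.0)


def impact(f: Finding) -> float:
    """Impact on a 0-1 scale: CVSS severity scaled by what the asset is worth."""
    return (f.cvss / 10.0) * (f.asset_value / 5.0)


def risk_score(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 3)


def prioritize(findings):
    """Highest risk first: this is the remediation order."""
    return sorted(findings, key=risk_score, reverse=True)


def acceptance_candidate(f: Finding) -> bool:
    """A finding the org might document as accepted risk with a compensating
    control: no Internet path, no public exploit, low-value asset."""
    return not f.internet_facing and not f.exploit_public and f.asset_value <= 2


# Constructed findings. A and B mirror the worked example above.
FINDING_A = Finding("A", "Internet-facing load balancer", 9.8, True, True, True, 5)
FINDING_B = Finding("B", "isolated lab server", 5.4, False, False, False, 1)
# C: critical CVSS but no path to it. D: lower CVSS, exposed with public exploit.
FINDING_C = Finding("C", "isolated file server", 9.1, False, False, False, 2)
FINDING_D = Finding("D", "Internet-facing web gateway", 7.5, True, True, False, 4)
SAMPLE_FINDINGS = [FINDING_B, FINDING_C, FINDING_D, FINDING_A]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        flag = " (risk-acceptance candidate)" if acceptance_candidate(f) else ""
        print(f"{f.name}: CVSS {f.cvss} {cvss_rating(f.cvss)} -> risk {risk_score(f)}{flag}")
```

The ranking comes out A, D, C, B: D (CVSS 7.5, exposed, exploit public) outranks C (CVSS 9.1, isolated, no exploit) because likelihood drags C down, which is exactly the "higher CVSS does not automatically mean fix first" trap. B and C are flagged as candidates for a documented acceptance decision, not as things to ignore.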
How PCI DSS Shapes the Network
PCI DSS is the most concrete compliance cue on the exam because its requirements translate directly into network controls. A merchant must isolate the CDE (cardholder data environment) with firewalls and segmentation so that systems handling primary account numbers do not share a broadcast domain with general workstations or guest Wi-Fi. Effective segmentation also reduces audit scope: only the in-scope CDE segment must meet the full control set, which is both a security and a cost argument.
Other PCI-driven network controls include restricting inbound and outbound traffic by least privilege, logging access to cardholder data, and encrypting transmission across open or public networks. When a scenario describes payment terminals reachable from the same VLAN as the lobby kiosk, the intended answer is segmentation plus access control, not a vague "improve security."
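The two PCI points above, that CDE systems must not share a broadcast domain with general or guest systems and that traffic into the CDE must be restricted by least privilege, can be checked from a host inventory and a rule table. The following is an added example written for this guide, not an official PCI DSS tool; the VLAN numbers, hosts, roles and firewall rules are constructed. It also shows the scope argument: a lobby kiosk left on the point-of-sale VLAN drags itself into audit scope.

```python
"""Validate CDE segmentation and least-privilege rules from an inventory.

Added example for this study guide. HOSTS, CDE_ROLES and RULES are
constructed sample data, not a real network.
"""
from collections import defaultdict

# Constructed host inventory: host name -> (VLAN, role).
HOSTS = {
    "pos-01": (10, "pos"),
    "pos-02": (10, "pos"),
    "pay-db-01": (20, "payment-db"),
    "lobby-kiosk": (10, "kiosk"),        # misplaced: shares the POS VLAN
    "hr-ws-01": (30, "workstation"),
    "guest-ap": (40, "guest-wifi"),
}

# Roles that handle cardholder data and therefore define the CDE.
CDE_ROLES = {"pos", "payment-db"}

# Constructed firewall rules: (src_vlan, dst_vlan, dst_port, action).
RULES = [
    (10, 20, 443, "allow"),           # POS to payment DB over TLS: fine
    ("any", 20, "any", "allow"),      # too broad: anything can reach the CDE
    (40, 20, "any", "deny"),          # guest Wi-Fi explicitly blocked
]


def cde_vlans(hosts, cde_roles):
    """VLANs that carry at least one cardholder-data system."""
    return {vlan for vlan, role in hosts.values() if role in cde_roles}


def shared_broadcast_domains(hosts, cde_roles):
    """CDE VLANs that also host non-CDE systems: a segmentation failure."""
    by_vlan = defaultdict(list)
    for name, (vlan, role) in hosts.items():
        by_vlan[vlan].append((name, role))
    findings = {}
    for vlan in cde_vlans(hosts, cde_roles):
        outsiders = [name for name, role in by_vlan[vlan] if role not in cde_roles]
        if outsiders:
            findings[vlan] = outsiders
    return findings


def overly_broad_rules(rules, cde_vlan_set):
    """Allow rules into a CDE VLAN with 'any' source or 'any' port
    do not meet least privilege and should be tightened."""
    return [
        r for r in rules
        if r[3] == "allow" and r[1] in cde_vlan_set and "any" in (r[0], r[2])
    ]


def in_scope_hosts(hosts, cde_roles):
    """Every host on a CDE VLAN is in PCI audit scope, CDE role or not."""
    vlans = cde_vlans(hosts, cde_roles)
    return sorted(name for name, (vlan, _) in hosts.items() if vlan in vlans)


if __name__ == "__main__":
    vlans = cde_vlans(HOSTS, CDE_ROLES)
    print("CDE VLANs:", sorted(vlans))
    print("Shared broadcast domains:", shared_broadcast_domains(HOSTS, CDE_ROLES))
    print("Overly broad allow rules:", overly_broad_rules(RULES, vlans))
    print("Hosts in audit scope:", in_scope_hosts(HOSTS, CDE_ROLES))
```

Here the kiosk on VLAN 10 is reported as a segmentation failure and appears in the audit scope alongside the POS terminals, and the `any -> VLAN 20` allow rule is flagged even though a later rule denies guest Wi-Fi, because a broad allow is not cured by one narrow deny. Moving the kiosk to its own VLAN and replacing the broad rule with source- and port-specific allows is the "segmentation plus access control" answer the scenario expects.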
Common Traps
- A vulnerability is the weakness; the exploit is the method that abuses it.
- A threat can exist before it ever succeeds.
- Passing an audit does not eliminate risk; it documents a point in time.
- Data locality applies to logs and backups, not just production databases.
- A higher CVSS number does not automatically mean "fix first" if there is no path to the asset; weigh exposure too.
- Sound risk decisions weigh asset value, exposure, likelihood, impact, and compensating controls together.
An Internet-facing VPN appliance is missing a patch, and attackers are actively using publicly published code to compromise similar systems. That public code is best described as which term?
Database backups containing EU customers' personal data are found replicated to a cloud region in an unapproved country. Which concern is most directly involved?
Match each risk term to its best description.