Domain 4 – Section B Review: Information Security Principles

CRISC Domain 4 — Technology and Security | Section B Review | 20–25 min
Frameworks guide structure.
Awareness shapes behavior.
Continuity sustains operations.
Privacy governs use.

Domain 4 Section B tests whether you understand:

  • How security principles reduce exposure
  • How frameworks provide governance structure
  • How awareness changes behavior
  • How continuity protects operations
  • How privacy governs data use
  • How governance integrates all of these

These questions require enterprise-level thinking — not technical memorization.


10 scenario-based questions


Question 1

An organization adopts a security framework but does not integrate it into governance processes or monitor compliance.

What is the PRIMARY weakness?

A. Strong standardization
B. Framework adoption without operational integration
C. Reduced inherent risk
D. Improved KPI tracking

Answer & reasoning

Correct: B

Frameworks must be embedded in governance, not adopted symbolically.


Question 2

An organization maintains documented security policies but does not enforce violations or monitor adherence.

What governance principle is MOST compromised?

A. Defense in depth
B. Enforcement and oversight discipline
C. Availability
D. Risk identification

Answer & reasoning

Correct: B

Documentation without enforcement does not reduce risk.


Question 3

Security awareness training is completed annually with high participation rates, but phishing click rates remain unchanged.

What is the MOST significant concern?

A. Strong compliance
B. Lack of behavioral effectiveness measurement
C. Reduced inherent risk
D. Improved KCI

Answer & reasoning

Correct: B

Completion rate does not equal effectiveness. Training must change behavior.


Question 4

Executives are exempt from mandatory awareness training to avoid scheduling conflicts.

What governance principle is MOST compromised?

A. Segregation of duties
B. Tone at the top and cultural alignment
C. Data minimization
D. Risk aggregation

Answer & reasoning

Correct: B

Leadership must model compliance. Executive exemption undermines security culture.


Question 5

A Business Impact Analysis identifies a process MTD of 8 hours, but the current recovery capability requires 24 hours.

What does this indicate?

A. Strong resilience
B. Misalignment between impact tolerance and recovery capability
C. Excessive mitigation
D. Lower inherent risk

Answer & reasoning

Correct: B

Recovery capability must align with business impact tolerance. RTO exceeding MTD is a critical gap.


Question 6

BCM plans exist but have not been updated after a major organizational restructuring that changed reporting lines and process ownership.

What risk emerges?

A. Strong governance
B. Outdated dependency and process assumptions
C. Reduced inherent risk
D. Improved monitoring

Answer & reasoning

Correct: B

Continuity plans must reflect current organizational structure and dependencies.


Question 7

Customer data is retained indefinitely because “storage is cheap” and the data “might be useful later.”

What privacy principle is MOST directly violated?

A. Confidentiality
B. Data minimization and purpose limitation
C. Availability
D. Defense in depth

Answer & reasoning

Correct: B

Over-retention violates minimization. Keeping data without defined purpose violates purpose limitation.


Question 8

A cloud vendor processes personal data on behalf of the organization. The contract does not define data destruction procedures upon termination.

What is the PRIMARY governance gap?

A. Strong resilience
B. Lack of third-party privacy and disposal governance
C. Reduced inherent risk
D. Improved KPI

Answer & reasoning

Correct: B

Outsourcing data processing does not outsource accountability. Disposal must be contractually defined.


Question 9

An organization applies the same level of encryption to all systems regardless of data sensitivity or risk exposure.

What principle may be violated?

A. Least privilege
B. Risk-based proportionality
C. Segregation of duties
D. Availability

Answer & reasoning

Correct: B

Controls must align with risk level. Uniform application without risk analysis is disproportionate.


Question 10

An organization maintains strong technical security controls but cannot identify where personal data resides across its systems.

What risk remains MOST significant?

A. Strong mitigation
B. Lack of data visibility and governance control
C. Reduced inherent risk
D. Improved monitoring

Answer & reasoning

Correct: B

You cannot govern what you cannot see. Data visibility is foundational to privacy governance.


Section B master pattern

When answering Domain 4 Section B questions, remember:

  • Frameworks must be integrated, not symbolic.
  • Enforcement matters more than documentation.
  • Awareness must change behavior, not just achieve completion.
  • Leadership must model compliance.
  • BCM must align recovery capability to impact tolerance.
  • Continuity plans must reflect current structure.
  • Privacy governs data use, not just protection.
  • Over-retention increases liability.
  • Vendor accountability cannot be outsourced.
  • Controls must be proportionate to risk.

This domain rewards enterprise-level resilience thinking — not technical memorization.
