Session 10 Module A - Test Solutions¶
Advanced Security & Compliance - Answer Key¶
Question 1: GDPR Legal Basis Implementation¶
Correct Answer: C) Consent
Explanation: Consent is the most complex legal basis to implement under GDPR because it requires explicit, informed, and freely given agreement that can be withdrawn at any time. Article 7 mandates that consent withdrawal must be as easy as giving consent, requiring sophisticated consent management systems that track granular consent records, support easy withdrawal mechanisms, and implement cascade effects when consent is withdrawn. Other legal bases like contract or legal obligation have clearer boundaries and don't require the same level of dynamic management.
# Consent requires complex withdrawal cascade handling
if not consent_given:
await self._handle_consent_withdrawal_cascade(data_subject_id, purpose)
Question 2: Zero-Trust Architecture Principle¶
Correct Answer: B) Never trust, always verify
Explanation: Zero-trust architecture operates on the fundamental principle of "never trust, always verify." This means every access request, regardless of source, location, or user authentication status, must be validated against current security policies. Unlike traditional perimeter-based security that trusts users inside the network, zero-trust assumes no implicit trust and continuously validates every interaction. This approach is essential for modern enterprise security where the traditional network perimeter has dissolved.
# Zero-trust validates every request regardless of authentication
token_validation = await self._validate_session_token(session_token)
if not token_validation['valid']:
return {'authorized': False, 'error': 'Invalid session token'}
Question 3: K-Anonymity Purpose¶
Correct Answer: B) To ensure each individual cannot be distinguished from at least k-1 others
Explanation: K-anonymity is a privacy protection technique that ensures each individual in a dataset cannot be distinguished from at least k-1 other individuals based on quasi-identifiers (attributes that could be used for re-identification). By grouping records with identical quasi-identifier combinations and ensuring each group has at least k members, k-anonymity protects against re-identification attacks. Records that don't meet the k-threshold are either generalized (reducing precision) or suppressed (removed) to maintain privacy protection.
# K-anonymity groups records by quasi-identifiers
for signature, records in groups.items():
if len(records) >= k_value:
# Group meets k-anonymity requirement
anonymized_dataset.extend(records)
Question 4: ABAC Attribute Types¶
Correct Answer: D) Network attributes
Explanation: ABAC (Attribute-Based Access Control) typically evaluates four main attribute categories: Subject attributes (about the user), Object attributes (about the resource), Environment attributes (about the context like time, location), and Action attributes (about what operation is being performed). Network attributes are not a standard ABAC category, though network-related information might be included within environment attributes. The ABAC model focuses on these four core attribute types to make fine-grained authorization decisions.
# ABAC evaluates subject, object, environment, and action attributes
subject_attrs = request_context.get('subject_attributes', {})
object_attrs = request_context.get('object_attributes', {})
environment_attrs = request_context.get('environment_attributes', {})
action = request_context.get('action')
Question 5: Enterprise Key Rotation Strategy¶
Correct Answer: C) Generate new key and provide grace period for old key
Explanation: Proper key rotation requires generating a new key while providing a grace period for the old key to ensure no data becomes inaccessible during the transition. This approach allows time for all systems to update their key references and for any pending operations using the old key to complete. Immediate replacement without grace period risks data loss, while never rotating keys compromises long-term security. The grace period (typically 30 days) balances security with operational continuity.
# Key rotation with grace period for operational continuity
self.encryption_keys[new_key.key_id] = new_key
old_key.expires_at = datetime.now() + timedelta(days=30) # Grace period
Question 6: GDPR DPIA Requirements¶
Correct Answer: D) Article 35
Explanation: Article 35 of GDPR mandates Data Protection Impact Assessments (DPIA) for processing activities that are likely to result in high risk to individuals' rights and freedoms. This includes systematic monitoring, processing of sensitive data at large scale, or use of new technologies. DPIAs must assess necessity, proportionality, risks to data subjects, and safeguards. High-risk assessments require consultation with supervisory authorities, making Article 35 compliance critical for enterprise systems processing personal data.
# Article 35 compliance requires DPIA for high-risk processing
if data_element.is_sensitive or data_element.category == "biometric":
await self._trigger_pia_assessment(data_element, data_subject_id)
Question 7: Field-Level Encryption Advantages¶
Correct Answer: B) Granular protection allowing different encryption policies per field
Explanation: Field-level encryption's primary advantage is granular protection that enables different encryption policies for different data types within the same record. This allows organizations to apply stronger encryption to highly sensitive fields (like SSNs) while using lighter protection for less sensitive data, optimize performance by encrypting only necessary fields, and implement role-based access where different users can decrypt different fields. This granularity is impossible with full-record encryption.
# Field-level encryption allows granular protection policies
for field_name, key_id in field_encryption_map.items():
if field_name in record:
encryption_result = await self.encrypt_sensitive_data(
field_value, key_id, "field_level"
)
Performance Benchmarks: - 7/7 correct: Expert-level understanding of enterprise security - 5-6 correct: Advanced comprehension with minor gaps - 3-4 correct: Intermediate understanding, review recommended - Below 3: Fundamental concepts need reinforcement