
    Compliance, Auditing & Reporting Flashcards

    Test your understanding of the Compliance, Auditing & Reporting module. Click a card to flip it between question and answer. Use the arrows, keyboard (← →), or swipe on mobile to move through the deck.

    Question

    What are the three categories of IAM compliance controls?

    Answer

    Preventive controls (least privilege, SoD, MFA) — stop incidents before they occur. Detective controls (logging, certification, monitoring) — detect incidents after they occur. Corrective controls (deprovisioning, rotation, notification) — respond to and remediate incidents.

    Question

    Which compliance frameworks mandate IAM controls?

    Answer

    SOX (US public companies), GDPR (EU data protection), PCI DSS (payment card data, contractual through the card brands), HIPAA (US healthcare), ISO 27001 (certifiable global ISMS standard), and NIST SP 800-53 (US federal systems, mandated via FISMA). Each specifies IAM controls; the regulations (SOX, GDPR, HIPAA) carry statutory penalties, PCI DSS carries contractual fines, and ISO 27001 and NIST SP 800-53 are enforced through certification and authorisation rather than fines.

    Question

    What is the maximum penalty for GDPR non-compliance?

    Answer

    Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).

    Question

    What does PCI DSS require for privileged access?

    Answer

    Requirement 7 restricts access to system components and cardholder data by business need-to-know, and (in v4.0, requirement 7.2.4) requires user accounts and access privileges to be reviewed at least once every six months. Requirement 8 mandates unique identification and authentication, including MFA for all non-console administrative access (v4.0 extends MFA to all access into the cardholder data environment). Note that Requirement 9 covers physical access to cardholder data, not logical access review.

    Question

    What is the IAM compliance stack?

    Answer

    Regulatory Frameworks (SOX, GDPR, PCI DSS) → Control Objectives (access control, audit trail, SoD) → IAM Implementation (IGA, PAM, SSO/MFA) → Evidence and Reporting (certification reports, audit logs, dashboards).

    Question

    What is compliance automation in IAM?

    Answer

    Using policy-as-code, continuous monitoring, automated evidence collection, and self-service audit portals to transform compliance from a periodic manual audit scramble into a continuous, predictable process.

    Question

    What are the key IAM controls required by SOX?

    Answer

    Internal controls over financial reporting — access certification for financial systems, segregation of duties (SoD) analysis, privileged access management for finance applications, and audit trails for all privileged actions.
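    The two cards above (compliance automation through policy-as-code, and the SOX controls of access certification and SoD analysis) describe checks that are normally run by an IGA tool. The following is an added example, not code from this module or from any product it names, showing what those checks look like when written as code over a small constructed set of accounts. The entitlement names, rule IDs and the 180-day review window are assumptions chosen for the example (the six-month window mirrors PCI DSS 7.2.4; SOX itself sets no fixed interval).

```python
"""Policy-as-code access review: SoD, privileged-without-MFA and stale-review checks.

Added example with constructed data; the entitlement names, rule IDs and review
window are assumptions, not requirements taken from any framework's text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

# Separation-of-duties rules as data: each rule names two entitlements that a
# single identity must never hold at the same time (classic finance toxic pairs).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("SOD-01", "vendor.create", "payment.approve"),   # create a vendor and pay it
    ("SOD-02", "journal.post", "journal.approve"),    # post and approve own journals
    ("SOD-03", "user.provision", "user.certify"),     # grant access and certify it
]

# Entitlements the program treats as privileged and therefore MFA-gated.
PRIVILEGED: FrozenSet[str] = frozenset(
    {"payment.approve", "journal.approve", "user.provision", "db.admin"}
)


@dataclass
class Account:
    user: str
    entitlements: Set[str]
    mfa_enrolled: bool
    last_reviewed: date  # date the owner last certified this account's access


def sod_violations(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (user, rule_id) for every account holding both sides of a rule."""
    findings = []
    for acct in accounts:
        for rule_id, left, right in SOD_RULES:
            if left in acct.entitlements and right in acct.entitlements:
                findings.append((acct.user, rule_id))
    return findings


def privileged_without_mfa(accounts: List[Account]) -> List[str]:
    """Users holding a privileged entitlement who are not enrolled in MFA."""
    return sorted(
        a.user for a in accounts if (a.entitlements & PRIVILEGED) and not a.mfa_enrolled
    )


def stale_reviews(accounts: List[Account], today: date, max_age_days: int = 180) -> List[str]:
    """Accounts whose last certification is older than the review window."""
    return sorted(a.user for a in accounts if (today - a.last_reviewed).days > max_age_days)


def evidence_report(accounts: List[Account], today: date) -> Dict[str, object]:
    """Machine-readable evidence an auditor can consume: what was checked, when, and what failed."""
    return {
        "as_of": today.isoformat(),
        "accounts_checked": len(accounts),
        "sod_violations": sod_violations(accounts),
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "stale_reviews": stale_reviews(accounts, today),
    }


# Constructed sample population (not real users or entitlements).
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", {"vendor.create", "payment.approve"}, True, date(2025, 7, 1)),
    Account("bob", {"db.admin"}, False, date(2025, 6, 15)),
    Account("carol", {"journal.post"}, True, date(2024, 12, 1)),
    Account("dave", {"user.provision", "user.certify"}, True, date(2025, 8, 1)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_report(SAMPLE_ACCOUNTS, date(2025, 9, 1)), indent=2))
```

Keeping the rules as data rather than as conditionals buried in code is the point of policy-as-code: the rule set can be version-controlled, reviewed like any other change, and handed to the auditor as the control definition, while the report output is the operating-effectiveness evidence.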

    Question

    What are the HIPAA technical safeguard requirements for IAM?

    Answer

    45 CFR §164.312(a)(1) is the access control standard for ePHI. Its implementation specifications are unique user identification and emergency access procedure (both required), and automatic logoff and encryption/decryption (both addressable, meaning the entity must implement them or document why an alternative is reasonable). Related IAM-relevant standards in the same section are audit controls (§164.312(b)) and person or entity authentication (§164.312(d)).

    Question

    What is ISO 27001 Annex A.9 about?

    Answer

    In ISO/IEC 27001:2013, Annex A.9 covers access control: A.9.2.1 (user registration and de-registration), A.9.2.2 (user access provisioning), A.9.2.3 (management of privileged access rights), and A.9.2.5 (review of user access rights). The 2022 revision reorganised Annex A, so the same requirements now sit under controls such as A.5.15 (access control), A.5.16 (identity management), A.5.18 (access rights) and A.8.2 (privileged access rights).

    Question

    What is the role of IAM in incident response and forensics?

    Answer

    Identity forensics provides user attribution for security events, access analysis during breach investigation, and the ability to trace who accessed what system when — critical for understanding breach scope and impact.
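    The card above describes identity forensics as tracing who accessed what system and when. As an added example that is not part of this module, the script below reconstructs that trace from a constructed newline-delimited JSON audit export: it builds a per-user timeline, answers the inverse question (who touched a given resource), and flags resource-access events whose session never authenticated, which is how a replayed or stolen token, or a logging gap, first shows up in a breach investigation. The event names, field names and log lines are all assumptions invented for the example.

```python
"""Identity forensics over a constructed audit log (added example, not the module's code).

Event schema (assumed for this example): one JSON object per line with ts, event,
user, session and, depending on the event, ip, mfa, resource and action.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit export; not real data. Note that the s9 access for jsmith has
# no matching auth.login, comes from an external IP, and happens late at night.
AUDIT_LOG = """
{"ts":"2025-09-01T08:00:00Z","event":"auth.login","user":"jsmith","session":"s1","ip":"10.1.1.5","mfa":true}
{"ts":"2025-09-01T08:05:12Z","event":"resource.access","user":"jsmith","session":"s1","resource":"erp/ap/payments","action":"read"}
{"ts":"2025-09-01T08:07:40Z","event":"resource.access","user":"jsmith","session":"s1","resource":"erp/ap/vendors","action":"update"}
{"ts":"2025-09-01T08:30:00Z","event":"auth.logout","user":"jsmith","session":"s1"}
{"ts":"2025-09-01T22:14:03Z","event":"resource.access","user":"jsmith","session":"s9","resource":"erp/gl/journals","action":"export","ip":"203.0.113.7"}
{"ts":"2025-09-01T09:00:00Z","event":"auth.login","user":"mlee","session":"s2","ip":"10.1.1.9","mfa":false}
{"ts":"2025-09-01T09:01:00Z","event":"resource.access","user":"mlee","session":"s2","resource":"hr/payroll","action":"read"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse NDJSON, skipping blank lines; timestamps are ISO-8601 UTC so they sort as strings."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def timeline(events: List[dict], user: str) -> List[Tuple[str, str, str]]:
    """Chronological (ts, event, detail) for one user, where detail is the resource or source IP."""
    rows = []
    for ev in events:
        if ev.get("user") != user:
            continue
        detail = ev.get("resource") or ev.get("ip") or ""
        rows.append((ev["ts"], ev["event"], detail))
    return sorted(rows)


def who_accessed(events: List[dict], resource: str) -> List[Tuple[str, str, str]]:
    """The inverse query: every (ts, user, session) that touched a given resource."""
    return sorted(
        (ev["ts"], ev["user"], ev["session"])
        for ev in events
        if ev.get("event") == "resource.access" and ev.get("resource") == resource
    )


def resources_touched(events: List[dict], user: str) -> Dict[str, Set[str]]:
    """Map of resource -> set of actions for one user, for scoping breach impact."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.get("event") == "resource.access" and ev.get("user") == user:
            out[ev["resource"]].add(ev["action"])
    return dict(out)


def unattributed_access(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Resource accesses whose (user, session) never appears in an auth.login event.

    A hit means the audit trail cannot attribute the access to an authenticated
    session: either the session token was obtained outside the normal login path
    or the login record is missing, and both need explaining in an investigation.
    """
    authenticated = {
        (ev["user"], ev["session"]) for ev in events if ev.get("event") == "auth.login"
    }
    return sorted(
        (ev["user"], ev["session"], ev["resource"])
        for ev in events
        if ev.get("event") == "resource.access"
        and (ev["user"], ev["session"]) not in authenticated
    )


if __name__ == "__main__":
    evs = parse_events(AUDIT_LOG)
    for row in timeline(evs, "jsmith"):
        print(*row)
    print("unattributed:", unattributed_access(evs))
```

Sorting by timestamp only works because every event carries the same UTC ISO-8601 format; on real exports, normalise timestamps first, since mixed time zones silently reorder a timeline.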

    Question

    What is audit readiness in the context of IAM?

    Answer

    Building an audit-ready IAM program with preventive controls (reducing risk), detective controls (identifying issues), and evidence management that proves controls are operating effectively — including pre-audit preparation and auditor workflow management.

    Question

    What is the most common driver for IAM and PAM investments?

    Answer

    Compliance is often the primary driver. Regulatory frameworks mandate specific controls over who can access what, how access is monitored, and how organisations prove that their access controls are operating effectively.

    Tip

    Review any cards you got wrong by navigating to the corresponding module page for a deeper explanation.