Compliance, Auditing & Reporting Flashcards
Test your understanding of the Compliance, Auditing & Reporting module. Click a card to flip it between question and answer. Use the arrows, keyboard (← →), or swipe on mobile to move through the deck.
What are the three categories of IAM compliance controls?
Preventive controls (least privilege, SoD, MFA) — stop incidents before they occur. Detective controls (logging, certification, monitoring) — detect incidents after they occur. Corrective controls (deprovisioning, rotation, notification) — respond to and remediate incidents.
Which compliance frameworks mandate IAM controls?
SOX (US public companies), GDPR (EU data protection), PCI DSS (global payment data), HIPAA (US healthcare), ISO 27001 (global ISMS), and NIST SP 800-53 (US federal). Each has specific IAM requirements with defined penalties.
What is the maximum penalty for GDPR non-compliance?
Up to €20 million or 4% of global annual revenue, whichever is higher.
What does PCI DSS require for privileged access?
Requirement 7 restricts access to cardholder data by business need-to-know. Requirement 8 mandates MFA for non-console administrative access. Requirement 9 requires periodic access review.
What is the IAM compliance stack?
Regulatory Frameworks (SOX, GDPR, PCI DSS) → Control Objectives (access control, audit trail, SoD) → IAM Implementation (IGA, PAM, SSO/MFA) → Evidence and Reporting (certification reports, audit logs, dashboards).
What is compliance automation in IAM?
Using policy-as-code, continuous monitoring, automated evidence collection, and self-service audit portals to transform compliance from a periodic manual audit scramble into a continuous, predictable process.
What are the key IAM controls required by SOX?
Internal controls over financial reporting — access certification for financial systems, segregation of duties (SoD) analysis, privileged access management for finance applications, and audit trails for all privileged actions.
What are the HIPAA technical safeguard requirements for IAM?
45 CFR §164.312(a)(1) mandates access control policies for ePHI, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption controls.
What is ISO 27001 Annex A.9 about?
Annex A.9 covers access control — A.9.2.1 (user access provisioning), A.9.2.3 (management of privileged access rights), and A.9.2.5 (regular review of user access rights).
What is the role of IAM in incident response and forensics?
Identity forensics provides user attribution for security events, access analysis during breach investigation, and the ability to trace who accessed what system when — critical for understanding breach scope and impact.
What is audit readiness in the context of IAM?
Building an audit-ready IAM program with preventive controls (reducing risk), detective controls (identifying issues), and evidence management that proves controls are operating effectively — including pre-audit preparation and auditor workflow management.
What is the most common driver for IAM and PAM investments?
Compliance is often the primary driver. Regulatory frameworks mandate specific controls over who can access what, how access is monitored, and how organisations prove that their access controls are operating effectively.
Tip
Review any cards you got wrong by navigating to the corresponding module page for a deeper explanation.