
Graded Quiz: CompTIA Security+ Mock Exam: Cybersecurity Assessment: CompTIA Security+ & CySA+ (IBM Cybersecurity Analyst Professional Certificate) Answers 2025

1. Question 1

A coordinated attack stealing proprietary software and client data by a well-organized group with geopolitical motives. Which threat actor?

❌ Cybercriminal organization
❌ Insider threat
Nation-state
❌ Script kiddie

Explanation: The sophistication and geopolitical motives point to a nation-state actor.


2. Question 2

User clicks link, downloads malware that monitors activities. Which malware?

❌ Virus
Spyware
❌ Worm
❌ Ransomware

Explanation: Spyware monitors user activity and exfiltrates information stealthily.


3. Question 3

Financial analyst notices unusual transactions — best initial step?

❌ Ignore the activity
Investigate the transactions further
❌ Approve the transactions
❌ Change account passwords

Explanation: Investigate to gather facts and determine if fraud occurred before taking remediation steps.


4. Question 4

Secure communication over open network — which tunneling protocol?

TLS
❌ SASE
❌ 802.1X
❌ NGFW

Explanation: TLS (Transport Layer Security) encrypts and authenticates traffic over open networks (transport encryption). SASE is an architecture, 802.1X is port-based network access control, and an NGFW is a firewall; none of those is a tunneling protocol.


5. Question 5

Primary focus for capacity planning to recover quickly after natural disasters?

❌ Resource availability
❌ Infrastructure upgrades
Regular system testing
❌ Compliance regulations

Explanation: Regular testing (DR drills) ensures recovery procedures work when needed.


6. Question 6

Risk to manage when using IaC?

❌ Inability to patch quickly
Configuration drift
❌ Limited flexibility for scaling
❌ High resource consumption

Explanation: IaC can still suffer configuration drift if deployments/changes are not managed consistently.


7. Question 7

Change management scenario — which component addressed?

❌ Legacy applications
❌ Documentation
Impact analysis and backout plan
❌ Testing results

Explanation: The scenario explicitly mentions impact analysis and a backout plan.


8. Question 8

HIPAA audit — which compliance reporting is most relevant?

❌ Internal compliance reporting
❌ Financial reporting
External compliance reporting
❌ Performance reporting

Explanation: External auditors/regulators require external compliance reporting for HIPAA adherence.


9. Question 9

Data breach exposed payment info — which data source should be reviewed first?

❌ Firewall logs
Application logs
❌ OS-specific security logs
❌ Network logs

Explanation: Payment data exposure often stems from application-level flaws; app logs reveal exploitation paths.


10. Question 10

Website defaced after CMS vulnerability exploit — what type of attack?

❌ Phishing
❌ Malware infection
Web-based attack
❌ SQL Injection

Explanation: Defacement via CMS vulnerability is a web-based attack (could include XSS/remote file upload).


11. Question 11

Perpetrators traced to organized crime syndicate stealing millions — primary motivation?

❌ Philosophical beliefs
Financial gain
❌ Revenge
❌ Ethical reasons

Explanation: Organized crime focuses on financial profit.


12. Question 12

Post simulated breach, weaknesses in communication strategy — what to prioritize?

❌ Recovery
❌ Analysis
❌ Eradication
Training

Explanation: Communication weaknesses are addressed by training and exercises to improve coordination.


13. Question 13

Best protocol for SSO?

Security Assertions Markup Language (SAML)
❌ Kerberos
❌ Open Authorization (OAuth)
❌ LDAP

Explanation: SAML is the standard for browser-based enterprise SSO between an identity provider and service providers. Kerberos provides SSO inside a single domain, OAuth is an authorization framework rather than an authentication protocol, and LDAP is a directory access protocol.


14. Question 14

Pen test in sandbox with architecture details — what type?

❌ Known environment
Partially known environment
❌ Passive reconnaissance
❌ Offensive penetration testing

Explanation: Being given architecture details, but not full source and configuration access, is a partially known (gray-box) test. Full disclosure would make it a known (white-box) environment.


15. Question 15

Encrypting patient records in DB — primary reason?

❌ Improve data access
❌ Speed up data retrieval
❌ Enhance data integrity
Ensure data confidentiality

Explanation: Encryption protects confidentiality of stored patient records.


16. Question 16

Access control vestibule, cameras, sensors — what type of controls?

❌ Managerial controls
Physical controls
❌ Technical controls
❌ Operational controls

Explanation: Badges, cameras, and sensors are physical security controls.


17. Question 17

Catch vulnerabilities early in SDLC — which method?

❌ Rescanning vulnerabilities
❌ Incident response plan
❌ Penetration testing
Static code analysis

Explanation: Static code analysis (SAST) catches vulnerabilities during development before deployment.


18. Question 18

Keep data within a country — which concept?

Data sovereignty
❌ Encryption
❌ Obfuscation
❌ Data classification

Explanation: Data sovereignty refers to data subject to specific jurisdictional residence requirements.


19. Question 19

Policy-driven approach dynamically adjusts access based on risk — which Zero Trust feature?

❌ Data encryption
❌ Implicit trust zones
❌ Role-based access
Adaptive identity verification

Explanation: Adaptive identity (context-aware) adjusts access based on current risk signals.


20. Question 20

BYOD separation of company vs personal data — which approach?

❌ Remote wipe capabilities
❌ Full device encryption
❌ VPN usage
Containerization

Explanation: Containerization creates a secure segregated workspace for corporate data on personal devices.


21. Question 21

Access control model based on roles for university?

❌ Discretionary access control (DAC)
❌ Mandatory access control (MAC)
Role-based access control (RBAC)
❌ Rule-based access control

Explanation: RBAC assigns permissions based on roles (students, faculty, staff).


22. Question 22

Ensure critical patient care systems remain functional during power outage — strategy to enhance high availability?

❌ Geographic dispersion
Clustering
❌ Load balancing
❌ Site considerations

Explanation: Clustering (redundant nodes) helps maintain service availability locally during outages.

(Note: geographic dispersion and load balancing also help HA, but clustering is primary strategy for local continuity.)


23. Question 23

Method to determine loss for a single breach?

Single Loss Expectancy (SLE)
❌ Annualized Rate of Occurrence (ARO)
❌ Risk Threshold
❌ Annualized Loss Expectancy (ALE)

Explanation: SLE estimates loss from one occurrence.


24. Question 24

Surge of malicious traffic overwhelming web servers — attack type?

❌ Credential harvesting
❌ Ransomware attack
Distributed denial-of-service (DDoS)
❌ Man-in-the-middle

Explanation: DDoS floods resources to cause service unavailability.


25. Question 25

Database compromised by SQL injection — which vulnerability type?

❌ Malware intrusion
❌ Misconfigured settings
❌ Network hardware
Web-based

Explanation: SQL injection is a web application vulnerability.


26. Question 26

SSL/TLS between players and servers — which type of encryption?

❌ File-level encryption
❌ Full-disk encryption
Transport encryption
❌ Symmetric encryption

Explanation: SSL/TLS secures data in transit — transport encryption.


27. Question 27

Asset classification approach for computer labs?

❌ Use single classification
Develop multi-tier classification based on sensitivity and usage
❌ Classify only during annual audit
❌ Ignore classification

Explanation: Multi-tier classification enables appropriate controls per sensitivity.


28. Question 28

Post-exercise review focus after response exercise?

Lessons learned
❌ Containment
❌ Detection

Explanation: Post-exercise reviews should capture lessons learned to improve readiness.


29. Question 29

Determining how much risk willing to accept?

❌ Risk tolerance
Risk appetite
❌ Risk register
❌ Risk threshold

Explanation: Risk appetite is the overall amount of risk an organization is willing to pursue/accept.


30. Question 30

Incident response phase that focuses on learning from drill?

❌ Preparation
❌ Detection
Lessons learned
❌ Containment

Explanation: Lessons learned (post-incident review) improves future responses.


31. Question 31

Cannot immediately patch critical vulnerability — valid temporary approach?

Segmentation (also accepted; network segmentation is itself a compensating control)
❌ Leave the vulnerability as is
Apply compensating controls (primary answer)

Explanation: If patching delayed, apply compensating controls (segmentation, access restrictions) to reduce risk.


32. Question 32

Protect traffic between sensitive internal services — most effective approach?

❌ Web Application Firewall (WAF)
Logical segmentation
❌ Layer 4 firewall
❌ Jump server

Explanation: Logical segmentation (microsegmentation/VLANs) isolates traffic between internal services.


33. Question 33

Decoy servers intentionally left vulnerable — what technology?

❌ Firewall
❌ Data Loss Prevention (DLP)
❌ Intrusion Detection System (IDS)
Honeypot

Explanation: Honeypots lure attackers to study behavior without risking production systems.


34. Question 34

During procurement of new system, what to focus on for security?

❌ Choosing least expensive
❌ Prioritizing marketing claims
❌ Waiting until after implementation
Conduct vendor security audits and review system security features

Explanation: Vendor security audits and reviewing security features during procurement mitigates future risk.


35. Question 35

Transforming passwords into unique, fixed-length strings — which practice?

❌ Tokenization
❌ Encryption
Hashing
❌ Key exchange

Explanation: Hashing is one-way: the stored fixed-length digest cannot be reversed to recover the password, and a per-password salt plus a deliberately slow algorithm resists offline cracking of a stolen credential store.


36. Question 36

SCADA systems security risk most relevant?

Cyber-attacks on legacy components
❌ Increased operating costs
❌ Physical isolation of systems
❌ Difficulty in scaling operations

Explanation: SCADA often includes legacy, unpatched components vulnerable to attacks.


37. Question 37

Pen test without prior knowledge of infra — what type?

Unknown environment
❌ Partially known
❌ Known environment
❌ Defensive penetration testing

Explanation: No prior knowledge corresponds to a black-box/unknown environment test.


38. Question 38

Key security challenge in microservices architecture?

❌ Inability to automate
Complex service interconnections
❌ High costs
❌ Lack of scalability

Explanation: Microservices introduce complex inter-service communication and attack surface to secure.


39. Question 39

COPE model — essential consideration?

❌ Allow any app
❌ No security measures
Configure devices to enforce security policies while allowing personal use
❌ Require corporate-only apps

Explanation: COPE balances corporate control with personal use; enforce security while permitting personal apps.


40. Question 40

Malicious USB drive compromise — what threat vector?

❌ Image-based
Removable device
❌ Vulnerable software
❌ Voice call

Explanation: USB drives are removable media threat vectors delivering malware or exfiltration.


41. Question 41

Integrate security checks during development to prevent issues reaching production — what method?

❌ Rescanning
Static analysis
❌ Bug bounty program
❌ Dynamic analysis

Explanation: Static analysis (SAST) integrated into CI/CD identifies code issues before runtime.


42. Question 42

Simultaneous logins from different geographic locations — indicator?

❌ Account lockout
❌ Resource consumption
Impossible travel
❌ Blocked content

Explanation: Impossible travel means two logins for the same account from locations farther apart than anyone could physically travel in the time between them.


43. Question 43

Public cloud service with improper access controls — what vulnerability?

Cloud-specific vulnerability
❌ Secure cloud configuration
❌ User error
❌ Insufficient backup

Explanation: Improperly configured cloud access controls are a cloud-specific vulnerability (a misconfiguration of the provider's access settings rather than a flaw in the software itself).


44. Question 44

Sensitive data transmitted over unsecured network — primary risk?

❌ Compliance violations
Data interception
❌ Enhanced collaboration
❌ Increased transmission speed

Explanation: Unencrypted transmission risks interception (eavesdropping).


45. Question 45

Post-phishing evaluation meeting focus?

❌ Preparation
Lessons learned
❌ Detection
❌ Containment

Explanation: The evaluation should identify lessons learned to improve future defences.


46. Question 46

Significant increase in failed login attempts — immediate response?

❌ Ignore the attempts
❌ Monitor for additional attempts
Implement a temporary lockdown
❌ Increase user password complexity

Explanation: Temporary lockdown (block IPs/lock accounts) prevents brute-force compromise while investigating.
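
Questions 42 and 46 are both detections over authentication logs. The following is an added example, not part of the quiz: it parses a few constructed log lines (the format, the field names and the idea that each record already carries GeoIP-resolved coordinates are assumptions of this example), flags impossible travel by computing the great-circle distance between consecutive successful logins for the same user, and flags failed-login bursts per source address within a sliding window, which is the trigger for the temporary lockdown Question 46 asks about.

```python
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not from any real system). lat/lon are assumed
# to come from a GeoIP lookup performed before the record was written.
SAMPLE_LOG = """\
2025-03-01T09:00:00Z user=alice result=success ip=203.0.113.5 lat=40.71 lon=-74.01
2025-03-01T09:05:00Z user=alice result=failure ip=203.0.113.5 lat=40.71 lon=-74.01
2025-03-01T09:20:00Z user=alice result=success ip=198.51.100.9 lat=51.51 lon=-0.13
2025-03-01T09:30:00Z user=bob result=success ip=203.0.113.7 lat=37.77 lon=-122.42
2025-03-01T10:00:01Z user=carol result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T10:00:02Z user=dave result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T10:00:03Z user=erin result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T10:00:04Z user=carol result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T10:00:05Z user=dave result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T10:00:06Z user=erin result=failure ip=192.0.2.44 lat=48.85 lon=2.35
2025-03-01T12:30:00Z user=bob result=success ip=203.0.113.8 lat=34.05 lon=-118.24
"""


def parse_log(text: str) -> List[dict]:
    """Turn 'timestamp key=value ...' lines into records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        rec["lat"], rec["lon"] = float(rec["lat"]), float(rec["lon"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events: List[dict], max_speed_kmh: float = 900.0) -> List[dict]:
    """Flag a user whose consecutive successful logins imply faster-than-airliner travel."""
    alerts = []
    last: Dict[str, dict] = {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Simultaneous logins far apart give infinite speed; small distances are
            # ignored to absorb GeoIP jitter within one metro area.
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > max_speed_kmh:
                alerts.append({"user": e["user"], "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(km, 1), "speed_kmh": speed})
        last[e["user"]] = e
    return alerts


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return source IPs that reached `threshold` failures inside `window`, with the peak count."""
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[e["ip"]] = max(peaks.get(e["ip"], 0), len(q))
    return peaks


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in impossible_travel(evs):
        print(f"impossible travel: {a}")
    for ip, n in failed_login_bursts(evs).items():
        print(f"lockdown candidate: block {ip} ({n} failures in window), alert SOC")
```

Here alice's second login comes from roughly 5,570 km away twenty minutes later and is flagged, bob's three-hour hop down the coast is not, and the single address that fails against three accounts in six seconds is the one a temporary block should target; locking the victim accounts instead would hand the attacker a denial of service.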


47. Question 47

Employee selling confidential client data — what threat actor?

❌ Organized crime
❌ Hacktivist
Insider threat
❌ Nation-state

Explanation: An employee exfiltrating data is an insider threat.


48. Question 48

Independent auditor examining HIPAA compliance — what type of audit?

❌ Risk assessment audit
❌ Internal compliance audit
External compliance audit
❌ Regulatory audit

Explanation: Independent auditor performing HIPAA check is conducting an external compliance audit.


49. Question 49

Ensure compliance with privacy laws across jurisdictions — primary focus?

Data subject rights
❌ Ownership disputes
❌ External monitoring
❌ Data automation

Explanation: Cross-jurisdiction privacy focuses on rights (consent, access, erasure) of data subjects.


50. Question 50

Restrict access to proprietary algorithms based on roles — most effective strategy?

Permission restrictions
❌ Data masking
❌ Tokenization
❌ Encryption

Explanation: Fine-grained permission (access control) restricts who can view/use algorithms (though encryption also helpful).


51. Question 51

Maintain service during network appliance failure while addressing security — which failure mode?

❌ Inline monitoring
Fail-open (availability prioritized over enforcement)
❌ Port security
❌ Fail-closed

Explanation: A fail-open appliance keeps passing traffic when it fails, so service continues at the cost of losing the control it enforced while it is down. The question asks for continued service, so fail-open is the intended answer.
(Note: the right choice is context-dependent. A bank or other high-security environment often configures security appliances fail-closed, accepting an outage rather than unfiltered traffic.)


52. Question 52

Clause to include to review vendor security practices?

❌ Conflict of interest
❌ Supply chain analysis
Right-to-audit clause
❌ Master Service Agreement (MSA)

Explanation: Right-to-audit enables reviewing vendor security posture and compliance.


53. Question 53

Motion detection systems with cameras and patrols — which controls?

❌ Operational & compensating
❌ Technical & corrective
Physical and detective controls
❌ Managerial & preventive

Explanation: Motion detectors and cameras are physical controls and detect intrusion (detective).


54. Question 54

Ensure only compliant devices connect — which measure?

Network Access Control (NAC)
❌ Encryption protocols
❌ IDS/IPS
❌ Email security gateways

Explanation: NAC enforces posture checks and grants access only to compliant devices.


55. Question 55

Purpose of independent third-party audit in software development?

❌ To enhance product features
❌ To improve user satisfaction
To assess regulatory compliance
❌ To ensure competitive advantage

Explanation: Third-party audits evaluate adherence to regulatory/security standards.


56. Question 56

Critical element to ensure integrity of root cause analysis?

Chain of custody
❌ Digital forensics
❌ Threat hunting
❌ Reporting

Explanation: Chain of custody preserves evidence integrity for forensic analysis and legal use.
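
To make "chain of custody preserves evidence integrity" concrete, here is an added example that is not part of the quiz: a custody log in which the evidence is fingerprinted at acquisition and every handling entry carries the hash of the previous entry, so both a changed artifact and a rewritten log entry are detectable. Timestamps and handler names are constructed. A hash chain alone only detects tampering; a real custody record also needs signatures or write-once storage so the whole chain cannot be regenerated by whoever holds it.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: Dict) -> str:
    """Hash the canonical JSON of an entry, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class CustodyLog:
    """Append-only record of who handled an evidence item, hash-chained."""

    def __init__(self, evidence: bytes, label: str) -> None:
        self.label = label
        self.evidence_hash = sha256_hex(evidence)  # fingerprint taken at acquisition
        self.entries: List[Dict] = []

    def record(self, action: str, handler: str, ts: str) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "action": action,
            "handler": handler,
            "evidence_hash": self.evidence_hash,
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means artifact and log are intact."""
        problems = []
        if sha256_hex(evidence) != self.evidence_hash:
            problems.append("evidence hash mismatch: artifact differs from what was acquired")
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered after being recorded")
            prev = e["entry_hash"]
        return problems


if __name__ == "__main__":
    image = b"constructed stand-in for a disk image"  # constructed sample evidence
    log = CustodyLog(image, "laptop-7-image.dd")
    log.record("acquired", "analyst-a", "2025-03-01T10:00:00Z")
    log.record("transferred to lab", "analyst-b", "2025-03-01T12:00:00Z")
    print(log.verify(image))          # [] : intact
    print(log.verify(image + b"x"))   # evidence hash mismatch
```

If a root-cause analysis later claims "the malware was already on the image at acquisition," this log is what lets the claim stand: the hash proves the artifact analysed is the artifact collected, and the chain shows every hand it passed through.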


57. Question 57

Zero Trust principle being implemented with continuous authentication?

❌ Open public access
❌ Role-based access
Continuous verification
❌ Implicit trust zones

Explanation: Continuous verification ensures no implicit trust; users are continuously authenticated and authorized.


58. Question 58

Share non-sensitive patient info while protecting sensitive data — which method?

Data masking
❌ Encryption
❌ Segmentation
❌ Hashing

Explanation: Data masking reveals safe, de-identified data for research while protecting sensitive fields.
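
As an added example for Question 58 (not part of the quiz), the following builds a research view of a patient record that keeps the clinically useful fields and masks or generalizes the identifying ones, plus a help-desk view that shows only the last four digits of the SSN. The record fields, the custodian linkage key and the sample record are assumptions constructed for this example; the age banding follows the common practice of aggregating ages of 90 and over.

```python
import hashlib
import hmac
import re
from datetime import date
from typing import Dict

# Assumed key held by the data custodian so researchers can link records
# belonging to one patient without learning who the patient is (example value).
LINKAGE_KEY = b"example-custodian-key-not-a-real-secret"


def mask_ssn(ssn: str) -> str:
    """123-45-6789 -> ***-**-6789 (enough for a help desk to confirm identity)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def age_band(dob_iso: str, today: date) -> str:
    """Replace an exact birth date with a ten-year band; 90+ is one bucket."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    if age >= 90:
        return "90+"
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"


def pseudonym(patient_id: str) -> str:
    """Keyed hash of the internal ID: stable for linkage, useless without the key."""
    return hmac.new(LINKAGE_KEY, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def research_view(rec: Dict[str, str], today: date) -> Dict[str, str]:
    """Direct identifiers are dropped, quasi-identifiers generalized, diagnosis kept."""
    return {
        "pseudo_id": pseudonym(rec["patient_id"]),
        "age_band": age_band(rec["dob"], today),
        "zip3": rec["zip"][:3],  # three-digit ZIP; coarsen further for sparsely populated areas
        "diagnosis": rec["diagnosis"],
    }


def helpdesk_view(rec: Dict[str, str]) -> Dict[str, str]:
    """Partial masking for staff who must verify a caller but not see full identifiers."""
    return {
        "patient_id": rec["patient_id"],
        "name": rec["name"],
        "ssn": mask_ssn(rec["ssn"]),
        "phone": "***-" + rec["phone"][-4:],
    }


# Constructed sample record (fictional).
SAMPLE = {
    "patient_id": "P-1001", "name": "Jane Doe", "ssn": "123-45-6789",
    "dob": "1980-06-15", "zip": "02139", "phone": "555-0100", "diagnosis": "E11.9",
}

if __name__ == "__main__":
    print(research_view(SAMPLE, date(2025, 3, 1)))
    print(helpdesk_view(SAMPLE))
```

Encryption would protect the whole record but leave researchers unable to use it; hashing the SSN alone is reversible by brute force over the small SSN space; masking and generalization give a usable dataset that no longer points at an individual.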


59. Question 59

Consequence of non-compliance with consumer protection laws?

Fines
❌ Expanded market access
❌ Enhanced brand loyalty
❌ Increased operational efficiency

Explanation: Non-compliance commonly incurs financial penalties (fines).


60. Question 60

Gather threat intel to track new attacks — which method to prioritize for underground threats?

❌ OSINT
❌ Penetration testing
Dark web intelligence
❌ System audits

Explanation: Dark web monitoring reveals chatter and marketplaces used by attackers.


61. Question 61

Activity ensuring security team promptly notified of unusual activity?

❌ Scanning systems
❌ Log aggregation
❌ Reporting
Alerting

Explanation: Alerting sends real-time notifications based on detection triggers.


62. Question 62

Evaluate vendor security practices before selection — how?

❌ Penetration testing
Evidence of internal audits
❌ Supply chain analysis
❌ Vendor monitoring

Explanation: Requesting evidence of audits shows vendor’s internal compliance and controls. (Pen testing may be desirable but evidence of audits is primary preselection evidence.)


63. Question 63

Primary focus of SIEM?

Aggregating and analyzing logs
❌ Archiving logs
❌ Scanning for vulnerabilities
❌ Quarantining threats

Explanation: SIEM collects, correlates, and analyzes logs to detect security events.


64. Question 64

Strict encryption policies but breach due to employee sending unencrypted files — main issue?

❌ Insufficient encryption
❌ Outdated technology
Lack of employee training
❌ Poor data management

Explanation: Human error (lack of training) caused unencrypted transmission despite policies.


65. Question 65

ICS deployment major security concern?

Inability to patch critical vulnerabilities
❌ High cost
❌ Difficulty scaling
❌ Lack of third-party support

Explanation: ICS/OT devices often cannot be patched quickly without impacting operations.


66. Question 66

Text message claiming to be bank asking verify info — what attack?

Smishing
❌ Spoofing
❌ Phishing
❌ Vishing

Explanation: Smishing is phishing via SMS/text messages.


67. Question 67

Cloud provider agreement to prioritize to understand services and performance metrics?

❌ Work Order (WO)
❌ Memorandum of Understanding (MOU)
Service-Level Agreement (SLA)
❌ Non-Disclosure Agreement (NDA)

Explanation: SLAs define service scope, performance, and metrics.


68. Question 68

Secure baseline for DB servers — critical action?

❌ Keep default configurations
Disable unnecessary services and configure security settings appropriately
❌ Install updates without review
❌ Only apply patches on major vulnerabilities

Explanation: Hardening baseline by disabling unneeded services and secure configuration is essential.


69. Question 69

Detect threats on endpoints and analyze user activity — what to deploy?

❌ Firewall
❌ Antivirus
❌ Web filter
EDR/XDR

Explanation: Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) collect process, file, and user activity telemetry from endpoints and detect threats in it; antivirus only matches known malware, and firewalls and web filters do not see host activity at all.


70. Question 70

Smartphone app generating TOTP represents which factor?

Something you have
❌ Something you are
❌ Somewhere you are
❌ Something you know

Explanation: TOTP app tied to a device is a possession factor (something you have).


71. Question 71

Employee uses personal device with no security — what risk?

❌ Compliance with policies
❌ Enhanced accessibility
❌ Improved morale
Increased risk of data breaches

Explanation: Unsecured personal devices increase risk of compromise and data exfiltration.


72. Question 72

Main web app not updated for years — what risk?

❌ Configuration issue
❌ Insider threat
❌ Physical security
Unsupported systems

Explanation: Lack of updates indicates unsupported/legacy systems with unpatched vulnerabilities.


73. Question 73

Cloud-based platform across regions — primary focus for regional laws?

Regulatory and legal considerations
❌ Physical security standards
❌ Data encryption standards
❌ Incident response policies

Explanation: Regional legal/regulatory compliance (data residency, privacy) must be primary focus.


74. Question 74

Decommission laptops with sensitive client data — most important step?

Use certified data destruction services
❌ Wipe using basic deletion
❌ Sell as-is
❌ Store indefinitely

Explanation: Certified destruction ensures complete data removal and compliance.


75. Question 75

Track underground threats from illegal marketplaces — which feed?

❌ Bug bounty programs
❌ Proprietary threat feed
Dark web intelligence
❌ Internal system audit

Explanation: Dark web intelligence monitors illegal marketplaces and hacker forums.


76. Question 76

PAM feature to allow users access only when necessary?

❌ Password vaulting
Just-in-time permissions
❌ Ephemeral credentials
❌ Least privilege

Explanation: Just-in-time grants temporary elevated access only when needed; ephemeral credentials also relevant but JIT specifically addresses on-demand access.


77. Question 77

Phone scam impersonating IT staff to steal credentials — type of social engineering?

❌ Smishing
❌ Phishing
Vishing
❌ Pretexting

Explanation: Vishing uses voice calls to deceive victims.


78. Question 78

Internal audit for adherence to Sarbanes-Oxley — what assessment?

❌ External audit
Compliance audit
❌ Self-assessment
❌ Attestation

Explanation: Compliance audits assess conformity to regulatory frameworks like SOX.


79. Question 79

Primary benefit of offsite backups?

❌ Reduced costs
❌ Increased recovery speed
❌ Enhanced data security
Disaster recovery assurance

Explanation: Offsite backups provide assurance for recovery after site-wide disasters.


80. Question 80

Hackers deface government website to promote political agenda — motivation?

❌ Financial gain
❌ Espionage
❌ Data exfiltration
Philosophical/political beliefs

Explanation: Politically-motivated defacement fits hacktivist/philosophical motives.


81. Question 81

PAM feature to ensure permissions only when needed?

❌ Ephemeral credentials
❌ Least privilege
Just-in-time permissions
❌ Password vaulting

Explanation: Just-in-time grants temporary access when required, limiting standing privileges.


82. Question 82

Who should determine how customer data is collected/used/shared?

❌ Data owner
❌ Data processor
Data controller
❌ Data steward

Explanation: Data controller is responsible for deciding purpose and means of processing personal data.


83. Question 83

Secure legal information during transmission — which method?

❌ Hashing
❌ Data segmentation
Encryption
❌ Tokenization

Explanation: Encryption secures data in transit between systems.


84. Question 84

Encryption for sensitive transaction data stored in DB — what level of encryption protects data at rest?

❌ File-level encryption
Database encryption
❌ Transport encryption
❌ Full-disk encryption

Explanation: Database-level encryption protects data at rest within a DB; full-disk also protects but DB encryption is specific.


85. Question 85

Primary goal of a compliance audit for data privacy?

❌ Assess internal controls
Verify adherence to industry standards for data privacy
❌ Evaluate potential vulnerabilities
❌ Assess training programs

Explanation: Compliance audit checks whether privacy standards/regulations are being met.


86. Question 86

Frequent small disruptions with minimal impact — cost-effective strategy?

Accept
❌ Avoid
❌ Mitigate
❌ Transfer

Explanation: For low-impact, frequent minor risks, acceptance may be most cost-effective.


87. Question 87

Firewall most suitable to protect web applications?

❌ Layer 4 Firewall
❌ Unified Threat Management (UTM)
❌ Next-generation firewall (NGFW)
Web Application Firewall (WAF)

Explanation: WAFs specialize in protecting web applications from attacks like SQLi and XSS.


88. Question 88

Patch requires downtime that’s not possible immediately — what to do?

❌ Ignore the vulnerability
❌ Wait for scheduled downtime
Implement compensating controls
❌ Alert system users

Explanation: Apply compensating controls (access restrictions, monitoring, segmentation) until patching possible.


89. Question 89

Ensuring digital signatures cannot be disputed (accountability) — which concept?

❌ Integrity
❌ Authorization
❌ Confidentiality
Non-repudiation

Explanation: Non-repudiation prevents signers from denying their actions (e.g., digital signatures).


90. Question 90

Formalize how changes are managed — which governance element?

Change management policies
❌ Disaster recovery policies
❌ Business continuity policies
❌ Playbooks

Explanation: Change management policies provide structured guidance for controlled infrastructure changes.


🧾 Summary Table (Q1–Q90)

Due to the length (90 items), here is a compact summary showing question number and the correct answer:

  1. Nation-state

  2. Spyware

  3. Investigate transactions further

  4. TLS

  5. Regular system testing

  6. Configuration drift

  7. Impact analysis and backout plan

  8. External compliance reporting

  9. Application logs

  10. Web-based attack

  11. Financial gain

  12. Training

  13. SAML

  14. Partially known environment

  15. Ensure data confidentiality

  16. Physical controls

  17. Static code analysis

  18. Data sovereignty

  19. Adaptive identity verification

  20. Containerization

  21. RBAC

  22. Clustering

  23. Single Loss Expectancy (SLE)

  24. DDoS

  25. Web-based

  26. Transport encryption

  27. Multi-tier classification system

  28. Lessons learned

  29. Risk appetite

  30. Lessons learned

  31. Apply compensating controls / Segmentation

  32. Logical segmentation

  33. Honeypot

  34. Vendor security audits & reviews

  35. Hashing

  36. Cyber-attacks on legacy components

  37. Unknown environment

  38. Complex service interconnections

  39. Enforce security policies while allowing personal use (COPE)

  40. Removable device

  41. Static analysis

  42. Impossible travel

  43. Cloud-specific vulnerability (misconfiguration)

  44. Data interception

  45. Lessons learned

  46. Implement temporary lockdown

  47. Insider threat

  48. External compliance audit

  49. Data subject rights

  50. Permission restrictions (access controls)

  51. Fail-open (availability prioritized)

  52. Right-to-audit clause

  53. Physical and detective controls

  54. Network Access Control (NAC)

  55. Assess regulatory compliance

  56. Chain of custody

  57. Continuous verification

  58. Data masking

  59. Fines

  60. Dark web intelligence

  61. Alerting

  62. Evidence of internal audits

  63. Aggregating and analyzing logs (SIEM)

  64. Lack of employee training

  65. Inability to patch critical vulnerabilities (ICS)

  66. Smishing

  67. Service-Level Agreement (SLA)

  68. Disable unnecessary services and secure configs

  69. EDR/XDR

  70. Something you have

  71. Increased risk of data breaches

  72. Unsupported systems

  73. Regulatory and legal considerations

  74. Certified data destruction services

  75. Dark web intelligence

  76. Just-in-time permissions

  77. Vishing

  78. Compliance audit

  79. Disaster recovery assurance (offsite backups)

  80. Philosophical/political beliefs (hacktivism)

  81. Just-in-time permissions

  82. Data controller

  83. Encryption

  84. Database encryption (data at rest)

  85. Verify adherence to data privacy standards

  86. Accept

  87. Web Application Firewall (WAF)

  88. Implement compensating controls

  89. Non-repudiation

  90. Change management policies