
Module quiz: Laws and standards - Cybersecurity Management and Compliance (Microsoft Cybersecurity Analyst Professional Certificate) Answers 2025

1. Question 1

What is the primary purpose of FISMA?

  • ❌ To create standardized cloud services for federal agencies.

  • ✅ To bolster the security framework around federal information systems.

  • ❌ To regulate private sector companies and their data security.

Explanation:
FISMA (the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014) requires federal agencies and their contractors to protect the information systems they operate through risk-based security programs built on NIST standards (FIPS 199/200, SP 800-53). It does not create cloud services (that is FedRAMP's territory) and it does not regulate the private sector as such.


2. Question 2

Primary purpose of the NIST Framework?

  • ❌ It is a set of regulations companies must legally follow.

  • ❌ It is solely focused on technological aspects.

  • ✅ It provides a comprehensive structure to manage and mitigate cybersecurity risks.

Explanation:
The NIST Cybersecurity Framework (CSF) is voluntary guidance, not a regulation, and it covers people and process as well as technology. It gives organizations a common structure for identifying, assessing, prioritizing and managing cybersecurity risk.


3. Question 3

True or False: One primary component of NIST Framework is the “Risk Management Tier.”

  • ❌ True

  • ✅ False

Explanation:
The three components of the NIST CSF are the Core (functions, categories and subcategories), the Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive, describing how rigorously an organization manages cyber risk) and Profiles (current versus target state). "Risk Management Tier" is not one of them.


4. Question 4

True or False: SOX Section 404 mandates evaluating external marketing strategies.

  • ❌ True

  • ✅ False

Explanation:
SOX Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of internal control over financial reporting (ICFR). Marketing strategy is outside its scope; for a security team the practical impact is that access control, change management and logging on financial systems become audit evidence.


5. Question 5

GDPR – How does Microsoft assist as a data processor?

  • ❌ Microsoft will assess privacy risks and notify DPA.

  • ❌ Microsoft will delete all data.

  • ✅ Microsoft will notify you of the breach unless data accessed is unintelligible (e.g., encrypted).

Explanation:
As a processor, Microsoft's role is to notify the controller (the customer) of a personal data breach affecting customer data; the controller, not the processor, decides whether a privacy risk assessment is needed and whether the supervisory authority (DPA) must be informed. One caveat a practitioner should know: GDPR Article 33(2) obliges a processor to notify the controller of any personal data breach without undue delay, and the "unintelligible data" exception (e.g. data encrypted with keys the attacker did not obtain) in Article 34(3)(a) relieves the controller of notifying affected data subjects, so do not treat encryption as a reason to skip processor-to-controller reporting.


6. Question 6

ISO 27001 controls — select all that apply

  • ✅ Vendor management

  • ✅ Business continuity management

  • ❌ Employee training programs

  • ✅ Information security policies

Explanation:
The course's answer key treats vendor (supplier) management, business continuity management and information security policies as Annex A control domains (A.15, A.17 and A.5 in ISO/IEC 27001:2013) and "employee training programs" as an HR activity rather than a control domain. Note, however, that awareness, education and training does appear in Annex A as a control (A.7.2.2 in the 2013 edition, A.6.3 in the 2022 edition), so in a real audit you will still be asked for evidence of it.


7. Question 7

Azure service to enforce compliant deployments?

  • ✅ Azure Blueprints

  • ❌ Azure Storage

  • ❌ ARM templates

Explanation:
Azure Blueprints package policy assignments, role (RBAC) assignments, resource groups and ARM templates into one versioned artifact that is assigned to a subscription, so every deployment made there inherits the same guardrails. ARM templates on their own declare resources but do not enforce anything, and Azure Storage is a data service. The enforcement itself comes from Azure Policy: a policy assignment with a Deny effect rejects a non-compliant ARM request before the resource is created. Note that Microsoft has announced the retirement of Azure Blueprints (scheduled for July 2026) in favour of Template Specs and Deployment Stacks; Azure Policy, which does the enforcing, is not affected.
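The kind of guardrail a Blueprint's policy-assignment artifact carries, shown as an added example (this is not code from the course or from Microsoft): a custom Azure Policy definition that blocks storage accounts unless secure transfer (HTTPS only) is enabled. The display name and description are hypothetical; the alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly and the definition schema are real Azure Policy constructs.

```json
{
  "properties": {
    "displayName": "Deny storage accounts that allow unencrypted (HTTP) traffic",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Added example with a hypothetical name: rejects creation or update of a storage account unless supportsHttpsTrafficOnly is true.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Deny",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "metadata": {
          "displayName": "Effect",
          "description": "Use Audit for a pilot to see what would be blocked; switch to Deny to enforce."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
              { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Create it with `az policy definition create --name <name> --rules <file> --params <file> --mode Indexed`, then assign it to a subscription or management group with `az policy assignment create`. With the effect set to Deny, an ARM deployment of a storage account that omits or disables secure transfer fails with a RequestDisallowedByPolicy error before anything is provisioned, which is what "enforcing compliant deployments" means in practice; with Audit, the resource is created and flagged as non-compliant instead.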


8. Question 8

ISACA guide to evaluate Azure services for compliance?

  • ❌ COBIT Performance Management System

  • ❌ COBIT Design and Implementation Guides

  • ✅ Azure Audit Program

Explanation:
ISACA's Microsoft Azure Audit Program provides Azure-specific audit steps and control-testing guidance (identity and access, network, data protection, logging and monitoring). The COBIT Performance Management System and the COBIT Design and Implementation Guides are generic IT governance material and do not address Azure services directly.


9. Question 9

Best recommendation for privacy evaluation of Azure deployment?

  • ❌ Ignore COBIT

  • ✅ Use the Azure Audit Program for detailed control statements and testing procedures

  • ❌ Only focus on the NIST Privacy Framework

Explanation:
The Azure Audit Program is built specifically for auditing Azure services and includes privacy-related controls and testing procedures; ignoring COBIT discards useful governance context, and relying only on the NIST Privacy Framework gives principles without Azure-specific test steps.


10. Question 10

Purpose of a Privacy Risk Assessment (PRA)?

  • ❌ Only to ensure GDPR/HIPAA compliance

  • ✅ Identify, analyze, evaluate, and address privacy risks for personal data in cloud environments

  • ❌ Evaluate technical capabilities of the cloud provider

Explanation:
A PRA is a structured, holistic process for identifying, analyzing, evaluating and treating privacy risks to personal data. Regulatory compliance (GDPR, HIPAA) is one input to it, not its whole purpose, and the cloud provider's technical capabilities are assessed separately as part of vendor due diligence.


🧾 Summary Table

Q No.  Correct Answer                                                 Key Concept
-----  -------------------------------------------------------------  ------------------------------
1      Bolster the security framework around federal systems         FISMA purpose
2      Comprehensive structure to manage and mitigate cyber risk     NIST Framework
3      False                                                          NIST CSF components
4      False                                                          SOX Section 404
5      Microsoft notifies the controller of a breach                  GDPR processor responsibility
6      Vendor mgmt, business continuity, InfoSec policies             ISO 27001 controls
7      Azure Blueprints                                               Compliance enforcement
8      Azure Audit Program                                            ISACA cloud auditing
9      Azure Audit Program                                            Cloud privacy audit
10     Systematic privacy risk identification and treatment           PRA