
Quiz: Compliance & Audit


3 questions

L1 (2 questions)

1. What are the five levels of compliance maturity, and what level should a production environment target?

Level 0 (Manual): spreadsheets and screenshots. Level 1 (Scripted): one-off scan scripts before audit. Level 2 (Scheduled): cron-based weekly scans. Level 3 (Pipeline): compliance checks in CI/CD that block bad builds. Level 4 (Continuous): real-time monitoring plus auto-remediation. Level 5 (Codified): compliance profiles versioned in git with auditable diffs. Production should target Level 3 minimum, Level 4-5 for regulated environments.

2. Why is scanning only at build time insufficient for compliance, and what should you do instead?

Build-time scanning verifies the golden image, but production drifts from that image over time through configuration changes, package updates, and manual interventions. You should run compliance scans continuously in production, not just in CI. Additionally, every evidence artifact must have a timestamp, hostname, and scan profile version — an undated scan result is worthless to an auditor.

L2 (1 question)

1. What are STIG severity categories (CAT I, II, III), and how should each be treated?

CAT I (High): direct data loss or system compromise — must be fixed, with no exceptions unless a formal waiver is granted (e.g., no password on root). CAT II (Medium): potential degraded security — should be fixed; waivers are possible with justification (e.g., audit log not configured). CAT III (Low): minor security concerns — fix when practical (e.g., warning banner not displayed). Do not ignore CAT III findings — 50 unfixed ones signal systemic neglect to auditors.