Quiz: Compliance, Risk Management, and Security
Test your understanding of regulatory frameworks, audit trails, risk assessment, RBAC, and graph-based compliance verification with these review questions.
1. Why does graph traversal provide a fundamental advantage over multi-table SQL joins when answering HIPAA compliance questions such as "Which systems process electronic protected health information (ePHI)?"
- A. Graph databases store ePHI classification directly in node labels, while relational databases require a separate classification table that must be joined for every query
- B. Graph traversal performs constant-time O(1) operations per hop regardless of total graph size, while SQL joins degrade exponentially as hop count increases—enabling millisecond responses to complex multi-hop compliance queries
- C. Graph databases automatically enforce HIPAA access control rules during traversal, while SQL databases require custom stored procedures to apply these rules during query execution
- D. Graph traversal is simpler to audit than SQL execution plans, which satisfies the HIPAA requirement that compliance queries must be understandable by non-technical auditors
The correct answer is B. HIPAA compliance questions require tracing ePHI through multiple layers of infrastructure—from databases through APIs through applications through servers through network devices. In a relational database, each layer requires an additional JOIN operation, and performance degrades exponentially as hop count grows. A 6-hop query that traces ePHI from a database through its full infrastructure stack may time out entirely in SQL. Graph traversal using index-free adjacency completes the same traversal in milliseconds, enabling real-time compliance checking rather than periodic batch analysis.
Concept Tested: Regulatory Compliance / HIPAA
2. GDPR's "right to erasure" (right to be forgotten) creates a significant technical challenge for organizations. How does an IT management graph enable organizations to respond to deletion requests effectively?
- A. The graph stores a copy of all personal data alongside system metadata, enabling direct deletion of personal data from a single location without searching multiple databases
- B. Graph traversal from a personal data category node identifies every database, application, and system that stores or processes that individual's data, creating a comprehensive deletion checklist across the entire IT estate
- C. The graph enforces GDPR deletion policies by automatically purging nodes tagged as personal data after the maximum retention period, without requiring manual deletion requests
- D. The graph monitors incoming deletion requests and routes them to the appropriate data steward based on the data classification of the requested records
The correct answer is B. Responding to an erasure request requires knowing every location where an individual's personal data exists across a complex, distributed application landscape. Without complete data lineage, organizations risk missing copies in backup systems, analytics databases, or third-party integrations—leaving them technically non-compliant even after attempting to honor the request. Graph traversal starting from a personal data category node and following all data flow relationships systematically identifies every system that must be updated, providing the comprehensive coverage that manual searches and spreadsheet inventories cannot reliably achieve.
Concept Tested: GDPR / Regulatory Compliance
3. The Digital Operational Resilience Act (DORA) requires EU financial institutions to manage third-party ICT concentration risk. Which graph capability most directly addresses this requirement?
- A. Graph databases support multi-tenancy, allowing financial institutions to store ICT registers for multiple subsidiaries in separate graph instances without data commingling
- B. Graph traversal from third-party vendor nodes identifies every financial application, business process, and critical service that depends on each vendor—enabling concentration risk assessment and outage impact modeling
- C. Graph databases enforce data residency requirements by automatically routing third-party dependency data to storage nodes located within the EU jurisdiction
- D. Graph databases generate DORA-compliant reports automatically using built-in regulatory reporting templates that are updated when the regulation changes
The correct answer is B. DORA's concentration risk requirement asks: "If this third-party cloud provider or technology vendor fails, what is the impact?" This is fundamentally a blast radius calculation. Graph traversal from a vendor node (e.g., a major cloud provider) upward through all hosted applications and services to dependent business processes produces a complete impact map in milliseconds. If that traversal reveals that 60% of critical financial services depend on a single provider, regulators and executives can see the concentration risk directly. This visibility enables informed decisions about diversification and contingency planning that spreadsheet-based vendor registers cannot support.
Concept Tested: DORA / Digital Operational Resilience Act
4. An audit trail records the "who, what, when, where, and why" of system activities. Why does representing audit events as graph nodes connected to resource nodes provide advantages over storing audit logs in a separate relational log table?
- A. Graph-based audit storage uses less disk space than relational audit tables because graph nodes are compressed more efficiently than relational rows
- B. Representing audit events as nodes connected to resources enables traversal queries such as "Show all access events for this database and all databases it replicates to"—queries that require complex joins across multiple tables in a relational system
- C. Graph databases support automatic expiration policies that delete audit records after regulatory retention periods, while relational audit tables require manual purge scripts
- D. Graph databases can store audit events with millisecond precision timestamps, while relational databases are limited to second-level timestamp granularity
The correct answer is B. The advantage of graph-based audit trails lies in relationship-aware queries. When an auditor asks "Show all access to this database, including through any applications or APIs that connect to it," a graph traversal follows the edges: database node → connected applications → their access logs → users who triggered those accesses. In a relational system, this requires joining the audit log table against application tables, then against API tables, then against user tables—multiple joins that grow complex and slow as query scope expands. The graph model makes relationship-traversing audit queries both natural to express and fast to execute.
Concept Tested: Audit Trail
5. A healthcare organization generates a compliance report for auditors showing all systems processing ePHI and their associated security controls. What data quality property must the IT management graph maintain for this evidence to remain credible over time?
- A. The graph must implement JSON Schema validation on all incoming records to ensure ePHI-tagged nodes conform to the defined schema structure
- B. The graph must maintain current accuracy through continuous automated discovery that detects new systems connecting to ePHI data stores and reflects decommissioned systems—so reports represent actual infrastructure rather than outdated documentation
- C. The graph must store audit trail records for all compliance report queries so auditors can verify the provenance of each data point in the generated report
- D. The graph must enforce mandatory access controls that prevent compliance reports from being generated by users without the Compliance Analyst role
The correct answer is B. Compliance evidence is only credible if it reflects reality. An IT management graph that was accurate six months ago but has not been updated since new systems were deployed will generate reports that omit those systems—potentially concealing compliance gaps from auditors. The credibility of graph-based compliance reporting depends on maintaining current accuracy through automated discovery, regular reconciliation with authoritative sources, and continuous drift detection. Organizations that demonstrate continuous graph maintenance as part of their compliance program build auditor trust; those whose graphs are known to be stale face skepticism even when the reports show favorable results.
Concept Tested: Compliance Reporting / Audit Trail
6. Risk assessment methodologies use likelihood and impact scores to prioritize risks. How does graph-based risk modeling enhance quantitative risk assessment beyond what a standalone risk register spreadsheet can provide?
- A. Graph databases perform automatic statistical calculations of likelihood percentages by analyzing historical incident data stored in the graph
- B. Graph traversal enables scenario analysis: starting from a threat node, traversal identifies all connected assets, evaluates existing control effectiveness, and aggregates impact across all affected business services—automatically recalculating residual risk when controls change
- C. Graph databases enforce consistent scoring scales by preventing risk entries that use non-standard likelihood or impact values outside the defined range
- D. Graphs visualize risk registers as network diagrams, making it easier for non-technical executives to understand risk relationships compared to spreadsheet rows
The correct answer is B. A risk register spreadsheet captures likelihood and impact scores for individual risks but cannot model the relationships between risks, assets, controls, and business impacts. When a new security control is implemented that reduces the likelihood of a threat, a spreadsheet requires manual updates to all affected risks. A graph where risks, assets, controls, and business services are connected nodes allows traversal to automatically identify which risks are mitigated by a given control and recalculate residual risk scores. Scenario analysis ("what if this control fails?") involves removing a control node and re-running risk calculations—a graph query, not a manual spreadsheet update.
Concept Tested: Risk Assessment / Risk Management
7. An organization applying RBAC requires that employees who approve financial transactions cannot also audit those same transactions. Which RBAC concept directly addresses this requirement?
- A. Least privilege — limiting each role to only the minimum permissions needed prevents any single user from accumulating both approval and audit capabilities
- B. Role hierarchy — creating a senior role that inherits both approval and audit permissions ensures only designated individuals can perform both functions
- C. Separation of duty — a constraint preventing users from being assigned to conflicting roles that together would enable fraud or control circumvention
- D. Attribute-Based Access Control — adding a "transaction_type" attribute to resource nodes blocks access when the requesting user's role matches the approver role for that transaction
The correct answer is C. Separation of duty (segregation of duties) is a security principle that prevents any single individual from controlling all phases of a sensitive process. In RBAC, this is implemented as a constraint that prevents a user from holding two mutually exclusive roles simultaneously—"Financial Approver" and "Financial Auditor" in this case. Graph databases can represent these constraints as REQUIRES_MUTUAL_EXCLUSION relationships between role nodes, automatically enforced when user-to-role assignments are made. This is a direct compliance control for fraud prevention required by frameworks like SOX (Sarbanes-Oxley Act).
Concept Tested: Role-Based Access Control / RBAC / Security Model
8. Graph traversal can answer the access control question "Can User A access Resource B?" in microseconds. What graph path does a correctly modeled RBAC system follow to answer this question?
- A. User A → IS_MEMBER_OF → Access Control List → CONTAINS → Resource B
- B. User A → HAS_ROLE → Role → CAN_ACCESS → Resource B, checking that the permission property on the CAN_ACCESS relationship includes the requested operation type
- C. User A → EMPLOYED_BY → Department → OWNS → Resource B, checking that the department's ownership includes authorization for the requested operation
- D. Resource B → PROTECTED_BY → Security Policy → PERMITS → User A, checking that the policy grants access to users with User A's attributes
The correct answer is B. In a standard RBAC graph model, the access check traversal follows: User node → HAS_ROLE relationship → Role node → CAN_ACCESS relationship → Resource node. The CAN_ACCESS relationship carries a permission property (READ, WRITE, DELETE, ADMIN), and the traversal filters for the specific operation being requested. This two-hop traversal executes in microseconds because it follows direct pointers rather than scanning tables. Complex scenarios like role hierarchies add one more hop (Role → MEMBER_OF → Parent Role → CAN_ACCESS → Resource) but remain fast due to index-free adjacency.
Concept Tested: RBAC / Access Control
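The traversal in question 8 and the separation-of-duty constraint in question 7, worked as an added example (this is not code from the quiz or from any graph database product): a small in-memory property graph where CAN_ACCESS edges carry a `permissions` property, MEMBER_OF edges give the role-hierarchy hop, and REQUIRES_MUTUAL_EXCLUSION edges between role nodes are checked at assignment time. The class name `RbacGraph` and the roles, users and resource in `build_sample_graph` are constructed for illustration.

```python
from collections import defaultdict
class RbacGraph:
    """Tiny in-memory property graph: src -> [(edge_type, dst, props)]."""
    def __init__(self):
        self.out = defaultdict(list)

    def add_edge(self, src, edge_type, dst, **props):
        self.out[src].append((edge_type, dst, props))

    def neighbours(self, src, edge_type):
        return [(dst, p) for et, dst, p in self.out[src] if et == edge_type]

    def role_closure(self, roles):
        """The given roles plus every parent reachable via MEMBER_OF edges."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(p for p, _ in self.neighbours(role, "MEMBER_OF"))
        return seen

    def can_access(self, user, resource, operation):
        """User -HAS_ROLE-> Role (-MEMBER_OF-> Parent)* -CAN_ACCESS-> Resource."""
        roles = self.role_closure(r for r, _ in self.neighbours(user, "HAS_ROLE"))
        # Filter on the 'permissions' property carried by the CAN_ACCESS edge
        return any(dst == resource and operation in props.get("permissions", ())
                   for role in roles for dst, props in self.neighbours(role, "CAN_ACCESS"))

    def assign_role(self, user, role):
        """Separation of duty: refuse roles mutually exclusive with ones already held."""
        held = self.role_closure(r for r, _ in self.neighbours(user, "HAS_ROLE"))
        for r in self.role_closure([role]):          # includes inherited roles
            for other, _ in self.neighbours(r, "REQUIRES_MUTUAL_EXCLUSION"):
                if other in held:
                    raise ValueError(f"{user}: {role} conflicts with held role {other}")
        self.add_edge(user, "HAS_ROLE", role)


def build_sample_graph():
    """Constructed sample data (hypothetical roles, users and resource)."""
    g = RbacGraph()
    g.add_edge("FinanceLead", "MEMBER_OF", "FinancialApprover")  # role hierarchy hop
    g.add_edge("FinancialApprover", "CAN_ACCESS", "LedgerDB", permissions=("READ", "WRITE"))
    g.add_edge("FinancialAuditor", "CAN_ACCESS", "LedgerDB", permissions=("READ",))
    # Mutual-exclusion constraint stored in both directions so either side detects it
    g.add_edge("FinancialApprover", "REQUIRES_MUTUAL_EXCLUSION", "FinancialAuditor")
    g.add_edge("FinancialAuditor", "REQUIRES_MUTUAL_EXCLUSION", "FinancialApprover")
    g.assign_role("alice", "FinanceLead")     # inherits FinancialApprover
    g.assign_role("bob", "FinancialAuditor")
    return g
```

Because the constraint is checked over the role closure, assigning `bob` (an auditor) the `FinanceLead` role is rejected even though the conflict is with the parent role he would inherit, not the role named in the request.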
9. A security team uses graph traversal to identify all users who have access to systems containing both personal data and financial data simultaneously. Why is this query valuable from a compliance and risk perspective?
- A. It identifies users who should be promoted to senior data steward roles because their broad access demonstrates they are the most knowledgeable about the organization's data assets
- B. It identifies excessive privilege combinations that create elevated compliance and fraud risk—access to both personal and financial data together enables more damaging breaches and may violate separation of duty requirements
- C. It identifies users whose accounts should be consolidated to reduce the total number of active user accounts that must be managed by the IT security team
- D. It identifies which access control policies are working correctly by verifying that only appropriately authorized users have access to sensitive data categories
The correct answer is B. Cross-domain access—users with privileges spanning both sensitive personal data and financial data—represents higher risk than access to either domain alone. A compromised account or malicious insider with both access types can cause damage across multiple regulatory domains simultaneously (GDPR violation and financial fraud). Regulations like GDPR and PCI DSS require that access to sensitive data is limited to those with a business need, and combined access to multiple sensitive domains requires particularly strong justification. Graph queries that intersect access permissions across data classification domains reveal these risk concentrations that role-by-role reviews would miss.
Concept Tested: Security Model / RBAC / Risk Assessment
10. An organization preparing for a DORA audit answers the question "Which critical ICT systems depend on third-party cloud providers?" in under one minute using graph traversal, compared to four weeks using manual spreadsheet analysis. Which structural property of the IT management graph makes this transformation possible?
- A. The graph database stores all data in memory rather than on disk, providing the speed improvement that enables sub-minute queries across millions of records
- B. The graph explicitly models third-party vendor relationships as typed edges (HOSTED_BY, CONTRACTED_FROM) connecting ICT system nodes to vendor nodes, so traversal from any vendor node immediately reveals all dependent systems without joining multiple separate data tables
- C. The graph uses compression algorithms that reduce the storage footprint of vendor relationship data, enabling faster retrieval than equivalent data stored in normalized relational tables
- D. The graph database parallelizes the query across multiple cluster nodes, distributing the scanning workload in a way that relational databases cannot replicate for multi-hop queries
The correct answer is B. The speed improvement comes from graph structure, not hardware. When vendor relationships are modeled as explicit edges (HOSTED_BY, CONTRACTED_FROM) between system nodes and vendor nodes, answering "Which systems depend on this vendor?" is a single traversal: start at the vendor node, follow all incoming HOSTED_BY or CONTRACTED_FROM edges, collect the connected system nodes. No JOIN operations are required, no spreadsheets must be searched, and no emails need to be sent to application owners. The graph's explicit relationship model makes the connections directly queryable, transforming what was a weeks-long evidence-gathering exercise into a millisecond database operation.
Concept Tested: Compliance Reporting / DORA / Regulatory Compliance