Test yourself
Compliance as code
Final exam · 60 questions · answers explained as you pick
Frameworks & controls
12 questions
01A CIS Benchmark provides…
Correct — Concrete, checkable settings for OS, cloud, and services.
Incorrect — That is unrelated to CIS Benchmarks.
Incorrect — Not a cipher.
Incorrect — Unrelated.
02SOC 2 is built around…
Incorrect — It is criteria-based, tailored to the service.
Correct — You demonstrate controls meeting the selected criteria.
Incorrect — Not a technical config standard.
Incorrect — Unrelated.
03The difference between SOC 2 Type I and Type II is…
Correct — Type II requires continuous evidence across months.
Incorrect — Type II is the more rigorous, period-based report.
Incorrect — They differ in scope and duration.
Incorrect — Both are for service organizations.
04PCI-DSS applies to…
Incorrect — It is specific to payment card data.
Correct — Prescriptive controls for the card data environment.
Incorrect — That is closer to FedRAMP.
Incorrect — That is HIPAA.
05NIST 800-53 provides…
Correct — A control library many frameworks map to.
Incorrect — Unrelated.
Incorrect — Not a tool.
Incorrect — Not a control catalog’s function.
06Controls are commonly categorized as…
Incorrect — Not a control taxonomy.
Correct — Stop it, spot it, or fix it after.
Incorrect — That is a status, not a control type.
Incorrect — Deployment location is not the taxonomy.
07Control mapping is valuable because…
Correct — MFA enforced once maps to SOC 2, PCI, ISO, and NIST at once.
Incorrect — The point is to avoid duplication.
Incorrect — Not a control-mapping function.
Incorrect — It relates them; it does not remove them.
08The goal of compliance as code is to…
Incorrect — The opposite — it makes controls checkable.
Correct — Compliance becomes continuous and verifiable, not a manual scramble.
Incorrect — It implements frameworks more effectively.
Incorrect — It supports auditors with better evidence.
09A control owner is…
Correct — Clear ownership is essential for a real program.
Incorrect — The auditor assesses; the owner operates.
Incorrect — Unrelated.
Incorrect — Not a person/role.
10ISO 27001 centers on…
Incorrect — Unrelated to a language.
Correct — A management-system standard with an Annex A control set.
Incorrect — Not a technology product.
Incorrect — Irrelevant.
11FedRAMP is primarily about…
Correct — Built on NIST 800-53 baselines.
Incorrect — That is PCI.
Incorrect — That is HIPAA.
Incorrect — Unrelated.
12Treating a framework as "checkable controls" rather than a document lets you…
Incorrect — The opposite — you implement it rigorously.
Correct — The foundation of everything else in this course.
Incorrect — Not a meaningful action.
Incorrect — It makes audits smoother, not absent.
12 questions · explanations appear as you answer
Policy as code
12 questions
01Policy as code means…
Correct — A wiki standard becomes an executable, gating check.
Incorrect — That is exactly what it replaces.
Incorrect — Unrelated to crypto.
Incorrect — Not a product.
02OPA (Open Policy Agent) evaluates policy written in…
Incorrect — OPA’s language is Rego, though input is often JSON/YAML.
Correct — You describe what a violation looks like in the document.
Incorrect — Rego, not Python.
Incorrect — Not SQL.
03Conftest is used to…
Correct — Catch a non-compliant config in CI before it ships.
Incorrect — That is Trivy/Grype.
Incorrect — That is cosign.
Incorrect — Unrelated.
04Encoding a control as policy-as-code beats a written standard because…
Incorrect — Length is not the value.
Correct — A failing check does not get ignored like a doc does.
Incorrect — Policy evolves with the environment.
Incorrect — Policy is code and should be reviewed.
05Gatekeeper and Kyverno enforce compliance policy at…
Correct — e.g. require labels, block privileged pods, mandate encryption.
Incorrect — Unrelated.
Incorrect — Not an admission function.
Incorrect — Unrelated.
06Policy-as-code should be tested because…
Incorrect — They do — untested policy is untested code.
Correct — Prove it allows the good and blocks the bad with fixtures.
Incorrect — Not a function of testing.
Incorrect — Testing is about correctness, not speed.
07The same policy engine can enforce a control at multiple points, e.g.…
Correct — One Rego rule can gate the pipeline and the cluster.
Incorrect — It can also run at admission and audit.
Incorrect — Shift-left runs it earlier too.
Incorrect — Multi-point enforcement is a strength.
08A policy exception (waiver) should always carry…
Incorrect — Silent permanent exceptions make policy meaningless.
Correct — Exceptions are deliberate, reviewed, and temporary.
Incorrect — Attribution without expiry still rots the policy.
Incorrect — Not necessarily relevant.
09Managing policy-as-code in git gives you…
Correct — You can prove how and when a control changed.
Incorrect — Git does not grant compliance by itself.
Incorrect — Unrelated.
Incorrect — Irrelevant.
10Policy-as-code turns a control from "documented" to "enforced" by…
Incorrect — A poster is not enforcement.
Correct — The check is the control; the gate is the enforcement.
Incorrect — Advisory, not enforcing.
Incorrect — Not an enforcement mechanism.
11IaC scanners like Checkov and tfsec relate to policy-as-code by…
Correct — They evaluate Terraform/CloudFormation against compliance rules.
Incorrect — They check policy, not just style.
Incorrect — That is cosign.
Incorrect — Unrelated.
12The strength of policy-as-code for compliance is that it is…
Incorrect — The opposite — it is objective and automated.
Correct — The run itself becomes evidence the control operated.
Incorrect — It runs continuously, unlike a manual audit.
Incorrect — It is version-controlled like any code.
12 questions · explanations appear as you answer
Evidence & continuous audit
12 questions
01Evidence automation means…
Correct — The evidence assembles itself instead of a pre-audit scramble.
Incorrect — The opposite — you preserve evidence.
Incorrect — Unrelated.
Incorrect — A doc is not evidence a control operated.
02Continuous compliance differs from a point-in-time audit because it…
Incorrect — That is the point-in-time model it replaces.
Correct — No gap between assessments for issues to hide in.
Incorrect — It implements them continuously.
Incorrect — It verifies them constantly.
03A yearly audit snapshot is insufficient because…
Correct — Continuous evaluation closes that blind window.
Incorrect — Auditors still matter; the cadence is the issue.
Incorrect — It is too infrequent, not too fast.
Incorrect — Not the relevant point.
04AWS Config rules (or GCP/Azure equivalents) support compliance by…
Incorrect — They evaluate configuration, not traffic.
Correct — A stream of control evidence and drift signals.
Incorrect — Unrelated.
Incorrect — Not their function.
05A control that runs as automated policy produces evidence in the form of…
Correct — The run log is auditable proof the control operated over time.
Incorrect — Not durable, verifiable evidence.
Incorrect — Point-in-time and manual — the weak form.
Incorrect — Automated controls generate rich evidence.
06SOC 2 Type II specifically requires…
Incorrect — That is closer to Type I.
Correct — Exactly what continuous, automated evidence provides.
Incorrect — It is evidence-heavy.
Incorrect — Design docs alone do not satisfy Type II.
07Mapping automated checks to control IDs lets you…
Correct — Traceability from control to running evidence.
Incorrect — It documents them, not skips them.
Incorrect — Unrelated.
Incorrect — You still version the mapping.
08Immutable, centralized log storage supports compliance evidence by…
Incorrect — The opposite — immutability preserves integrity.
Correct — Evidence integrity is an architecture decision.
Incorrect — It supports, not reduces, evidence.
Incorrect — Not the purpose.
09Continuous compliance turns audit prep from a scramble into…
Correct — The evidence exists year-round instead of being assembled last-minute.
Incorrect — Exactly what automation eliminates.
Incorrect — You keep them running.
Incorrect — Automation makes it deterministic.
10The risk of purely manual evidence collection is…
Incorrect — It is error-prone, not too accurate.
Correct — A screenshot from audit week says nothing about the rest of the year.
Incorrect — It runs too rarely.
Incorrect — Irrelevant.
11Compliance-as-code tooling (Vanta/Drata-style or self-built) primarily…
Correct — Automates the evidence and gap-tracking a program needs.
Incorrect — Not its function.
Incorrect — Irrelevant.
Incorrect — That is supply-chain tooling.
12The through-line of evidence automation is…
Incorrect — The opposite of the automated approach.
Correct — Enforcement and evidence become the same artifact.
Incorrect — Evidence is central to compliance.
Incorrect — You provide continuous evidence to them.
12 questions · explanations appear as you answer
Drift & IaC gates
12 questions
01Configuration drift is…
Correct — Someone changed a resource out-of-band from the IaC.
Incorrect — Unrelated to drift.
Incorrect — Upgrading the CLI is not drift.
Incorrect — That fails validation, not drift.
02Drift is a compliance signal because…
Incorrect — It often weakens a control.
Correct — Drift from the baseline can silently break compliance.
Incorrect — Unexplained change is exactly what you watch.
Incorrect — It can directly affect compliance.
03The standard drift tripwire is…
Correct — e.g. a cron terraform plan or Config rule flags the change.
Incorrect — Formatting detects nothing.
Incorrect — Destructive, not detection.
Incorrect — Too infrequent and unreliable.
04An IaC compliance gate in CI…
Incorrect — The point is to check before deploy.
Correct — The public bucket is blocked in the PR, not in prod.
Incorrect — It evaluates policy, not style.
Incorrect — Unrelated.
05Shift-left compliance means…
Correct — Cheaper and safer than fixing in production.
Incorrect — That is shift-right/reactive.
Incorrect — The opposite of shift-left.
Incorrect — Late and error-prone.
06Checkov, tfsec, Terrascan, and KICS are…
Incorrect — They are IaC scanners.
Correct — They evaluate infra code against CIS/PCI/etc.
Incorrect — Not SIEMs.
Incorrect — Unrelated.
07Running the SAME policy pre-deploy (CI) and post-deploy (Config/CSPM) gives…
Correct — IaC gates miss console changes; runtime evaluation catches them.
Incorrect — They cover different gaps.
Incorrect — The opposite — layered coverage.
Incorrect — Irrelevant.
08When drift is detected, the first step is to…
Incorrect — A blind apply can revert a legitimate emergency fix.
Correct — Understand intent before overwriting.
Incorrect — Unexplained drift can be an incident.
Incorrect — Rarely the right first move.
09Auto-remediation of a compliance violation should be…
Correct — Auto-enable encryption is safe; auto-delete could break things.
Incorrect — That risks breaking legitimate configurations.
Incorrect — It is valuable for the safe cases.
Incorrect — Automation helps for clear-cut fixes.
10Preventing drift entirely is best done by…
Incorrect — Hope is not a control.
Correct — Block the out-of-band change from being possible.
Incorrect — IaC is the baseline you protect.
Incorrect — Insufficient at scale.
11IaC gates make compliance cheaper because…
Correct — The earlier you catch it, the lower the cost and risk.
Incorrect — Irrelevant.
Incorrect — Not their function.
Incorrect — They enforce controls.
12Drift detection plus IaC gates together give you…
Incorrect — Drift detection adds the post-deploy half.
Correct — Gate the change in, then watch for out-of-band drift.
Incorrect — IaC gates add the pre-deploy half.
Incorrect — Together they are comprehensive.
12 questions · explanations appear as you answer
Compliance at scale
12 questions
01Preventive guardrails (SCPs / Org Policy) support compliance by…
Correct — Prevention beats detection for the non-negotiables.
Incorrect — That is detective, not preventive.
Incorrect — They act at request time.
Incorrect — They are hard limits.
02A secure-by-default landing zone helps compliance because…
Incorrect — The opposite — controls are pre-applied.
Correct — Compliance is a property of provisioning, not a later scramble.
Incorrect — It enables it by default.
Incorrect — That would be non-compliant.
03Embedding compliance in DevSecOps means…
Correct — Compliance shifts left and becomes continuous.
Incorrect — That is the bottleneck DevSecOps removes.
Incorrect — The opposite — they are built in.
Incorrect — Too late; shift left.
04Preparing for an audit is far easier when…
Incorrect — Error-prone and stressful.
Correct — You pull existing evidence rather than assemble it.
Incorrect — Documentation and evidence are essential.
Incorrect — That removes evidence.
05A control that is enforced by policy AND produces evidence on each run gives auditors…
Correct — The enforcement is the control; the run log is the evidence.
Incorrect — It is ideal audit evidence.
Incorrect — It provides operating evidence too.
Incorrect — Automation increases trust when tested.
06Working with auditors is smoother when engineering provides…
Incorrect — Not durable evidence.
Correct — Auditors can verify the mapping and the running evidence.
Incorrect — They need evidence access.
Incorrect — Insufficient for period-based audits.
07Compliance at scale across many accounts/clusters relies on…
Correct — Set guardrails once; every account inherits them.
Incorrect — Unscalable and drift-prone.
Incorrect — Not a control.
Incorrect — Too infrequent at scale.
08Framework overlap (one control, many frameworks) means you should…
Incorrect — Wasteful duplication.
Correct — MFA, encryption, logging map across SOC 2, PCI, ISO, NIST.
Incorrect — You still must meet each in scope.
Incorrect — Not meaningful.
09A compliance program is measured by…
Correct — Outcomes and continuous posture, not a binder’s thickness.
Incorrect — Documents are not effectiveness.
Incorrect — Frequent checking is better.
Incorrect — Headcount is not a maturity measure.
10The relationship between security and compliance is that…
Incorrect — Overlapping but not the same.
Correct — Compliance-as-code makes real controls double as audit evidence.
Incorrect — Compliance without real controls is theater.
Incorrect — You still need to evidence and map controls.
11The failure mode "compliant but not secure" happens when…
Correct — Tick-box compliance without genuine controls is a false sense of security.
Incorrect — That is the opposite — real and effective.
Incorrect — Continuous evidence supports real security.
Incorrect — Auditors are not the cause.
12The unifying theme of compliance as code is…
Incorrect — The opposite.
Correct — Enforcement, evidence, and audit-readiness from one automated system.
Incorrect — It replaces that model.
Incorrect — It implements them more effectively.
12 questions · explanations appear as you answer