SYBBA (SEM 4)

Cyber Security for Managers

Question Paper Format
Total Marks-40
Duration: 90 Mins
Section A -1 Case study (compulsory)- Two Subquestions 5 marks each (Total 10 marks)
Section B – Answer any 3 out of 5 questions-10 marks each (Two Sub Questions in each
question -5 Marks each) (Total 30 marks)
Practice Questions

All Modules
1. What best security practices could have helped reduce the risk of data breach
caused by a misconfigured firewall?

Answer:

• Firewall Audits: Conducting regular reviews of firewall configurations helps identify

and fix misconfigurations that could expose the network to threats.
• Continuous Network Monitoring: Using intrusion detection systems (IDS) or SIEM
tools enables early detection of unusual activity and potential intrusions.
• Multi-Factor Authentication (MFA): MFA ensures that access to critical systems is
granted only after verifying user identity through multiple steps.
• Penetration Testing: Routine simulated attacks help uncover hidden vulnerabilities
and verify the effectiveness of existing controls.
• Cybersecurity Training: Educating staff about evolving threats reduces the risk of
accidental misconfigurations and social engineering attacks.

Example: A Mumbai-based fintech startup faced a data breach when an open RDP port on
their firewall was exploited by attackers. Post-incident, they implemented automated
firewall audits using Indian cybersecurity tools, enforced multi-factor authentication for
internal systems, and trained their IT staff. This proactive approach greatly reduced future
risks and strengthened compliance with RBI security norms.

2. After a data exposure incident, what corrective steps should be taken to rebuild
trust with stakeholders and enhance overall cybersecurity resilience?

Answer:

• Immediate Incident Response: Activate the Cybersecurity Incident Response Plan

(CIRP) to contain and eliminate the threat. This includes isolating affected systems,
eradicating malware, and restoring data from secure backups.
• Communication Strategy: Deploy a clear crisis communication plan—inform
stakeholders promptly with transparency about the nature and impact of the breach.
• Post-Incident Analysis: Conduct a "lessons learned" review to identify how the breach
occurred, and which vulnerabilities were exploited.
• Policy Updates and Training: Update security policies and train employees to recognize
threats like phishing or social engineering to prevent recurrence.
• Reputation and Trust Recovery: Offer support to affected stakeholders (e.g., credit
monitoring services) and demonstrate ongoing improvements through public updates and
third-party audits.
Example:
After a major data exposure affecting Aadhaar-linked customer records, an Indian retail
chain immediately issued breach notifications via SMS and press releases. They offered
victims free credit monitoring and updated their cyber response policies. Public
transparency and compliance with CERT-In reporting guidelines helped restore stakeholder
trust.
3. What measures can be taken to strengthen HIPAA compliance and implement
better safeguards to prevent future data security incidents?

Answer:

• Administrative Safeguards: Establish internal policies and designate a Data

Protection Officer (DPO) to oversee compliance.
• Technical Safeguards: Implement encryption, access controls, and system audit logs
to secure electronic Protected Health Information (ePHI).
• Physical Safeguards: Restrict physical access to data servers and install surveillance
systems.
• Training and Awareness: Regular staff training to ensure they understand and follow
HIPAA guidelines.
• Breach Notification: Create a rapid notification plan to inform patients and regulators
in case of data leaks.

Example:
A private hospital in Bengaluru faced a breach involving leaked patient test results through
insecure email systems. To enhance HIPAA compliance, the hospital introduced strong
encryption, implemented RBAC in its Hospital Management System (HMS), and appointed
a Data Protection Officer. These steps improved patient data handling and reduced
regulatory risk.

4. What preventive security practices can an online retailer adopt to ensure proper
data classification and safeguard sensitive customer information from
unauthorized access?

Answer:

• Data Classification: Establish a policy to classify data as public, internal, confidential,

or restricted, and apply controls accordingly.
• Access Control: Use RBAC to limit access to sensitive data based on job roles.
• Encryption: Encrypt all customer data, both during storage and transmission.
• Secure Backups: Maintain regular encrypted backups of critical data in case of breach
or loss.
• Staff Training: Train staff to follow best practices in data handling and recognize
phishing threats.

Example: An Indian e-commerce firm classified its payment data as "restricted" after
internal audits revealed poor access control practices. They applied AES encryption to
customer card details and introduced RBAC in their warehouse and billing systems. These
changes helped prevent data exposure from insider threats and aligned with Indian IT Act
recommendations.
 5. After a data breach has occurred, what immediate actions and long-term
strategies should an organization implement to limit the impact and rebuild trust?

Answer:

• Immediate Containment: Quickly isolate affected systems to halt ongoing attacks and
prevent further damage.
• Root Cause Analysis: Conduct a thorough investigation to identify how the breach
occurred and what data was compromised.
• Timely Notification: Inform customers, partners, and regulatory bodies transparently
and within legal timeframes.
• Data Restoration & Security Hardening: Use secure backups to restore lost data and
update security configurations based on findings.
• Strengthen Future Preparedness: Enhance the incident response plan, train staff, and
regularly test recovery procedures to improve resilience.

Example: When a Noida-based food delivery app experienced a breach, it quickly took
servers offline, restored data from secure backups, and reported the incident to CERT-In.
Over time, it implemented SIEM tools, improved staff awareness, and hired cybersecurity
auditors. These efforts boosted resilience and helped regain customer confidence.

6. How can organizations effectively apply GDPR principles to handle and respond
to data breaches involving personal and sensitive information?

Answer:

• Lawful and Transparent Processing: Ensure all data handling is documented and
complies with GDPR’s transparency obligations.
• Breach Notification: Notify the supervisory authority within 72 hours of becoming
aware of a breach and inform affected individuals if there’s a high risk to their rights.
• Data Minimization and Purpose Limitation: Collect only the data necessary and use
it strictly for declared purposes to reduce exposure in case of a breach.
• Data Protection Officer (DPO): Appoint a DPO to oversee GDPR compliance and
coordinate breach response efforts.
• Risk-Based Security Measures: Implement encryption, access controls, and regular
risk assessments to safeguard personal data.

Example:
A health-tech firm in Pune offering services to European clients detected unauthorized access
to user records. In line with GDPR, they informed the EU Data Protection Authority within 72
hours and notified all affected users. This swift action not only avoided penalties but also
reinforced trust among international customers.
 Module 2

1. As your company grows internationally, how can you use encryption to keep
online transactions secure and make sure you are following global security
standards?

Answer:

• Adopt End-to-End Encryption (E2EE): Protect customer data from the moment it
leaves their device until it reaches your servers.
• Use TLS/SSL Protocols: Secure your website and payment gateways using TLS for
encrypted communication over the internet.
• Encrypt Data at Rest and in Transit: Ensure all transactional and customer data is
encrypted when stored and while moving across networks.
• Implement Strong Key Management: Store and manage encryption keys securely
using hardware security modules (HSMs) or cloud-based key management services.
• Comply with International Regulations: Follow GDPR, PCI DSS, and other global
standards that mandate encryption for sensitive financial data.
• Conduct Regular Security Audits: Verify encryption implementation and address any
misconfigurations or outdated protocols.
Example:
Amazon uses TLS (Transport Layer Security) encryption during the checkout process
to secure payment data from interception. Additionally, all credit card information is
encrypted at rest using strong encryption algorithms. These practices ensure the
company adheres to PCI DSS globally, protecting customer trust and meeting
international compliance obligations.
2. What are the different ways to classify data, and how do these classifications help
keep information safe? Give example.

Answer:

• Content-Based Classification: Labels data based on its content—e.g., documents with

credit card numbers are automatically flagged as sensitive.
• Context-Based Classification: Classifies data based on how, when, and where it was
created—such as internal meeting notes or project plans.
• User-Based Classification: Depends on the user's role; for instance, HR staff may
classify employee records as confidential.
• Improves Data Governance: Enables consistent handling of data across departments.
• Supports Access Control & Compliance: Helps enforce policies for who can access,
modify, or share data, improving security and regulatory compliance.
• Reduces Data Breach Risk: Ensures that critical or sensitive data is protected with
stronger controls.
Example:
A leading Indian bank deploys automated data classification software to scan emails
for keywords like “account number” or “PAN.” Once detected, the system classifies
the email as “Confidential” and blocks external forwarding. This protects sensitive
financial data and ensures compliance with RBI and GDPR regulations.
3. If hackers are trying to steal your company’s sensitive data like financial reports
or intellectual property, how would you create a strong system to classify and
protect that kind of information?

Answer:

• Establish a Data Classification Framework: Define data categories like public,

internal, confidential, and restricted based on sensitivity.
• Label and Tag Critical Data: Use automated tools to label high-value data like
financial records, source code, and patents.
• Role-Based Access Control (RBAC): Limit access to sensitive files based on
employees’ job responsibilities.
• Encrypt Highly Classified Data: Apply strong encryption techniques to protect data
at rest and in transit.
• Monitor Access Logs and Audit Trails: Track who accessed which data, when, and
from where to identify suspicious activity.
• Educate Employees: Train staff to correctly handle and classify data as per policy.
Example:
A tech company developing a new product classifies its design blueprints as “Restricted”
and stores them on a dedicated encrypted server. Only senior engineers have role-based
access with two-factor authentication. All access attempts are logged and reviewed weekly
by the security team to detect unauthorized activity.

4. A healthcare provider just found a security gap that might expose private patient
data. What category should this kind of data fall into, and what steps should be
taken to protect it from future threats?

Answer:

• Data Category: This data falls into the “Restricted” or “High Sensitivity” category, as
it involves Protected Health Information (PHI).
• Apply HIPAA & GDPR Standards: Ensure compliance with legal requirements for
storing and processing health data.
• Encrypt PHI: Use encryption to secure patient records, both in databases and during
transmission.
• Restrict Access with MFA: Only authorized medical staff should access records, using
secure login procedures.
• Implement Logging and Monitoring: Track access to PHI and detect anomalies using
SIEM tools.
• Conduct Regular Risk Assessments: Identify vulnerabilities and update safeguards
periodically.

Example:
After discovering a misconfigured database exposing patient lab reports, a private hospital
immediately encrypted its EHR system and applied role-based access control. Doctors and
authorized medical staff now use MFA for login, and the system logs all access attempts
for audit. These updates help align with HIPAA and India’s health data protection
guidelines.
5. Your company isn’t making the best use of its data. As the Business Analytics
Manager, how would you use different types of analytics like descriptive,
diagnostic, predictive, and prescriptive to turn that data into smart business
decisions?

Answer:

• Descriptive Analytics: Summarize historical sales and customer trends using

dashboards to understand what happened.
• Diagnostic Analytics: Investigate why certain patterns occurred—e.g., a sudden drop
in website conversions traced to a broken checkout link.
• Predictive Analytics: Use forecasting models to predict future sales, demand spikes,
or customer churn rates.
• Prescriptive Analytics: Recommend the best actions—like optimizing inventory or
pricing—based on simulation or optimization models.
• Integrate Real-Time Data: Combine sales, marketing, and operations data for quicker
decisions.
• Create Visual Dashboards: Present insights clearly to management for better strategic
alignment.
Example:
A retail chain analyzes past sales to understand which products sell during monsoon season
(descriptive), investigates why a recent campaign failed (diagnostic), forecasts demand for
raincoats (predictive), and uses linear programming to decide how to distribute stock across
cities (prescriptive). These insights help reduce overstock and increase regional sales.

6. An AI-powered analytics system at a company is raising concerns about customer

privacy. What’s the best way to collect and use customer data ethically, while
staying transparent and following data protection laws?

Answer:

• Informed Consent: Clearly explain how customer data will be used and obtain explicit
permission before collection.
• Data Minimization: Collect only necessary data relevant to the business purpose (e.g.,
shipping address for delivery).
• Anonymization and Pseudonymization: Remove identifiable information before
analysis to protect individual privacy.
• Transparency: Publish privacy policies that are easy to understand and accessible to
users.
• Comply with Legal Frameworks: Follow GDPR, CCPA, and other laws to avoid fines
and maintain customer trust.
• Implement Data Access Rights: Allow customers to view, modify, or delete their data
on request.

Example:
A fashion e-commerce brand tracks customer browsing behavior to recommend products.
However, it now shows a clear GDPR-compliant consent popup before enabling tracking
and anonymizes all user data before analysis. Customers can also manage their data via an
online privacy dashboard, ensuring legal compliance and transparency.
 Module 3

1. How can a company apply GDPR principles to handle a data breach effectively
and respond in a way that meets compliance requirements?

Answer:

• Timely Breach Notification: Notify supervisory authorities within 72 hours of

discovering a breach, as per Article 33 of GDPR.
• Inform Affected Individuals: If the breach poses high risk, inform impacted
individuals with clear guidance on how to protect themselves.
• Data Protection by Design: Apply encryption and pseudonymization to reduce
impact.
• Appoint a Data Protection Officer (DPO): Ensure a DPO manages compliance,
breach response, and communication.
• Maintain Records of Processing Activities: Keep documentation of data handling,
risk assessments, and incident response.

Example:
An Indian fintech startup operating in the EU region through digital wallets discovers
unauthorized access to user email addresses. As per GDPR, their DPO files a breach report
with the EU Data Protection Authority within 72 hours and notifies affected users through
in-app messages and emails. The company also updates its encryption and vendor contracts,
ensuring full compliance and transparency with European regulators.

2. A recent cyberattack exposed gaps in your company’s security setup, how would
you use tools like GRC systems and privacy software to improve compliance and
strengthen overall cybersecurity?

Answer:

• GRC Platforms: Use tools like RSA Archer or MetricStream to manage governance,
assess risks, and track compliance across departments.
• Automated Privacy Tools: Deploy OneTrust or TrustArc to map personal data flows,
manage consent, and conduct Data Protection Impact Assessments (DPIAs).
• Vulnerability Scanners: Use Nessus or Qualys to continuously detect
misconfigurations and unpatched systems.
• Threat Intelligence Systems: Leverage platforms like CrowdStrike to stay updated on
emerging cyber threats.
• Audit & Reporting Features: Automate audit trails and compliance reports for GDPR,
HIPAA, and ISO standards.
Example:
After a cyberattack hit a Bengaluru-based hospital chain, the IT team deployed RSA Archer
to track risks across branches and meet audit requirements under India’s IT Act and HIPAA
(for international patients). They also used TrustArc to automate patient consent
management and monitor data access patterns—boosting privacy compliance and
operational security.
3. What are the main components of the Risk Management Process, and how do steps
like identification, assessment, mitigation, and monitoring risks help a company
make better decisions?

Answer:

• Risk Identification: Spot potential internal and external threats to systems, data,
operations, or reputation.
• Risk Assessment: Analyze risks based on likelihood and impact, allowing
prioritization of high-risk areas.
• Risk Mitigation: Implement safeguards like firewalls, encryption, and access controls
to reduce risk levels.
• Monitoring and Review: Continuously evaluate controls, adjust strategies, and
respond to new threats or compliance updates.
• Improved Decision-Making: Enables better resource allocation and informed business
continuity planning.
Example:
A government health department in Maharashtra performs a risk assessment and flags the
use of outdated antivirus in district hospitals. After evaluating the potential for ransomware
attacks, they update their endpoint security, establish an incident response plan, and begin
routine audits. These risk management steps help them secure patient records and maintain
healthcare continuity during emergencies like COVID-19.

4. What are the criminal aspects of IT law? How do these laws tackle cybercrimes
including investigation and legal redressal ?

Answer:

• Recognition of Cybercrimes: Laws like the IT Act (India), CFAA (U.S.), and
Budapest Convention define offenses like hacking, identity theft, phishing, and
cyberterrorism.
• Penalties: Legal provisions outline fines, imprisonment, or both, depending on the
crime's severity.
• Investigation Agencies: Cyber Cells, CERTs, and Interpol’s Cybercrime Unit help
track down digital criminals.
• Evidence Gathering: Involves forensic imaging, IP tracing, log analysis, and
cooperation from service providers.
• Cross-Border Collaboration: Treaties like the Budapest Convention allow countries
to share data and coordinate enforcement.
Example:
In the 2018 Aadhaar data access controversy, several journalists and ethical hackers
highlighted unauthorized access to Aadhaar records via public portals. Though UIDAI
denied a breach, the government launched an investigation under the IT Act, and new
safeguards were introduced. This incident showed how Indian cyber laws address digital
crimes and how investigative bodies like CERT-In and cybercrime cells respond to
national-level IT incidents.
5. How does an IT Officer in a global company ensure adherence to data protection
laws like GDPR and HIPAA? Give an example.

Answer:

• Monitor Legal Obligations: Stay updated on international regulations such as GDPR,

HIPAA, and CCPA.
• Implement Data Governance Policies: Ensure proper data classification, retention
schedules, and access protocols.
• Conduct Training & Audits: Educate staff and run internal compliance checks.
• Coordinate with DPOs and Legal Teams: Guide breach reporting, DPIAs, and
contract reviews.
• Lead Incident Response: Oversee breach handling, ensuring timely notification and
documentation.
Example:
In 2018, Aadhaar data was allegedly exposed through third-party websites. Though
UIDAI denied direct breach, concerns triggered audits and reinforced compliance checks
under the IT Act. Several government departments revised access controls, updated
authentication policies, and applied stricter encryption for handling Aadhaar data—
reflecting coordinated legal and regulatory compliance.

6. What steps can an organization take to implement safeguards to improve HIPAA

compliance to prevent future security breaches?

Answer:

• Administrative Safeguards: Create formal policies for data access, employee

responsibilities, and breach response.
• Physical Safeguards: Secure servers in restricted areas with surveillance and
controlled physical access.
• Technical Safeguards: Use strong encryption, two-factor authentication, and
automatic logoff features.
• Training Programs: Conduct regular HIPAA awareness sessions for all healthcare
staff.
• Regular Risk Assessments: Identify vulnerabilities and update systems accordingly.
• Audit Controls: Track and review access to ePHI using automated audit logs.
Example:
After a breach, a hospital installed biometric access for server rooms, restricted USB ports,
and encrypted emails containing patient data—boosting HIPAA readiness.
 Module 4

1. What are some effective cloud security strategies a company can use to protect
itself from future breaches?

Answer:

• Shared Responsibility Model: Understand what the cloud provider secures

(infrastructure) and what the customer must secure (data, users, endpoints).
• Data Encryption: Encrypt sensitive data at rest and in transit using AES-256 or similar
strong algorithms.
• Identity and Access Management (IAM): Implement role-based access controls to
limit data access only to authorized users.
• Regular Security Audits: Conduct vulnerability scans and compliance checks to
ensure misconfigurations are detected early.
• Cloud Access Security Brokers (CASBs): Use CASBs to enforce security policies,
monitor cloud usage, and prevent shadow IT.
Example:
After experiencing a breach due to misconfigured cloud storage, an Indian fintech firm
integrated a Cloud Access Security Broker (CASB) to automatically detect public access
permissions, enforce encryption, and monitor suspicious user behavior. This helped prevent
further data leaks and ensured compliance with data protection guidelines.

2. As the Cybersecurity Officer at a company, what essential security tools would

you put in place to safeguard customer information and the company’s digital
assets?

Answer:

• Firewall & Next-Gen Firewalls: Monitor and filter incoming/outgoing traffic to block
unauthorized access.
• Intrusion Detection Systems (IDS): Detect unusual activity like port scans or brute-
force login attempts.
• Antivirus/Anti-malware: Protect endpoints from ransomware and other malicious
attacks.
• Data Loss Prevention (DLP): Prevent unauthorized transfer or copying of sensitive
customer data.
• Security Information & Event Management (SIEM): Aggregate logs, detect threats,
and issue real-time alerts.
Example:
Company deployed a SIEM system to monitor all login and transaction activity in real time,
combined with DLP tools that prevented unauthorized sharing of sensitive customer
information like payment details. This reduced internal threats and supported compliance
with PCI DSS.
3. As an IT Security manager, how would you make sure remote employees have safe
network connections? What kind of VPN and other security measures would you
use?

Answer:

• Use Enterprise-Grade VPNs: Deploy solutions like Cisco AnyConnect or OpenVPN

with strong encryption protocols (e.g., IPSec).
• Multi-Factor Authentication (MFA): Require MFA for VPN and email access to
prevent credential theft.
• Endpoint Security: Ensure devices have updated antivirus and disk encryption (e.g.,
BitLocker).
• Device and OS Compliance Checks: Block VPN access from devices without up-to-
date patches or unauthorized software.
• Split Tunneling Management: Disable split tunneling to ensure all remote traffic
flows through the secure VPN.
Example:
Remote workers use company-issued laptops configured with Cisco AnyConnect VPN and
multi-factor authentication. Access is restricted to devices with up-to-date software and
endpoint protection. This setup prevents data interception and ensures secure delivery
operations.

4. As the Risk Management Manager at a Bank, how would you evaluate different
cloud models for storing and managing sensitive financial data?

Answer:

• Public Cloud: Offers scalability but may pose higher risks if not properly secured. Best
for non-sensitive services.
• Private Cloud: Provides dedicated infrastructure with better control—ideal for storing
customer financial data.
• Hybrid Cloud: Combines public and private cloud—sensitive data stays private, while
less sensitive processes run in public cloud.
• Security Standards Compliance: Choose providers that meet ISO 27001, SOC 2, and
RBI guidelines for financial data.
• Risk Assessment: Evaluate provider history, physical security, SLA terms, and data
residency laws.
Example:
Bank adopted a hybrid cloud strategy where critical financial data and core banking
applications are hosted in a private cloud, while customer engagement apps operate in the
public cloud. This balances security and performance, complying with RBI and ISO 27001
standards.
5. What kinds of access control strategies can a company use to strengthen its cloud
security? How do specific tools help stop unauthorized access to important digital
resources?

Answer:

• Role-Based Access Control (RBAC): Grant access based on user roles, reducing risk
of privilege misuse.
• Attribute-Based Access Control (ABAC): Define access rules based on user
attributes like location, device, or time.
• Just-In-Time (JIT) Access: Provide temporary access only when needed—limits
exposure windows.
• Zero Trust Model: Verify every access attempt, regardless of network location.
• Access Tools: IAM platforms (like Azure AD, Okta) allow policy enforcement, access
reviews, and SSO integrations.
Example:
An Indian SaaS company uses Okta for identity and access management, enforcing RBAC
and geo-location-based restrictions. Users must verify identity using MFA, and access to
production environments is time-bound and logged for audit purposes—greatly minimizing
insider and external threats.

6. As the IT Security Administrator at hospital, how would you set up secure

authentication and access control for remote staff who need to access patient
records?

Answer:

• Virtual Private Network (VPN): Provide secure, encrypted connections for staff
accessing internal systems.
• Multi-Factor Authentication (MFA): Require login confirmation via OTP, app-based
verification, or biometrics.
• Role-Based Access Control (RBAC): Limit EHR access based on job role (e.g., nurse,
doctor, admin).
• Audit Logging: Enable logging of all access to Electronic Health Records (EHRs) to
ensure traceability.
• Session Timeout & Auto-Logout: Ensure inactive sessions automatically log out to
prevent misuse.
• Endpoint Hardening: Allow access only from pre-approved, patched, and encrypted
devices.
Example:
Hospital provides remote doctors with secure laptops connected via VPN and protected
with MFA. Access to EHR systems is role-based, with full audit logging. After a successful
compliance audit, the system was recognized as HIPAA-ready and aligned with India’s
health data guidelines.
 Module 5

1. How would you evaluate the effectiveness of the six-step incident response process
in minimizing the impact of cybersecurity incidents?
Answer: Assessing the effectiveness of the six-step incident response process involves
evaluating each phase's contribution to mitigating cybersecurity incidents
• Preparation – Verify if policies, tools, and training effectively equip the team for quick
responses.
• Identification – Assess how accurately and swiftly threats are detected to minimize
damage.
• Containment – Evaluate short-term and long-term containment strategies to prevent
further spread.
• Eradication – Check if root causes are identified and eliminated to avoid recurring
incidents.
• Recovery – Measure system restoration efficiency and verify that business operations
resume securely.
• Lessons Learned – Analyse post-incident reviews to ensure continuous improvement
in future responses.
Example: At a Bengaluru-based IT firm, a malware outbreak was quickly detected through
their SIEM system and contained within hours, thanks to regular staff drills and defined
CIRP roles. A forensic audit traced the cause to outdated endpoint protection, which was
swiftly updated across all devices. During the “lessons learned” phase, leadership
implemented stricter patch management policies, leading to faster incident handling and
zero downtime during a similar attack later that year.

2. How did implementing a Cybersecurity Incident Response Plan help a company

deal with a ransomware attack? What were the main steps they took to contain,
respond, and recover?
Answer: Having a well-defined Cybersecurity Incident Response Plan (CIRP) enabled
the company to react swiftly and minimize damage during a ransomware attack. The CIRP
guided the team through a structured process:

• Preparation: Prior to the attack, the company ensured it had reliable, regularly updated
backups stored offline. Employees were trained to recognize suspicious emails,
reducing the risk of phishing-based infections. This proactive stance enabled quick
recognition and response when the attack occurred.
• Detection and Analysis: The IT team noticed system irregularities such as encrypted
files and ransom notes, prompting immediate investigation. They assessed the scope of
the breach, identified affected machines, and confirmed that it was a ransomware
incident, allowing for a targeted response.
• Containment: The affected systems were quickly isolated from the network to prevent
the ransomware from spreading further. Temporary containment controls, such as
network segmentation and disabling remote access, were implemented to limit the blast
radius of the malware.
• Eradication and Recovery: After containing the threat, the team removed the
ransomware from all infected systems using specialized tools. Systems were cleaned
and then restored using the secure offline backups. This step ensured business
operations could resume quickly with minimal data loss or downtime.
• Post-Incident Activity: Following recovery, the company conducted a detailed review
of the incident. This included root cause analysis, updates to security protocols (e.g.,
 improved email filters and endpoint detection tools), and refresher training for
employees. Lessons learned from the incident were documented to refine the CIRP for
future incidents.
Example:
An employee had unknowingly clicked a malicious email attachment. The IT team
immediately followed the CIRP: they isolated the machine, cleaned the system, restored
operations using backups, and implemented new safeguards. As a result, the organization
avoided paying the ransom and strengthened its future defence posture.

3. As the Cybersecurity Manager, how would you implement a CIRP to effectively

handle a ransomware attack?
Answer: As a Cybersecurity Manager, implementing and executing the Cybersecurity
Incident Response Plan (CIRP) for a ransomware attack involves:

• Preparation – Ensure regular data backups, employee training, and incident response
team readiness.
• Detection & Identification – Use security monitoring tools to quickly detect
ransomware activity and assess affected systems.
• Containment – Isolate infected devices, disconnect compromised networks, and
prevent further spread.
• Eradication – Remove malicious files, patch vulnerabilities, and conduct forensic
analysis to identify the attack vector.
• Recovery – Restore systems from clean backups, verify data integrity, and monitor for
residual threats.
• Lessons Learned – Analyze the incident, update CIRP, and enhance security measures
to prevent future attacks.
• A well-executed CIRP minimizes downtime, protects data integrity, and strengthens
the organization’s cybersecurity posture.
Example: In early 2024, Zenith Systems company office experienced a ransomware attack
after an employee clicked on a malicious attachment disguised as a GST invoice. The
cybersecurity team activated the CIRP, isolated affected machines, and restored systems
using offline backups stored in a secure data center in Bengaluru. After forensic analysis
revealed an unpatched vulnerability in email filters, the CIRP was updated, and mandatory
cybersecurity refresher training was rolled out to all staff.

4. What are the main advantages of conducting a post-incident review after a

ransomware attack?
Answer:

• Identifying Root Causes: Helps pinpoint how the attack occurred, such as the phishing
email that triggered the breach
• Improving Response: Provides valuable insights to refine and optimize the incident
response process for future incidents
• Updating Security Policies: Encourages revisiting and strengthening security
measures, such as access controls and email filtering
• Enhancing Employee Training: Highlights areas where additional awareness and
training are necessary to prevent similar attacks
• Building Resilience: Contributes to overall organizational preparedness and minimizes
the impact of future cybersecurity incidents.
 Example: Following a ransomware attack that encrypted servers at Zenith Systems
company, a post-incident review identified the root cause as a phishing email mimicking
an Income Tax Department notice. The review led to stronger email security, stricter RBAC
enforcement, and targeted employee awareness workshops. The updated strategy helped
detect and stop a similar phishing attempt just two months later, demonstrating the value
of post-attack learning.

5. As the Chief Risk Officer, how would you bring together risk assessment, business
impact analysis, and a disaster recovery plan to keep essential operations running
during a crisis?
Answer: As the Chief Risk Officer, I would ensure a unified and proactive approach to
crisis management by integrating Risk Assessment, Business Impact Analysis (BIA), and
a Disaster Recovery Plan (DRP) to maintain operational continuity:

• Risk Assessment: I would begin by identifying all potential threats that could
disrupt operations—such as cyberattacks, data breaches, natural disasters, or system
failures. This process would involve assessing both internal and external risks,
prioritizing them based on likelihood and potential impact. For example, systems
handling customer transactions and financial records would be classified as high-
risk.
• Business Impact Analysis (BIA): Using the results of the risk assessment, I would
conduct a BIA to evaluate which business processes are critical to daily operations.
This includes determining the acceptable downtime (Recovery Time Objectives -
RTOs) and data loss thresholds (Recovery Point Objectives - RPOs) for each
function. Functions like payment processing, compliance reporting, and customer
service would typically have strict recovery targets.
• Disaster Recovery Plan (DRP): I would then design a DRP outlining specific
procedures to recover affected IT systems and data based on BIA priorities. This
plan would include backup strategies, system failover mechanisms, roles and
responsibilities, and communication protocols. For instance, critical systems would
be backed up daily to a secure offsite or cloud location and restored using automated
scripts.
• Integration and Testing: These three components must be continuously aligned.
The findings from risk assessments would inform the BIA, and the DRP would be
designed to support the most crucial business functions identified. I would establish
a regular testing schedule for the DRP—through tabletop exercises and live
simulations—to ensure it remains effective and up to date with changes in
technology or business structure.
Example: During a ransomware incident, our pre-assessment had flagged financial
systems as high-risk. The BIA had shown payroll and regulatory reporting as top priorities.
Thanks to a tested DRP, we quickly switched to cloud-based backups and restored services
within hours, ensuring employees were paid on time and compliance deadlines were met—
demonstrating the value of an integrated approach.
6. As the Crisis Communication Manager, what steps would you take to build an
effective communication strategy after a major data breach?
Answer:
As the Crisis Communication Manager, I would establish a focused and transparent
communication strategy using the following key steps:
1. Appoint a Spokesperson: Designate a calm, trained, and media-savvy individual as
the official voice of the company. This person will communicate clearly and confidently
in public statements and press briefings.

2. Identify Stakeholders: Assess and list all potentially impacted parties—customers,

employees, business partners, media, and regulators. Tailor communication for each
group, addressing their specific concerns.

3. Develop Key Messages: Craft clear, honest, and factual messages that explain:

o What happened
o What kind of data was affected
o What actions are being taken to mitigate the damage
o What support is being offered to affected individuals (e.g., credit monitoring)
4. Timely Communication: Issue an initial statement promptly (ideally within 24 hours)
to avoid misinformation. Continue with regular updates through trusted channels like
the company website, emails, and social media.

5. Follow Communication Best Practices:

Do:

o Acknowledge the issue truthfully

o Provide verified information
o Show empathy and accountability
Don’t:

o Speculate or shift blame

o Delay responses or minimize the breach’s seriousness
By combining clarity, empathy and speed, this strategy can help protect the company’s
reputation and rebuild stakeholder trust.

Module 6

1. As the Compliance Officer, how would you improve Identity and Access
Management to stay aligned with regulatory requirements across various digital
platforms?

Answer:
I’d implement enhanced Identity and Access Management (IAM) strategies as followed:

• Enforce robust authentication: Implement multi-factor authentication and single

sign-on to secure access across platforms
• Adopt role-based access control (RBAC): Ensure users have only the permissions
necessary for their roles, minimizing potential exposure
 • Automate provisioning and de-provisioning: Streamline user management processes
to promptly adjust access based on role changes or departures
• Continuous compliance monitoring: Regularly audit access logs and permissions to
detect and address any deviations from regulatory standards
• Integrate with compliance tools: Use IAM solutions that seamlessly integrate with
monitoring tools to ensure ongoing adherence to industry regulations
Example: During an internal audit, an organization discovered that a former software
developer still had admin access to backend APIs. This was flagged as a compliance risk
under RBI guidelines. The firm responded by integrating automated de-provisioning with
their IAM tool and implementing role-based access, ensuring only current employees with
valid roles could access sensitive UPI systems.

2. As the Chief Security Officer at a company, how would you set up a Zero Trust
Architecture to make sure remote access stays secure?

Answer: I’d implement Zero Trust Architecture to ensure secure access for remote
employees as followed:

• Enforce strict identity verification: Use multi-factor authentication and context-

aware policies to verify each remote login
• Adopt least privilege access: Limit user access strictly to the resources they need for
their role
• Utilize continuous monitoring: Implement real-time monitoring tools to continuously
assess user behavior and access patterns
• Segment networks: Divide the network into micro-segments to reduce the risk of
lateral movement if a breach occurs
• Regular policy reviews: Continuously update and adjust security policies based on
emerging threats and access trends
Example: An IT Company, operating across India, noticed suspicious login attempts to its
payroll servers from an IP in Eastern Europe. Their Zero Trust model, which included MFA
and network segmentation, immediately blocked access and alerted the SOC team. A follow-
up revealed compromised credentials of a remote contractor in Nagpur—thanks to strict access
control, no data was compromised.

3. As the Cloud Security officer, how would you use a Cloud Access Security Broker
to effectively monitor and manage security across multiple cloud environments?

Answer: As a Cloud Security Officer., I’d implement a Cloud Access Security Broker
(CASB) to monitor and control multi-cloud environments as followed:

• Centralize cloud security management: Deploy a CASB to oversee and enforce

security policies across all cloud services
• Enforce data loss prevention: Use the CASB to monitor data flows and prevent
unauthorized data transfers
• Monitor user activity: Integrate real-time analytics to detect abnormal or suspicious
activities across cloud platforms
• Ensure compliance: Configure the CASB to continuously check for compliance with
healthcare and data protection regulations
 • Automate policy enforcement: Utilize automated remediation features to address
misconfigurations or policy violations immediately.
Example: A junior analyst at One Cloud Services, while working from Ahmedabad,
mistakenly uploaded internal audit reports to a personal Google Drive account. Their
CASB solution immediately identified the data policy violation, blocked the transfer, and
generated an alert. The incident led to stricter DLP rules and enhanced training on data
handling across their Indian cloud workforce.

4. As the Network Security Manager, how would you use micro-segmentation to

reduce lateral movement and protect sensitive data if a breach occurs?

Answer: As a Network Security Manager, I’d implement micro-segmentation as followed:

• Segment the network: Divide the network into smaller, isolated zones based on
business functions or data sensitivity
• Implement strict access controls: Define clear access rules for each segment to ensure
only authorized users can communicate across zones
• Monitor inter-segment traffic: Continuously observe network traffic to quickly detect
and isolate any suspicious behavior
• Utilize software-defined networking (SDN): Dynamically enforce segmentation
policies that can adapt to network changes
• Regular audits: Periodically review segmentation policies to ensure they remain
effective against evolving threats
Example: After a targeted phishing attack compromised a marketing employee’s credentials
at the company’s Hyderabad office, the attacker attempted lateral movement towards the
finance systems. However, micro-segmentation policies ensured the attacker was restricted to
the marketing zone. Using software-defined networking (SDN), the breach was isolated, and
sensitive financial data remained protected.

5. As a Cyber Risk Analyst, how would you leverage AI and machine learning to
detect unusual activity and respond to security threats in real time?

Answer: I’d implement AI/ML-based anomaly detection as followed:

• Deploy advanced analytics: Integrate AI/ML systems that learn normal network
behavior and flag deviations
• Automate threat detection: Enable automated alerting and incident response based on
AI-generated insights
• Leverage predictive analytics: Use historical data to predict potential threats before
they escalate
• Continuously train models: Regularly update the AI models with new threat
intelligence to improve accuracy.
• Integrate with existing tools: Ensure seamless integration with SIEM and other
security infrastructure for coordinated responses.
Example: A Bengaluru-based healthtech firm used AI-powered analytics to detect a
sudden spike in outbound traffic from a research subnet. The system automatically flagged
the anomaly, blocked the transmission, and isolated the affected device. Upon
investigation, it was found to be a zero-day malware, and AI's timely response helped
prevent a major data leak involving patient brain-scan records.