nerdexam
(ISC)2

CISSP · Question #817

During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-

The correct answer is D. Notate the information and move on. When a unit is already fully compliant with the applicable regulation (HIPAA), the CISO's appropriate action during a risk assessment is to note the finding and continue, rather than escalating unnecessarily.

Submitted by carlos_mx· Mar 5, 2026Security and Risk Management

Question

During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant. What is the best approach for the CISO?

Options

  • ADocument the system as high risk
  • BPerform a vulnerability assessment
  • CPerform a quantitative threat assessment
  • DNotate the information and move on

How the community answered

(27 responses)
  • A
    11% (3)
  • B
    7% (2)
  • C
    26% (7)
  • D
    56% (15)

Why each option

When a unit is already fully compliant with the applicable regulation (HIPAA), the CISO's appropriate action during a risk assessment is to note the finding and continue, rather than escalating unnecessarily.

ADocument the system as high risk

Documenting the system as high risk is inappropriate because the college is fully HIPAA-compliant; classifying a compliant system as high risk would misrepresent the actual risk posture and skew the overall risk register.

BPerform a vulnerability assessment

Performing a vulnerability assessment is a more invasive and resource-intensive action that is not warranted at this stage simply because PHI is involved, especially when compliance has already been confirmed.

CPerform a quantitative threat assessment

A quantitative threat assessment attempts to assign numerical values to threats and losses, which is an unnecessary level of effort for a system that is already demonstrated to be compliant with the governing regulation.

DNotate the information and move onCorrect

Since the college is already fully aware of HIPAA requirements and is fully compliant, no immediate remediation or escalation is needed. The CISO should document/notate the existence of PHI data collection and its compliant status in the risk assessment record, then continue assessing other areas. Escalating a compliant system consumes resources better directed at actual risks.

Concept tested: Risk assessment decision-making for compliant systems

Source: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

Topics

#risk assessment#HIPAA compliance#PHI#risk management decision

Community Discussion

No community discussion yet for this question.

Full CISSP Practice