Scope chapter quiz
Pick the answer that best matches the methodology.
A confirmed compromise of a system processing payment card data is detected. The technical investigation will take days. What does Scope require the analyst to do about timing?
PCI breach-notification timelines run independently of the technical investigation. Scope is the phase where regulatory obligations are recognized, and engaging compliance early lets those clocks run in parallel with technical work rather than serially after.
An alert looks like phishing-driven intrusion. What is the typical historical window for the investigation?
Phishing-driven intrusion typically progresses within days, so the primary window is short, but ruling out earlier staging requires a longer lookback on the primary entities. This two-window pattern (a short window for everything in scope plus an extended lookback on the primary entities only) is a common Scope decision for this threat type.
The Subject phase identified seven identities connected to the alert. How many should be primary in scope?
Primary entities are those directly involved in the alert. Secondary entities are connected but not in the alert. The split keeps investigation depth proportional to evidence rather than spending equal time on every identity in the map.
An investigation needs in-app activity from a SaaS platform, but the SOC only has authentication logs and aggregate API metrics. What does Scope require?
Naming what cannot be seen is part of Scope. It prevents wasted effort on impossible queries, and it lets the analyst submit vendor or external-team requests early so the data arrives in parallel.
A HIPAA investigation hits Tier 3 (full PHI access). What approval is required, and how long does access last?
HIPAA's tiered model escalates approval and constrains time as access expands. Tier 1 (metadata only) is team lead, 24 hours. Tier 2 (partial PHI) is security manager, 72 hours. Tier 3 (complete PHI) requires both CISO and Privacy Officer authorization and is bounded to 5 days. The escalation is what makes the minimum-necessary principle operational.
During Scope, the analyst confirms that a compromised account assumed a cloud role during the investigation window. The decision-tree response is...
The IF/THEN decision-tree pattern is Scope's structured way of evolving the boundary. A cloud-role assumption is evidence; the methodology says incorporate it now and document the three-line justification (evidence, risk, required actions) so the expansion is defensible. Waiting for Uncover to surface it would mean Uncover queries outside its own scope to find what Scope should have already framed.
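The three Scope decisions above (the two-window lookback, the primary/secondary entity split, and the IF/THEN expansion with its three-line justification) are easier to see as one data structure. The following is an added example written for this page, not tooling from the methodology itself: the window lengths, the entity names, the alert time and the cloud-role ARN are all constructed assumptions, and the only rule the page supplies is that primaries get the longer lookback and that an expansion without evidence, risk and required actions is not recorded.

```python
"""Scope model: entity split, two-window lookback, and decision-tree expansion.

Added illustration, not the methodology's own code. The window lengths in
WINDOWS are assumptions chosen for the example; the page only says that
phishing-driven intrusion progresses within days and that primaries need a
longer look to rule out earlier staging.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed lookbacks per threat type: (primary entities, secondary entities).
WINDOWS = {
    "phishing": (timedelta(days=30), timedelta(days=7)),
    "default": (timedelta(days=14), timedelta(days=3)),
}

# The three lines every scope expansion must carry to be defensible.
REQUIRED_JUSTIFICATION = ("evidence", "risk", "required_actions")


@dataclass
class Entity:
    name: str
    kind: str                 # "identity", "host", "role", ...
    primary: bool             # directly involved in the alert?
    start: datetime           # start of the window Uncover may query
    end: datetime
    justification: Optional[dict] = None   # set only for entities added by expansion


@dataclass
class Scope:
    alert_time: datetime
    threat_type: str
    entities: list = field(default_factory=list)


def build_scope(alert_time, threat_type, alert_entities, connected_entities):
    """Split Subject-phase entities: those in the alert are primary and get the
    long lookback, connected-only entities are secondary and get the short one."""
    long_w, short_w = WINDOWS.get(threat_type, WINDOWS["default"])
    scope = Scope(alert_time, threat_type)
    for name, kind in alert_entities:
        scope.entities.append(Entity(name, kind, True, alert_time - long_w, alert_time))
    for name, kind in connected_entities:
        scope.entities.append(Entity(name, kind, False, alert_time - short_w, alert_time))
    return scope


def expand_scope(scope, name, kind, justification, as_primary=True):
    """IF new evidence names an entity, THEN incorporate it now and record the
    evidence / risk / required_actions justification. Refuses silent expansion."""
    missing = [k for k in REQUIRED_JUSTIFICATION if not justification.get(k)]
    if missing:
        raise ValueError(f"scope expansion for {name!r} lacks justification: {missing}")
    long_w, short_w = WINDOWS.get(scope.threat_type, WINDOWS["default"])
    window = long_w if as_primary else short_w
    entity = Entity(name, kind, as_primary, scope.alert_time - window,
                    scope.alert_time, dict(justification))
    scope.entities.append(entity)
    return entity


def primaries(scope):
    return [e for e in scope.entities if e.primary]


def secondaries(scope):
    return [e for e in scope.entities if not e.primary]


def query_plan(scope):
    """One (entity, start, end) row per entity: the boundary handed to Uncover."""
    return [(e.name, e.start.isoformat(), e.end.isoformat()) for e in scope.entities]


# Constructed sample: seven identities from Subject, two of them in the alert,
# plus a cloud role assumed by the compromised account during the window.
ALERT_TIME = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)


def demo_scope():
    scope = build_scope(
        ALERT_TIME, "phishing",
        alert_entities=[("j.doe", "identity"), ("a.lee", "identity")],
        connected_entities=[("r.kim", "identity"), ("m.osei", "identity"),
                            ("t.nguyen", "identity"), ("p.silva", "identity"),
                            ("svc-backup", "identity")],
    )
    expand_scope(scope, "role/ci-deploy", "role", {          # assumed role name
        "evidence": "j.doe AssumeRole to ci-deploy 2024-03-03T22:14Z",
        "risk": "role can push to production pipelines",
        "required_actions": "pull CloudTrail for the role; check pipeline runs",
    })
    return scope


if __name__ == "__main__":
    for row in query_plan(demo_scope()):
        print(row)
```

Uncover receives the output of `query_plan`, so every query it runs is already bounded to an entity and a window that Scope chose, and the role added mid-investigation carries its justification with it rather than surfacing later as an unexplained out-of-scope query.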
A PCI investigation requires de-tokenized cardholder data samples. Which tier of access is appropriate, and what controls apply?
PCI's four-tier model maps access depth to scrutiny. De-tokenized samples are Tier 3, which requires manager approval, 12-hour time-boxing, and biometric authentication. The methodology refuses to default to Tier 4 (full CDE) because each ascending tier adds operational and audit cost, and triage should demonstrate need at lower tiers first.
The Scope handoff to Uncover should include investigative questions. Why?
Need a nudge? Think about what makes the difference between focused triage and unstructured exploration.
Uncover's depth comes from working through specific investigative questions. How did the attacker get in? What systems were touched? Was data moved? Is persistence active? Scope frames those questions before the data is pulled, which is what keeps Uncover from running broad queries and hoping. The questions are how the methodology converts a boundary into actionable analytical effort.