Question 423 of 529
Security and Risk Management · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to initiate legal proceedings against the vendor to enforce the liability clause and recover costs. This is correct because the vendor’s negligence directly caused the breach of Protected Health Information, and the contract explicitly holds them liable for such incidents, allowing you to challenge their limitation of liability cap in court under HIPAA’s requirement that business associates safeguard PHI. On the CISSP exam, this tests your understanding of risk transference through contractual remedies and the interplay between legal enforcement and insurance exclusions—a common trap is choosing to accept the insurance deductible or renegotiate, which fails to address the vendor’s explicit negligence. Remember the mnemonic “Liability Over Limitation” to recall that explicit negligence clauses can override damage caps when regulatory compliance is at stake.

CISSP Security and Risk Management Practice Question

This CISSP practice question tests your understanding of security and risk management. It is a scenario question: read every constraint in the scenario (the contract clause, the liability cap, the insurance exclusion) before choosing, because small details change which option is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.


Answer choices

  • A. File a claim under your cyber insurance policy and pay the deductible to cover the costs.
  • B. Negotiate with the vendor to split the costs and update the contract to remove the liability cap.
  • C. Accept the loss and implement additional vendor oversight to prevent future incidents.
  • D. Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.

Option D is the best course of action because the vendor's negligence caused the breach, and the contract explicitly holds the vendor liable for such incidents. Initiating legal proceedings to enforce the liability clause is the most direct way to recover the full $500,000 in costs, as the vendor's limitation of liability clause ($100,000 cap) may be challenged in court, especially given HIPAA's requirement for covered entities to ensure business associates safeguard PHI. This approach aligns with risk management principles by transferring the financial risk back to the responsible party, rather than accepting the loss or relying on insurance that explicitly excludes vendor negligence.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • File a claim under your cyber insurance policy and pay the deductible to cover the costs.

    Why it's wrong here

    The insurer may deny the claim under the policy's vendor negligence exclusion, leaving the organization to absorb the loss.

  • Negotiate with the vendor to split the costs and update the contract to remove the liability cap.

    Why it's wrong here

    The vendor has no incentive to negotiate after the breach.

  • Accept the loss and implement additional vendor oversight to prevent future incidents.

    Why it's wrong here

    Accepting the full loss may not be in the organization's best interest.

  • Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.

    Why this is correct

    Correct - Legal action may force the vendor to pay, and the limitation of liability may be deemed invalid.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may assume insurance is the primary risk transfer tool, but the exclusion for vendor negligence and the existence of a contractual liability clause make legal enforcement the superior option, as insurance cannot cover risks explicitly excluded in the policy.

Detailed technical explanation

How to think about this question

Under HIPAA, the organization as a covered entity must ensure its business associate (the EHR vendor) has appropriate safeguards; a misconfigured database indicates a failure of the vendor's administrative and technical controls (e.g., improper access controls per 45 CFR § 164.312). The limitation of liability clause is a contractual risk transfer mechanism, but courts may void such caps if they violate public policy (e.g., HIPAA's non-waivable liability for negligence) or if the vendor's actions constitute gross negligence. Cyber insurance policies often have sub-limits and exclusions for third-party negligence, requiring careful review of the 'vendor negligence' exclusion wording, which typically bars coverage when the loss is caused by a business associate's failure.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A SOC analyst notices unusual lateral movement in the network at 2 AM. The IR playbook dictates: identify and contain (isolate the affected machine), then eradicate (remove the malware), then recover (restore from backup), then document. Skipping containment before eradication risks the attacker regaining access. Questions like this test the sequence and rationale of incident response phases.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this CISSP question test?

This question tests the Security and Risk Management domain. The key concept is to read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is option D: initiate legal proceedings against the vendor to enforce the liability clause and recover costs. The vendor's negligence caused the breach, the contract explicitly holds the vendor liable, and the $100,000 cap may be challenged in court given HIPAA's requirement that business associates safeguard PHI, whereas the cyber insurance policy explicitly excludes vendor negligence.

What should I do if I get this CISSP question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Last reviewed: Jun 11, 2026
