{
  "question_text": "Under Advanced Compliance Technology, Inc.'s information security controls, within what timeframe must critical security patches be applied to systems processing nonpublic personal information?",
  "options": [
    "Within 72 hours of release",
    "Within 24 hours of release",
    "Within 30 days of release",
    "Within 7 days of release"
  ],
  "correct_answer": "Within 72 hours of release",
  "correct_response": "Correct. Critical security patches must be applied within 72 hours of release. This requirement applies to all systems processing nonpublic personal information and is part of the broader patch management controls required under the information security program.",
  "incorrect_response": "Critical security patches must be applied within 72 hours of release — not 24 hours, 7 days, or 30 days. The 24-hour timeline applies to a different requirement: revoking system access after employee termination or role change. Do not confuse the two deadlines when answering timeline questions.",
  "unsure_response": null,
  "question_bank": [
    {
      "question_text": "Under Advanced Compliance Technology, Inc.'s information security program, how often must the information security program be reviewed at minimum?",
      "options": [
        "Annually and following any material change in operations or systems",
        "Annually only, on a fixed schedule",
        "Every two years or following a confirmed breach",
        "Monthly, in conjunction with access log reviews"
      ],
      "correct_answer": "Annually and following any material change in operations or systems",
      "correct_response": "Correct. The information security program must be reviewed annually. It must also be reviewed following any material change in operations or systems — not just on the annual schedule.",
      "incorrect_response": "The information security program must be reviewed annually AND after any material change in operations or systems. An annual review alone is not sufficient if significant changes occur between scheduled reviews.",
      "unsure_response": null
    },
    {
      "question_text": "When the retention period for records containing nonpublic personal information expires, what is required for the disposal of digital media?",
      "options": [
        "Electronic wiping using a certified process or physical destruction, with each disposal logged and verified",
        "Deletion of all files and reformatting of the storage device",
        "Submission to a document storage vendor for secure disposal",
        "Physical destruction only — electronic wiping is not an accepted method"
      ],
      "correct_answer": "Electronic wiping using a certified process or physical destruction, with each disposal logged and verified",
      "correct_response": "Correct. Digital media must be disposed of by certified electronic wiping or physical destruction. Crucially, each disposal must be logged and verified — creating an auditable record demonstrating that the NPI was actually destroyed rather than improperly retained or disclosed.",
      "incorrect_response": "Digital media containing NPI must be destroyed by certified electronic wiping or physical destruction, and each disposal must be logged and verified. Standard file deletion or reformatting does not meet this standard: those operations only remove the file-system references, leaving the underlying data on the device where it can be recovered with readily available forensic tools.",
      "unsure_response": null
    }
  ],
  "enrichment_content": "<p><strong>Several specific timelines govern Advanced Compliance Technology, Inc.'s security controls:</strong></p><ul><li><strong>Critical security patches:</strong> Must be applied within <strong>72 hours of release</strong> to all systems processing nonpublic personal information.</li><li><strong>Program review:</strong> Required <strong>annually</strong> and after any <strong>material change</strong> in operations or systems.</li><li><strong>Record disposal:</strong> Paper documents must be cross-cut shredded; digital media must be electronically wiped (certified process) or physically destroyed — with each disposal <strong>logged and verified</strong>.</li></ul>"
}