{
  "question_text": "Under Rapido Facil Exchange Co.'s information security program, how frequently must access logs for systems holding customer or compliance data be reviewed?",
  "options": [
    "Monthly",
    "Weekly",
    "Annually",
    "Only following a suspected security incident"
  ],
  "correct_answer": "Monthly",
  "correct_response": "Correct. Access logs for all systems holding customer or compliance data must be reviewed monthly. Regular log review is what allows unauthorized access to be detected before it escalates to a reportable breach.",
  "incorrect_response": "Access logs must be reviewed monthly. Weekly is not the frequency the program sets, and reviewing only annually or only after a suspected incident does not meet the requirement. Monthly review is what enables Rapido Facil Exchange Co. to detect unauthorized access early, before it becomes a reportable breach.",
  "unsure_response": null,
  "question_bank": [
    {
      "question_text": "Under Rapido Facil Exchange Co.'s vendor oversight requirements, when must vendor security controls be reviewed?",
      "options": [
        "Annually and at each contract renewal",
        "At contract renewal only",
        "Every two years",
        "After any security incident involving a vendor"
      ],
      "correct_answer": "Annually and at each contract renewal",
      "correct_response": "Correct. Vendor security controls must be reviewed annually and at each contract renewal. Vendors that cannot demonstrate adequate controls must be replaced before the next contract term begins.",
      "incorrect_response": "Vendor security controls must be reviewed both annually and at each contract renewal — not just at renewal. Vendors that fail to demonstrate adequate controls must be replaced before the next contract term begins.",
      "unsure_response": null
    },
    {
      "question_text": "Which data classification at Rapido Facil Exchange Co. requires encrypted storage and restricts access to the BSA/AML Compliance Officer and specifically designated personnel?",
      "options": [
        "Restricted data",
        "Confidential data",
        "Internal data",
        "Compliance data"
      ],
      "correct_answer": "Restricted data",
      "correct_response": "Correct. Restricted data — which includes government IDs, SSNs, check images, transaction records, and SAR/CTR workpapers — must be stored encrypted and is accessible only to the BSA/AML Compliance Officer and personnel they designate.",
      "incorrect_response": "Restricted data requires encrypted storage and limits access to the BSA/AML Compliance Officer and designated personnel. Confidential data — like customer names and check cashing history — has a broader but still limited audience: operational staff with a documented need to know.",
      "unsure_response": null
    }
  ],
  "enrichment_content": "<p><strong>Key security controls and their timelines:</strong></p><ul><li><strong>Access log review:</strong> Monthly, for all systems holding customer or compliance data. Investigate any anomalies.</li><li><strong>Critical security patches:</strong> Applied within 72 hours of release.</li><li><strong>Vendor security reviews:</strong> Annually and at each contract renewal. Replace vendors that cannot demonstrate adequate controls.</li><li><strong>Program review:</strong> Annually and after any material change in operations or systems.</li></ul>"
}