(ISC)2 Certified in Cybersecurity Practice Exam

The assertion that you are required to report security incidents to law enforcement if you believe a law may have been violated is not universally true, which supports the choice of false. Reporting obligations can vary widely depending on the jurisdiction, the type of incident, and the specific laws that may apply.

In many cases, organizations may have discretion regarding whether to report certain incidents to law enforcement based on their internal policies, the nature of the violation, or the potential impact of the incident. For example, if sensitive personal information is exposed, there may be legal obligations to notify affected individuals but not necessarily law enforcement unless a crime is clearly evident.

Additionally, factors such as the severity of the incident, the potential for ongoing harm, and the organization's specific compliance requirements can also influence whether a report is made. These nuances reflect how different situations may dictate different responses, highlighting the importance of understanding legal obligations in cybersecurity practices.

Thus, reporting to law enforcement is not a blanket requirement but rather a decision that may depend on a variety of situational factors. This reinforces the choice to consider the statement false.