ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A healthcare organization runs a patient portal on-premises. A third-party telemedicine vendor provides a JavaScript widget that must be embedded in the portal pages to enable video visits. The widget needs to call the vendor's REST API and read basic patient demographics stored in the portal's backend database. Security policy requires zero trust for third-party code, minimal attack surface, and continued compliance with HIPAA. Which strategy BEST satisfies the requirements?
Allow the widget to run inside the main portal origin, grant it database read access via shared session cookies, and restrict vendor API calls using CORS rules.
Containerize the widget as a microservice in the same Kubernetes pod as the portal backend, share a service account that can query the database, and proxy vendor API traffic through the portal backend.
Host the widget in an isolated subdomain, have it call the vendor API directly from the browser, and expose patient data through a new public API secured with OAuth 2.0 access tokens scoped to the required fields only.
Deliver the widget through the vendor's CDN, place the entire portal behind the vendor's reverse proxy, and let the vendor issue and validate tokens when the widget needs patient data.
Isolating the widget on its own subdomain makes it a separate origin, so the browser's same-origin policy keeps it from reading the cookies, DOM, or storage (localStorage, sessionStorage, IndexedDB) that belong to the primary application, honoring a zero-trust stance toward third-party code. Two conditions must hold for that isolation to be real: the widget has to load as a cross-origin document (an iframe served from the subdomain), because a script tag that merely points at another host still executes inside the embedding page's origin; and the portal's session cookies have to be host-only (no Domain attribute), or the browser will send them to the subdomain as well. Exposing only the specific demographic fields through a narrowly scoped, OAuth 2.0 protected API lets the portal grant short-lived, least-privilege access without revealing database credentials or whole tables, supporting HIPAA's minimum-necessary standard. The other options either run untrusted code in the portal's own origin, share a database service account with it, or route all patient traffic through the vendor's infrastructure; each expands the attack surface and violates the principle of least privilege.
Access Controls