Chapter 1 - Types of security controls

Question 1

A company has guards at the gate, guards at the entrance to its main building, and an access control vestibule inside the building. Access to the office where the company’s data resides is controlled through two additional doors that use RFID (radio frequency identification) locks. Which controls are being adopted by the company? (Select TWO.)
A. Preventive
B. Deterrent
C. Corrective
D. Physical

Answer 1

B. Detterant
D. Physical

All the controls described in the scenario are physical controls. They are set up as deterrent controls to prevent access of unauthorized personnel to the office.

Question 2

One of the file servers of an organization has suffered an attack. The organization’s IT administrator is searching the log files to understand what happened. What type of control are they implementing when carrying out the investigation?
A. Operational
B. Technical
C. Detective
D. Operational

Answer 2

C. Detective

Detective controls help in uncovering issues and anomalies that have already occurred. Therefore, log files being searched is a detective control.

Question 3

During a monthly team meeting, an IT manager tasks both the mail administrator and the network administrator with creating a standard operating procedure. What type of control describes the mail administrator and network administrator’s task?
A. Directive
B. Managerial
C. Operational
D. Technical

Answer 3

A. Directive

Directive control provides specific instructions or guidelines.

Question 4

Which control type focuses on eliminating or minimizing potential threats before they can cause harm?
A. Preventive
B. Compensating
C. Deterrent
D. Corrective

Answer 4

A. Preventive

Preventive controls are designed to prevent problems or risks from occurring by eliminating or minimizing potential threats.

Question 5

An organization has been sent information by Microsoft that a critical update for Windows 11 has just been released. The organization’s cybersecurity team immediately applies this latest update to all of its Windows 11 computers. What type of control have they carried out?
A. Preventive
B. Compensating
C. Deterrent
D. Corrective

Answer 5

D. Corrective

Because the Windows 11 computers were vulnerable, the cybersecurity team needed to take corrective action by patching each computer to harden it and prevent attacks.

Question 6

An organization suffered a ransomware attack, where one of the technical controls was compromised. What type of control should a company implement to prevent a reoccurrence?
A. Preventive
B. Compensating
C. Detective
D. Corrective

Answer 6

B. Compensating

Compensating controls are alternative measures implemented when primary controls are not feasible or sufficient. In this case, the primary control needs to be replaced by a secondary control.

Question 7

Which of the following physical controls would deter someone from entering a quarry? (Select TWO.)
A. Bollards
B. Guards
C. Barrier
D. Signs
E. Lights

Answer 7

B. Guards
C. Barrier

Using a barrier and guards at the entrance to the quarry could prevent unauthorized personnel from entering the quarry. Once the guard has checked the identification of the personnel, they can raise the barrier to allow entry. The bollards are not useful, as they would prevent everyone from entering the quarry, including people who worked there.

Question 8

Within the spectrum of control categories, which one is tasked with establishing protocols and guidelines to enhance the effectiveness of organizational oversight?
A. Technical
B. Managerial
C. Operational
E. Physical

Answer 8

B. Managerial

Top-level executives, including the CEO or president, may set the overall policy direction for the organization. They might also be involved in creating high-level policies that align with the company’s mission, vision, and strategic goals. These are known as managerial controls.

Question 9

Following a third-party compliance audit, a company has been recommended that additional instructions need to be included in the current compliance policies. What type of control BEST describes the recommended action?
A. Operational
B. Directive
C. Deterrent
D. Corrective

Answer 9

B. Directive

directive controls provide specific instructions or guidelines for compliance with policies and procedures.

Question 10

A cybersecurity administrator has decided to use homomorphic encryption to protect data so that they can read the data without needing to decrypt it. What type of control BEST describes the action carried out by the cybersecurity administrator?
A. Managerial
B. Technical
C. Operational
D. Physical

Answer 10

B. Technical

The cybersecurity administrator uses a Technical control, which is a control that relies on technology to protect and secure data.