Domain 3

Question 1

Which of the following is an example of security control?

Answer 1

Firewall

Question 2

Subject definition

Answer 2

any entity that requests
access to asset. May be a user, program, etc., is active in initiating the request for services, and should have some level of clearance

Question 3

Object definition

Answer 3

an entity that responds to a request for service. May be a building, file, etc., provides service to a user, is passive in the request, do not have their own access control logic, and may have a classification

Question 4

an instruction developed to allow or deny access to an object by comparing the validated identity of the subject to an access control list

Answer 4

Rules

Question 5

What is the definition of an object in the context of access controls?

Answer 5

An entity that responds to a request for service

Question 6

Derrick logs on to a system to read a file.

In this example, Derrick is the ______.

Answer 6

Subject

Question 7

Which of the following is a subject?

Answer 7

User

Question 8

What is the strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of an organization?

Answer 8

Layered Defense

Question 9

How does privileged access management implement the principle of least privilege?

Answer 9

By granting each user access only to the items they need

Question 10

Physical access controls are

Answer 10

tangible methods or mechanisms that
limit someone from getting access to an
area or asset

Question 11

Logical access controls are

Answer 11

electronic methods that limit someone
from getting access to systems, and
sometimes even to tangible assets or areas, including passwords, biometrics, etc.

Question 12

Which of the following is an example of a logical access control method?

Answer 12

Biometrics on a smartphone

Question 13

Limiting access to data on the network would be considered which of the following controls?

Answer 13

Logical or technical controls

Question 14

A control serves to

Answer 14

reduce the risk
according to where it falls within
the risk tolerance of the individual
or organization

Question 15

What would be considered an administrative control in the context of seat belt usage?

Answer 15

Passing a law requiring seat belt use

Question 16

What would be considered a physical control in the context of seat belt usage?

Answer 16

The seat belt itself would be considered a physical control

Question 17

What alternative control could be used if biometric locks on multiple doors are not necessary and access does not need to be audited?

Answer 17

Replacing doors with deadbolt locks

Question 18

In what type of environment does role-based access control work well?

Answer 18

High-staff turnover and similar access requirements

Question 19

Role-based access control provides

Answer 19

each worker
privileges based on what role
they have in the organization

Question 20

What term is used to describe the situation where someone inherits expanded permissions that are not appropriate for their role in Role-based Access Control (RBAC)?

Answer 20

Privilege creep

Question 21

What is the key feature of just-in-time privileged access management?

Answer 21

Role-based subsets of privileges

Question 22

Privileged accounts are

Answer 22

those with
permissions beyond those of normal users,
such as managers and administrators

Question 23

In Mandatory Access Control (MAC), what determines the level of access to certain areas in certain government agencies?

Answer 23

Government policy and security clearance

Question 24

With Mandatory Access Control, who
assigns access rights or permissions?

Answer 24

security administrators

Question 25

With Discretionary Access Control, who
assigns access rights or permissions?

Answer 25

the object owner

Question 26

Who can modify security rules in a system governed by Mandatory Access Control (MAC)?

Answer 26

Trusted subjects designated as security administrators

Question 27

Which of these combinations of physical security controls share a single point of failure?

Answer 27

High-illumination lighting and cameras

A power failure will disable both the cameras and the lights.

Question 28

What challenges do small and medium businesses face regarding technical controls in payroll systems?

Answer 28

Insufficient personnel for duty separation

Question 29

Which of the following is an example of a physical access control?

Answer 29

Motion detectors

Question 30

Separation of duties is based on

Answer 30

the security practice that no one person should control
an entire high-risk transaction from start to finish.

Question 31

Collusion is when

Answer 31

two individuals willfully work together to bypass the separation of duties to jointly commit fraud

Question 32

Duncan and Mira work in the data center at Triffid, Inc. There is a policy in place that requires both to be present in the data center at the same time.

If one has to leave for any reason, the other must step out, too, until they can both re-enter.

This is called ________.

Answer 32

Two-person integrity

Question 33

Why is Discretionary Access Control (DAC) not considered very scalable?

Answer 33

It relies on the discretion of individual object owners

Question 34

What is the two-person rule in the context of security strategy?

Answer 34

Two people must be in an area together

Question 35

Audit

Answer 35

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures

Question 36

Crime Prevention through Environmental Design (CPTED)

Answer 36

An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity

Question 37

Defense in Depth

Answer 37

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization

Question 38

Discretionary Access Control (DAC)

Answer 38

A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be

Question 39

Firewalls

Answer 39

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules

Question 40

Insider Threat

Answer 40

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service

Question 41

iOS

Answer 41

An operating system manufactured by Apple Inc. Used for mobile devices.

Question 42

Layered Defense

Answer 42

The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.

Question 43

Linux

Answer 43

An operating system that is open source, making its source code legally available to end users.

Question 44

Log Anomaly

Answer 44

A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.

Question 45

Logging

Answer 45

Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks

Question 46

Logical Access Control Systems

Answer 46

Logical Access Control Systems
An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization

Question 47

Mandatory Access Control

Answer 47

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies

Question 48

Mantrap

Answer 48

An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time

Question 49

Object

Answer 49

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains

Question 50

Physical Access Controls

Answer 50

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks

Question 51

Principle of Least Privilege

Answer 51

The principle that users and programs should have only the minimum privileges necessary to complete their tasks.

Question 52

Privileged Account

Answer 52

An information system account with approved authorizations of a privileged user

Question 53

Ransomware

Answer 53

A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid

Question 54

Role-based access control (RBAC)

Answer 54

An access control system that sets up user permissions based on roles.

Question 55

Rule

Answer 55

An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

Question 56

Segregation of Duties

Answer 56

The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties

Question 57

Subject

Answer 57

Generally an individual, process or device causing information to flow among objects or change to the system state

Question 58

Technical Controls

Answer 58

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Question 59

Turnstile

Answer 59

A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.

Question 60

Unix

Answer 60

An operating system used in software development

Question 61

User Provisioning

Answer 61

The process of creating, maintaining and deactivating user identities on a system

Question 62

Why is it recommended to disable accounts for a period before deletion when an employee leaves the company?

Answer 62

To preserve the integrity of audit trails or files

Question 63

Lakshmi presents a user ID and a password to a system to log on.

Which of the following characteristics must the password have?

Answer 63

Confidential

Question 64

What is user provisioning in identity management?

Answer 64

Managing access to resources and information systems

Question 65

Which of the following is the responsibility of systems administrators who use privileged accounts?

Answer 65

Operating systems and applications

Question 66

What does behavioral biometrics measure?

Answer 66

User actions, such as voiceprints and keystroke dynamics

Question 67

Which of the following is an example of a monitoring tool?

Answer 67

Cameras

Question 68

Which is a physical control that prevents “piggybacking” or “tailgating,” when an unauthorized person follows an authorized person into a controlled area?

Answer 68

Turnstile