Domain 3

Question 1

Which of the following is an example of security control?

Answer 1

Firewall

Question 2

Subject definition

Answer 2

any entity that requests
access to asset. May be a user, program, etc., is active in initiating the request for services, and should have some level of clearance

Question 3

Object definition

Answer 3

an entity that responds to a request for service. May be a building, file, etc., provides service to a user, is passive in the request, do not have their own access control logic, and may have a classification

Question 4

Rules definition

Answer 4

an instruction developed to
allow or deny access to an object by comparing the validated identity
of the subject to an
access control list

Question 5

What is the definition of an object in the context of access controls?

Answer 5

An entity that responds to a request for service

Question 6

Derrick logs on to a system to read a file.

In this example, Derrick is the ______.

Answer 6

Subject

Question 7

Which of the following is a subject?

Answer 7

User

Question 8

What is the strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of an organization?

Answer 8

Layered Defense

Question 9

How does privileged access management implement the principle of least privilege?

Answer 9

By granting each user access only to the items they need

Question 10

Physical access controls are

Answer 10

tangible methods or mechanisms that
limit someone from getting access to an
area or asset

Question 11

Logical access controls are

Answer 11

electronic methods that limit someone
from getting access to systems, and
sometimes even to tangible assets or areas, including passwords, biometrics, etc.

Question 12

Which of the following is an example of a logical access control method?

Answer 12

Biometrics on a smartphone

Question 13

Limiting access to data on the network would be considered which of the following controls?

Answer 13

Logical or technical controls

Question 14

A control serves to

Answer 14

reduce the risk
according to where it falls within
the risk tolerance of the individual
or organization

Question 15

What would be considered an administrative control in the context of seat belt usage?

Answer 15

Passing a law requiring seat belt use

Question 16

What would be considered a physical control in the context of seat belt usage?

Answer 16

The seat belt itself would be considered a physical control

Question 17

What alternative control could be used if biometric locks on multiple doors are not necessary and access does not need to be audited?

Answer 17

deadbolt locks

Question 18

In what type of environment does role-based access control work well?

Answer 18

High-staff turnover and similar access requirements

Question 19

Role-based access control provides

Answer 19

each worker
privileges based on what role
they have in the organization

Question 20

What term is used to describe the situation where someone inherits expanded permissions that are not appropriate for their role in Role-based Access Control (RBAC)?

Answer 20

Privilege creep

Question 21

What is the key feature of just-in-time privileged access management?

Answer 21

Role-based subsets of privileges

Question 22

Privileged accounts are

Answer 22

those with
permissions beyond those of normal users,
such as managers and administrators

Question 23

In Mandatory Access Control (MAC), what determines the level of access to certain areas in certain government agencies?

Answer 23

Government policy and security clearance

Question 24

With Mandatory Access Control, who
assigns access rights or permissions?

Answer 24

security administrators

Question 25

With Discretionary Access Control, who
assigns access rights or permissions?

Answer 25

the object owner

Question 26

Who can modify security rules in a system governed by Mandatory Access Control (MAC)?

Answer 26

Trusted subjects designated as security administrators

Question 27

Which of these combinations of physical security controls share a single point of failure?

Answer 27

High-illumination lighting and cameras

A power failure will disable both the cameras and the lights.

Question 28

What challenges do small and medium businesses face regarding technical controls in payroll systems?

Answer 28

Insufficient personnel for duty separation

Question 29

Which of the following is an example of a physical access control?

Answer 29

Motion detectors

Question 30

Separation of duties is based on

Answer 30

the security practice that no one person should control
an entire high-risk transaction from start to finish.

Question 31

Collusion is when

Answer 31

two individuals willfully work together to bypass the separation of duties to jointly commit fraud

Question 32

Duncan and Mira work in the data center at Triffid, Inc. There is a policy in place that requires both to be present in the data center at the same time.

If one has to leave for any reason, the other must step out, too, until they can both re-enter.

This is called ________.

Answer 32

Two-person integrity

Question 33

Why is Discretionary Access Control (DAC) not considered very scalable?

Answer 33

It relies on the discretion of individual object owners

Question 34

What is the two-person rule in the context of security strategy?

Answer 34

Two people must be in an area together