Topic 1B: InfoSec Controls

Question 1

A Security Control

Answer 1

Provides an asset or system with CIA

Question 2

Three major control types

Answer 2

Technical, Operational, Management

Question 3

Technical controls

Answer 3

Implemented as hardware, software, or firmware. AKA logic controls

Question 4

Operational controls

Answer 4

Implemented as people performing processes or tasks, such as reviewing logs or providing training

Question 5

Management controls

Answer 5

Oversee the controls themselves, such risk assessment or review

Question 6

Control functional types

Answer 6

Preventive, Detective, Corrective, Physical, Deterrent, Compensating

Question 7

Preventive control

Answer 7

Eliminates or reduces likelihood of success

Question 8

Detective control

Answer 8

Identifies and records something happening

Question 9

Corrective control

Answer 9

Eliminates or reduces impact

Question 10

Physical control

Answer 10

Tangible objects, such as locks or guards

Question 11

Deterrent

Answer 11

Warnings which discourage attempts

Question 12

Compensating controls

Answer 12

Substitute for a specific control of equal or greater protection

Question 13

ISO 27000 series

Answer 13

A series of security frameworks

Question 14

ISO 31000 series

Answer 14

A series of enterprise risk management frameworks

Question 15

SOC2

Answer 15

Evaluates Trust Services Criteria when storing or processing customer data

Question 16

SOC2 Type 1 report

Answer 16

Measures control design

Question 17

SOC2 Type 2 report

Answer 17

Measures control performance during a span of time

Question 18

Benchmarks

Answer 18

Published by non-profits like CIS or product vendors, they establish criteria for specific configuration and settings to protect an asset

Question 19

Framework

Answer 19

Provides generic industry best-practices