1B: Compare and Contrast Security Control and Framework Types Flashcards

1
Q

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?

A

Corrective

2
Q

What cyber security framework (CSF) focuses exclusively on IT security, rather than IT service provisioning?

A

National Institute of Standards and Technology (NIST)

3
Q

The _____ requires federal agencies to develop security policies for computer systems that process confidential information.

A

Computer Security Act (1987)

4
Q

The ____ mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity.

A

Sarbanes-Oxley Act (2002)

5
Q

The _____ governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.

A

Federal Information Security Management Act (2002)

6
Q

The ______ is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.

A

Gramm-Leach-Bliley Act (1999)

7
Q

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. What ideas are consistent with industry definitions?

A

- Deploy a technical control to enforce network access policies.
- Schedule quarterly security awareness workshops as a preventive control to prevent social engineering attacks.
- Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.

8
Q

What is a technical control?

A

A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall.

9
Q

What is an operational control?

A

Operational controls are categorized as those performed by people, such as security guards.

10
Q

What is a preventive control?

A

A preventive control, such as user education and training, is one that eliminates or reduces the likelihood of an attack before it can take place.

11
Q

What is a corrective control?

A

A corrective control, such as backup, is used following an attack to eliminate or mitigate its impact.

12
Q

What is a managerial control?

A

Monitoring of risk and compliance is a type of managerial control.

13
Q

A company has an annual contract with an outside firm to perform a security audit on its network. The purpose of the annual audit is to determine whether the company is in compliance with its internal directives and policies for security control. Which broad class of security control accurately describes the purpose of the audit?

A

Managerial

14
Q

You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?

A

It is a technical type of control (implemented in software) and acts as a preventive measure.

15
Q

A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?

A

It would be classed as a physical control and its function is both detecting and deterring.

16
Q

A firewall appliance intercepts a packet that violates policy. It automatically updates its access control list to block all further packets from the source IP. What THREE functions is the security control performing?

A

Detective, corrective, and preventative.

17
Q

If a security control is described as operational and compensating, what can you determine about its nature and function?

A

That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.

18
Q

What term is used to describe the property of a secure network where a sender cannot deny having sent a message?

A

Non-repudiation

19
Q

What is CIS?

A

Center for Internet Security

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

20
Q

What is Cloud Security Alliance?

A

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

21
Q

What is a compensating control?

A

A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

22
Q

What is a corrective control?

A

A type of security control that acts after an incident to eliminate or minimize its impact.

23
Q

What is a detective control?

A

A type of security control that acts during an incident to identify or record that it is happening.

24
Q

What is a deterrent control?

A

A type of security control that discourages intrusion attempts.

25
Q

What is the GDPR (General Data Protection Regulation)?

A

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Shield requirements.

26
Q

What is the GLBA (Gramm-Leach-Bliley Act)?

A

A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.

27
Q

What is ISO/IEC 27K (International Organization for Standardization 27000 Series)?

A

A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

28
Q

What is ISO/IEC 31K (International Organization for Standardization 31000 Series)?

A

A comprehensive set of standards for enterprise risk management.

29
Q

What is OWASP (Open Web Application Security Project)?

A

A charity and community publishing a number of secure application development resources.

30
Q

What is PCI DSS (Payment Card Industry Data Security Standard)?

A

Information security standard for organizations that process credit or bank card payments.

31
Q

What is SSAE SOC (Statements on Standards for Attestation Engagements Service Organization Control)?

A

Audit specifications designed to ensure that cloud/hosting providers meet professional standards.

32
Q

What is a SOC2 Type II report for?

A

A SOC2 Type II report is created for a restricted audience.

33
Q

What is a SOC3 report for?

A

SOC3 reports are provided for general consumption.

34
Q

What is SOX (Sarbanes-Oxley Act)?

A

A law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

35
Q

What is a physical control?

A

A type of security control that acts against in-person intrusion attempts.

36
Q

What is a security control?

A

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

37
Q

What is a technical control?

A

A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.

38
Q

Explain how a client/server model works and how it might be attacked.

A

This means that part of the application is a client software program, installed and run on hardware separate from the server application code. The client interacts with the server over a network.

Attacks can therefore be directed at the local client code, at the server application, or at the network channel between them.