CHAPTER SUMMARY

This chapter provided information on different types of controls. Effective controls reduce or neutralize threats or vulnerabilities to an acceptable level. In-place controls are currently operating. Planned controls have a scheduled implementation date.

When considering additional controls, they can be evaluated by specific families. NIST SP 800-53 provides detailed guidance on 20 families of controls. Controls can also be categorized as procedural, technical, and physical. Evaluating controls across all families and categories is important; for example, technical controls alone cannot address all risks.

KEY CONCEPTS AND TERMS

CHAPTER 9 ASSESSMENT

  1. A ________ will reduce or eliminate a threat or vulnerability.
  2. Controls can be identified based on their function. The functions are preventive, detective, and corrective.
    1. True
    2. False
  3. What are the primary objectives of a control?
    1. Prevent, control, and attack
    2. Prevent, respond, and log
    3. Prevent, recover, and detect
    4. Detect, recover, and attack
  4. What type of control is an intrusion detection system (IDS)?
    1. Preventive
    2. Detective
    3. Corrective
    4. Recovery
  5. Controls are often categorized based on how they are implemented. What are the three common methods of implementing controls?
    1. Preventive, detective, and corrective
    2. Administrative, technical, and operational
    3. Technical, administrative, and environmental
    4. Procedural, technical, and physical
  6. A(n) ________ control is used to ensure that users have the rights and permissions they need to perform their jobs and no more.
  7. Logon identifiers help ensure that users cannot deny taking a specific action, such as deleting a file. What is this called?
    1. Digital signature
    2. Encryption
    3. Nonrepudiation
    4. PKI
  8. What should be used to ensure that users understand what they can and cannot do on systems within the network?
    1. Acceptable use banner
    2. Data range checks
    3. Rules of behavior
    4. Audit trails
  9. What can be used to ensure confidentiality of sensitive data?
    1. Encryption
    2. Hashing
    3. Digital signature
    4. Nonrepudiation
  10. What should be logged in an audit log?
    1. All system events
    2. All security-related events
    3. The details of what happened for an event
    4. Who, what, when, and where details of an event
  11. An organization wants to issue certificates for internal systems, such as an internal web server. A ________ will need to be installed to issue and manage certificates.
  12. Which of the following is a procedural control?
    1. Session time-out
    2. Reasonableness check
    3. Water detection
    4. DRP
  13. Which of the following is a technical control?
    1. PKI
    2. Awareness and training
    3. Guards
    4. Electrical grounding
  14. Which of the following is a physical control?
    1. Logon identifiers
    2. CCTV
    3. Encryption
    4. BCP
  15. The web of trust has a centralized trust model.
    1. True
    2. False