1. Which of the following best describes the control that access to data or resources is necessary for the performance of official duties?
    A. Separation of Duties
    B. Need-to-Know
    C. Least Privilege
    D. Job Rotation
  2. Which of the following best ensures that a person has been determined to be trustworthy?
    A. Security clearance
    B. Identification
    C. Need-to-Know
    D. Access Control
  3. Which of following is of most concern when determining if a HIDS or NIDS should be implemented as a safeguard?
    A. Analysis of the frequency of network attacks
    B. The effectiveness of the solution
    C. The risk exposure of being breached
    D. Identify, analyze, and evaluate the risks

Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

On question #1, my recommended answer is Need-to-Know.

  • It emphasizes on “necessary” and “data or resources”, while least privilege is about the “most restrictive” set of privileges.
  • Need-to-Know comes first for access authorization based on the necessity of performing duties, then comes the least privilege to determine the most restricted extent or scope of authorization.
  • One must be qualified for authorization based on official duties first, or need-to-know. If not, the least privilege principle won’t be applied.

On question #2, my recommended answer is Security clearance.

  • “A security clearance is a status granted to individuals allowing them access to classified information (state or organizational secrets) or to restricted areas, after completion of a thorough background check.
  • The term “security clearance” is also sometimes used in private organizations that have a formal process to vet employees for access to sensitive information.” (wikipedia)

On question #3, my recommended answer is The effectiveness of the solution.

  • Risk mitigation is one of the four common risk treatment options or risk response strategies. Risk assessment (risk identification, risk analysis, and risk evaluation) is conducted before risk treatment or response.
  • Implementing safeguards, e.g. NIDS or HIDS, is one way to mitigate risks; or broadly speaking, risk treatment. Options A, C, and D are conducted before risk treatment.
  • When mitigating risks, you have to consider the effectiveness of the solution first, then the cost/benefit.

Leave a Reply