Effective CISSP Questions

The HIPAA Security Rule defines certain safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Which of the following best describes the category or type of the safeguard mentioned above?
A. Directive
B. Management
C. Technical
D. Logical

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Technical.

I design this question as a reminder for the importance of the context and glossary. This question sets the context in the HIPAA Security Rule, so you should have some background knowledge of the HIPAA Security Rule to build the glossary for this context.

Even so, if you merely know the three categories of safeguards: administrative, physical, and technical, you can still rule out answer options, A, B, and D, and identify the answer, C.


According to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), it defines three categories of safeguard: administrative, physical, and technical.

Security Rule

The Centers for Medicare & Medicaid Services (CMS) issues regulations, known as the Privacy Rule and Security Rule, to define and specify safeguards applicable to those entities covered by HIPAA.

The Privacy Rule, primarily, addresses how PHI (Protected Health Information) can be used and disclosed, while the Security Rule, as a subset of the Privacy Rule, applies specifically to electronic PHI or ePHI.

Technical Safeguards

The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

Does the definition surprise you? It conflicts the common understanding of CISSP aspirants. Most people think of the policy and procedures as administrative controls. However, the Security Rule defines them from the perspective of assets to be protected. Generally speaking, technical safeguards protect “information” while physical safeguards protect “systems and facilities,” and administrative safeguards influence “people.” please refer to the post, HIPAA Safeguards, for details.


As a CISSP aspirant, you must be aware of the following:

  • Security controls or controls for short, safeguards, or countermeasures are used interchangeably.
  • There are three categories/types of (access) controls: administrative (directive/management), technical (logical), and physical if you have read the official boot camp student guide, the CBK, or official study guide (Sybex).

If someone asks you the following questions:

  1. “Administrative controls” or “Administrative access controls”
  2. “Control categories” or “Control types”
  3. Why are technical controls also known as “logical” controls?
  4. How do you define technical controls and physical controls?

What’s your answer?


4 thoughts on “CISSP PRACTICE QUESTIONS – 20191221

  1. C and D are interchangeable – so rule those out.

    I’ve not heard of Management as a control type or a category.

    So I’ll go with A: Directive… although I probably would have chosen ‘Administrative’ if that was an option.

    • I totally agree with you!
      Some textbook says that there exists three types of Controls:
      1. Technical/logical controls
      2. Administrative controls
      3. Physical controls

      But there exists many categories of controls such as, Directive, Protective, Deterrent, Detective, Corrective, Recovery, and so on.

      Since this question asks which category this safeguard belongs to, it makes more sense to go with Directive, IMO

      • There are various systems of control taxonomy. This question is specific in the context of HIPAA, which defines safeguards per the HIPAA “Security Rule.” It’s different from the definitions of CISSP study guides. I designed this question just to highlight the differences. Most sources classify policies and procedures as management, administrative, or directive controls.

  2. Pingback: Control Objectives by Wentz Wu, CISSP-ISSMP,ISSAP,ISSEP/CCSP/CSSLP/CISM/CISA/CEH/PMP/CBAP

Leave a Reply