
Take the Information Security Controls Quiz

Test Your Cybersecurity Controls Skills Today

Difficulty: Moderate
Questions: 20

This Information Security Controls Quiz helps you practice applying administrative, technical, and physical safeguards to real-world situations. Answer 20 multiple-choice questions to check gaps before an exam or audit, then build your base with the fundamentals quiz or sharpen habits with the security awareness quiz.

Which of the following is an example of a physical security control?
Firewalls that block unauthorized network traffic
Encryption of data in transit
Antivirus software scanning for malware
Closed-circuit television cameras monitoring access points
A physical security control protects the physical environment, such as CCTV cameras monitoring entry points. Firewalls and antivirus are technical controls, while encryption is a technical control for protecting data confidentiality.
Which principle ensures users have only the minimum access rights necessary to perform their jobs?
Defence in depth
Principle of least privilege
Mandatory access control
Separation of duties
The principle of least privilege restricts users to the minimal set of permissions they need, reducing the attack surface. Other principles like separation of duties help distribute tasks but do not directly minimize privileges.
Which authentication factor is categorized as "something you have"?
Retina scan
Fingerprint scan
Password or PIN
Smart card or security token
Something you have refers to a physical object like a smart card or security token used for authentication. Fingerprint and retina scans are biometric factors ("something you are") and passwords are "something you know."
What is the primary security goal of encryption?
Integrity of system configurations
Physical protection of hardware
Confidentiality of information
Data availability during outages
Encryption transforms data to prevent unauthorized disclosure, protecting confidentiality. Availability and integrity require different controls like backups and checksums, and physical protection addresses hardware security.
Which of the following is an example of an administrative security control?
Biometric access locks
Hardware firewalls
Data encryption software
Security policy and procedure documentation
Administrative controls include policies, procedures, and guidelines that govern security practices. Firewalls, biometrics, and encryption are technical or physical controls rather than administrative measures.
Which control is most appropriate to protect sensitive data at rest on employee laptops?
Full disk encryption
Transport Layer Security for email
Network firewall with content filtering
Host-based intrusion detection system
Full disk encryption encrypts everything stored on the laptop's drive, so a lost or stolen device yields only ciphertext unless the attacker also has the key (normally derived from the user's passphrase or released by a TPM at boot). It protects data only while the device is powered off or locked; once booted and unlocked, the operating system decrypts transparently. TLS protects data in transit, a firewall filters network traffic, and a HIDS detects intrusions; none of them encrypts data at rest.
Which process involves evaluating threats, vulnerabilities, and the effectiveness of existing controls?
Risk assessment
Incident response
Security awareness training
Continuous monitoring
Risk assessment systematically analyzes threats, vulnerabilities, and control efficacy to determine risk levels. Incident response addresses active incidents, while continuous monitoring tracks security posture over time.
Which access control model grants permissions based on dynamic attributes of users and resources?
Attribute-Based Access Control (ABAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
ABAC uses attributes (such as user department, time of day, or resource classification) to make access decisions. RBAC and MAC use predefined roles or labels, while DAC relies on resource owners to assign permissions.
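The following is an added example, not part of the original quiz, showing what "dynamic attributes" means in practice. The subjects, resources, clearance scale and the three policy rules are all constructed for the illustration; a real ABAC engine (XACML, OPA, cloud IAM conditions) would express the same rules in its own policy language.

```python
from dataclasses import dataclass
from datetime import time

# Constructed attribute sets for the example (hypothetical users and documents).
@dataclass
class Subject:
    user: str
    department: str
    clearance: int        # 0 public, 1 internal, 2 confidential, 3 restricted

@dataclass
class Resource:
    name: str
    owner_department: str
    classification: int   # same scale as clearance

@dataclass
class Environment:
    now: time             # time of day of the request
    network: str          # "corp", "vpn" or "internet"

BUSINESS_HOURS = (time(8, 0), time(18, 0))

def abac_decide(subject: Subject, resource: Resource, env: Environment, action: str) -> bool:
    """Return True if the request is permitted under the example policy.

    Each rule compares attributes, so the same user can be allowed at 10:00 on
    the corporate LAN and denied at 20:00 over VPN without any role change.
    """
    # Rule 1: the subject's clearance must dominate the resource label (any action).
    if subject.clearance < resource.classification:
        return False
    # Rule 2: only the owning department may write.
    if action == "write" and subject.department != resource.owner_department:
        return False
    # Rule 3: restricted resources are reachable only from the corporate network
    # during business hours.
    if resource.classification >= 3:
        if env.network != "corp":
            return False
        if not (BUSINESS_HOURS[0] <= env.now <= BUSINESS_HOURS[1]):
            return False
    return True

def decide_at(subject: Subject, resource: Resource, hour: int, network: str, action: str) -> bool:
    """Convenience wrapper: evaluate a request made at a given hour of day."""
    return abac_decide(subject, resource, Environment(time(hour, 0), network), action)

if __name__ == "__main__":
    alice = Subject("alice", "finance", clearance=3)
    ledger = Resource("q3-ledger.xlsx", "finance", classification=3)
    print(decide_at(alice, ledger, 10, "corp", "read"))   # True
    print(decide_at(alice, ledger, 10, "vpn", "read"))    # False
```

Under RBAC the same user would hold a fixed "finance-admin" role and the time and network checks would have to live outside the access control model; ABAC folds them into the decision itself.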
To mitigate a brute force attack on user accounts, which control should be implemented?
Transport Layer Security
Endpoint antivirus scanning
Data Loss Prevention solution
Account lockout policy after failed login attempts
An account lockout policy temporarily disables an account after a set number of failed attempts within a window, so an attacker cannot keep guessing passwords against it indefinitely. TLS protects data in transit, while DLP and antivirus target data leakage and malware respectively. Note that lockout alone does not stop password spraying (a few guesses against many accounts) and can itself be abused to lock legitimate users out, so it is normally paired with rate limiting and multi-factor authentication.
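An added example (not from the quiz) of the lockout logic as a small state machine. The thresholds, the hypothetical credential store and the practice of passing the clock in explicitly are all assumptions made for the illustration; a production system would keep this state in a shared store so every login node sees the same counters.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after `threshold` failures within `window` seconds,
    for `lockout` seconds. The caller supplies `now` so behaviour is
    deterministic and testable."""

    def __init__(self, threshold: int = 5, window: int = 300, lockout: int = 900):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: clear state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; return True if it triggered a lockout."""
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self.failures[account].clear()

# Hypothetical credential store for the demo; real code verifies a password hash.
DEMO_STORE = {"alice": "correct horse battery staple"}

def attempt_login(policy: LockoutPolicy, account: str, password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account rejects even the
    correct password until the lock expires."""
    if policy.is_locked(account, now):
        return "locked"
    if DEMO_STORE.get(account) == password:
        policy.record_success(account)
        return "ok"
    policy.record_failure(account, now)
    return "denied"

if __name__ == "__main__":
    p = LockoutPolicy(threshold=3, window=60, lockout=120)
    for t in (0, 1, 2):
        print(t, attempt_login(p, "alice", "wrong", t))        # denied x3, then locked
    print(3, attempt_login(p, "alice", "correct horse battery staple", 3))   # locked
    print(130, attempt_login(p, "alice", "correct horse battery staple", 130))  # ok
```

Because the counter is per account, an attacker who tries one password against a thousand accounts never trips it, which is why the lockout control is complemented by per-source rate limiting and the kind of cross-account correlation a SIEM performs.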
Which activity is part of an ongoing monitoring program for security controls?
Designing network segmentation architecture
Reviewing configuration change logs and system health metrics
Developing security policies
Installing initial security baseline
Ongoing monitoring involves reviewing logs, metrics, and configurations to detect deviations or failures in controls. Designing architectures or developing policies are planning activities, while baseline installation is a setup task.
Which control measure most effectively reduces the risk of SQL injection attacks?
Segregating databases on separate VLANs
Applying complex password policies
Implementing parameterized queries
Encrypting the database storage
Parameterized queries ensure user input is treated as data rather than executable code, preventing SQL injection. Encryption, password policies, and network segmentation do not address injection at the application layer.
What type of encryption uses a public key and a private key pair?
Hashing
Asymmetric encryption
Symmetric encryption
Steganography
Asymmetric encryption uses a mathematically related key pair: the public key encrypts (or verifies signatures) and the private key decrypts (or signs). Because the public key can be published freely, it is typically used to establish a symmetric session key, as in TLS. Symmetric encryption uses the same key for both operations, hashing is a one-way function, and steganography hides the existence of a message rather than its content.
What is the primary purpose of adopting a security framework like ISO 27001?
To detect incidents in real time
To replace firewalls and antivirus solutions
To provide a structured approach for managing and improving security controls
To encrypt all organizational data by default
ISO 27001 offers a structured Information Security Management System (ISMS) to identify, implement, and improve security controls. It does not focus on real-time detection or mandate specific technologies like encryption.
Which type of vulnerability assessment tests an application from an external perspective without any credentials?
Black-box testing
Grey-box testing
Internal vulnerability scan
White-box testing
Black-box testing simulates an external attacker with no prior knowledge or credentials, assessing vulnerabilities from the outside. White-box and grey-box tests use varying degrees of internal knowledge.
What is a best practice for securely storing user passwords?
Storing passwords as unsalted hashes
Using strong salted hashing functions
Storing plaintext passwords in a secure database
Encrypting passwords with reversible encryption
Salted hashing combines a unique random salt with each password before hashing, so identical passwords produce different hashes and precomputed (rainbow) tables are useless. The function should be a deliberately slow, preferably memory-hard one designed for passwords (Argon2id, bcrypt, scrypt or PBKDF2), not a fast general-purpose hash such as SHA-256. Reversible encryption or plaintext storage means that a compromised key or database exposes every password at once.
Implementing a Security Information and Event Management (SIEM) system to correlate logs and detect anomalies is an example of which type of control?
Detective control
Corrective control
Preventive control
Deterrent control
A SIEM system analyzes logs to identify suspicious activities after they occur, making it a detective control. Preventive controls aim to stop incidents before they happen, while corrective controls remediate issues.
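An added example, not from the quiz, of the kind of correlation a SIEM does that a per-account lockout cannot: spotting one source address that fails against many different accounts (password spraying) and raising the severity if that address later succeeds. The log lines are constructed in a simplified sshd-like format with ISO timestamps, and the window and account thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, simplified sshd-style auth log (ISO timestamps, not real syslog).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2024-05-01T09:00:07 sshd[102]: Failed password for bob from 203.0.113.5 port 40002 ssh2
2024-05-01T09:00:13 sshd[103]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2
2024-05-01T09:00:19 sshd[104]: Failed password for dave from 203.0.113.5 port 40004 ssh2
2024-05-01T09:00:25 sshd[105]: Failed password for erin from 203.0.113.5 port 40005 ssh2
2024-05-01T09:01:00 sshd[106]: Accepted password for erin from 203.0.113.5 port 40006 ssh2
2024-05-01T09:02:10 sshd[107]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-05-01T09:02:15 sshd[108]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-05-01T09:02:21 sshd[109]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
2024-05-01T09:02:30 sshd[110]: Connection closed by 198.51.100.7 port 50001
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(lines):
    """Yield structured auth events; lines that are not login results are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
               "user": m["user"], "ip": m["ip"]}

def detect_spray(events, window_s: int = 600, min_accounts: int = 5):
    """Alert on a source IP that fails logins against >= min_accounts distinct
    accounts within window_s seconds. A later Accepted from that IP raises the
    severity, since it usually means a sprayed password worked."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            users = {e["user"] for e in in_window}
            if len(users) < min_accounts:
                continue
            successes = {e["user"] for e in evs
                         if e["result"] == "Accepted" and e["ts"] >= start["ts"]}
            alerts.append({"ip": ip, "accounts": sorted(users),
                           "compromised": sorted(successes),
                           "severity": "high" if successes else "medium"})
            break   # one alert per source address
    return alerts

def run_demo():
    return detect_spray(parse_events(SAMPLE_LOG.splitlines()))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

In the sample, 198.51.100.7 is a user mistyping a password twice and is not flagged, while 203.0.113.5 touched five accounts with one failure each, which no per-account threshold would notice. The control is detective: the spray has already happened when the alert fires, and a responder still has to act on it.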
In a patch management lifecycle, during which phase should patches be applied in a non-production environment to confirm stability before deployment?
Identification
Testing
Deployment
Review
The testing phase of patch management involves applying patches in a controlled, non-production environment to verify compatibility and stability. Deployment follows testing once the patches are validated.
Which preventive control specifically helps mitigate cross-site scripting (XSS) vulnerabilities in web browsers?
Parameterized SQL queries
Content Security Policy headers
Input validation on the server side
Web Application Firewall installed on the network perimeter
Content Security Policy (CSP) headers tell the browser which script sources, and whether inline scripts, may execute, so an injected script from an untrusted origin is blocked even when the application has failed to encode its output. Server-side validation and contextual output encoding remain the primary fix and a WAF filters requests at the perimeter; CSP is the control that acts inside the browser itself.
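An added example, not part of the quiz, of the check a reviewer would run on a CSP header before trusting it as an XSS control: it parses the policy and flags the script-source settings that leave inline or attacker-controlled script executable. The finding codes and the two sample headers are constructed for the illustration.

```python
def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives

def csp_findings(header: str) -> list:
    """Return finding codes for script-loading weaknesses.

    Only script execution is examined, because that is what XSS needs; a policy
    that is strict about images but loose about scripts is still weak.
    """
    d = parse_csp(header)
    findings = []
    # script-src falls back to default-src; with neither, the browser allows everything.
    script_src = d.get("script-src", d.get("default-src"))
    if script_src is None:
        return ["no-script-src"]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script_src)
    # Per CSP Level 2, 'unsafe-inline' is ignored when a nonce or hash is present,
    # so it is only a finding when it actually takes effect.
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("unsafe-inline")
    if "'unsafe-eval'" in script_src:
        findings.append("unsafe-eval")
    if any(s in ("*", "https:", "http:") for s in script_src):
        findings.append("wildcard-source")   # any host on the web may serve scripts
    if "data:" in script_src:
        findings.append("data-source")       # data: URIs let an attacker inline a script
    if "object-src" not in d and "default-src" not in d:
        findings.append("no-object-src")     # <object>/<embed> plugins can run script
    return findings

# Constructed sample headers for the demo.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval' data:"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
              "object-src 'none'; base-uri 'self'")

if __name__ == "__main__":
    print(csp_findings(WEAK_CSP))     # several findings
    print(csp_findings(STRONG_CSP))   # []
```

A nonce-based policy is the usual target: each response carries a fresh random nonce on its legitimate script tags, and anything an attacker injects lacks it and is refused by the browser.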
Within an ISO 27001 Information Security Management System, which document lists all the controls selected and their implementation status?
Security Policy Handbook
Business Continuity Plan
Statement of Applicability
Risk Treatment Plan
The Statement of Applicability (SoA) identifies which ISO 27001 Annex A controls are selected, implemented, or excluded, and justifies their status. Other documents serve different purposes in the ISMS.
Which standard or framework is designed to automate configuration compliance checking using standardized checklists and scoring?
Center for Internet Security Controls (CIS Controls)
Common Vulnerabilities and Exposures (CVE)
International Organization for Standardization 9001 (ISO 9001)
Security Content Automation Protocol (SCAP)
SCAP provides standardized formats for expressing security configurations and vulnerability information, enabling automated compliance checking. CVE catalogs vulnerabilities, CIS Controls provide best practices, and ISO 9001 addresses quality management.

Learning Outcomes

  1. Identify key administrative, technical, and physical security controls
  2. Evaluate the effectiveness of controls in various risk scenarios
  3. Apply best practices for access control and encryption implementation
  4. Analyse vulnerabilities and recommend suitable control measures
  5. Demonstrate understanding of security control frameworks and compliance
  6. Master ongoing monitoring and maintenance of protective controls

Cheat Sheet

  1. Grasp the CIA Triad - Confidentiality keeps sensitive data private, integrity ensures information remains unaltered, and availability guarantees you can access your data whenever you need it. Think of it as the three pillars holding up your fortress of data defenses! suridata.ai Infosec Guide to Information Security Controls
  2. Differentiate security control types - Administrative controls are the policies and procedures you draft, technical controls are the software and hardware solutions you deploy, and physical controls are the locks and cameras protecting the door. Knowing who does what strengthens your layered defense strategy. UMass Dartmouth Information Security Controls
  3. Know ISO/IEC 27001 - This international standard lays out how to build and maintain an Information Security Management System (ISMS), guiding you step by step toward robust data protection. It's like a recipe book for baking the perfect secure environment! ISO/IEC 27001 on Wikipedia
  4. Explore NIST SP 800-53 - Dive into the detailed catalog of security and privacy controls designed for federal systems, offering a playbook on risk management and compliance. It's a treasure trove of best practices to fortify any organization. NIST SP 800-53 on Wikipedia
  5. Learn the NIST Cybersecurity Framework - Identify, Protect, Detect, Respond, and Recover: these five core functions (CSF 2.0 adds a sixth, Govern) guide your cybersecurity journey from spotting threats to bouncing back from breaches. Think of it as your cyber survival roadmap. NIST Cybersecurity Framework on Wikipedia
  6. Recognize data encryption - Encryption scrambles your data into an unreadable format, ensuring only those with the right key can make sense of it. Whether your info is at rest or in transit, encryption is your trusty invisibility cloak. Infosec Institute Data Security Controls
  7. Master access control mechanisms - From passwords to multi-factor authentication, access controls keep unauthorized users at bay and ensure only the right people get in. Strong authentication is like having a digital bouncer for your systems. Infosec Institute Data Security Controls
  8. Study all security control categories - Preventive, detective, corrective, deterrent, compensating, and more each play a unique role in risk management. A well-rounded strategy uses multiple control types to cover all angles. College Sidekick Security Control Types
  9. Emphasize ongoing monitoring - Security controls aren't "set and forget." Regular audits, scans, and updates help you stay ahead of emerging threats and keep your defenses in top shape. ISO/IEC 27004 on Wikipedia
  10. Value compliance and frameworks - Aligning with standards like ISO/IEC 27001 or NIST frameworks helps you meet legal, regulatory, and industry requirements. It's not just paperwork - it's proof you're serious about security. ISO/IEC 27001 on Wikipedia