CERTIFIED-IN-CYBERSECURITY Question #492: Real Exam Question with Answer & Explanation

The correct answer is C: A safeguard conceived to guarantee the CIA of data.

Security Principles

Question

In the context of information security, what is a definition for 'control'?

Options

  • A. An encryption technique for data at rest
  • B. A protocol for protected communication
  • C. A safeguard conceived to guarantee the CIA of data
  • D. A document outlining the security policies

Explanation

A "control" refers to the measures or safeguards put in place to ensure the confidentiality, integrity, and availability (CIA) of data. These controls can be technical (such as firewalls or encryption), physical (such as locks or access cards), or administrative (such as policies or procedures). For example, a control might be a password policy that requires complex passwords and regular password changes to ensure the confidentiality and integrity of user accounts, or a firewall that protects a network from unauthorized access, thereby ensuring the confidentiality and integrity of data (see the ISC2 Study Guide, Chapter 3, Module 1).

The remaining options, while related to the concepts of security controls, do not fully capture the concept. A secure communications protocol, such as SSL/TLS, is a method of securing data transmission, but it is not a "control" in and of itself. An encryption technique for data at rest is a specific type of control, but it does not encompass the full meaning of "control" in information security. A security policy document is a policy, not a control. It sets the rules for what controls should be in place, but it is not a control itself.

Topics

#Information Security Controls  #Security Concepts  #CIA Triad  #Safeguards
