nerdexam
(ISC)2

CISSP · Question #1402

Which of the following BEST represents a defense in depth concept?

The correct answer is C. Endpoint security management, network intrusion detection system (NIDS), Network Access. Defense in depth requires layering multiple, distinct security controls across different domains (endpoint, network, and access control) to create overlapping protection. The best answer combines controls spanning host, network detection, and access enforcement layers.

Submitted by rohit_dlh· Mar 5, 2026Security Architecture and Engineering

Question

Which of the following BEST represents a defense in depth concept?

Options

  • ANetwork-based data loss prevention (DLP), Network Access Control (NAC), network-based
  • BHost-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity
  • CEndpoint security management, network intrusion detection system (NIDS), Network Access
  • DWeb application firewall (WAF), Gateway network device tuning, Database firewall, Next-

How the community answered

(32 responses)
  • A
    3% (1)
  • B
    6% (2)
  • C
    88% (28)
  • D
    3% (1)

Why each option

Defense in depth requires layering multiple, distinct security controls across different domains (endpoint, network, and access control) to create overlapping protection. The best answer combines controls spanning host, network detection, and access enforcement layers.

ANetwork-based data loss prevention (DLP), Network Access Control (NAC), network-based

Network-based DLP and NAC both operate primarily at the network layer, meaning this option lacks diversity across security domains and does not truly represent layered defense in depth.

BHost-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity

Host-based DLP, endpoint anti-malware, and host-based integrity monitoring are all endpoint/host-layer controls, making this a single-layer approach rather than a multi-layered defense in depth strategy.

CEndpoint security management, network intrusion detection system (NIDS), Network AccessCorrect

Endpoint security management, NIDS, and Network Access Control (NAC) represent true defense in depth by combining a host-level control (endpoint security), a network detection control (NIDS), and a network enforcement/access control mechanism (NAC). These three controls operate at distinct layers-endpoint, network monitoring, and network access enforcement-ensuring that if one layer fails, others remain to detect or block threats. This multi-layer, multi-domain approach is the defining characteristic of defense in depth.

DWeb application firewall (WAF), Gateway network device tuning, Database firewall, Next-

While WAF, gateway tuning, database firewall, and next-generation firewall span some layers, they are predominantly perimeter and application-layer network controls focused on traffic filtering, lacking a distinct host/endpoint layer component for comprehensive depth.

Concept tested: Defense in depth multi-layer security control strategy

Source: https://learn.microsoft.com/en-us/azure/architecture/guide/security/security-start-here#defense-in-depth

Topics

#defense in depth#layered security#security architecture#NIDS

Community Discussion

No community discussion yet for this question.

Full CISSP Practice