Chapter 1 Β· Quiz

Security Controls Quiz

Multiple choice, matching, analysis, and evaluation questions. Click an option to answer.

Part A β€” Multiple Choice

Q1
A company installs firewalls, enables antivirus, and configures OS-level permissions. Which category of security control does this represent?
βœ… Correct: C β€” Technical. Firewalls, antivirus, and OS controls are all technology-based systems β€” the defining characteristic of technical controls.
Q2
An organization posts "Warning: All activity on this system is monitored" on its login screen. What type of control is this?
βœ… Correct: D β€” Deterrent. The warning discourages malicious activity but does NOT actually prevent access. Key clue: the attacker can still log in β€” it just makes them think twice.
Q3
After a ransomware attack, the IT team restores all affected systems from clean backups. What type of security control is this?
βœ… Correct: C β€” Corrective. Corrective controls are applied AFTER an incident to restore systems and minimize downtime.
Q4
A security team cannot patch a legacy application but adds a firewall rule to block specific exploits targeting it. This is an example of which control type?
βœ… Correct: B β€” Compensating. Compensating controls are used when the ideal control (patching) can't be applied. The firewall blocks the threat through an alternative means.
Q5
Which of the following is the WEAKEST type of security control?
βœ… Correct: C β€” Directive. Directive controls (signs, training, policies) only guide behavior β€” they don't physically or technically prevent, detect, or correct anything.

Part B β€” Matching

Match each scenario (left column) to its control type (right column). Click a scenario, then click its matching type.

SCENARIOS

CCTV cameras record entry attempts
Security awareness training for employees
Locked server room door
Incident response contacts law enforcement

CONTROL TYPES

Detective
Directive
Preventive
Corrective

Part C β€” Analysis Questions

Q6 β€” Analyze
An organization has badge readers on all exterior doors (physical), a policy requiring badge use at all times (managerial), guards who verify ID at the entrance (operational), and cameras inside the building (technical). Which control type is MOST likely missing from this setup to create a complete lifecycle?
βœ… Best Answer: B β€” Corrective. The scenario has preventive, deterrent, detective, and directive elements. The missing piece is a corrective response plan: what happens AFTER an unauthorized access occurs? Without it, the organization can't recover and resume operations efficiently.
Q7 β€” Analyze
A CISO argues that security awareness training is the most important investment the company can make. From a security controls perspective, what is the strongest argument AGAINST this being the primary security strategy?
βœ… Correct: B. Training is a directive control β€” the weakest type. It guides behavior but doesn't technically stop, detect, or fix threats. Layering stronger controls (technical preventive, detective) must accompany any training initiative.

Part D β€” Evaluation Questions

Q8 β€” Evaluate
A security team is evaluating whether to deploy multi-factor authentication (MFA), install a SIEM system, or create a more detailed incident response policy. If the organization has NO existing incident detection capability, which should be the highest priority and why?
βœ… Best Answer: B β€” SIEM. Without detective capability, the organization cannot know when a breach occurs. MFA is valuable, but attackers bypass it. An IR policy (directive/corrective) is useless if you don't know you've been attacked. Detection enables all other responses β€” it's the prerequisite for a functioning security lifecycle.
0/8
Questions Answered Correctly