COMPLETE QUESTIONS AND CORRECT
ANSWERS GRADED A+
●● The cornerstone of all security: Everything done in security addresses
one or more of these three things
Confidentiality, Integrity, Availability
Confidentiality - Only those who need to access something can; ties into
principle of least privilege
Integrity - data is edited correctly and by the right people. Failure ex.:
Delta $5 round-trip tickets to anywhere Delta flies / attack on
pricing database
Availability - If you cannot use it, why do you have it?
Answer: CIA Triad
●● Pharmaceuticals and government, research.
Answer: Confidentiality
●● Financials maintained in part by confidentiality.
Answer: Integrity
●● eCommerce ex.: Amazon makes $133,000 per minute, thus denial of
service is a critical business impact; a power company needs to keep the
lights on = availability issue.
Answer: Availability
●● Authentication, Authorization, Accountability.
Answer: AAA
●● Detailed steps to make policy happen.
Answer: Procedure
●● Policy, Procedure and Training.
Answer: PPT
●● Users must know what policies and procedures say to follow them.
Answer: Training
●● Broad general statement of management's intent to protect
information.
Answer: Policy
●● A security professional needs to be:
1/3 technologist
1/3 manager
1/3 lawyer
-This is the perfect summation of the career field.
-Technology supports security efforts
-Management decisions (and budgets) drive security
-Legal issues mandate security requirements.
Answer: Security by Thirds
●● Senior Mgmt:
-Has legal responsibility to protect the assets of the org:
That gives them the ultimate responsibility for security
-Authority can be delegated - responsibility cannot be
Data owner - person or office with primary responsibility for data;
owners determine classification, protective measures and more
Data custodian - the person/group that implements the controls; makes
the decisions of the owner happen
Users - use data; are also automatically data custodians.
Answer: Security Roles and Responsibilities
●● safety of people.
Answer: Number 1 Goal of Security
●● years ago: teenagers
today: we face organized crime and nation states
-well funded
-highly motivated
Disgruntled insider: difficult to counter; tends to be subtle; often
damaging or even devastating
Accidental insider: common; also tends to be subtle; in aggregate - even
more damaging
Outsider threat source - inside threat actor: a growing problem, the
current most-common attack vector
2014 - 47% of U.S. adults had private data compromised in a breach
(NBC News)
FBI can prove it was North Korea that attacked Sony.
Answer: Nature of the Threat
●● .
Answer: Security Policy