CND MODULE 3 QUESTIONS AND ANSWERS
What are the three elements of network security? - CORRECT ANSWER✅✅Network Security Controls,
Network Security Protocols, Network Security Devices
What are network security controls? - CORRECT ANSWER✅✅The security features that should be
appropriately configured and implemented to ensure network security. The cornerstones of any
systematic discipline of security. Security controls work together to allow or restrict access to
organization's resources based on identity management.
What are network security protocols? - CORRECT ANSWER✅✅Protocols implement security related
operations to ensure the security and integrity of data in transit. Ensure the security of data passing
through the network. Implement methods that restrict unauthorized users from accessing the network.
Use encryption and cryptographic techniques to maintain security of messages passing through the
network.
What are network security devices? - CORRECT ANSWER✅✅Devices that are deployed to protect
computer networks from unwanted traffic and threats. These devices can be categorized into active
devices, passive devices, and preventative devices. Also consists of UTM, which combines features of all
the devices.
What are the 7 network security controls? - CORRECT ANSWER✅✅Access Control, Identification,
Authentication, Authorization, Accounting, Cryptography, Security Policy
What are access controls? - CORRECT ANSWER✅✅The selective restriction of access to a place or other
system/network resource. Protects information assets by determining who can an cannot access them.
Involves user identification, authentication, authorization, and accountability. Method for reducing the
risk of data getting affected by providing limited access to users for accessing computer resources. Helps
maintain integrity, confidentiality, and availability of information. Grants permissions based on user's
access permissions and associated roles. Includes file permissions, program permissions, and data rights.
What are the 4 main access control terms? - CORRECT ANSWER✅✅Subject, Object, Reference Monitor,
Operation
What is an access control subject? - CORRECT ANSWER✅✅User or process, which attempts to access
the objects. Subjects are those entities that perform certain actions on the system.
,What is an access control object? - CORRECT ANSWER✅✅An explicit resource on which access
restriction is imposed. Access controls implemented on the objects further control actions performed by
the user.
What is an access control reference monitor? - CORRECT ANSWER✅✅Monitors the restrictions
imposed according to certain access control rules. Implements a set of rules on the ability of the subject
to perform certain actions on the object.
What is an access control operation? - CORRECT ANSWER✅✅An action performed by the subject on
the object. For example, user trying to delete a file. Here, the user is the subject, delete is the operation,
and file is the object.
What are the access control principles? What are the general steps in access control? - CORRECT
ANSWER✅✅Deals with restricting or allowing the access controls to users or processes. Step 1. Users
have user have to provide their credentials while logging into the system. Step 2. System validates users
with the provided credentials such as password, fingerprint, etc. with the database. Step 3. Once the
identification is successful, the system provides the user with access to the system. 4. The system then
allows the user to perform only those operations or access only those resources for which the user is
authorized.
what are the 3 main parts for an access control instruction? - CORRECT ANSWER✅✅Target -
Permissions are set for certain attributes and entities. These attributes and entities are known as
targets. Permissions - Permissions set for the target explains the actions allowed or denied for those
targets. Bind Rule - Specifies the subject to access control instructions.
What are the 9 administrative access controls? - CORRECT ANSWER✅✅Security Policy, Monitoring and
supervising, Separation of duties, Job rotation, Information classification, Personnel procedures,
Investigations, Testing, Security awareness and training.
What is security policy and procedure (access controls)? - CORRECT ANSWER✅✅Determine the method
of implementing security practices in an organization. These specify the extent to which the company
can accept a risk and specifies the level of actions allows in the organization.
, What is personnel controls/procedures (access controls)? - CORRECT ANSWER✅✅Determine the
methods by which employees may handle the security principles. Personnel controls specify the steps
taken in the case of any non-compliance issue. The change of security determines the steps taken right
from the hiring of an employee until the employee leaves or shift to any other department.
What is supervisory structure (access controls)? - CORRECT ANSWER✅✅Supervisory structure consists
of members that are responsible for the actions performed by the other employees in the organization
in the context of security.
What is security awareness and training (access controls)? - CORRECT ANSWER✅✅Trains employees I
an organization about the importance of access control. The training assists the employees to limit the
attacks in the network and assists them in detecting and controlling the viruses and worms.
What is testing (access controls)? - CORRECT ANSWER✅✅Testing of the access controls brings out the
weaknesses in the network, checks if all the access controls are working properly and evaluate the
procedures and policies aligned for the proper functioning of the organization.
What is job rotation (access controls)? - CORRECT ANSWER✅✅Job rotation improves error detection
and fraud disclosures. Job rotation policy along with separation of duties is a good administrative access
control. However, job rotation prevents employees to take up multiple roles at a time, which adds
overhead to access control system. One needs to be aware of the impact of job rotation on access
control system.
What is separation of duties (access controls)? - CORRECT ANSWER✅✅Separation of duties comes into
play when a single operation requires more than one person to complete it. When one individual is
responsible for completing a task, it gives them more power and the security risk is high. Whereas, if the
same task is accomplished by a team of people, proper checks and balances are maintained and there is
less chance for errors.
What is information classification (access controls)? - CORRECT ANSWER✅✅Implementing access
control is impossible without information classification. The information can be classified as: public,
private, secret, proprietary, confidential, etc. Process of information classification: 1. Understand data
classification project goals. 2. Build data classification policy. 3. Build data classification standards. 4.
Create tools to support the process. 5. Determine application owners. 6. Determine data owners and
data owner delegates. 7. Categorize information. 8. Define the audit process. 9. Save information in a
repository. 10. Give user training. 11. Review and update information classification at regular intervals.
What are the three elements of network security? - CORRECT ANSWER✅✅Network Security Controls,
Network Security Protocols, Network Security Devices
What are network security controls? - CORRECT ANSWER✅✅The security features that should be
appropriately configured and implemented to ensure network security. The cornerstones of any
systematic discipline of security. Security controls work together to allow or restrict access to
organization's resources based on identity management.
What are network security protocols? - CORRECT ANSWER✅✅Protocols implement security related
operations to ensure the security and integrity of data in transit. Ensure the security of data passing
through the network. Implement methods that restrict unauthorized users from accessing the network.
Use encryption and cryptographic techniques to maintain security of messages passing through the
network.
What are network security devices? - CORRECT ANSWER✅✅Devices that are deployed to protect
computer networks from unwanted traffic and threats. These devices can be categorized into active
devices, passive devices, and preventative devices. Also consists of UTM, which combines features of all
the devices.
What are the 7 network security controls? - CORRECT ANSWER✅✅Access Control, Identification,
Authentication, Authorization, Accounting, Cryptography, Security Policy
What are access controls? - CORRECT ANSWER✅✅The selective restriction of access to a place or other
system/network resource. Protects information assets by determining who can an cannot access them.
Involves user identification, authentication, authorization, and accountability. Method for reducing the
risk of data getting affected by providing limited access to users for accessing computer resources. Helps
maintain integrity, confidentiality, and availability of information. Grants permissions based on user's
access permissions and associated roles. Includes file permissions, program permissions, and data rights.
What are the 4 main access control terms? - CORRECT ANSWER✅✅Subject, Object, Reference Monitor,
Operation
What is an access control subject? - CORRECT ANSWER✅✅User or process, which attempts to access
the objects. Subjects are those entities that perform certain actions on the system.
,What is an access control object? - CORRECT ANSWER✅✅An explicit resource on which access
restriction is imposed. Access controls implemented on the objects further control actions performed by
the user.
What is an access control reference monitor? - CORRECT ANSWER✅✅Monitors the restrictions
imposed according to certain access control rules. Implements a set of rules on the ability of the subject
to perform certain actions on the object.
What is an access control operation? - CORRECT ANSWER✅✅An action performed by the subject on
the object. For example, user trying to delete a file. Here, the user is the subject, delete is the operation,
and file is the object.
What are the access control principles? What are the general steps in access control? - CORRECT
ANSWER✅✅Deals with restricting or allowing the access controls to users or processes. Step 1. Users
have user have to provide their credentials while logging into the system. Step 2. System validates users
with the provided credentials such as password, fingerprint, etc. with the database. Step 3. Once the
identification is successful, the system provides the user with access to the system. 4. The system then
allows the user to perform only those operations or access only those resources for which the user is
authorized.
what are the 3 main parts for an access control instruction? - CORRECT ANSWER✅✅Target -
Permissions are set for certain attributes and entities. These attributes and entities are known as
targets. Permissions - Permissions set for the target explains the actions allowed or denied for those
targets. Bind Rule - Specifies the subject to access control instructions.
What are the 9 administrative access controls? - CORRECT ANSWER✅✅Security Policy, Monitoring and
supervising, Separation of duties, Job rotation, Information classification, Personnel procedures,
Investigations, Testing, Security awareness and training.
What is security policy and procedure (access controls)? - CORRECT ANSWER✅✅Determine the method
of implementing security practices in an organization. These specify the extent to which the company
can accept a risk and specifies the level of actions allows in the organization.
, What is personnel controls/procedures (access controls)? - CORRECT ANSWER✅✅Determine the
methods by which employees may handle the security principles. Personnel controls specify the steps
taken in the case of any non-compliance issue. The change of security determines the steps taken right
from the hiring of an employee until the employee leaves or shift to any other department.
What is supervisory structure (access controls)? - CORRECT ANSWER✅✅Supervisory structure consists
of members that are responsible for the actions performed by the other employees in the organization
in the context of security.
What is security awareness and training (access controls)? - CORRECT ANSWER✅✅Trains employees I
an organization about the importance of access control. The training assists the employees to limit the
attacks in the network and assists them in detecting and controlling the viruses and worms.
What is testing (access controls)? - CORRECT ANSWER✅✅Testing of the access controls brings out the
weaknesses in the network, checks if all the access controls are working properly and evaluate the
procedures and policies aligned for the proper functioning of the organization.
What is job rotation (access controls)? - CORRECT ANSWER✅✅Job rotation improves error detection
and fraud disclosures. Job rotation policy along with separation of duties is a good administrative access
control. However, job rotation prevents employees to take up multiple roles at a time, which adds
overhead to access control system. One needs to be aware of the impact of job rotation on access
control system.
What is separation of duties (access controls)? - CORRECT ANSWER✅✅Separation of duties comes into
play when a single operation requires more than one person to complete it. When one individual is
responsible for completing a task, it gives them more power and the security risk is high. Whereas, if the
same task is accomplished by a team of people, proper checks and balances are maintained and there is
less chance for errors.
What is information classification (access controls)? - CORRECT ANSWER✅✅Implementing access
control is impossible without information classification. The information can be classified as: public,
private, secret, proprietary, confidential, etc. Process of information classification: 1. Understand data
classification project goals. 2. Build data classification policy. 3. Build data classification standards. 4.
Create tools to support the process. 5. Determine application owners. 6. Determine data owners and
data owner delegates. 7. Categorize information. 8. Define the audit process. 9. Save information in a
repository. 10. Give user training. 11. Review and update information classification at regular intervals.
