Exam CISSP topic 1 question 43 discussion

CISSP Official Study Guide pg 73 - Defense in depth includes administrative, technical (logical) and physical controls. What's listed is only physical controls. Answer is D.

MFA + physical layer. (defense in depth)

While defense-in-depth includes perimeter security, the description focuses specifically on the outer layer of security: physical barriers, card/PIN access, cameras, alarms, and guards. These elements work together to control and monitor access to a secured area, which is the core concept of a security perimeter. Defense-in-depth would encompass multiple layers of security beyond just the perimeter.

The correct answer is: C. Defense-in-depth Explanation: The scenario describes multiple layers of security controls designed to protect an organization's assets. This approach is known as defense-in-depth, which involves implementing various types of security measures at different levels to create overlapping defenses. The goal is to ensure that if one security measure is bypassed, others remain in place to mitigate the risk. Breakdown of Components in the Scenario: Physical barriers: Prevent unauthorized access to facilities. Card and PIN access systems: Provide an additional layer of authentication. Cameras and alarms: Detect and deter unauthorized activities. Security guards: Act as a human layer of enforcement and monitoring. Each of these components contributes to an overall strategy of layering security to protect against a range of threats.

In my opinion, the correct answer is “A” – Access control. SIEM is not dealing with physical controls and instead focuses on data collection and analysis, regarding a completely different layer. Defense-in-depth describes a concept of multiple layers of security controls that provides security in case of the failure of one or more layers. I can’t see this approach here. Security perimeter would describe the subset of physical access controls that are described here (e.g. physical barriers), but overall I’d say that “Access control” would be the broader definition to include all of the mentioned measurements.

Defense-in-depth is a comprehensive security strategy that employs multiple layers of security controls across various levels of an organization to protect against threats. The idea is to create a layered defense, so if one security measure fails, other layers still provide protection. The components mentioned—physical barriers, card and PIN access systems, cameras, alarms, and security guards—are all elements of physical security and access control, which are part of a broader defense-in-depth strategy. These measures work together to provide redundancy, so even if one layer is bypassed, others are still in place to protect the organization.

Defense-in-depth, does indeed encompass the elements described in option D, Security perimeter, along with additional layers of security measures.

C is the correct answer, A security perimeter example is a firewall,

Defense-in-depth is a security strategy that employs multiple layers of security controls to protect an organization's assets. The use of physical barriers, card and PIN access systems, cameras, alarms, and security guards exemplifies this approach, as it combines various security measures to provide a comprehensive defense against unauthorized access or threats. The other options are less accurate in this context: A. Access control focuses specifically on the policies and procedures for granting or denying access to resources. B. Security information and event management (SIEM) refers to systems that aggregate and analyze security data from various sources, which is not directly related to physical security measures. D. Security perimeter typically refers to the boundary around an organization’s physical or network environment but does not encompass the multi-layered nature of defense-in-depth.

I feel like C is most appropriate. A perimeter is just one layer, more like a fence. Imagine walking in to a facility with all these controls mentioned as you approach from the gate, to the parking lot, and finally the building entrance.

A. Access control: This refers specifically to mechanisms that manage who or what is allowed to access resources, which would include card and PIN systems but not necessarily the broader range of physical security measures mentioned. B. Security information and event management (SIEM): This involves the collection, analysis, and reporting of security data from various sources, primarily focused on digital events rather than physical security measures. C. Defense-in-depth: This is a comprehensive strategy that integrates multiple layers of security, including both physical and logical controls. The description given fits this approach as it includes multiple layers of physical security measures. D. Security perimeter: This generally refers to the boundary that separates a secured area from a non-secured area. While it can include some of the elements mentioned, it does not fully encapsulate the range of security measures described.

Def in depth. physical barrier and knowing a PIN number is already different controls.

C. Defense-in-depth The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards best describes a defense-in-depth security approach. Defense-in-depth is a layered security strategy that employs multiple, overlapping security measures to protect assets. This approach ensures that if one security measure fails, others are in place to provide continued protection. By implementing a variety of security controls across different layers (physical, technical, and administrative), organizations can better safeguard their resources against various threats.

I was tempted to go with A, but after reading the CBK Reference book, I concluded the answer is D. The key phrase is "security approach." While all those mentioned are access control methods, when applied together, it is a defense-in-depth security approach.

Don't overthink it

I agree with C:, however, Microsoft Co-Pilot states it's D.

From OSG (pg. 1006). The existence of zero-day vulnerabilities makes it critical that you have a defense-in-depth approach to cybersecurity that incorporates a varied set of --'overlapping security controls'.