[CCCure CISSP] Qs4 Access Control: cccure QuizEngn doubts


Amlan Deb
Hello everyone,
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them. Request you to please provide a quick reply as I need to appear for the exam in the month of July.




1. Question: 887 | Difficulty: 5/5 | Relevancy: 3/3

Which of the following is NOT a compensating measure for access violations?

o Backups
o Business continuity planning
o Insurance
o Security awareness

You did not provide any answer to this question. Please review details below.

Security awareness is a preventive measure, not a compensating measure for access violations.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 50).

Contributor: Christian Vezina

Covered topic: Control types


My doubt:


#1: I realize that we need to stay in the context of the question at hand (given Qs + 4 options = your world), but for my understanding please clarify what kind of controls these are:


Backup – (is it a Recovery control?)

BCP - (is it a Recovery control?)

Insurance - ?

(Security Awareness = Preventive control as confirmed by the explanation as well)



#2: As per Shon Harris AIO 5th Edition (Pg 239): Any control can really end up being a compensating control. An organization would choose a compensating control if another control is too expensive but protection is still needed.


So no control is a Compensating control to begin with and at all times. Then how do we really determine which Control is a compensating control and which one is not?

