Security Practice Questions – CIA and AAA

As you delve into this section of the practice tests, prepare to be challenged on your comprehension of the fundamental tenets of information security. Often referred to as the six pillars, these principles—Confidentiality, Integrity, Availability, Authentication, Authorization, and Accounting—form the bedrock of secure information systems.

Each question has been crafted to gauge your understanding of how these principles interplay in various scenarios, ensuring that you not only know their definitions but can also apply them in real-world contexts. Dive in, think critically, and solidify your expertise in these essential areas of information security. This set of questions tests your knowledge of the six pillars of information security.

1. Sarah is responsible for managing access to a database. She ensures that users only have the permissions they need to perform their jobs. Which principle is she emphasizing?
a) Authentication
b) Authorization
c) Confidentiality
d) Accounting

Answer: b) Authorization
Explanations:
a) Authentication: Verifying the identity of a user. Sarah isn’t verifying their identities; she’s assigning permissions.
b) Authorization: Determining what a user has access to. This is what Sarah is doing by managing permissions.
c) Confidentiality: Keeping data secret. Sarah isn’t necessarily keeping the data secret; she’s managing who has access to what.
d) Accounting: Tracking user activities. The scenario doesn’t mention Sarah monitoring user actions.

2. John received an email with a link. The email claims it’s from his bank, but when he hovers over the link, it directs to a suspicious website. Which principle is potentially being violated?
a) Authentication
b) Integrity
c) Availability
d) Confidentiality

Answer: a) Authentication
Explanations:
a) Authentication: Ensuring that entities are who they claim to be. The email is not genuinely from the bank, violating this principle.
b) Integrity: Ensures data hasn’t been altered. The data here (the email) is deceptive but not altered in transit.
c) Availability: Ensuring data is accessible. The email doesn’t mention data access issues.
d) Confidentiality: Protecting data from unauthorized access. John’s data hasn’t been disclosed or accessed in the scenario.

3. A hospital’s patient information system goes offline for maintenance during peak hours, causing delays in patient care. Which security principle is directly impacted?
a) Authorization
b) Availability
c) Confidentiality
d) Accounting

Answer: b) Availability
Explanations:
a) Authorization: Permissions and rights are not at issue; the outage affects everyone regardless of what they are allowed to do.
b) Availability: Ensures systems and data are accessible when needed. The system going offline impacts this principle directly.
c) Confidentiality: There’s no indication that patient data was exposed.
d) Accounting: The scenario doesn’t touch on tracking user activities.

4. During an audit, IT staff cannot determine which users accessed a particular file last month. Which principle is lacking implementation?
a) Integrity
b) Accounting
c) Authentication
d) Authorization

Answer: b) Accounting
Explanations:
a) Integrity: The scenario doesn’t mention data alteration.
b) Accounting: This deals with tracking user activities. The lack of logs indicates a failure in implementing this principle.
c) Authentication: Identifying users. This isn’t the focus of the scenario.
d) Authorization: Assigning permissions. The scenario isn’t about permissions.

5. A developer insists on having access to the production environment, although his job doesn’t require it. Granting this access would violate which principle?
a) Authorization
b) Confidentiality
c) Authentication
d) Non-repudiation

Answer: a) Authorization
Explanations:
a) Authorization: Decides what each user is permitted to do, and the principle of least privilege says that should be no more than the job requires. Granting the developer production access he doesn't need violates this.
b) Confidentiality: This could also be impacted if the developer views confidential data, but the main issue here is permissions.
c) Authentication: The scenario doesn’t involve verifying the developer’s identity.
d) Non-repudiation: Ensures actions can’t be denied. This isn’t the issue in the scenario.

6. Data is transferred between two systems. To ensure the data remains unchanged during transfer, which principle should be enforced?
a) Integrity
b) Availability
c) Authorization
d) Confidentiality

Answer: a) Integrity
Explanations:
a) Integrity: Ensures data remains unchanged and trustworthy. This is the principle to uphold when data is transferred between systems.
b) Availability: This relates to system and data access, not data alteration.
c) Authorization: Permissions aren’t the concern in this scenario.
d) Confidentiality: While important, the focus here is on unchanged data, not keeping it secret.

7. After a recent breach, a company decides to require two forms of identification before allowing access to its systems. Which principle are they emphasizing?
a) Authentication
b) Accounting
c) Authorization
d) Availability

Answer: a) Authentication
Explanations:
a) Authentication: Verifying user identity. Requiring two forms of identification strengthens this principle.
b) Accounting: Tracking user actions isn’t the focus of the scenario.
c) Authorization: The company is trying to confirm user identities, not assign permissions.
d) Availability: The scenario isn’t about system uptime or data access.

8. A database administrator sets up a system to log all queries and changes made to a database. What principle is being emphasized?
a) Confidentiality
b) Authorization
c) Integrity
d) Accounting

Answer: d) Accounting
Explanations:
a) Confidentiality: The scenario isn’t about keeping data secret.
b) Authorization: Permissions aren’t the main concern here.
c) Integrity: While ensuring data remains unchanged is important, the scenario focuses on logging activities.
d) Accounting: This is about tracking and logging user actions, which aligns with the scenario.
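Questions 4 and 8 both turn on the same thing: whether an accounting record exists that can later answer "who touched this resource, and when". The following is an added example (not from the original page) of a minimal append-only audit log and the query an auditor would run against it. The user names, file name and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    """One accounting record: who did what, to which resource, when, with what result."""
    when: datetime
    principal: str   # the authenticated identity, never a shared or anonymous account
    action: str      # read, write, delete, query, ...
    resource: str
    outcome: str     # "allowed" or "denied"


class AuditLog:
    """Append-only accounting log. Records are never updated or removed,
    so the log can still answer questions months after the fact."""

    def __init__(self):
        self._events: list[AuditEvent] = []

    def record(self, when, principal, action, resource, outcome):
        if outcome not in ("allowed", "denied"):
            raise ValueError("outcome must be 'allowed' or 'denied'")
        self._events.append(AuditEvent(when, principal, action, resource, outcome))

    def who_accessed(self, resource, start, end):
        """The auditor's question from Q4: which principals successfully
        touched `resource` in the half-open window [start, end)."""
        return sorted({
            e.principal for e in self._events
            if e.resource == resource and e.outcome == "allowed"
            and start <= e.when < end
        })

    def denied_for(self, principal):
        """Failed attempts by one principal: the raw material for alerting."""
        return [e for e in self._events
                if e.principal == principal and e.outcome == "denied"]


# Audit window used by the demo (March 2024).
MARCH_2024 = (datetime(2024, 3, 1), datetime(2024, 4, 1))


def build_sample_log():
    """Constructed sample data: hypothetical users and file name, not from the quiz."""
    log = AuditLog()
    log.record(datetime(2024, 3, 2, 9, 15), "alice", "read", "payroll.xlsx", "allowed")
    log.record(datetime(2024, 3, 9, 14, 0), "bob", "write", "payroll.xlsx", "allowed")
    log.record(datetime(2024, 3, 20, 11, 30), "carol", "read", "payroll.xlsx", "denied")
    log.record(datetime(2024, 3, 21, 11, 31), "carol", "read", "payroll.xlsx", "denied")
    log.record(datetime(2024, 4, 1, 8, 0), "dave", "read", "payroll.xlsx", "allowed")  # outside window
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("accessed payroll.xlsx in March 2024:", log.who_accessed("payroll.xlsx", *MARCH_2024))
    print("denied attempts by carol:", len(log.denied_for("carol")))
```

Without the `principal` field being a verified individual identity (shared accounts break this), the log cannot answer the question, which is the gap described in Q4 and again in Q19.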

9. A company encrypts its sensitive documents to ensure only specific employees can read them. Which principle is this company prioritizing?
a) Integrity
b) Confidentiality
c) Availability
d) Authorization

Answer: b) Confidentiality
Explanations:
a) Integrity: While important, the company’s focus is on ensuring data secrecy, not ensuring it remains unchanged.
b) Confidentiality: Ensuring data remains hidden from those without the necessary permissions or keys. This is the principle being emphasized.
c) Availability: The scenario doesn’t touch on data access or system uptime.
d) Authorization: Although permissions are involved, the primary focus is on keeping data secret, not assigning permissions.

10. IT staff noticed that a user gained access to a system without completing multi-factor authentication. To prevent unauthorized access in the future, the company should improve which principle?
a) Accounting
b) Availability
c) Authentication
d) Authorization

Answer: c) Authentication
Explanations:
a) Accounting: This refers to logging user actions, not strengthening access controls.
b) Availability: The scenario doesn’t relate to system uptime or data access.
c) Authentication: Verifying user identity. The failure in multi-factor authentication shows a need to bolster this principle.
d) Authorization: The concern here is confirming the user’s identity, not the permissions they have.

11. A system administrator regularly rotates cryptographic keys and requires longer passphrases for system access. Which two principles are being prioritized?
a) Confidentiality & Authentication
b) Authorization & Integrity
c) Availability & Authorization
d) Accounting & Authentication

Answer: a) Confidentiality & Authentication
Explanations:
a) Confidentiality & Authentication: Rotating cryptographic keys limits how much data any one compromised key can expose, protecting confidentiality, and requiring longer passphrases makes the credential harder to guess, strengthening authentication.
b) Authorization & Integrity: These principles aren’t directly related to the actions described.
c) Availability & Authorization: The scenario doesn’t mention system uptime or access permissions.
d) Accounting & Authentication: While authentication is a focus, accounting (tracking/logging activities) isn't mentioned.

12. After several DDoS attacks, a company decides to distribute its resources to multiple locations to ensure continuous service. Which principle does this action underscore?
a) Availability
b) Confidentiality
c) Accounting
d) Authentication

Answer: a) Availability
Explanations:
a) Availability: Distributing resources ensures systems remain accessible even under attack.
b) Confidentiality: The scenario doesn’t discuss keeping data secret.
c) Accounting: The scenario doesn’t mention tracking user actions.
d) Authentication: The company isn’t focusing on verifying user identities here.

13. A finance company ensures that any transaction over $10,000 is logged and alerts the security team. This emphasizes which principle?
a) Accounting
b) Authorization
c) Availability
d) Integrity

Answer: a) Accounting
Explanations:
a) Accounting: Logging transactions is central to the accounting principle.
b) Authorization: The focus isn’t on user permissions.
c) Availability: The scenario doesn’t relate to system uptime or data access.
d) Integrity: Data alteration isn’t the scenario’s concern.

14. To ensure that a file hasn’t been tampered with during transfer, a company uses a method to compare the file’s value before and after the transfer. What is this method called?
a) Authorization Check
b) Encryption
c) Multi-factor Authentication
d) Hashing

Answer: d) Hashing
Explanations:
a) Authorization Check: This pertains to user permissions, not data integrity.
b) Encryption: Provides confidentiality, not integrity; ciphertext that carries no authentication tag can be altered without detection.
c) Multi-factor Authentication: This verifies user identity, not data integrity.
d) Hashing: A cryptographic hash such as SHA-256 maps data to a fixed-length digest, and any change to the input produces a different digest. Comparing the digest computed before transfer with the one computed after reveals tampering, provided the reference digest itself reached the verifier over a channel the attacker could not modify; otherwise the attacker simply recomputes it. Use SHA-256 or stronger, since MD5 and SHA-1 have practical collision attacks.
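As an added example (not from the original page) of the integrity check in Q14, the code below hashes a file-like object in chunks, compares the digest of what arrived against a reference digest, and shows that flipping a single bit is detected. The payload is a constructed byte string standing in for the transferred file.

```python
import hashlib
import hmac
import io


def sha256_stream(fileobj, chunk_size=64 * 1024) -> str:
    """Hex SHA-256 of a file-like object, read in chunks so a large file
    never has to be loaded into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_integrity(received, reference_digest: str) -> bool:
    """Recompute the digest of what arrived and compare it with the digest
    the sender published. compare_digest runs in constant time, so the
    comparison itself leaks nothing about how many characters matched."""
    return hmac.compare_digest(sha256_stream(received), reference_digest)


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate corruption or tampering in transit: one bit changes."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo():
    # Constructed sample payload standing in for the transferred file.
    original = b"GL 2024-Q1: wire 10,000.00 to account 1234\n" * 2000
    reference = sha256_stream(io.BytesIO(original))   # computed before transfer

    return {
        "digest": reference,
        "intact": verify_integrity(io.BytesIO(original), reference),
        "tampered": verify_integrity(io.BytesIO(flip_one_bit(original, 20)), reference),
    }


if __name__ == "__main__":
    result = demo()
    print("reference digest:", result["digest"])
    print("intact file verifies:", result["intact"])
    print("one-bit change verifies:", result["tampered"])
```

The check only proves integrity if `reference_digest` came from somewhere the attacker could not rewrite (a signed manifest, a separate channel, the sender's authenticated page). A digest shipped next to the file on the same untrusted channel is recomputed by anyone who alters the file.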

15. Users complain they cannot access a shared document because another person is editing it. This issue affects which security principle?
a) Confidentiality
b) Authentication
c) Availability
d) Authorization

Answer: c) Availability
Explanations:
a) Confidentiality: The scenario isn’t about keeping data secret.
b) Authentication: The scenario doesn’t touch on verifying user identities.
c) Availability: This principle ensures that resources are available when needed. The document being locked affects its availability.
d) Authorization: The problem isn’t about user permissions.

16. An organization implements a system where employees can only access the server room using a combination of a key card and fingerprint scan. This is an example of?
a) Single-factor Authentication
b) Dual-factor Authentication
c) Multi-level Authorization
d) Biometric Accounting

Answer: b) Dual-factor Authentication
Explanations:
a) Single-factor Authentication: Only one method of verification is used, whereas the scenario mentions two.
b) Dual-factor Authentication: Two different categories of factor, something you have (the key card) and something you are (the fingerprint), are combined; this is two-factor authentication (2FA). Two credentials from the same category, such as a password plus a PIN, would still count as a single factor.
c) Multi-level Authorization: This isn’t a standard term, and the scenario is about authentication, not permissions.
d) Biometric Accounting: While biometrics are used, accounting (tracking activities) isn’t the focus here.

17. A company’s system keeps track of failed login attempts and automatically locks accounts after three failures. Which principles are being emphasized?
a) Authentication & Accounting
b) Availability & Authorization
c) Integrity & Availability
d) Authorization & Integrity

Answer: a) Authentication & Accounting
Explanations:
a) Authentication & Accounting: The lockout protects the identity-verification step against password guessing (authentication), and the record of failed attempts is an accounting trail that can be reviewed later.
b) Availability & Authorization: The scenario doesn’t discuss system uptime or user permissions.
c) Integrity & Availability: Data alteration and system uptime aren’t the main concerns.
d) Authorization & Integrity: The scenario isn’t centered on permissions or ensuring data remains unchanged.
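An added example (not from the original page) of the control in Q17: a login guard that verifies a password, records every attempt, and locks the account after three consecutive failures for a fixed period. The user store, account name, source addresses and the injectable clock are constructed for the example; the fake clock lets the lockout expiry be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3
LOCKOUT_PERIOD = timedelta(minutes=15)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Authentication with lockout, plus an accounting trail of every attempt."""

    def __init__(self, users, clock):
        # users: name -> (salt, pbkdf2 hash). clock: callable returning the
        # current datetime, injected so expiry can be tested deterministically.
        self._users = users
        self._clock = clock
        self._failures = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}             # account -> datetime
        self.audit = []                     # (when, user, source_ip, result)
        dummy_salt = os.urandom(16)          # used for unknown usernames, see _check
        self._dummy = (dummy_salt, hash_password("unused", dummy_salt))

    def attempt(self, username, password, source_ip) -> str:
        now = self._clock()
        until = self._locked_until.get(username)
        if until is not None and now < until:
            # Even the correct password is refused while the lock is active.
            return self._log(now, username, source_ip, "locked")
        if self._check(username, password):
            self._failures[username] = 0
            self._locked_until.pop(username, None)
            return self._log(now, username, source_ip, "success")
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_PERIOD
            self._failures[username] = 0
        return self._log(now, username, source_ip, "failure")

    def _check(self, username, password) -> bool:
        # Do the same amount of work for unknown users so that response time
        # does not reveal which usernames exist.
        salt, stored = self._users.get(username, self._dummy)
        candidate = hash_password(password, salt)
        return username in self._users and hmac.compare_digest(candidate, stored)

    def _log(self, when, username, source_ip, result) -> str:
        self.audit.append((when, username, source_ip, result))
        return result


def build_demo():
    """Constructed user store and fake clock (hypothetical account and password)."""
    salt = os.urandom(16)
    users = {"alice": (salt, hash_password("correct horse battery staple", salt))}
    state = {"now": datetime(2024, 3, 1, 9, 0)}
    return LoginGuard(users, clock=lambda: state["now"]), state


def run_scenario():
    guard, state = build_demo()
    results = [guard.attempt("alice", "wrong-guess", "203.0.113.7") for _ in range(3)]
    # Fourth attempt uses the right password but the account is now locked.
    results.append(guard.attempt("alice", "correct horse battery staple", "203.0.113.7"))
    state["now"] += LOCKOUT_PERIOD            # lock expires
    results.append(guard.attempt("alice", "correct horse battery staple", "198.51.100.2"))
    return results, guard.audit


if __name__ == "__main__":
    results, audit = run_scenario()
    print(results)
    for entry in audit:
        print(entry)
```

Account lockout trades one principle for another: an attacker who knows valid usernames can lock everyone out deliberately, which is an availability problem. Production deployments usually pair it with per-source throttling or progressive delays so that a third party cannot weaponize the lock.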

18. Before accessing sensitive data, a user must provide a password, a smart card, and a retinal scan. This is an example of?
a) Triple-factor Authentication
b) Multi-factor Authorization
c) Biometric Encryption
d) Triple-level Integrity

Answer: a) Triple-factor Authentication
Explanations:
a) Triple-factor Authentication: Three distinct factors are combined: something you know (the password), something you have (the smart card), and something you are (the retinal scan). The usual term is three-factor or simply multi-factor authentication.
b) Multi-factor Authorization: The scenario focuses on authentication (verifying identity) not permissions.
c) Biometric Encryption: While biometrics are used, encryption isn’t the primary focus.
d) Triple-level Integrity: This isn’t a standard term and doesn’t relate to the scenario.

19. During an audit, a company discovers unauthorized access but struggles to ascertain which employee accessed the system. This situation highlights a deficiency in which principle?
a) Integrity
b) Authentication
c) Availability
d) Accounting

Answer: d) Accounting
Explanations:
a) Integrity: Data alteration isn’t the primary concern.
b) Authentication: The issue isn’t about verifying user identity but tracking actions.
c) Availability: The scenario doesn’t mention system uptime or access problems.
d) Accounting: A lack of logs or tracking emphasizes a shortfall in this principle.

20. An IT department implements a digital signature to ensure the source and content of a message remain unchanged during transmission. Which principles are being prioritized?
a) Confidentiality & Integrity
b) Authorization & Authentication
c) Accounting & Availability
d) Authentication & Integrity

Answer: d) Authentication & Integrity
Explanations:
a) Confidentiality & Integrity: While ensuring data remains unchanged is a focus, the scenario doesn’t emphasize keeping data secret.
b) Authorization & Authentication: Verifying the source of a message (authentication) is one focus, but permissions (authorization) aren’t.
c) Accounting & Availability: The scenario doesn’t touch on tracking user actions or system uptime.
d) Authentication & Integrity: Verifying the message's source and ensuring its content remains unchanged are the main focuses. Because only the holder of the private key could have produced the signature, a digital signature also gives non-repudiation, which a shared-secret MAC does not.
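The two properties in Q20, source authentication and integrity, can be shown with the Python standard library using an HMAC instead of a digital signature (the standard library has no public-key signing; an HMAC gives the same two properties between parties that share a key, but not non-repudiation). This is an added example, not from the original page; the key, the message and the attacker's key are constructed for it. It also shows why the bare hash from Q14 is not enough when the sender must be authenticated.

```python
import hashlib
import hmac
import os


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message. Only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute and compare in constant time. A mismatch means the message
    or the tag was altered, or the tag was made with a different key."""
    return hmac.compare_digest(tag(key, message), received_tag)


def hash_only_verify(message: bytes, digest: bytes) -> bool:
    """The Q14 check: integrity only, no notion of who sent the message."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def demo():
    key = os.urandom(32)          # shared between sender and receiver out of band (hypothetical)
    attacker_key = os.urandom(32)  # whatever the attacker has; not the shared key

    message = b"Transfer 10,000.00 to account 1234"
    genuine_tag = tag(key, message)

    tampered = b"Transfer 10,000.00 to account 9999"

    # Attacker rewrites the message and recomputes the accompanying plain hash.
    forged_pair = (tampered, hashlib.sha256(tampered).digest())

    return {
        "genuine_accepted": verify(key, message, genuine_tag),
        "content_change_rejected": not verify(key, tampered, genuine_tag),
        "outsider_tag_rejected": not verify(key, tampered, tag(attacker_key, tampered)),
        "bare_hash_accepts_forgery": hash_only_verify(*forged_pair),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The receiver learns two things from a valid tag: the content is what the key holder sent (integrity) and a key holder sent it (source authentication). With a real digital signature the private key is held by one party only, which is what upgrades "a key holder" to "this specific signer" and adds non-repudiation.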

21. A user can view and edit a document but cannot delete it. This scenario is governed by which principle?
a) Availability
b) Authentication
c) Authorization
d) Integrity

Answer: c) Authorization
Explanations:
a) Availability: The scenario doesn’t relate to system uptime or access problems.
b) Authentication: The issue isn’t about verifying user identity.
c) Authorization: Permissions, like viewing, editing, and deleting, fall under this principle.
d) Integrity: The scenario doesn’t focus on ensuring data remains unchanged.

22. To ensure employees don’t unintentionally modify data, a company makes regular backups and checks data consistency using algorithms. Which principle is being prioritized?
a) Confidentiality
b) Integrity
c) Authorization
d) Authentication

Answer: b) Integrity
Explanations:
a) Confidentiality: The actions taken aren’t about keeping data secret.
b) Integrity: Consistency checks detect unintended changes and backups allow the data to be restored to a known-good state, so both serve this principle.
c) Authorization: The scenario doesn’t center on user permissions.
d) Authentication: The actions don’t relate to verifying user identities.

23. A system requires users to change their passwords every 30 days. This practice emphasizes which principle?
a) Confidentiality
b) Integrity
c) Authentication
d) Authorization

Answer: c) Authentication
Explanations:
a) Confidentiality: The focus isn’t on keeping data secret.
b) Integrity: The scenario isn’t about ensuring data remains unchanged.
c) Authentication: Password expiry is a control on the credential used to verify identity, so it belongs to this principle. Note that current guidance (NIST SP 800-63B) advises against forcing periodic changes unless there is evidence of compromise, because it pushes users toward predictable variations; the principle targeted is still authentication.
d) Authorization: The focus isn’t on user permissions.

24. To monitor resource usage and identify potential breaches, an organization keeps detailed logs of user activity and analyzes them regularly. This emphasizes which principle?
a) Authorization
b) Authentication
c) Accounting
d) Availability

Answer: c) Accounting
Explanations:
a) Authorization: User permissions aren’t the scenario’s focus.
b) Authentication: The actions don’t center on verifying user identities.
c) Accounting: Keeping and analyzing detailed logs falls squarely under this principle.
d) Availability: The scenario doesn’t touch on system uptime or access problems.

25. A company restricts access to its main server by using biometric measures, ensuring only authorized personnel can enter. This underscores which principle?
a) Authentication
b) Authorization
c) Availability
d) Integrity

Answer: b) Authorization
Explanations:
a) Authentication: The biometric scan verifies who the person is, but the question asks what the restriction enforces: who may enter.
b) Authorization: Limiting entry to personnel who are permitted to be there is an authorization decision; the biometric check is the authentication step that feeds it.
c) Availability: The scenario doesn’t discuss system uptime.
d) Integrity: The scenario doesn’t focus on ensuring data remains unchanged.

26. Before sending sensitive information, a company encrypts the data, ensuring only the intended recipient can decrypt it. This practice underscores which principle?
a) Integrity
b) Confidentiality
c) Authentication
d) Authorization

Answer: b) Confidentiality
Explanations:
a) Integrity: The scenario isn’t about ensuring data remains unchanged.
b) Confidentiality: Encrypting data to ensure only certain individuals can access it emphasizes this principle.
c) Authentication: The actions don’t center on verifying user identities.
d) Authorization: The scenario doesn’t discuss user permissions in depth.

27. An application checks user permissions before granting access to certain modules, ensuring only those with the right permissions can use them. This process demonstrates which principle?
a) Authentication
b) Authorization
c) Accounting
d) Confidentiality

Answer: b) Authorization
Explanations:
a) Authentication: The application isn’t primarily verifying user identity.
b) Authorization: Checking permissions before granting access to modules underscores this principle.
c) Accounting: The scenario doesn’t discuss tracking user actions.
d) Confidentiality: While there’s an element of keeping data from unauthorized users, the main focus is on permissions.
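Questions 1, 5, 21 and 27 all describe the same mechanism: a permission check, made after authentication has established who the user is, that grants no more than the job requires. The following is an added example (not from the original page) of a deny-by-default authorization check and a least-privilege role selection. The roles, actions and the user name are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Action(str, Enum):
    VIEW = "view"
    EDIT = "edit"
    DELETE = "delete"
    DEPLOY = "deploy"


# Role -> actions it may perform. Anything not listed is denied (deny by default).
# Hypothetical roles for the example.
ROLE_ACTIONS = {
    "viewer":   {Action.VIEW},
    "editor":   {Action.VIEW, Action.EDIT},
    "owner":    {Action.VIEW, Action.EDIT, Action.DELETE},
    "operator": {Action.VIEW, Action.DEPLOY},
}


@dataclass(frozen=True)
class Session:
    """What authentication established: a verified identity and its roles.
    Authorization consumes this; it never re-checks the password."""
    principal: str
    roles: frozenset


class AuthorizationError(PermissionError):
    pass


def is_allowed(session: Session, action: Action) -> bool:
    # Unknown roles contribute nothing, so a typo in a role name cannot grant access.
    return any(action in ROLE_ACTIONS.get(role, set()) for role in session.roles)


def require(session: Session, action: Action) -> None:
    """Enforcement point to call before the privileged operation runs."""
    if not is_allowed(session, action):
        raise AuthorizationError(f"{session.principal} may not {action.value}")


def least_privilege_role(needed: set) -> str:
    """Pick the role with the fewest actions that still covers everything the
    job needs (Q1, Q5). Refuses rather than over-granting when nothing fits."""
    candidates = [role for role, acts in ROLE_ACTIONS.items() if needed <= acts]
    if not candidates:
        raise AuthorizationError(
            f"no role covers exactly {sorted(a.value for a in needed)}")
    return min(candidates, key=lambda role: len(ROLE_ACTIONS[role]))


def demo():
    # Q21: a user who may view and edit a document but not delete it.
    alice = Session("alice", frozenset({"editor"}))
    try:
        require(alice, Action.DELETE)
        delete_blocked = False
    except AuthorizationError:
        delete_blocked = True
    return {
        "editor_can_view": is_allowed(alice, Action.VIEW),
        "editor_can_edit": is_allowed(alice, Action.EDIT),
        "editor_can_delete": is_allowed(alice, Action.DELETE),
        "delete_blocked": delete_blocked,
        # Q1/Q5: a job that needs view+edit gets "editor", not "owner".
        "role_for_view_edit": least_privilege_role({Action.VIEW, Action.EDIT}),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The split between `Session` and `is_allowed` is the point of Q27: the application trusts the identity that authentication produced and makes a separate decision about what that identity may do.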

28. A company uses a combination of username/password and hardware token for access to a secure system. This combination aims to improve which security principle?
a) Authentication
b) Authorization
c) Accounting
d) Availability

Answer: a) Authentication
Explanations:
a) Authentication: Using multiple methods to verify identity emphasizes this principle.
b) Authorization: The scenario doesn’t focus on user permissions.
c) Accounting: The actions taken aren’t about tracking user activities.
d) Availability: The scenario doesn’t relate to system uptime or access.

29. A system where employees clock in and out using a biometric fingerprint scanner aims to ensure the accuracy and reliability of attendance data. This scenario prioritizes which principle?
a) Integrity
b) Authentication
c) Authorization
d) Availability

Answer: a) Integrity
Explanations:
a) Integrity: Ensuring the accuracy and reliability of data emphasizes this principle.
b) Authentication: While the system verifies identity, its main purpose is to ensure data accuracy.
c) Authorization: The scenario isn’t centered on user permissions.
d) Availability: The system’s uptime or access isn’t the main focus.

30. After noticing a spike in resource use, an IT team traces the anomaly to a specific user. However, further investigation reveals that the user’s credentials were stolen. This breach affected which security principles?
a) Authentication & Authorization
b) Availability & Integrity
c) Accounting & Authentication
d) Confidentiality & Authorization

Answer: a) Authentication & Authorization
Explanations:
a) Authentication & Authorization: Stolen credentials directly compromise the verification of identity and potentially grant unauthorized permissions.
b) Availability & Integrity: While resource use was affected, the main breach was unauthorized access.
c) Accounting & Authentication: The focus isn’t on tracking user actions.
d) Confidentiality & Authorization: While unauthorized access was granted, the data’s secrecy wasn’t the primary concern.

Cover Image by WangXiNa on Freepik
