The (ISC)² Code of Ethics is structured around four mandatory canons that all members must adhere to. The official canons are:

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.

2. Act honorably, honestly, justly, responsibly, and legally.

3. Provide diligent and competent service to principals.

4. Advance and protect the profession.

Option B states, "Provide active and qualified service to principal." While similar in intent to the third canon, the official wording is "diligent and competent," not "active and qualified." This distinction makes option B not an official canon of the (ISC)² Code of Ethics.

A. This is a direct statement of the first canon of the (ISC)² Code of Ethics.

C. This is a direct statement of the fourth canon of the (ISC)² Code of Ethics.

D. This is a direct statement of the second canon of the (ISC)² Code of Ethics.

1. (ISC)². (2024). Code of Ethics. (ISC)² Official Documentation. Retrieved from https://www.isc2.org/Ethics. The four canons are listed in the "Preamble" and "Canons" sections.

2. University of Washington. (n.d.). Professional Codes of Ethics. UW Information Technology. Retrieved from https://itconnect.uw.edu/work/professional-development/professional-codes-of-ethics/. This page explicitly lists the four (ISC)² Code of Ethics canons under the "(ISC)²" section.

The main purpose of an Acceptable Use Policy (AUP) is to serve as a foundational administrative control that clearly communicates an organization's expectations to users. It defines the rules, responsibilities, and acceptable behaviors for individuals accessing and using corporate information technology (IT) resources, such as networks, computers, and data. The AUP explicitly outlines what activities are permitted and prohibited, thereby establishing a clear standard of conduct. This policy is crucial for managing risk, protecting organizational assets, and providing a formal basis for enforcing security rules and taking disciplinary action in case of violations.

B. Monitoring is a technical or procedural control used to enforce policies like the AUP, not the primary purpose of the policy document itself.

C. This describes a Password Policy, a specific document that sets standards for password creation and management, which is often referenced within a broader AUP.

D. While an AUP is a critical component that contributes to security, its specific purpose is to govern user behavior, not to be the sole mechanism that "ensures" security.

1. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 5

Security and Privacy Controls for Information Systems and Organizations. Control PL-4

"Rules of Behavior

" directly corresponds to the function of an AUP. The control states that an organization must "establish and make readily available to individuals requiring access to the system the rules that describe their responsibilities and expected behavior with regard to information and system usage." This directly supports that the purpose is to inform users of expectations.

2. National Institute of Standards and Technology (NIST) Special Publication 800-12

Revision 1

An Introduction to Information Security. In Section 4.2.1

"Policies

" it is stated that "Policies are the documents that codify an organization’s security requirements

responsibilities

and expectations." This aligns with the AUP's role in communicating expectations for system use.

3. Stanford University

Administrative Guide Memo 6.2.1

Computer and Network Usage Policy. The "Purpose" section of this policy states its goal is to "ensure that use of these resources is consistent with the university's educational goals and legal obligations." This exemplifies how an AUP's primary function is to define the expected and appropriate use of systems.

Detective access controls are implemented to identify and alert on security incidents or policy violations after they have occurred or as they are occurring. An Intrusion Detection System (IDS) is a quintessential detective tool. Its primary function is to monitor network traffic or system activities for suspicious patterns, known attack signatures, or anomalies. When a potential threat is identified, the IDS generates an alert, enabling security personnel to investigate and respond. This directly strengthens an organization's ability to detect unauthorized access and other security events.

A. Patches: This is a preventive and corrective control. It fixes known vulnerabilities to prevent them from being exploited in the first place.

B. Backups: This is a corrective and recovery control. It is used to restore data and systems to a known-good state after a security incident has caused damage or loss.

D. Encryption: This is a preventive control. It renders data unreadable to unauthorized parties, thereby preventing a breach of confidentiality, but it does not detect access attempts.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). Section 3.3

Control SI-4

"System Monitoring

" describes the function of monitoring systems to "detect attacks and indicators of potential attacks" and "unauthorized local

network

and remote connections

" which is the core purpose of an IDS as a detective control. (p. 299).

2. Bauer

L. (2019). 18-730: Introduction to Computer Security

Lecture 2: Security Policies & Controls. Carnegie Mellon University. Slide 19

"Types of Controls

" explicitly categorizes "Intrusion detection systems" under the "Detective" control type.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM

18(7)

387–408. This foundational paper discusses security principles. While it doesn't use the modern "detective" term

it describes the principle of "audit trail" (Section I.A.5)

which is the basis for detective controls like IDS that analyze activity logs to detect intrusions. DOI: https://doi.org/10.1145/361011.361062

The Payment Card Industry Data Security Standard (PCI-DSS) is a global information security standard created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). Its primary and explicit objective is to enhance the security of cardholder data and promote a secure environment for accepting, processing, storing, or transmitting credit card information. The standard provides a baseline of technical and operational requirements designed to protect account data and prevent credit card fraud.

A. Change Management is a specific procedural requirement within the PCI-DSS framework (e.g., Requirement 6), not the overall objective of the standard itself.

B. While cardholder data is a type of Personally Identifiable Information (PII), the scope of PCI-DSS is narrowly focused on payment card data, not all forms of PII.

C. Protected Health Information (PHI) is the specific focus of healthcare regulations such as the Health Insurance Portability and Accountability Act (HIPAA), not PCI-DSS.

1. PCI Security Standards Council. Payment Card Industry (PCI) Data Security Standard

Requirements and Testing Procedures

Version 4.0. (March 2022). Page 8

Section "Introduction." The document states

"The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."

2. Carnegie Mellon University

Information Security Office. PCI DSS Compliance. The university's official documentation states

"The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept

process

store or transmit credit card information maintain a secure environment."

3. Cornell University

IT Security & Policy. Regulated Data Chart. The chart explicitly defines PCI as applying to "Credit/debit card numbers..." and distinguishes it from PII and PHI

which are governed by different regulations. This clarifies the distinct and primary focus of the standard.

Software as a Service (SaaS) is a cloud computing model that delivers complete, ready-to-use software applications to end-users over the internet. In this model, the cloud provider hosts and manages the entire technology stack, including the application, underlying servers, storage, and networking. A ready-to-use email service, such as Gmail or Microsoft 365, is a quintessential example of SaaS. The user simply accesses the service through a web browser or client application without any responsibility for maintaining or managing the infrastructure or the email platform itself.

A. CaaS: Communications as a Service (CaaS) is a specialized subset of SaaS. While email is a communication tool, SaaS is the broader, fundamental service category for a complete software application.

B. PaaS: Platform as a Service (PaaS) provides a platform and environment for developers to build, deploy, and manage applications, not a finished, ready-to-use application like an email service.

D. IaaS: Infrastructure as a Service (IaaS) provides fundamental computing resources like virtual servers and storage. The user would be responsible for installing and managing the operating system and the email server software.

1. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). National Institute of Standards and Technology. In Section 2

"Service Models

" SaaS is defined as the capability for a consumer "to use the provider’s applications running on a cloud infrastructure." The document notes that this model means the consumer does not manage the underlying infrastructure. Web-based email is a commonly cited example of this model.

2. Buyya

R.

Vecchiola

C.

& Thamarai Selvi

S. (2013). Mastering Cloud Computing: Foundations and Applications Programming. Morgan Kaufmann. In Chapter 3

"Cloud Computing Architecture

" Section 3.3.3

"Software as a Service (SaaS)

" the authors explicitly list "web-based e-mail" as a characteristic example of a SaaS application.

3. Armbrust

M.

Fox

A.

et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing (Technical Report No. UCB/EECS-2009-28). EECS Department

University of California

Berkeley. On page 2

the report defines SaaS and lists Google Apps (which includes Gmail) as a prime example of an application delivered as a service.

VLAN (Virtual Local Area Network) segmentation is a technology used to logically partition a single physical network into multiple, distinct broadcast domains. In a unified cloud storage environment, this allows administrators to group servers and storage resources into separate virtual networks. For instance, servers handling sensitive patient records can be placed in one VLAN, while those with administrative data are in another. Access Control Lists (ACLs) and routing policies can then be applied to strictly control or prevent traffic between these VLANs, effectively separating access to the different data types without requiring separate physical network infrastructure.

A. Screened subnet: This is a perimeter network (DMZ) designed to separate an internal network from an untrusted, external network, not for segmenting data types internally.

C. Zero trust zone: This is a strategic security model or architecture, not a specific technology for network segmentation. VLANs can be a tool used to implement a zero-trust model.

D. An intranet: This refers to the entire private, internal network of an organization, not the method used to create logical separations within it.

1. Cisco Systems

Inc.

"Virtual LANs (VLANs)

" Internetworking Technology Handbook. In Chapter 50

the document states

"VLANs logically segment a LAN into different broadcast domains... VLANs provide a mechanism to partition a single switched network so that traffic is contained within that partition." This directly supports the use of VLANs for logical separation.

2. Stallings

W. (2016). Foundations of Modern Networking: SDN

NFV

and Cloud Computing. Pearson Education

Inc. In Chapter 6.3

"Virtual LANs (VLANs)

" it is explained that "The logical separation of devices provides a degree of security. Departments can be separated into their own VLANs so that they cannot directly communicate with each other." This aligns with separating patient and administrative data access.

3. Stanford University

CS144: Introduction to Computer Networking

Fall 2013

Lecture 10 - "Switching." The lecture notes describe VLANs as a mechanism where "a single physical switch can be partitioned into multiple 'virtual' switches

" which is the core concept required to solve the problem in the question.

Data Loss Prevention (DLP) is a security technology designed to discover, monitor, and protect sensitive data wherever it resides. A key function of endpoint DLP solutions is to scan data at rest, such as files stored on hard drives, to identify content that violates organizational policies. By using content-aware detection methods like regular expressions or data fingerprinting, DLP can effectively detect the unauthorized storage of sensitive information (e.g., personally identifiable information, intellectual property) on user workstations and servers. This capability directly addresses the requirement of the question.

B. IDS: An Intrusion Detection System (IDS) monitors network or system activity for malicious patterns or policy violations but is not designed to scan the contents of files on a hard drive.

C. TLS: Transport Layer Security (TLS) is a cryptographic protocol that provides security for data in transit over a network; it does not address the detection of data stored at rest.

D. IPS: An Intrusion Prevention System (IPS) is an active security device that detects and blocks network-based attacks; its function is not to discover sensitive data stored on local drives.

---

1. National Institute of Standards and Technology (NIST). (2018). NIST Internal Report 8202: Data Loss Prevention Practices. Section 2.1

"DLP systems are tools that can be configured to detect and prevent the unauthorized use and transmission of sensitive information... DLP systems can be used to protect data in any of its three states: data in use

data in motion

and data at rest."

2. Carnegie Mellon University

Software Engineering Institute. (2017). A Look at Data Loss Prevention. CERT/CC. Page 2

"For data at rest

DLP solutions can scan file systems

databases

and other data repositories for sensitive data. This capability is useful for discovering where sensitive data resides within the organization..."

3. Vaidya

T.

& Soni

D. (2013). Data Leakage Prevention System. International Journal of Engineering Research & Technology (IJERT)

2(12)

2990-2994. Section III.A

"Data-at-rest DLP typically involves a client-based agent that runs on end-user workstations or servers. The agent can be configured to scan the local hard drive to discover sensitive information and report back to a central management server."

Discretionary Access Control (DAC) is the model where control over an object is at the discretion of its owner. The creator of an object is typically its initial owner and has the authority to define access permissions for other subjects (users or groups). This includes the ability to grant, revoke, and delegate permissions, such as read, write, or execute rights. This model is identity-based, where access control lists (ACLs) specify which users are allowed to access the object. The owner's ability to delegate permissions is a fundamental characteristic of DAC.

A. RBAC: Access is determined by a user's assigned role(s), which are centrally managed by an administrator, not by the object's creator.

B. MAC: A central authority enforces access based on system-wide security labels and clearances; individual creators cannot alter these mandatory rules.

D. ABAC: Access is granted based on policies combining subject, object, and environmental attributes, which are typically defined by an administrator, not the object's owner.

1. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-192: Verification and Test Methods for Access Control Policies/Models. Section 2.2

"Discretionary Access Control (DAC)

" Page 4. "In a system with DAC

the owner of an object can decide which other subjects are allowed to access the object and what operations they are allowed to perform."

2. Hu

V. C.

Ferraiolo

D.

Kuhn

R.

Schnitzer

A.

Sandlin

K.

Miller

R.

& Scarfone

K. (2013). NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. Section 2.3.1

"Discretionary Access Control

" Page 6. "DAC is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject."

3. Myers

A. C.

& Schneider

F. B. (2014). CS 5430: System Security

Lecture 5: Access Control. Cornell University. Page 4. "Discretionary Access Control (DAC): Owner of an object specifies which subjects can access the object."

A fundamental security property of a cryptographic hash function is that it must be a one-way function, meaning it is computationally infeasible to reverse. This property, formally known as pre-image resistance, ensures that an original input (e.g., a password) cannot be derived from its resulting hash value. Therefore, being "reversible" is explicitly NOT a feature of a cryptographic hash function. The other options are essential features: they must be deterministic (same input always produces the same output), unique in practice (collision-resistant), and useful for applications like data integrity verification and digital signatures.

A. Useful: Cryptographic hash functions are highly useful for verifying data integrity, storing passwords securely, and creating digital signatures.

B. Deterministic: A hash function must be deterministic, meaning a specific input will always generate the exact same hash output.

D. Unique: This refers to collision resistance, a critical property where it is computationally infeasible to find two different inputs that produce the same hash.

1. National Institute of Standards and Technology (NIST) Special Publication 800-107 Revision 1

Recommendation for Applications Using Approved Hash Algorithms

August 2012.

Section 4

"Properties of Hash Functions

" page 4: "Three properties are of particular importance...: pre-image resistance

second pre-image resistance

and collision resistance." Pre-image resistance is the formal term for the one-way (non-reversible) property.

2. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). Chapman and Hall/CRC.

Chapter 5

Section 5.2.1

"Preimage Resistance

" page 158: Defines pre-image resistance (one-wayness) as a core security property

stating that for a given hash output y

it is infeasible to find any input x such that H(x) = y. This directly contradicts the concept of reversibility.

3. Massachusetts Institute of Technology (MIT) OpenCourseWare

6.857 Computer and Network Security

Fall 2017.

Lecture 5 Notes: Hashing

page 1: Lists the desired properties of a cryptographic hash function H as: "1. H is deterministic... 3. H is one-way (preimage resistant)... 4. H is collision-resistant." This explicitly states that being one-way (non-reversible) and deterministic are required features.

Security controls are categorized into three main types: administrative, technical, and physical. Technical controls are safeguards implemented and executed by a computer system through hardware, software, or firmware. A Closed-Circuit Television (CCTV) system is a technological system composed of hardware (cameras, recorders) and software used to monitor and record activity, thereby functioning as a technical control. In contrast, administrative controls are based on policies, procedures, and training, which manage human behavior. Options A, B, and D all represent administrative controls, as they are policies or training programs, not technological systems.

A. Establishing an acceptable usage policy is an administrative control that defines rules for users; it is a document, not a technology.

B. Conducting user security awareness training is an administrative control focused on educating personnel and influencing behavior.

D. Establishing a BYOD policy is an administrative control that sets guidelines and procedures for using personal devices.

1. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Section 2.2

"Control Structure

" categorizes controls into Management

Operational

and Technical classes. The Physical and Environmental Protection (PE) family

which includes video surveillance (PE-6)

contains numerous technical implementations.

2. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-12 Revision 1: An Introduction to Information Security. Section 4.2

"Security Controls

" defines technical controls as those "primarily implemented and executed by the information system through mechanisms contained in the hardware

software

or firmware components of the system." This definition encompasses a CCTV system.

3. (ISC)². (2022). CC Certified in Cybersecurity Official Study Guide. Chapter 2

"Incident Response

Business Continuity and Disaster Recovery

" p. 45. This source defines administrative controls as including "policies

procedures

standards

and guidelines" and "awareness and training

" which directly corresponds to options A

B

and D.