CISSP Domain 2 – Information Risk Management Practice Test

The principle of "defense in depth" primarily focuses on a security strategy that utilizes multiple layers of controls to protect information and assets. This approach recognizes that no single security measure is sufficient to safeguard systems against all types of threats. Instead, by implementing a series of defenses, organizations can create a more resilient posture where if one layer of protection fails, additional layers remain in place to mitigate potential risks.

This multifaceted strategy encompasses various types of security measures, such as technical controls (firewalls, intrusion detection systems), administrative controls (policies, procedures), and physical controls (security guards, locks), all working together to create a comprehensive defense network. The goal is to ensure that attackers must overcome multiple obstacles to gain unauthorized access or cause harm, thereby reducing the overall risk of a successful breach.

Other options presented do not align with the core of the "defense in depth" concept. For instance, relying on a single control undermines the very essence of this principle, as it exposes the organization to significant vulnerabilities. Focusing solely on physical security measures limits the effectiveness of security as it ignores essential digital or administrative aspects. Lastly, labeling it as a financial strategy does not accurately describe the layered security intent, which specifically addresses the technical, administrative,