COURSE 5 – ASSETS, THREATS, AND VULNERABILITIES

Module 2: Protect Organizational Assets

GOOGLE CYBERSECURITY PROFESSIONAL CERTIFICATE

Coursera Study Guide

INTRODUCTION – Protect Organizational Assets

In this extensive overview, participants will concentrate on the crucial topic of security controls that form the bedrock of safeguarding organizational assets. The module goes beyond mere protection to explore the intersection of privacy and asset security, delving into the profound impact privacy considerations have on the overall security framework. Participants will gain a nuanced understanding of the pivotal role encryption plays in preserving the privacy of digital assets, equipping them with the knowledge to implement robust privacy measures.

Furthermore, the module dives into the intricate mechanisms of authentication and authorization systems, shedding light on how these critical components serve to verify a user’s identity. Participants will grasp the fundamental principles and practical applications of these security measures, ensuring a comprehensive comprehension of their significance in maintaining the integrity and confidentiality of organizational assets. As participants progress through this module, they will not only acquire theoretical knowledge but also gain practical insights, fostering a well-rounded skill set essential for navigating the complex landscape of asset security within organizational contexts.

Learning Objectives

  • Identify effective data handling processes.
  • Identify how security controls mitigate risk.
  • Discuss the role encryption and hashing play in securing assets.
  • Describe how to effectively use authentication as a security control.
  • Describe effective authorization practices that verify user access.

TEST YOUR KNOWLEDGE: SAFEGUARD INFORMATION

1. What are the categories of security controls? Select all that apply.

  • Managerial (CORRECT)
  • Operational (CORRECT)
  • Privacy
  • Technical (CORRECT)

Categories of security controls include technical, operational, and managerial. Technical controls include the technologies used to protect assets. Operational controls relate to maintaining the day-to-day security environment. And managerial controls are centered around how technical and operational controls reduce risk.

2. Fill in the blank: A data _____ decides who can access, edit, use, or destroy their information.

  • owner (CORRECT)
  • handler
  • protector
  • custodian

A data owner decides who can access, edit, use, or destroy their information.

3. A writer for a technology company is drafting an article about new software features that are being released. According to the principle of least privilege, what should the writer have access to while drafting the article? Select all that apply.

  • The software they are reviewing (CORRECT)
  • Software developers who are knowledgeable about the product (CORRECT)
  • Other new software that is in development
  • Login credentials of the software users

The writer should have access to the software they are reviewing and the software developers who can help them understand what information is appropriate to share with readers.

4. Which privacy regulations influence how organizations approach data security? Select three answers.

  • Payment Card Industry Data Security Standard (PCI DSS) (CORRECT)
  • Health Insurance Portability and Accountability Act (HIPAA) (CORRECT)
  • Infrastructure as a Service (IaaS)
  • General Data Protection Regulation (GDPR) (CORRECT)

GDPR, PCI DSS, and HIPAA are notable privacy regulations that influence how organizations approach their information security.

5. What are the three types of security controls? Select three answers.

  • Operational (CORRECT)
  • Technical (CORRECT)
  • Managerial (CORRECT)
  • Regulatory

The three types of security controls are technical, operational, and managerial. Each type of security control plays a key role in effective information privacy.

TEST YOUR KNOWLEDGE: ENCRYPTION METHODS

1. Which of the following elements are required when using encryption? Select all that apply.

  • Cipher (CORRECT)
  • Key (CORRECT)
  • Token
  • Certificate

A cipher and a key are required when using encryption. This enables secure information exchange.

2. Which technologies are used in public key infrastructure (PKI) to securely exchange information online? Select two answers.

  • General Data Protection Regulation (GDPR)
  • Digital certificates (CORRECT)
  • Platform as a service (PaaS)
  • Encryption algorithms (CORRECT)

PKI uses encryption algorithms and digital certificates to securely exchange information online. Asymmetric and symmetric algorithms are used first to quickly and securely encrypt data. Digital certificates are used second as a way of signaling trust between the sender and receiver when exchanging encrypted data online.

3. Fill in the blank: _____ encryption produces a public and private key pair.

  • Salting
  • Asymmetric (CORRECT)
  • Symmetric
  • Hashing

Asymmetric encryption produces a public and private key pair that are used to encrypt and decrypt information. The public key is shared with others while the data owner manages the private key.

4. An attacker gains access to a database where user passwords are secured with the SHA-256 hashing algorithm. Can the attacker decrypt the user passwords?

  • Yes. Hash algorithms produce a decryption key.
  • No. Hash algorithms do not produce decryption keys. (CORRECT)

The attacker cannot decrypt the user passwords because they are stored as a hash value that is irreversible. Only symmetric and asymmetric encryption algorithms produce decryption keys.

5. What term describes being unable to deny that information is authentic?

  • Non-repudiation (CORRECT)
  • Availability
  • Confidentiality
  • Integrity

Non-repudiation means that the authenticity of information cannot be denied. It also confirms that the sender of data is who they claim to be.

6. Fill in the blank: _____ is the process of transforming information into a form that unintended readers cannot understand.

  • Cryptography (CORRECT)
  • Decryption
  • Algorithm
  • Cipher

Cryptography is the process of transforming information into a form that unintended readers cannot understand. In cryptography, a cipher is used to hide, or encrypt, information.

7. Public key infrastructure (PKI) is a two-step process that includes the exchange of encrypted information. What other step is involved in the PKI process?

  • The decryption of secret keys
  • The authentication controls of Caesar’s cipher
  • The establishment of trust using digital certificates (CORRECT)
  • The storage of public information

The PKI process involves the exchange of encrypted information and the establishment of trust using digital certificates. In PKI, data can be encrypted using asymmetric encryption, symmetric encryption, or both. Then, a digital certificate binds the data’s public key to the verified identity of a website, individual, organization, device, or server.

8. Fill in the blank: Hash values are primarily used to determine the _____ of files and applications.

  • digest
  • function
  • availability
  • integrity (CORRECT)

Hash values are primarily used as a way to determine the integrity of files and applications. Hashes also keep information confidential because they can’t be decrypted.

TEST YOUR KNOWLEDGE: AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING

1. What factors do authentication systems use to verify a user’s identity? Select three answers.

  • Knowledge (CORRECT)
  • Characteristic (CORRECT)
  • Authorization
  • Ownership (CORRECT)

Knowledge, ownership, and characteristic are the three factors used by authentication systems to verify a user’s identity.

2. How do businesses benefit from implementing single sign-on (SSO) technology? Select two answers.

  • By requiring multiple forms of identification
  • By simplifying their user management (CORRECT)
  • By providing a better user experience (CORRECT)
  • By streamlining HTTP traffic between servers

Providing a better user experience and simplifying their user management are ways that businesses benefit from implementing SSO.

3. A retail company has one employee that’s in charge of purchasing goods, another employee that’s in charge of approving new purchases, and a third employee that’s in charge of paying invoices. What security principle is the retail company implementing?

  • Non-repudiation
  • Separation of duties (CORRECT)
  • Authentication, authorization, and accounting (AAA)
  • Least privilege

The retail company is implementing the separation of duties principle. Separation of duties is the security principle that users should not be given levels of authorization that would allow them to misuse a system.

4. What are the categories of access controls? Select three answers.

  • Authentication (CORRECT)
  • Administration
  • Accounting (CORRECT)
  • Authorization (CORRECT)

The three categories of access controls are authentication, authorization, and accounting.

5. What credential does OAuth use to authenticate users?

  • An application programming interface (API) token (CORRECT)
  • A digital certificate
  • A session cookie
  • A one-time passcode (OTP)

OAuth uses an API token to authenticate users. An API token is a digital credential that is shared between a platform and a service provider to verify a user’s identity.

6. What are the three factors of authentication? Select three answers.

  • Knowledge (CORRECT)
  • Characteristic (CORRECT)
  • Algorithm
  • Ownership (CORRECT)

The three factors of authentication are characteristic, ownership, and knowledge. Ownership is used to verify a user’s identity using something the user possesses, like a one-time passcode.

7. Authorization controls are linked to two security principles. One is the principle of least privilege. What is the other?

  • OAuth
  • The AAA framework
  • Separation of duties (CORRECT)
  • HTTP basic auth

Authorization controls are linked to the separation of duties and the principle of least privilege. Separation of duties is the principle that users should not be given levels of authorization that would allow them to misuse a system.

MODULE 2 CHALLENGE

1. Which of the following examples are categories of security controls? Select three answers.

  • Compliance
  • Operational (CORRECT)
  • Technical (CORRECT)
  • Managerial (CORRECT)

2. A paid subscriber of a news website has access to exclusive content. As a data owner, what should the subscriber be authorized to do with their account? Select three answers.

  • Review their username and password (CORRECT)
  • Update their payment details (CORRECT)
  • Stop their subscription (CORRECT)
  • Edit articles on the website

3. What do symmetric encryption algorithms use to encrypt and decrypt information?

  • A single secret key (CORRECT)
  • A hash value
  • A public and private key pair
  • A digital certificate

4. A security analyst is investigating a critical system file that may have been tampered with. How might the analyst verify the integrity of the system file?

  • By brute forcing the system file using a rainbow table.
  • By comparing the system file’s hash value to a known, trusted hash value. (CORRECT)
  • By decrypting the system file’s secret key using Advanced Encryption Standard (AES).
  • By opening the system file in a word processing application and checking its version history.

5. Which of the following steps are part of the public key infrastructure process? Select two answers.

  • Establish trust using digital certificates (CORRECT)
  • Transfer hash digests
  • Exchange of public and private keys
  • Exchange of encrypted information (CORRECT)

6. What factors do authentication systems use to verify a user’s identity? Select three answers.

  • Ownership (CORRECT)
  • Accounting
  • Characteristic (CORRECT)
  • Knowledge (CORRECT)

7. A business has one person who receives money from customers at the register. At the end of the day, another person counts the money that was received against the items sold and deposits it. Which security principles are being implemented in business operations? Select two answers.

  • Least privilege (CORRECT)
  • Separation of duties (CORRECT)
  • Single sign-on
  • Multi-factor authentication

8. What is the purpose of security controls?

  • Encrypt information for privacy
  • Create policies and procedures
  • Establish incident response systems
  • Reduce specific security risks (CORRECT)

9. A large hotel chain collects customer email addresses as part of a national sweepstakes. As data custodians, what are the hotel chain’s responsibilities to protect this information? Select three answers.

  • To safely handle the data when it’s accessed (CORRECT)
  • To securely transport the data over networks (CORRECT)
  • To protect the data while in storage (CORRECT)
  • To edit the data when necessary

10. You send an email to a friend. The service provider of your inbox encrypts all messages that you send. What happens to the information in your email when it’s encrypted?

  • It’s converted from plaintext to ciphertext. (CORRECT)
  • It’s converted from ciphertext to plaintext.
  • It’s converted from Caesar’s cipher to plaintext.
  • It’s converted from a hash value to ciphertext.

11. Fill in the blank: A _____ is used to prove the identity of users, companies, and networks in public key infrastructure.

  • digital signature
  • access token
  • access key
  • digital certificate (CORRECT)

12. What is an advantage of using single sign-on (SSO) systems to authenticate users?

  • It prevents credential stuffing attacks.
  • Users lose access to multiple platforms when the system is down.
  • It makes the login process faster. (CORRECT)
  • Users must set multiple passwords.

13. What types of user information does an API token contain? Select two answers.

  • A user’s site permissions (CORRECT)
  • A user’s identity (CORRECT)
  • A user’s secret key
  • A user’s password

14. A customer of an online retailer has complained that their account contains an unauthorized purchase. You investigate the incident by reviewing the retailer’s access logs. Which component of the user’s session might you review?

  • Session certificate
  • Session algorithm
  • Session API key
  • Session cookie (CORRECT)

15. Which functions would fall under the category of operational security controls? Select two answers.

  • Establishing trust using digital certificates
  • Providing security awareness training (CORRECT)
  • Exchanging encrypted information
  • Responding to an incident alert (CORRECT)

16. An employee reports that they cannot log into the payroll system with their access credentials. The employee does not recall changing their username or password. As a security analyst, you are asked to review access logs to investigate whether a breach occurred. What information are you able to review as a data custodian in this situation? Select two answers.

  • The IP address of the computer used to log in (CORRECT)
  • Any coworkers’ contact information
  • Any payroll access credentials the user has stored on the server
  • The time the user signed in and out (CORRECT)

17. How is hashing primarily used by security professionals?

  • To store data in the cloud
  • To make data quickly available
  • To decrypt sensitive data
  • To determine data integrity (CORRECT)

18. What is a disadvantage of using single sign-on (SSO) technology for user authentication?

  • Employees are more vulnerable to attack.
  • Customers receive an improved user experience.
  • Username and password management is streamlined.
  • Stolen credentials can give attackers access to multiple resources. (CORRECT)

19. A shipping company imports and exports materials around the world. Their business operations include purchasing goods from suppliers, receiving shipments, and distributing goods to retailers. How should the shipping company protect their assets under the principle of separation of duties? Select two answers.

  • Have one employee approve purchase orders (CORRECT)
  • Have one employee file purchase orders (CORRECT)
  • Have one employee receive shipments and distribute goods
  • Have one employee select goods and submit payments

20. What is the practice of monitoring the access logs of a system?

  • Authorization
  • Accounting (CORRECT)
  • Authentication
  • Auditing

21. What is a key advantage of multi-factor authentication compared to single sign-on?

  • It can grant access to multiple company resources at once.
  • It is faster when authenticating users.
  • It streamlines the authentication process.
  • It requires more than one form of identification before granting access to a system. (CORRECT)

22. The main responsibility of a receptionist at a healthcare company is to check in visitors upon arrival. When visitors check in, which kinds of information should the receptionist be able to access to complete their task? Select two answers.

  • Their billing information
  • Their medical history
  • A photo ID (CORRECT)
  • The patient being visited (CORRECT)

23. What are common authorization tools that are designed with the principle of least privilege and separation of duties in mind? Select three answers.

  • OAuth (CORRECT)
  • Basic auth (CORRECT)
  • API Tokens (CORRECT)
  • SHA256

24. What are the two most common forms of identification used by authentication systems? Select two answers.

  • Username (CORRECT)
  • Facial scan
  • Fingerprint
  • Password (CORRECT)

CONCLUSION – Protect Organizational Assets

In conclusion, this module serves as a comprehensive exploration of the multifaceted realm of asset security, encompassing various aspects crucial to protecting organizational resources. Participants have delved into the intricate landscape of security controls, understanding how these measures are instrumental in safeguarding both physical and digital assets. The exploration extends to the nuanced relationship between privacy and asset security, emphasizing the role of encryption in preserving the confidentiality of digital resources.

Moreover, participants have gained valuable insights into authentication and authorization systems, unraveling the mechanisms that verify user identities and contribute to a robust security framework. This module not only equips participants with theoretical knowledge but also provides practical applications, ensuring they develop a well-rounded skill set essential for implementing effective asset security measures in real-world organizational scenarios. As participants conclude this module, they emerge with a heightened understanding of asset security’s complexities and the tools required to navigate this critical aspect of cybersecurity.