(ISC)2 CC Practice Exam 1 Questions With
100% Correct Answers 2024, 250 Questions and
Answers, With Complete Solution.
Sensitivity is a measure of the ...:
... importance assigned to information by its owner, or the purpose of representing its
need for protection.
(Sensitivity is also defined as the measure of the importance assigned to information by
its owner, or the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as:
Authentication
(Authentication is the verification of the identity of a user, process or device, as a
prerequisite to allowing access to the resources in a given system. In contrast,
authorization refers to the permission granted to users, processes or devices to access
specific assets. Confidentiality and integrity are properties of information and systems,
not processes.)
Which of the following Cybersecurity concepts guarantees that information is
accessible only to those authorized to access it?
Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that
guides policies for information security. Confidentiality is the property of data or
information not being made available or disclosed, which leads to sensitive information
being protected from unauthorized access. Integrity refers to the preservation of the
consistency, accuracy and trustworthiness of data. Availability is the property of data
being consistently and readily accessible to the parties authorized to access it. Finally,
non-repudiation refers to the inability to deny the production, approval or transmission of
information.)
Which of the following areas is connected to PII?
Confidentiality
(Confidentiality is the most distinctive property of personally identifiable information (see
ISC2 study guide, Module 1, under CIA Deep Dive). The remaining options apply to all
types of data. All data requires integrity to be usable. Non-repudiation refers to the
inability to deny the production, approval, or transmission of information. Authentication
refers to the access to information.)
Which of the following properties is NOT guaranteed by Digital Signatures?
Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic
transformation of data which is useful for providing: data origin authentication, data
integrity, and non-repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital
,Signature). However, digital signatures cannot guarantee confidentiality (i.e. the
property of data or information not being made available or disclosed).)
Which of the following areas is the most distinctive property of PHI?
Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2
Study Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types
of data. All data requires integrity to be usable. Non-repudiation refers to the inability to
deny the production, approval, or transmission of information. Authentication refers to
guaranteeing that systems and information are accessed by persons and systems that
are who they claim to be.)
In risk management, the highest priority is given to a risk where:
The frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability
over high probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In
qualitative risk analysis, the 'expected probability of occurrence' and the 'frequency of
occurrence' refer to the same thing. The same goes for the concepts of expected impact
value (NIST SP 800-30 Rev. 1 under Impact Value) and potential impact (NIST SP 800-
60 Vol. 1 Rev. 1 under Potential Impact).)
The magnitude of the harm expected as a result of the consequences of an
unauthorized disclosure, modification, destruction, or loss of information, is
known as the:
Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60
Vol. 1 Rev. 1 under Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines
likelihood as the probability that a potential vulnerability may be exploited. A threat is
defined as a circumstance or event that can adversely impact organizational operations.
A vulnerability is a weakness that a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a:
Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST
SP 800-150 under Threat Actor). A Threat Vector is a means by which a Threat Actor
gains access to systems (for example: phishing, trojans, baiting, etc.). An Attacker is
always an individual, but a Threat Actor can be either a group or an entity. A Threat is a
circumstance or event that can adversely impact organizational operations that a Threat
Actor can potentially explore through a Threat Vector.)
Risk Management is:
The identification, evaluation and prioritization of risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2
Study Guide, chapter 1, module 2). "Impact and likelihood of a threat" is a definition of
risk. "Creating an incident response team" and "assessing the potential impact of a
, threat" can be considered Risk Management actions, but are not in themselves Risk
Management.)
An exploitable weakness or flaw in a system or component is a:
Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures,
internal controls or implementation that could be exploited by a Threat source (NIST SP
800-30 Rev 1). The Threat is the circumstance or event that can adversely impact
operations. A Risk is a possible event that can negatively impact the organization. A
Bug is a flaw causing an application to produce an unintended or unexpected result that
may be exploitable.)
Which of the following is NOT an example of a physical security control?
Firewalls
(Firewalls are a type of electronic equipment which connects to a network that filters
inbound traffic arriving from the Internet, and, thus are a type of technical security
controls. Security cameras, biometric access control and electronic locks, though
connected to a network, control access to physical facilities, and thus are types of
physical security controls. (ISC2 Study Guide, Chapter 1, Module 3))
The implementation of Security Controls is a form of:
Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and
thus is a form of risk reduction. Risk acceptance will take no action, risk avoidance will
modify operations in order to avoid risk entirely, and risk transference will transfer the
risk to another party.)
Which of the following is an example of a technical security control?
Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and
turnstiles control access to physical facilities, and thus are types of physical security
controls. (ISC2 Study Guide, Chapter 1, Module 3))
A Security safeguard is the same as a:
Security control
(Security safeguards are approved security measures taken to protect computational
resources by eliminating or reducing the risk to a system. These can be measures like
hardware and software mechanisms, policies, procedures, and physical controls (see
NIST SP 800-28 Version 2, under safeguard). This definition matches the definition of
security control as the means of managing risk, including policies, procedures,
guidelines, practices, or organizational structures, which can be of an administrative,
technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1 under
control).)
Which of the following is an example of an administrative security control?
Acceptable Use Policies
100% Correct Answers 2024, 250 Questions and
Answers, With Complete Solution.
Sensitivity is a measure of the ...:
... importance assigned to information by its owner, or the purpose of representing its
need for protection.
(Sensitivity is also defined as the measure of the importance assigned to information by
its owner, or the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as:
Authentication
(Authentication is the verification of the identity of a user, process or device, as a
prerequisite to allowing access to the resources in a given system. In contrast,
authorization refers to the permission granted to users, processes or devices to access
specific assets. Confidentiality and integrity are properties of information and systems,
not processes.)
Which of the following Cybersecurity concepts guarantees that information is
accessible only to those authorized to access it?
Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that
guides policies for information security. Confidentiality is the property of data or
information not being made available or disclosed, which leads to sensitive information
being protected from unauthorized access. Integrity refers to the preservation of the
consistency, accuracy and trustworthiness of data. Availability is the property of data
being consistently and readily accessible to the parties authorized to access it. Finally,
non-repudiation refers to the inability to deny the production, approval or transmission of
information.)
Which of the following areas is connected to PII?
Confidentiality
(Confidentiality is the most distinctive property of personally identifiable information (see
ISC2 study guide, Module 1, under CIA Deep Dive). The remaining options apply to all
types of data. All data requires integrity to be usable. Non-repudiation refers to the
inability to deny the production, approval, or transmission of information. Authentication
refers to the access to information.)
Which of the following properties is NOT guaranteed by Digital Signatures?
Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic
transformation of data which is useful for providing: data origin authentication, data
integrity, and non-repudiation of the signer (see NIST SP 800-12 Rev. 1 under Digital
,Signature). However, digital signatures cannot guarantee confidentiality (i.e. the
property of data or information not being made available or disclosed).)
Which of the following areas is the most distinctive property of PHI?
Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2
Study Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types
of data. All data requires integrity to be usable. Non-repudiation refers to the inability to
deny the production, approval, or transmission of information. Authentication refers to
guaranteeing that systems and information are accessed by persons and systems that
are who they claim to be.)
In risk management, the highest priority is given to a risk where:
The frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability
over high probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In
qualitative risk analysis, the 'expected probability of occurrence' and the 'frequency of
occurrence' refer to the same thing. The same goes for the concepts of expected impact
value (NIST SP 800-30 Rev. 1 under Impact Value) and potential impact (NIST SP 800-
60 Vol. 1 Rev. 1 under Potential Impact).)
The magnitude of the harm expected as a result of the consequences of an
unauthorized disclosure, modification, destruction, or loss of information, is
known as the:
Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60
Vol. 1 Rev. 1 under Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines
likelihood as the probability that a potential vulnerability may be exploited. A threat is
defined as a circumstance or event that can adversely impact organizational operations.
A vulnerability is a weakness that a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a:
Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST
SP 800-150 under Threat Actor). A Threat Vector is a means by which a Threat Actor
gains access to systems (for example: phishing, trojans, baiting, etc.). An Attacker is
always an individual, but a Threat Actor can be either a group or an entity. A Threat is a
circumstance or event that can adversely impact organizational operations that a Threat
Actor can potentially explore through a Threat Vector.)
Risk Management is:
The identification, evaluation and prioritization of risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2
Study Guide, chapter 1, module 2). "Impact and likelihood of a threat" is a definition of
risk. "Creating an incident response team" and "assessing the potential impact of a
, threat" can be considered Risk Management actions, but are not in themselves Risk
Management.)
An exploitable weakness or flaw in a system or component is a:
Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures,
internal controls or implementation that could be exploited by a Threat source (NIST SP
800-30 Rev 1). The Threat is the circumstance or event that can adversely impact
operations. A Risk is a possible event that can negatively impact the organization. A
Bug is a flaw causing an application to produce an unintended or unexpected result that
may be exploitable.)
Which of the following is NOT an example of a physical security control?
Firewalls
(Firewalls are a type of electronic equipment which connects to a network that filters
inbound traffic arriving from the Internet, and, thus are a type of technical security
controls. Security cameras, biometric access control and electronic locks, though
connected to a network, control access to physical facilities, and thus are types of
physical security controls. (ISC2 Study Guide, Chapter 1, Module 3))
The implementation of Security Controls is a form of:
Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and
thus is a form of risk reduction. Risk acceptance will take no action, risk avoidance will
modify operations in order to avoid risk entirely, and risk transference will transfer the
risk to another party.)
Which of the following is an example of a technical security control?
Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and
turnstiles control access to physical facilities, and thus are types of physical security
controls. (ISC2 Study Guide, Chapter 1, Module 3))
A Security safeguard is the same as a:
Security control
(Security safeguards are approved security measures taken to protect computational
resources by eliminating or reducing the risk to a system. These can be measures like
hardware and software mechanisms, policies, procedures, and physical controls (see
NIST SP 800-28 Version 2, under safeguard). This definition matches the definition of
security control as the means of managing risk, including policies, procedures,
guidelines, practices, or organizational structures, which can be of an administrative,
technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1 under
control).)
Which of the following is an example of an administrative security control?
Acceptable Use Policies
