ISC2 CC EXAM QUESTIONS AND ANSWERS
Triffid Corporation has a rule that all employees working with sensitive hardcopy
documents must put the documents into a safe at the end of the workday, where they
are locked up until the following workday. What kind of control is the process of putting
the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical - Answers :A is the correct answer. The process itself is an administrative
control; rules and practices are administrative. The safe itself is physical, but the
question asked specifically about process, not the safe, so C is incorrect. Neither the
safe nor the process is part of the IT environment, so this is not a technical control; D is
incorrect. B is incorrect; "tangential" is not a term commonly used to describe a
particular type of security control, and is used here only as a distractor.
The Triffid Corporation publishes a policy that states all personnel will act in a manner
that protects health and human safety. The security office is tasked with writing a
detailed set of processes on how employees should wear protective gear such as
hardhats and gloves when in hazardous areas. This detailed set of processes is a
_________. (D1, L1.4.1)
A)Policy
B)Procedure
C)Standard
D)Law - Answers :B is correct. A detailed set of processes used by a specific
organization is a procedure. A is incorrect; the policy is the overarching document that
requires the procedure be created and implemented. C is incorrect. The procedure is
not recognized and implemented throughout the industry; it is used internally. D is
incorrect; the procedure was created by Triffid Corporation, not a governmental body.
Chad is a security practitioner tasked with ensuring that the information on the
organization's public website is not changed by anyone outside the organization. This
task is an example of ensuring _________. (D1, L1.1.1)
A)Confidentiality
B)Integrity
C)Availability
D)Confirmation - Answers :B is correct. Preventing unauthorized modification is the
definition of integrity. A is incorrect because the website is not meant to be secret; it is
open to the public. C is incorrect because Chad is not tasked with ensuring the website
is accessible, only that the information on it is not changed. D is incorrect because
"confirmation" is not a typical security term, and is used here only as a distractor.
,The Payment Card Industry (PCI) Council is a committee made up of representatives
from major credit card providers (Visa, Mastercard, American Express) in the United
States. The PCI Council issues rules that merchants must follow if the merchants
choose to accept payment via credit card. These rules describe best practices for
securing credit card processing technology, activities for securing credit card
information, and how to protect customers' personal data. This set of rules is a _____.
(D1, L1.4.2)
A)Law
B)Policy
C)Standard
D)Procedure - Answers :C is correct. This set of rules is known as the Data Security
Standard, and it is accepted throughout the industry. A is incorrect, because this set of
rules was not issued by a governmental body. B is incorrect, because the set of rules is
not a strategic, internal document published by senior leadership of a single
organization. D is incorrect, because the set of rules is not internal to a given
organization and is not limited to a single activity.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on
different platforms, the vendor publishes several sets of instructions on how to install it,
depending on which platform the customer is using. This is an example of a ________.
(D1, L1.4.2)
A)Law
B)Procedure
C)Standard
D)Policy - Answers :B is correct. This is a set of instructions to perform a particular task,
so it is a procedure (several procedures, actually—one for each platform). A is incorrect;
the instructions are not a governmental mandate. C is incorrect, because the
instructions are particular to a specific product, not accepted throughout the industry. D
is incorrect, because the instructions are not particular to a given organization.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit,
Olaf is asked whether Triffid is currently following a particular security practice. Olaf
knows that Triffid is not adhering to that standard in that particular situation, but that
saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)
A)Tell the auditors the truth
B)Ask supervisors for guidance
C)Ask (ISC)² for guidance
D)Lie to the auditors - Answers :A is the best answer. The (ISC)² Code of Ethics
requires that members "act honorably, honestly, justly, responsibly" and also "advance
and protect the profession." Both requirements dictate that Olaf should tell the truth to
the auditors. While the Code also says that Olaf should "provide diligent and competent
service to principals," and Olaf's principal is Triffid in this case, lying does not serve
, Triffid's best long-term interests, even if the truth has some negative impact in the short
term.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst.
Yesterday, Siobhan got a parking ticket while shopping after work. What should
Siobhan do? (D1, L1.5.1)
A)Inform (ISC)²
B)Pay the parking ticket
C)Inform supervisors at Triffid
D)Resign employment from Triffid - Answers :B is the best answer. A parking ticket is
not a significant crime, besmirchment of character or moral failing, and has nothing to
do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that
members act "legally," and "protect the profession," a parking ticket does not reflect
poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however,
pay the ticket.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak
is asked to assess a particular threat, and he suggests that the best way to counter this
threat would be to purchase and implement a particular security solution. This is an
example of _______. (D1, L1.2.2)
A)Acceptance
B)Avoidance
C)Mitigation
D)Transference - Answers :C is correct. Applying a security solution (a type of control)
is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the
threat, and the acceptance of the associated risk, only needs to be documented—no
other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of
action would be to cease whatever activity was associated with the threat. D is
incorrect; if Kerpak suggested transference, this would involve forming some sort of
risk-sharing relationship with an external party, such as an insurance underwriter.
Which of the following is an example of a "something you are" authentication factor?
(D1, L1.1.1)
A)A credit card presented to a cash machine
B)Your password and PIN
C)A user ID
D)A photograph of your face - Answers :D is correct. A facial photograph is something
you are—your appearance. A is incorrect because a credit card is an example of an
authentication factor that is something you have. B is incorrect because passwords and
PINs are examples of authentication factors that are something you know. C is incorrect
because a user ID is an identity assertion, not an authentication factor.
Triffid Corporation has a rule that all employees working with sensitive hardcopy
documents must put the documents into a safe at the end of the workday, where they
are locked up until the following workday. What kind of control is the process of putting
the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical - Answers :A is the correct answer. The process itself is an administrative
control; rules and practices are administrative. The safe itself is physical, but the
question asked specifically about process, not the safe, so C is incorrect. Neither the
safe nor the process is part of the IT environment, so this is not a technical control; D is
incorrect. B is incorrect; "tangential" is not a term commonly used to describe a
particular type of security control, and is used here only as a distractor.
The Triffid Corporation publishes a policy that states all personnel will act in a manner
that protects health and human safety. The security office is tasked with writing a
detailed set of processes on how employees should wear protective gear such as
hardhats and gloves when in hazardous areas. This detailed set of processes is a
_________. (D1, L1.4.1)
A)Policy
B)Procedure
C)Standard
D)Law - Answers :B is correct. A detailed set of processes used by a specific
organization is a procedure. A is incorrect; the policy is the overarching document that
requires the procedure be created and implemented. C is incorrect. The procedure is
not recognized and implemented throughout the industry; it is used internally. D is
incorrect; the procedure was created by Triffid Corporation, not a governmental body.
Chad is a security practitioner tasked with ensuring that the information on the
organization's public website is not changed by anyone outside the organization. This
task is an example of ensuring _________. (D1, L1.1.1)
A)Confidentiality
B)Integrity
C)Availability
D)Confirmation - Answers :B is correct. Preventing unauthorized modification is the
definition of integrity. A is incorrect because the website is not meant to be secret; it is
open to the public. C is incorrect because Chad is not tasked with ensuring the website
is accessible, only that the information on it is not changed. D is incorrect because
"confirmation" is not a typical security term, and is used here only as a distractor.
,The Payment Card Industry (PCI) Council is a committee made up of representatives
from major credit card providers (Visa, Mastercard, American Express) in the United
States. The PCI Council issues rules that merchants must follow if the merchants
choose to accept payment via credit card. These rules describe best practices for
securing credit card processing technology, activities for securing credit card
information, and how to protect customers' personal data. This set of rules is a _____.
(D1, L1.4.2)
A)Law
B)Policy
C)Standard
D)Procedure - Answers :C is correct. This set of rules is known as the Data Security
Standard, and it is accepted throughout the industry. A is incorrect, because this set of
rules was not issued by a governmental body. B is incorrect, because the set of rules is
not a strategic, internal document published by senior leadership of a single
organization. D is incorrect, because the set of rules is not internal to a given
organization and is not limited to a single activity.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on
different platforms, the vendor publishes several sets of instructions on how to install it,
depending on which platform the customer is using. This is an example of a ________.
(D1, L1.4.2)
A)Law
B)Procedure
C)Standard
D)Policy - Answers :B is correct. This is a set of instructions to perform a particular task,
so it is a procedure (several procedures, actually—one for each platform). A is incorrect;
the instructions are not a governmental mandate. C is incorrect, because the
instructions are particular to a specific product, not accepted throughout the industry. D
is incorrect, because the instructions are not particular to a given organization.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit,
Olaf is asked whether Triffid is currently following a particular security practice. Olaf
knows that Triffid is not adhering to that standard in that particular situation, but that
saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)
A)Tell the auditors the truth
B)Ask supervisors for guidance
C)Ask (ISC)² for guidance
D)Lie to the auditors - Answers :A is the best answer. The (ISC)² Code of Ethics
requires that members "act honorably, honestly, justly, responsibly" and also "advance
and protect the profession." Both requirements dictate that Olaf should tell the truth to
the auditors. While the Code also says that Olaf should "provide diligent and competent
service to principals," and Olaf's principal is Triffid in this case, lying does not serve
, Triffid's best long-term interests, even if the truth has some negative impact in the short
term.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst.
Yesterday, Siobhan got a parking ticket while shopping after work. What should
Siobhan do? (D1, L1.5.1)
A)Inform (ISC)²
B)Pay the parking ticket
C)Inform supervisors at Triffid
D)Resign employment from Triffid - Answers :B is the best answer. A parking ticket is
not a significant crime, besmirchment of character or moral failing, and has nothing to
do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that
members act "legally," and "protect the profession," a parking ticket does not reflect
poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however,
pay the ticket.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak
is asked to assess a particular threat, and he suggests that the best way to counter this
threat would be to purchase and implement a particular security solution. This is an
example of _______. (D1, L1.2.2)
A)Acceptance
B)Avoidance
C)Mitigation
D)Transference - Answers :C is correct. Applying a security solution (a type of control)
is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the
threat, and the acceptance of the associated risk, only needs to be documented—no
other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of
action would be to cease whatever activity was associated with the threat. D is
incorrect; if Kerpak suggested transference, this would involve forming some sort of
risk-sharing relationship with an external party, such as an insurance underwriter.
Which of the following is an example of a "something you are" authentication factor?
(D1, L1.1.1)
A)A credit card presented to a cash machine
B)Your password and PIN
C)A user ID
D)A photograph of your face - Answers :D is correct. A facial photograph is something
you are—your appearance. A is incorrect because a credit card is an example of an
authentication factor that is something you have. B is incorrect because passwords and
PINs are examples of authentication factors that are something you know. C is incorrect
because a user ID is an identity assertion, not an authentication factor.
