Chad is a security practitioner tasked with ensuring that the information on the organization's public
website is not changed by anyone outside the organization. This task is an example of ensuring
_________. (D1, L1.1.1)
A)Confidentiality
B)Integrity
C)Availability
D)Confirmation
Answer: B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect
because the website is not meant to be secret; it is open to the public. C is incorrect because Chad is not
tasked with ensuring the website is accessible, only that the information on it is not changed. D is
incorrect because "confirmation" is not a typical security term, and is used here only as a distractor.
Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's
offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1)
Question options:
A)Technical
B)Obverse
C)Physical
D)Administrative
Answer: C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these
objects are not moved from a certain place, physical controls (locks, cable tethers, secured rooms) are
probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a
laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is
incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is
used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as a
policy that laptops are not left unobserved, but won't by themselves prevent the laptop from being taken.
Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1)
Question options:
A)User ID
B)Password
C)Fingerprint
D)Iris scan
Answer: B is correct. A password is something the user knows and can present as an authentication factor
to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an
authentication factor. C and D are incorrect as they are examples of authentication factors that are
something you are, also referred to as "biometrics."
Which of the following is an example of a "something you are" authentication factor? (D1, L1.1.1)
Question options:
A)A credit card presented to a cash machine
B)Your password and PIN
C)A user ID
D)A photograph of your face
Answer: D is correct. A facial photograph is something you are (your appearance). A is incorrect because a
credit card is an example of an authentication factor that is something you have. B is incorrect because
passwords and PINs are examples of authentication factors that are something you know. C is incorrect
because a user ID is an identity assertion, not an authentication factor.
A system that collects transactional information and stores it in a record in order to show which users
performed which actions is an example of providing ________. (D1, L1.1.1)
Question options:
A)Non-repudiation
B)Multifactor authentication
C)Biometrics
D)Privacy
Answer: A is correct. Non-repudiation is the concept that users cannot deny they have performed
transactions that they did, in fact, conduct. A system that keeps a record of user transactions, attributing
each action to an authenticated user, provides non-repudiation. B and C are incorrect because nothing in the
question referred to authentication at all. D is incorrect because non-repudiation does not support privacy
(if anything, non-repudiation and privacy pull in opposite directions: one binds actions to an identifiable
user, the other limits that linkage).
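As an added example (not part of the original quiz), the Go program below shows what makes a transaction record usable as non-repudiation evidence in practice: each record is signed with the acting user's private key, the audit system stores only the users' public keys, and later verification either binds the action to that user or fails. It also shows the two ways a record stops being evidence: the record is edited after signing, or one user writes another user's name into a record signed with their own key. The user names, action strings, invoice numbers and timestamps are constructed for the example; the signature scheme is Ed25519 from the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// TransactionRecord is one entry in the audit trail. The signed fields are the
// ones that establish who did what and when; the signature is stored alongside
// them so anyone holding the user's public key can verify the record later.
type TransactionRecord struct {
	User      string `json:"user"`
	Action    string `json:"action"`
	Timestamp int64  `json:"timestamp"`
	Signature []byte `json:"signature,omitempty"`
}

// canonicalBytes returns the byte string that is signed: the record with the
// signature field cleared, serialized by encoding/json, which emits struct
// fields in declaration order and so is deterministic for this type.
func canonicalBytes(r TransactionRecord) []byte {
	r.Signature = nil
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // a struct of strings and an int64 cannot fail to marshal
	}
	return b
}

// Sign produces a record signed with the user's private key. Only the holder
// of that key can create a valid signature, which is what lets the record stand
// as evidence that this user performed the action.
func Sign(priv ed25519.PrivateKey, user, action string, ts int64) TransactionRecord {
	r := TransactionRecord{User: user, Action: action, Timestamp: ts}
	r.Signature = ed25519.Sign(priv, canonicalBytes(r))
	return r
}

// Verify checks a stored record against the public key registered for the
// named user. It returns false for an unknown user, for a record altered after
// signing, and for a record signed by someone other than the claimed user.
func Verify(pub ed25519.PublicKey, r TransactionRecord) bool {
	if len(pub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonicalBytes(r), r.Signature)
}

// Demo registers one user's public key, records a transaction, then reports what
// verification says about the genuine record, a copy whose action was edited
// after the fact, and a record another user tried to attribute to the first.
// All names, actions and timestamps below are constructed sample data.
func Demo() (genuine, tampered, misattributed bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)

	// The audit system stores public keys only; private keys stay with users.
	directory := map[string]ed25519.PublicKey{"alice": alicePub}

	rec := Sign(alicePriv, "alice", "approve-payment:INV-1042", 1700000000)
	genuine = Verify(directory[rec.User], rec)

	edited := rec
	edited.Action = "approve-payment:INV-9999" // changed after signing
	tampered = Verify(directory[edited.User], edited)

	// Bob signs a record but names alice as the actor. Alice's registered key
	// does not verify it, so the record cannot be used to claim alice acted.
	forged := Sign(bobPriv, "alice", "delete-ledger", 1700000001)
	misattributed = Verify(directory[forged.User], forged)
	return
}

func main() {
	g, t, m := Demo()
	fmt.Printf("genuine=%v tampered=%v misattributed=%v\n", g, t, m)
}
```

The record store itself still needs protection against deletion (for example, append-only storage or forwarding to a separate log host), since a signature proves who created a record but cannot reveal that a record was removed.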
Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be
$100, but has seen other laptops of similar type and quality sell for both more and less than that
amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if
nobody bids that amount. This is an example of ___________. (D1, L1.2.2)
Question options:
A)Risk tolerance
B)Risk inversion
C)Threat
D)Vulnerability
Answer: A is correct. Phrenal has decided there is an acceptable level of risk associated with the online
sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with
no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone
that poses risk; the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D
is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.
In risk management concepts, a(n) _________ is something a security practitioner might need to
protect. (D1, L1.2.1)
Question options:
A)Vulnerability
B)Asset
C)Threat
D)Likelihood
Answer: B is correct. An asset is anything with value, and a security practitioner may need to protect
assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with
risk concepts, but are not things that a practitioner would protect.
The Payment Card Industry Security Standards Council (PCI SSC) is a body formed by the major payment card
brands (Visa, Mastercard, American Express, Discover and JCB). The PCI SSC issues rules that merchants must
follow if the merchants choose to accept payment by card. These rules describe best practices for securing
card processing technology, activities for securing cardholder data, and how to protect customers'
personal data. This set of rules is a _____. (D1, L1.4.2)
Question options:
A)Law
B)Policy
C)Standard
D)Procedure
Answer: C is correct. This set of rules is the Payment Card Industry Data Security Standard (PCI DSS), and
it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a
governmental body; it is enforced contractually by the card brands and acquiring banks. B is incorrect,
because the set of rules is not a strategic, internal document published by senior leadership of a single
organization. D is incorrect, because the set of rules is not internal to a given organization and is not
limited to a single activity.
Preenka works at an airport. There are red lines painted on the ground next to the runway; Preenka has
been instructed that nobody can step or drive across a red line unless they request, and get specific
permission from, the control tower. This is an example of a(n)______ control. (D1, L1.3.1)
Question options:
A)Physical
B)Administrative
C)Critical
D)Technical
Answer: B is correct. The process of requesting and getting permission, together with the painted line as
signage, are examples of administrative controls. A is incorrect; while the line is painted on the ground
(and the ground is a tangible object), the line does not actually act to prevent or control anything; the
line is a symbol and indicator, and Preenka could easily walk across it if Preenka chose to do so. C is
incorrect; "critical" is not a term commonly used to describe a particular type of security control, and is
used here only as a distractor. D is incorrect; a painted line is not an IT system or part of the IT
environment.
Of the following, which would probably not be considered a threat? (D1, L1.2.1)
Question options:
A)Natural disaster
B)Unintentional damage to the system caused by a user
C)A laptop with sensitive data on it
D)An external attacker trying to gain unauthorized access to the environment
Answer: C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are
examples of threats, as they all have the potential to cause adverse impact to the organization and the
organization's assets.
Glen is an (ISC)² member. Glen receives an email from a company offering a set of answers for an (ISC)²
certification exam. What should Glen do? (D1, L1.5.1)
Question options:
A)Nothing
B)Inform (ISC)²
C)Inform law enforcement
D)Inform Glen's employer
Answer: B is correct. The (ISC)² Code of Ethics requires that members "advance and protect the profession";
this includes protecting test security for (ISC)² certification material. (ISC)² (and every (ISC)² member)
has a vested interest in protecting test material, and countering any entity that is trying to undermine
the validity of the certifications. This is, however, not a