Exam (elaborations)

ISC2 CC Exam ACTUAL WITH QUESTIONS AND CORRECT VERIFIED ANSWERS GRADED A+

Pages: 62
Grade: A+
Uploaded on: 02-08-2025
Written in: 2025/2026

Institution: ISC2 CC ACTUAL 2025-2026
Course: ISC2 CC ACTUAL 2025-2026

Content preview

ISC2 CC Exam ACTUAL 2025-2026
WITH QUESTIONS AND CORRECT
VERIFIED ANSWERS GRADED A+




Which devices have the PRIMARY objective of collecting and analyzing security
events?
A. Firewalls
B. Hubs
C. Routers
D. SIEM - ANSWER-D. SIEM
A Security Information and Event Management (SIEM) system is an application that
gathers security data from information system components and presents actionable
information through a unified interface. Routers and hubs aim to receive and forward
traffic. Firewalls filter incoming traffic. None of these last three options aims at
collecting and analyzing security events.

Which access control model specifies access to an object based on the subject's role in
the organization?
A. RBAC
B. MAC
C. ABAC
D. DAC - ANSWER-A. RBAC
The role-based access control (RBAC) model is well known for governing access to
objects based on the roles of individual users within the organization. Mandatory access
control is based on security classification. Attribute-based access control is based on complex
attribute rules. In discretionary access control, subjects can grant privileges to other
subjects and change some of the security attributes of the object they have access to.

When a company hires an insurance company to mitigate risk, which risk management
technique is being applied?
A. Risk transfer
B. Risk avoidance
C. Risk mitigation
D. Risk tolerance - ANSWER-A. Risk transfer
Risk transfer is a risk management strategy that contractually shifts a pure risk from one
party to another (in this case, to an insurance company). Risk avoidance consists of
stopping activities and exposures that can negatively affect an organization and its
assets. Risk mitigation consists of mechanisms to reduce the risk. Finally, risk tolerance
is the degree of risk that an investor is willing to endure.

Which type of attack will most effectively provide privileged access (root access in
Unix/Linux platforms) to a computer while hiding its presence?
A. Rootkits
B. Phishing
C. Cross-Site Scripting
D. Trojans - ANSWER-A. Rootkits
A rootkit tries to maintain root-level access while concealing malicious activity. It
typically creates a backdoor and attempts to remain undetected by anti-malware
software. A rootkit is active while the system is running. Trojans can also create
backdoors but are only active while a specific application is running, and thus are not as
effective as a rootkit. Phishing is used to initiate attacks by redirecting the user to fake
websites. Cross-site scripting is used to attack websites.

Which device is used to connect a LAN to the Internet?
A. Router
B. Firewall
C. HIDS
D. SIEM - ANSWER-A. Router
A router is a device that acts as a gateway between two or more networks by relaying
and directing data packets between them. A firewall is a device that filters traffic coming
from the Internet but does not seek to distribute traffic. Security Information and
Event Management (SIEM) systems and Host Intrusion Detection Systems (HIDS) are
monitoring devices or applications; neither aims at inter-network connectivity.

How many data labels are considered manageable?
A. 1-2
B. 1
C. 2-3
D. >4 - ANSWER-C. 2 - 3
According to data handling and labeling best practices, two or three classifications for
data are typically considered manageable for most organizations. In the ISC2 Study
Guide, Ch. 5, Module 1, under Data Handling Practices in Labeling, "two or three
classifications are manageable, but more than four tend to be challenging to manage."
These classifications could be labels such as Public, Confidential, and Restricted, each
representing a different level of data sensitivity. The labeling system allows the
organization to easily identify and manage data based on its sensitivity level, ensuring
that appropriate security measures are in place for each classification. The principle is
that labeling data based on its sensitivity level should be based on a limited,
unambiguous set of labels that correspond to different levels of data sensitivity. The key
is to have a system that differentiates data sensitivity levels without being overly
complex to implement and maintain. Having more than 4 can make the system overly
complex and difficult to manage, increasing the risk of misclassification and potential
data breaches.

In Change Management, which component addresses the procedures needed to undo
changes?
A. Request for Approval
B. Rollback
C. Request for Change
D. Disaster and Recover - ANSWER-B. Rollback
In Change Management, the Request for Change (RFC) is the first stage of the request;
it formalizes the change from the stakeholder's point of view. The next phase is the
Approval phase, where each stakeholder reviews the change, identifies and allocates
the corresponding resources, and eventually either approves or rejects the change
(appropriately documenting the approval or rejection). Finally, the Rollback phase
addresses the actions to take when monitoring of the change suggests a failure or
inadequate performance.

Which of the following is an example of 2FA?
A. One-time passwords (OTA)
B. Keys
C. Badges
D. Passwords - ANSWER-A. One-time passwords (OTA)
One-time passwords are typically generated by a device (i.e. "something you have")
and are required in addition to the actual password (i.e. "something you know").
Badges, keys and passwords with no overlapping authentication controls are
considered single-factor.

Which cloud deployment model is suited to companies with similar needs and
concerns?
A. Community cloud
B. Private cloud
C. Multi-tenant
D. Hybrid cloud - ANSWER-A. Community cloud
Community cloud deployment models are where several organizations with similar needs
and concerns (technological or regulatory) share the infrastructure and resources of a
cloud environment. This model is attractive because it is cost-effective while addressing
the specific requirements of the participating organizations. A private cloud is a cloud
computing model where the cloud infrastructure is dedicated to a single organization
(and never shared with others). A Hybrid cloud is a model that combines (i.e.
orchestrates) on-premises infrastructure, private cloud services, and a public cloud to
handle storage and service. Multi-tenancy refers to a cloud architecture where multiple
cloud tenants (organizations or users) share the same computing resources. Yet, while
resources are shared, each tenant's data is isolated and remains invisible to other
tenants.

Which of these would be the best option if a network administrator needs to control
access to a network?
A. HIDS
B. IDS
C. SIEM
D. NAC - ANSWER-D. NAC
Network Access Control (NAC) refers to a class of mechanisms that prevent access to a
network until a user (or the user's device) either presents the relevant credentials, or
passes the results of health checks performed on the client device. Security Information
and Event Management (SIEM), Host Intrusion Detection Systems (HIDS), and
Intrusion Detection Systems (IDS) are all monitoring systems.

In order to find out whether personal tablet devices are allowed in the office, which of
the following policies would be helpful to read?
A. Change Management Policy
B. BYOD
C. Privacy Policy
D. AUP - ANSWER-B. BYOD
The Bring Your Own Device (BYOD) policy establishes rules for using personal devices
for work-related activities. The Acceptable Use Policy (AUP) defines the permissions
and limitations that users must agree to while accessing the network and using
computer systems or any other organizational resources. The Privacy Policy (PP)
outlines the data security mechanisms that protect customer data. In the context of
cybersecurity, a Change Management Policy (CMP) establishes the use of
standardized methods to enable IT and process change while minimizing the disruption
of services, reducing back-out, and ensuring clear communication with all of the
stakeholders in the organization.

Governments can impose financial penalties as a consequence of breaking a:
A. Regulation
B. Procedure
C. Standard
D. Policy - ANSWER-A. Regulation
Standards are created by governing or professional bodies (not governments
themselves). Policies and procedures are created by organizations, and are therefore
not subject to financial penalties (see ISC2 Study Guide Chapter 1, Module 4).

In incident terminology, the meaning of Zero Day is:
A. Days to solve a previously unknown system vulnerability
B. Days without a cybersecurity incident
C. Days with a cybersecurity incident
D. A previously unknown system vulnerability - ANSWER-D. A previously unknown
system vulnerability

Seller: NURGRACIE Teachme2-tutor