Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical - CORRECT ANSWERS ✔✔A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asks specifically about the process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different platforms, the vendor publishes several sets of instructions on how to install it, depending on which platform the customer is using. This is an example of a ________. (D1, L1.4.2)
A) Law
B) Procedure
C) Standard
D) Policy - CORRECT ANSWERS ✔✔B is correct. This is a set of step-by-step instructions for performing a particular task, so it is a procedure (several procedures, actually, one for each platform). A is incorrect; the instructions are not a governmental mandate. C is incorrect, because the instructions are particular to a specific product, not accepted throughout the industry. D is incorrect, because a policy is the high-level statement of intent of a given organization, and these instructions are neither high-level nor particular to any one organization.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects health and human safety. The security office is tasked with writing a detailed set of processes on how employees should wear protective gear such as hardhats and gloves when in hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1)
A) Policy
B) Procedure
C) Standard
D) Law - CORRECT ANSWERS ✔✔B is correct. A detailed set of processes used by a specific organization is a procedure. A is incorrect; the policy is the overarching document that requires the procedure to be created and implemented. C is incorrect; the procedure is not recognized and implemented throughout the industry, it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a governmental body.
Chad is a security practitioner tasked with ensuring that the information on the organization's public website is not changed by anyone outside the organization. This task is an example of ensuring _________. (D1, L1.1.1)
A) Confidentiality
B) Integrity
C) Availability
D) Confirmation - CORRECT ANSWERS ✔✔B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is incorrect because Chad is not tasked with ensuring the website is accessible, only that the information on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here only as a distractor.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)
A) Law
B) Policy
C) Standard
D) Procedure - CORRECT ANSWERS ✔✔C is correct. This set of rules is known as the Payment Card Industry Data Security Standard (PCI DSS), and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body; it is a contractual requirement imposed by the card brands, not a law. B is incorrect, because the set of rules is not a strategic, internal document published by the senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that practice in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)
A) Tell the auditors the truth
B) Ask supervisors for guidance
C) Ask (ISC)² for guidance
D) Lie to the auditors - CORRECT ANSWERS ✔✔A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly, and legally" and also "advance and protect the profession." Both canons dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term. B and C are not the best answers because the Code already gives a clear answer, and seeking guidance would only delay telling the truth; D is a direct violation of the Code.