Page | 1
(ISC)2 Certified in Cybersecurity - Exam Prep
Questions with Detailed Verified Answers
Document specific requirements that a customer has about any aspect of
a vendor's service performance.
A) DLR
B) Contract
C) SLR
D) NDA Ans: C) SLR (Service-Level Requirements)
_________ identifies and triages risks. Ans: Risk Assessment
_________ are external forces that jeopardize security. Ans: Threats
_________ are methods used by attackers. Ans: Threat Vectors
_________ are the combination of a threat and a vulnerability. Ans:
Risks
We rank risks by _________ and _________. Ans: Likelihood and
impact
, Page | 2
_________ use subjective ratings to evaluate risk likelihood and impact.
Ans: Qualitative Risk Assessment
_________ use objective numeric ratings to evaluate risk likelihood and
impact. Ans: Quantitative Risk Assessment
_________ analyzes and implements possible responses to control risk.
Ans: Risk Treatment
_________ changes business practices to make a risk irrelevant. Ans:
Risk Avoidance
_________ reduces the likelihood or impact of a risk. Ans: Risk
Mitigation
An organization's _________ is the set of risks that it faces. Ans: Risk
Profile
_________ Initial Risk of an organization. Ans: Inherent Risk
_________ Risk that remains in an organization after controls. Ans:
Residual Risk
_________ is the level of risk an organization is willing to accept. Ans:
Risk Tolerance
_________ reduce the likelihood or impact of a risk and help identify
issues. Ans: Security Controls
_________ stop a security issue from occurring. Ans: Preventive
Control
, Page | 3
_________ identify security issues requiring investigation. Ans:
Detective Control
_________ remediate security issues that have occurred. Ans:
Recovery Control
Hardening == Preventative Ans: Virus == Detective
Backups == Recovery Ans: For exam (Local and Technical Controls are
the same)
_________ use technology to achieve control objectives. Ans: Technical
Controls
_________ use processes to achieve control objectives. Ans:
Administrative Controls
_________ impact the physical world. Ans: Physical Controls
_________ tracks specific device settings. Ans: Configuration
Management
_________ provide a configuration snapshot. Ans: Baselines (track
changes)
_________ assigns numbers to each version. Ans: Versioning
_________ serve as important configuration artifacts. Ans: Diagrams
_________ and _________ help ensure a stable operating environment.
Ans: Change and Configuration Management
, Page | 4
Purchasing an insurance policy is an example of which risk management
strategy? Ans: Risk Transference
What two factors are used to evaluate a risk? Ans: Likelihood and
Impact
What term best describes making a snapshot of a system or application
at a point in time for later comparison? Ans: Baselining
What type of security control is designed to stop a security issue from
occurring in the first place? Ans: Preventive
What term describes risks that originate inside the organization? Ans:
Internal
What four items belong to the security policy framework? Ans: Policies,
Standards, Guidelines, Procedures
_________ describe an organization's security expectations. Ans:
Policies (mandatory and approved at the highest level of an organization)
_________ describe specific security controls and are often derived from
policies. Ans: Standards (mandatory)
_________ describe best practices. Ans: Guidelines
(recommendations/advice and compliance is not mandatory)
_________ step-by-step instructions. Ans: Procedures (not mandatory)
_________ describe authorized uses of technology. Ans: Acceptable
Use Policies (AUP)
(ISC)2 Certified in Cybersecurity - Exam Prep
Questions with Detailed Verified Answers
Document specific requirements that a customer has about any aspect of
a vendor's service performance.
A) DLR
B) Contract
C) SLR
D) NDA Ans: C) SLR (Service-Level Requirements)
_________ identifies and triages risks. Ans: Risk Assessment
_________ are external forces that jeopardize security. Ans: Threats
_________ are methods used by attackers. Ans: Threat Vectors
_________ are the combination of a threat and a vulnerability. Ans:
Risks
We rank risks by _________ and _________. Ans: Likelihood and
impact
, Page | 2
_________ use subjective ratings to evaluate risk likelihood and impact.
Ans: Qualitative Risk Assessment
_________ use objective numeric ratings to evaluate risk likelihood and
impact. Ans: Quantitative Risk Assessment
_________ analyzes and implements possible responses to control risk.
Ans: Risk Treatment
_________ changes business practices to make a risk irrelevant. Ans:
Risk Avoidance
_________ reduces the likelihood or impact of a risk. Ans: Risk
Mitigation
An organization's _________ is the set of risks that it faces. Ans: Risk
Profile
_________ Initial Risk of an organization. Ans: Inherent Risk
_________ Risk that remains in an organization after controls. Ans:
Residual Risk
_________ is the level of risk an organization is willing to accept. Ans:
Risk Tolerance
_________ reduce the likelihood or impact of a risk and help identify
issues. Ans: Security Controls
_________ stop a security issue from occurring. Ans: Preventive
Control
, Page | 3
_________ identify security issues requiring investigation. Ans:
Detective Control
_________ remediate security issues that have occurred. Ans:
Recovery Control
Hardening == Preventative Ans: Virus == Detective
Backups == Recovery Ans: For exam (Local and Technical Controls are
the same)
_________ use technology to achieve control objectives. Ans: Technical
Controls
_________ use processes to achieve control objectives. Ans:
Administrative Controls
_________ impact the physical world. Ans: Physical Controls
_________ tracks specific device settings. Ans: Configuration
Management
_________ provide a configuration snapshot. Ans: Baselines (track
changes)
_________ assigns numbers to each version. Ans: Versioning
_________ serve as important configuration artifacts. Ans: Diagrams
_________ and _________ help ensure a stable operating environment.
Ans: Change and Configuration Management
, Page | 4
Purchasing an insurance policy is an example of which risk management
strategy? Ans: Risk Transference
What two factors are used to evaluate a risk? Ans: Likelihood and
Impact
What term best describes making a snapshot of a system or application
at a point in time for later comparison? Ans: Baselining
What type of security control is designed to stop a security issue from
occurring in the first place? Ans: Preventive
What term describes risks that originate inside the organization? Ans:
Internal
What four items belong to the security policy framework? Ans: Policies,
Standards, Guidelines, Procedures
_________ describe an organization's security expectations. Ans:
Policies (mandatory and approved at the highest level of an organization)
_________ describe specific security controls and are often derived from
policies. Ans: Standards (mandatory)
_________ describe best practices. Ans: Guidelines
(recommendations/advice and compliance is not mandatory)
_________ step-by-step instructions. Ans: Procedures (not mandatory)
_________ describe authorized uses of technology. Ans: Acceptable
Use Policies (AUP)
