Cybersecurity Analyst”-style test Verified Questions, Correct
Answers, and Detailed Explanations for Computer Science
Students||Already Graded A+
1. A risk assessment identifies a vulnerability in a web application
that could allow SQL injection. The organization rates the
likelihood as “medium” and the impact as “high”. According to
a typical risk matrix, what is the most appropriate risk level?
A. Low
B. Medium-High
C. High
D. Critical
Rationale: A “medium” likelihood combined with “high” impact
usually results in a “medium-high” or “high” risk — worst than
medium, but not maximum unless likelihood also is high.
2. Which document describes an organization’s acceptable use of
computing resources and user behavior expectations?
A. Incident response plan
B. Business continuity plan
C. Acceptable Use Policy (AUP)
D. Disaster recovery plan
Rationale: The Acceptable Use Policy outlines how computing
resources should and should not be used, and what user behavior is
acceptable.
3. What is the primary purpose of a data classification scheme?
A. To slow down data processing
B. To make all data confidential by default
C. To assign sensitivity and handling requirements to different
data types
D. To delete unnecessary data regularly
,Rationale: Data classification helps indicate what level of protection
various data require, guiding access controls, encryption, handling,
and disposal.
4. Which of the following refers to the process of ensuring critical
business functions remain available during and after a disaster?
A. Risk assessment
B. Business continuity
C. Vulnerability management
D. Patch management
Rationale: Business continuity planning is about
maintaining/resuming essential operations through/disaster or
disruption.
2. Identity & Access Management
6. What does the principle of “least privilege” require?
A. Users get full access and relinquish only when needed
B. Users must request privileges every time
C. Users share minimal credentials with others
D. Users receive only the permissions necessary to perform
their job
Rationale: Least privilege means giving users only the bare minimum
rights required — reducing chance for misuse or accidental damage.
7. In a multi-factor authentication (MFA) context, which
combination is considered valid?
A. Password + username
B. Single-factor (password only)
C. Password + a one-time token from a phone app
D. Password written on a sticky note
, Rationale: MFA requires at least two different authentication factors
(something you know + something you have OR something you are),
e.g. password + OTP token.
8. What is the role of a directory service such as Active Directory
in access management?
A. Encrypt data at rest
B. Provide endpoint protection
C. Store and manage user identities, groups, and access rights
D. Monitor network traffic
Rationale: Directory services house identity information — users,
groups, roles — and help enforce authentication/authorization
policies.
9. Which access control model is based on labels and hierarchical
levels, often used for military/government data classification?
A. Role-Based Access Control (RBAC)
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)
Rationale: MAC enforces access based on security
labels/classifications (clearance levels), not on user discretion.
10. A user leaves the company. What is the MOST important
action from an IAM (Identity and Access Management)
perspective?
A. Archive user emails
B. Notify HR
C. Deactivate/revoke all account credentials and access rights
D. Keep user active for a probation period
Rationale: Revoking credentials and access prevents unauthorized or
malicious access after departure.
Answers, and Detailed Explanations for Computer Science
Students||Already Graded A+
1. A risk assessment identifies a vulnerability in a web application
that could allow SQL injection. The organization rates the
likelihood as “medium” and the impact as “high”. According to
a typical risk matrix, what is the most appropriate risk level?
A. Low
B. Medium-High
C. High
D. Critical
Rationale: A “medium” likelihood combined with “high” impact
usually results in a “medium-high” or “high” risk — worst than
medium, but not maximum unless likelihood also is high.
2. Which document describes an organization’s acceptable use of
computing resources and user behavior expectations?
A. Incident response plan
B. Business continuity plan
C. Acceptable Use Policy (AUP)
D. Disaster recovery plan
Rationale: The Acceptable Use Policy outlines how computing
resources should and should not be used, and what user behavior is
acceptable.
3. What is the primary purpose of a data classification scheme?
A. To slow down data processing
B. To make all data confidential by default
C. To assign sensitivity and handling requirements to different
data types
D. To delete unnecessary data regularly
,Rationale: Data classification helps indicate what level of protection
various data require, guiding access controls, encryption, handling,
and disposal.
4. Which of the following refers to the process of ensuring critical
business functions remain available during and after a disaster?
A. Risk assessment
B. Business continuity
C. Vulnerability management
D. Patch management
Rationale: Business continuity planning is about
maintaining/resuming essential operations through/disaster or
disruption.
2. Identity & Access Management
6. What does the principle of “least privilege” require?
A. Users get full access and relinquish only when needed
B. Users must request privileges every time
C. Users share minimal credentials with others
D. Users receive only the permissions necessary to perform
their job
Rationale: Least privilege means giving users only the bare minimum
rights required — reducing chance for misuse or accidental damage.
7. In a multi-factor authentication (MFA) context, which
combination is considered valid?
A. Password + username
B. Single-factor (password only)
C. Password + a one-time token from a phone app
D. Password written on a sticky note
, Rationale: MFA requires at least two different authentication factors
(something you know + something you have OR something you are),
e.g. password + OTP token.
8. What is the role of a directory service such as Active Directory
in access management?
A. Encrypt data at rest
B. Provide endpoint protection
C. Store and manage user identities, groups, and access rights
D. Monitor network traffic
Rationale: Directory services house identity information — users,
groups, roles — and help enforce authentication/authorization
policies.
9. Which access control model is based on labels and hierarchical
levels, often used for military/government data classification?
A. Role-Based Access Control (RBAC)
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)
Rationale: MAC enforces access based on security
labels/classifications (clearance levels), not on user discretion.
10. A user leaves the company. What is the MOST important
action from an IAM (Identity and Access Management)
perspective?
A. Archive user emails
B. Notify HR
C. Deactivate/revoke all account credentials and access rights
D. Keep user active for a probation period
Rationale: Revoking credentials and access prevents unauthorized or
malicious access after departure.
