ISC2 CC Exam 2024 with 100% correct
answers
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put
the documents into a safe at the end of the workday, where they are locked up until the following
workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical - correct answer ✔✔A is the correct answer. The process itself is an administrative control;
rules and practices are administrative. The safe itself is physical, but the question asked specifically
about process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT
environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term
commonly used to describe a particular type of security control, and is used here only as a distractor.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different
platforms, the vendor publishes several sets of instructions on how to install it, depending on which
platform the customer is using. This is an example of a ________. (D1, L1.4.2)
A)Law
B)Procedure
C)Standard
D)Policy - correct answer ✔✔B is correct. This is a set of instructions to perform a particular task, so it is
a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are
not a governmental mandate. C is incorrect, because the instructions are particular to a specific product,
not accepted throughout the industry. D is incorrect, because the instructions are not particular to a
given organization.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects
health and human safety. The security office is tasked with writing a detailed set of processes on how
employees should wear protective gear such as hardhats and gloves when in hazardous areas. This
detailed set of processes is a _________. (D1, L1.4.1)
,A)Policy
B)Procedure
C)Standard
D)Law - correct answer ✔✔B is correct. A detailed set of processes used by a specific organization is a
procedure. A is incorrect; the policy is the overarching document that requires the procedure be created
and implemented. C is incorrect. The procedure is not recognized and implemented throughout the
industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a
governmental body.
Chad is a security practitioner tasked with ensuring that the information on the organization's public
website is not changed by anyone outside the organization. This task is an example of ensuring
_________. (D1, L1.1.1)
A)Confidentiality
B)Integrity
C)Availability
D)Confirmation - correct answer ✔✔B is correct. Preventing unauthorized modification is the definition
of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is
incorrect because Chad is not tasked with ensuring the website is accessible, only that the information
on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here
only as a distractor.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit
card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules
that merchants must follow if the merchants choose to accept payment via credit card. These rules
describe best practices for securing credit card processing technology, activities for securing credit card
information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)
A)Law
B)Policy
C)Standard
D)Procedure - correct answer ✔✔C is correct. This set of rules is known as the Data Security Standard,
and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a
, governmental body. B is incorrect, because the set of rules is not a strategic, internal document
published by senior leadership of a single organization. D is incorrect, because the set of rules is not
internal to a given organization and is not limited to a single activity.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked
whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering
to that standard in that particular situation, but that saying this to the auditors will reflect poorly on
Triffid. What should Olaf do? (D1, L1.5.1)
A)Tell the auditors the truth
B)Ask supervisors for guidance
C)Ask (ISC)² for guidance
D)Lie to the auditors - correct answer ✔✔A is the best answer. The (ISC)² Code of Ethics requires that
members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession."
Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that
Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this
case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in
the short term.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan
got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1)
A)Inform (ISC)²
B)Pay the parking ticket
C)Inform supervisors at Triffid
D)Resign employment from Triffid - correct answer ✔✔B is the best answer. A parking ticket is not a
significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's
duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect
the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security
profession. Siobhan should, however, pay the ticket.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess
a particular threat, and he suggests that the best way to counter this threat would be to purchase and
implement a particular security solution. This is an example of _______. (D1, L1.2.2)
answers
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put
the documents into a safe at the end of the workday, where they are locked up until the following
workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1)
A) Administrative
B) Tangential
C) Physical
D) Technical - correct answer ✔✔A is the correct answer. The process itself is an administrative control;
rules and practices are administrative. The safe itself is physical, but the question asked specifically
about process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT
environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term
commonly used to describe a particular type of security control, and is used here only as a distractor.
A vendor sells a particular operating system (OS). In order to deploy the OS securely on different
platforms, the vendor publishes several sets of instructions on how to install it, depending on which
platform the customer is using. This is an example of a ________. (D1, L1.4.2)
A)Law
B)Procedure
C)Standard
D)Policy - correct answer ✔✔B is correct. This is a set of instructions to perform a particular task, so it is
a procedure (several procedures, actually—one for each platform). A is incorrect; the instructions are
not a governmental mandate. C is incorrect, because the instructions are particular to a specific product,
not accepted throughout the industry. D is incorrect, because the instructions are not particular to a
given organization.
The Triffid Corporation publishes a policy that states all personnel will act in a manner that protects
health and human safety. The security office is tasked with writing a detailed set of processes on how
employees should wear protective gear such as hardhats and gloves when in hazardous areas. This
detailed set of processes is a _________. (D1, L1.4.1)
,A)Policy
B)Procedure
C)Standard
D)Law - correct answer ✔✔B is correct. A detailed set of processes used by a specific organization is a
procedure. A is incorrect; the policy is the overarching document that requires the procedure be created
and implemented. C is incorrect. The procedure is not recognized and implemented throughout the
industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation, not a
governmental body.
Chad is a security practitioner tasked with ensuring that the information on the organization's public
website is not changed by anyone outside the organization. This task is an example of ensuring
_________. (D1, L1.1.1)
A)Confidentiality
B)Integrity
C)Availability
D)Confirmation - correct answer ✔✔B is correct. Preventing unauthorized modification is the definition
of integrity. A is incorrect because the website is not meant to be secret; it is open to the public. C is
incorrect because Chad is not tasked with ensuring the website is accessible, only that the information
on it is not changed. D is incorrect because "confirmation" is not a typical security term, and is used here
only as a distractor.
The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit
card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules
that merchants must follow if the merchants choose to accept payment via credit card. These rules
describe best practices for securing credit card processing technology, activities for securing credit card
information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)
A)Law
B)Policy
C)Standard
D)Procedure - correct answer ✔✔C is correct. This set of rules is known as the Data Security Standard,
and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a
, governmental body. B is incorrect, because the set of rules is not a strategic, internal document
published by senior leadership of a single organization. D is incorrect, because the set of rules is not
internal to a given organization and is not limited to a single activity.
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked
whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering
to that standard in that particular situation, but that saying this to the auditors will reflect poorly on
Triffid. What should Olaf do? (D1, L1.5.1)
A)Tell the auditors the truth
B)Ask supervisors for guidance
C)Ask (ISC)² for guidance
D)Lie to the auditors - correct answer ✔✔A is the best answer. The (ISC)² Code of Ethics requires that
members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession."
Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that
Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this
case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in
the short term.
Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan
got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1)
A)Inform (ISC)²
B)Pay the parking ticket
C)Inform supervisors at Triffid
D)Resign employment from Triffid - correct answer ✔✔B is the best answer. A parking ticket is not a
significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's
duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect
the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security
profession. Siobhan should, however, pay the ticket.
Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess
a particular threat, and he suggests that the best way to counter this threat would be to purchase and
implement a particular security solution. This is an example of _______. (D1, L1.2.2)
