Exam (worked answers)

ISC2 Certified In Cybersecurity: Pre And Post Course Assessment Questions With 100% Correct Answers | Verified | Updated 2024, 109 Q&A.

Pages: 31
Grade: A+
Uploaded on: 27-03-2024
Written in: 2023/2024

Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After attending a few online sessions, Tina learns that some participants in the group are sharing malware with each other, in order to use it against other organizations online. What should Tina do? (D1, L1.5.1)

A) Nothing
B) Stop participating in the group
C) Report the group to law enforcement
D) Report the group to (ISC)²

B is the best answer. The (ISC)² Code of Ethics requires that members "protect society, the common good, necessary public trust and confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malware for offensive purposes. However, the Code does not make (ISC)² members into law enforcement officers; there is no requirement to get involved in legal matters beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's own protection) document when participation started and stopped, but no other action is necessary on Tina's part.

Triffid Corporation has a policy that all employees must receive security awareness instruction before using email; the company wants to make employees aware of potential phishing attempts that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1)

A) Administrative
B) Finite
C) Physical
D) Technical

A is correct. Both the policy and the instruction are administrative controls; rules and governance are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; training is not a tangible object, so this is not a physical control. D is incorrect; training is not part of the IT environment, so it is not a technical control.

Druna is a security practitioner tasked with ensuring that laptops are not stolen from the organization's offices. Which sort of security control would probably be best for this purpose? (D1, L1.3.1)

A) Technical
B) Obverse
C) Physical
D) Administrative

C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are not moved from a certain place, physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attempt to steal a laptop, or locate the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative controls may help reduce theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being taken.

Kerpak works in the security office of a medium-sized entertainment company. Kerpak is asked to assess a particular threat, and he suggests that the best way to counter this threat would be to purchase and implement a particular security solution. This is an example of _______. (D1, L1.2.2)

A) Acceptance
B) Avoidance
C) Mitigation
D) Transference

C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak suggested acceptance, then the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary. B is incorrect; if Kerpak suggested avoidance, the course of action would be to cease whatever activity was associated with the threat. D is incorrect; if Kerpak suggested transference, this would involve forming some sort of risk-sharing relationship with an external party, such as an insurance underwriter.

The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)

A) Law
B) Policy
C) Standard
D) Procedure

C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.

For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1)

A) Medical systems that store patient data
B) Retail records of past transactions
C) Online streaming of camera feeds that display historical works of art in museums around the world
D) Medical systems that monitor patient condition in an intensive care unit

D is correct. Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed. A is incorrect because stored data, while important, is not as critical to patient health as the monitoring function listed in answer D. B is incorrect because retail transactions do not constitute a risk to health and human safety. C is incorrect because displaying artwork does not reflect a risk to health and human safety; also because the loss of online streaming does not actually affect the asset (the artwork in the museum) in any way—the art will still be in the museum, regardless of whether the camera is functioning.

Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1)

A) User ID
B) Password
C) Fingerprint
D) Iris scan

B is correct. A password is something the user knows and can present as an authentication factor to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are examples of authentication factors that are something you are, also referred to as "biometrics."

In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1)

A) Vulnerability
B) Asset
C) Threat
D) Likelihood

B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.

Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)

A) Tell the auditors the truth
B) Ask supervisors for guidance
C) Ask (ISC)² for guidance
D) Lie to the auditors

A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.

Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1)

A) Inform (ISC)²
B) Pay the parking ticket
C) Inform supervisors at Triffid
D) Resign employment from Triffid

B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however, pay the ticket.

Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1)

A) Inform (ISC)²
B) Inform law enforcement
C) Inform Triffid management
D) Nothing

C is the best answer. Aphrodite is required by the (ISC)² Code of Ethics to "provide diligent and competent service to principals." This includes reporting policy violations to Triffid management (Triffid is the principal, in this case). A policy violation of this type is not a crime, so law enforcement does not need to be involved, and (ISC)² has no authority over Triffid policy enforcement or employees.

A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1)

A) Physical
B) Administrative
C) Passive
D) Technical

D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.

The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars, etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of control is this? (D1, L1.3.1)

A) Administrative
B) Entrenched
C) Physical
D) Technical

D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. C is incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does not interact directly with other physical objects in order to prevent action, so "technical" is a better descriptor, and D is a better answer.

Triffid Corporation has a rule that all employees working with sensitive hardcopy documents must put the documents into a safe at the end of the workday, where they are locked up until the following workday. What kind of control is the process of putting the documents into the safe? (D1, L1.3.1)

A) Administrative
B) Tangential
C) Physical
D) Technical

A is the correct answer. The process itself is an administrative control; rules and practices are administrative. The safe itself is physical, but the question asked specifically about the process, not the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.

Phrenal is selling a used laptop in an online auction. Phrenal has estimated the value of the laptop to be $100, but has seen other laptops of similar type and quality sell for both more and less than that amount. Phrenal hopes that the laptop will sell for $100 or more, but is prepared to take less for it if nobody bids that amount. This is an example of ___________. (D1, L1.2.2)

A) Risk tolerance
B) Risk inversion
C) Threat
D) Vulnerability

A is correct. Phrenal has decided there is an acceptable level of risk associated with the online sale of the laptop; this is within Phrenal's risk tolerance. B is incorrect; "risk inversion" is a term with no actual meaning, and is used here only as a distractor. C is incorrect; a threat is something or someone that poses risk—the sale of the laptop does not pose risk to Phrenal, only a lesser or greater benefit. D is incorrect; the sale of the laptop is not an avenue of attack against Phrenal.

Grampon municipal code requires that all companies that operate within city limits will have a set of processes to ensure employees are safe while working with hazardous materials. Triffid Corporation creates a checklist of activities employees must follow while working with hazardous materials inside Grampon city limits. The municipal code is a ______, and the Triffid checklist is a ________. (D1, L1.4.2)

A) Law, procedure
B) Standard, law
C) Law, standard
D) Policy, law

A is correct. The municipal code was created by a governmental body and is a legal mandate; this is a law. The Triffid checklist is a detailed set of actions which must be used by Triffid employees in specific circumstances; this is a procedure. B and C are incorrect; neither document is recognized throughout the industry, so neither is a standard. D is incorrect; neither document is a strategic internal overview issued by senior management, so neither is a policy.

Preenka works at an airport. There are red lines painted on the ground next to the runway; Preenka has been instructed that nobody can step or drive across a red line unless they request, and get specific permission from, the control tower. This is an example of a(n) ______ control. (D1, L1.3.1)

A) Physical
B) Administrative
C) Critical
D) Technical

B is correct. The process of requesting and getting permission, and the painted signage, are examples of administrative controls. A is incorrect; while the line is painted on the ground (and the ground is a tangible object), the line does not actually act to prevent or control anything—the line is a symbol and indicator; Preenka could easily walk across the line, if Preenka chose to do so. C is incorrect; "critical" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D is incorrect; a painted line is not an IT system or part of the IT environment.

Which is the European Union (EU) law that grants legal protections to individual human privacy? (D1, L1.1.1)

A) The Privacy Human Rights Act
B) The General Data Protection Regulation
C) The Magna Carta
D) The Constitution

B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Privacy Human Rights Act, which is only used here as a distractor. C is incorrect because the Magna Carta is a British law describing the relationship between the monarchy and the people, and does not
