(ISC)2 CC Practice Exam 1(QUESTIONS WITH
100% CORRECT ANSWERS )
Sensitivity is a measure of the ...:
... importance assigned to information by its owner, or the purpose of representing its need for
protection.
(Sensitivity is also defined as the measure of the importance assigned to information by its owner, or
the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as:
Authentication
(Authentication is the verification of the identity of a user, process or device, as a prerequisite to
allowing access to the resources in a given system. In contrast, authorization refers to the permission
granted to users, processes or devices to access specific assets. Confidentiality and integrity are
properties of information and systems, not processes.)
Which of the following Cybersecurity concepts guarantees that information is accessible only to those
authorized to access it?
Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that guides
policies for information security. Confidentiality is the property of data or information not being made
available or disclosed, which leads to sensitive information being protected from unauthorized access.
Integrity refers to the preservation of the consistency, accuracy and trustworthiness of data.
Availability is the property of data being consistently and readily accessible to the parties authorized
to access it. Finally, non-repudiation refers to the inability to deny the production, approval or
transmission of information.)
Which of the following areas is connected to PII?
Confidentiality
(Confidentiality is the most distinctive property of personally identifiable information (see ISC2 study
guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data
requires integrity to be usable. Non-repudiation refers to the inability to deny the production,
approval, or transmission of information. Authentication refers to the access to information.)
Which of the following properties is NOT guaranteed by Digital Signatures?
Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic transformation of data
which is useful for providing: data origin authentication, data integrity, and non-repudiation of the
signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital signatures cannot
guarantee confidentiality (i.e. the property of data or information not being made available or
disclosed).)
Which of the following areas is the most distinctive property of PHI?
Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2 Study
Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data
,requires integrity to be usable. Non-repudiation refers to the inability to deny the production,
approval, or transmission of information. Authentication refers to guaranteeing that systems and
information are accessed by persons and systems that are who they claim to be.)
In risk management, the highest priority is given to a risk where:
The frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability over high
probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In qualitative risk analysis,
the 'expected probability of occurrence' and the 'frequency of occurrence' refer to the same thing.
The same goes for the concepts of expected impact value (NIST SP 800-30 Rev. 1 under Impact Value)
and potential impact (NIST SP 800-60 Vol. 1 Rev. 1 under Potential Impact).)
The magnitude of the harm expected as a result of the consequences of an unauthorized disclosure,
modification, destruction, or loss of information, is known as the:
Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60 Vol. 1 Rev. 1 under
Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines likelihood as the probability that a
potential vulnerability may be exploited. A threat is defined as a circumstance or event that can
adversely impact organizational operations. A vulnerability is a weakness that a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a:
Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST SP 800-150
under Threat Actor). A Threat Vector is a means by which a Threat Actor gains access to systems (for
example: phishing, trojans, baiting, etc.). An Attacker is always an individual, but a Threat Actor can be
either a group or an entity. A Threat is a circumstance or event that can adversely impact
organizational operations that a Threat Actor can potentially explore through a Threat Vector.)
Risk Management is:
The identification, evaluation and prioritization of risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide,
chapter 1, module 2). "Impact and likelihood of a threat" is a definition of risk. "Creating an incident
response team" and "assessing the potential impact of a threat" can be considered Risk Management
actions, but are not in themselves Risk Management.)
An exploitable weakness or flaw in a system or component is a:
Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures, internal controls
or implementation that could be exploited by a Threat source (NIST SP 800-30 Rev 1). The Threat is
the circumstance or event that can adversely impact operations. A Risk is a possible event that can
negatively impact the organization. A Bug is a flaw causing an application to produce an unintended
or unexpected result that may be exploitable.)
Which of the following is NOT an example of a physical security control?
Firewalls
, (Firewalls are a type of electronic equipment which connects to a network that filters inbound traffic
arriving from the Internet, and, thus are a type of technical security controls. Security cameras,
biometric access control and electronic locks, though connected to a network, control access to
physical facilities, and thus are types of physical security controls. (ISC2 Study Guide, Chapter 1,
Module 3))
The implementation of Security Controls is a form of:
Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and thus is a form of
risk reduction. Risk acceptance will take no action, risk avoidance will modify operations in order to
avoid risk entirely, and risk transference will transfer the risk to another party.)
Which of the following is an example of a technical security control?
Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and turnstiles control
access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide,
Chapter 1, Module 3))
A Security safeguard is the same as a:
Security control
(Security safeguards are approved security measures taken to protect computational resources by
eliminating or reducing the risk to a system. These can be measures like hardware and software
mechanisms, policies, procedures, and physical controls (see NIST SP 800-28 Version 2, under
safeguard). This definition matches the definition of security control as the means of managing risk,
including policies, procedures, guidelines, practices, or organizational structures, which can be of an
administrative, technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1 under
control).)
Which of the following is an example of an administrative security control?
Acceptable Use Policies
(Policies are a type of administrative security controls. An access control list is a type of technical
security control. A badge reader and a 'No entry' sign are types of physical security controls (see ISC2
Study Guide, Chapter 1, Module 3).)
Which of the following are NOT types of security controls?
Storage Controls
(Storage controls are not a type of security control. Security controls are safeguards or
countermeasures that an organization can employ to avoid, counteract or minimize security risks.
System-specific controls are security controls that provide security capability for only one specific
information system. Common controls are security controls that provide security capability for
multiple information systems. Hybrid controls have characteristics of both system-specific and
common controls.)
A biometric reader that grants access to a computer system in a data center is a:
Technical Control
100% CORRECT ANSWERS )
Sensitivity is a measure of the ...:
... importance assigned to information by its owner, or the purpose of representing its need for
protection.
(Sensitivity is also defined as the measure of the importance assigned to information by its owner, or
the purpose of representing its need for protection)
The process of verifying or proving the user's identification is known as:
Authentication
(Authentication is the verification of the identity of a user, process or device, as a prerequisite to
allowing access to the resources in a given system. In contrast, authorization refers to the permission
granted to users, processes or devices to access specific assets. Confidentiality and integrity are
properties of information and systems, not processes.)
Which of the following Cybersecurity concepts guarantees that information is accessible only to those
authorized to access it?
Confidentiality
(Confidentiality, Integrity and Availability are known as the CIA triad, from the model that guides
policies for information security. Confidentiality is the property of data or information not being made
available or disclosed, which leads to sensitive information being protected from unauthorized access.
Integrity refers to the preservation of the consistency, accuracy and trustworthiness of data.
Availability is the property of data being consistently and readily accessible to the parties authorized
to access it. Finally, non-repudiation refers to the inability to deny the production, approval or
transmission of information.)
Which of the following areas is connected to PII?
Confidentiality
(Confidentiality is the most distinctive property of personally identifiable information (see ISC2 study
guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data
requires integrity to be usable. Non-repudiation refers to the inability to deny the production,
approval, or transmission of information. Authentication refers to the access to information.)
Which of the following properties is NOT guaranteed by Digital Signatures?
Confidentiality
(The correct answer is B. A digital signature is the result of a cryptographic transformation of data
which is useful for providing: data origin authentication, data integrity, and non-repudiation of the
signer (see NIST SP 800-12 Rev. 1 under Digital Signature). However, digital signatures cannot
guarantee confidentiality (i.e. the property of data or information not being made available or
disclosed).)
Which of the following areas is the most distinctive property of PHI?
Confidentiality
(Confidentiality is the most distinctive property of protected health information (see ISC2 Study
Guide, Module 1, under CIA Deep Dive). The remaining options apply to all types of data. All data
,requires integrity to be usable. Non-repudiation refers to the inability to deny the production,
approval, or transmission of information. Authentication refers to guaranteeing that systems and
information are accessed by persons and systems that are who they claim to be.)
In risk management, the highest priority is given to a risk where:
The frequency of occurrence is low, and the expected impact value is high
(The highest priority is given to risks estimated to have high impact and low probability over high
probability and low impact value (ISC2 Study Guide, Chapter 1, Module 2). In qualitative risk analysis,
the 'expected probability of occurrence' and the 'frequency of occurrence' refer to the same thing.
The same goes for the concepts of expected impact value (NIST SP 800-30 Rev. 1 under Impact Value)
and potential impact (NIST SP 800-60 Vol. 1 Rev. 1 under Potential Impact).)
The magnitude of the harm expected as a result of the consequences of an unauthorized disclosure,
modification, destruction, or loss of information, is known as the:
Impact
(The sentence matches the definition of the concept of impact (see NIST SP 800-60 Vol. 1 Rev. 1 under
Impact). Furthermore, the ISC2 Study Guide, chapter 1, defines likelihood as the probability that a
potential vulnerability may be exploited. A threat is defined as a circumstance or event that can
adversely impact organizational operations. A vulnerability is a weakness that a threat can exploit.)
An entity that acts to exploit a target organization's system vulnerabilities is a:
Threat Actor
(A Threat Actor is defined as an individual or a group posing a threat (according to NIST SP 800-150
under Threat Actor). A Threat Vector is a means by which a Threat Actor gains access to systems (for
example: phishing, trojans, baiting, etc.). An Attacker is always an individual, but a Threat Actor can be
either a group or an entity. A Threat is a circumstance or event that can adversely impact
organizational operations that a Threat Actor can potentially explore through a Threat Vector.)
Risk Management is:
The identification, evaluation and prioritization of risk
(Risk Management is the process of identifying, assessing and mitigating risks (ISC2 Study Guide,
chapter 1, module 2). "Impact and likelihood of a threat" is a definition of risk. "Creating an incident
response team" and "assessing the potential impact of a threat" can be considered Risk Management
actions, but are not in themselves Risk Management.)
An exploitable weakness or flaw in a system or component is a:
Vulnerability
(A Vulnerability is a weakness in an information system, system security procedures, internal controls
or implementation that could be exploited by a Threat source (NIST SP 800-30 Rev 1). The Threat is
the circumstance or event that can adversely impact operations. A Risk is a possible event that can
negatively impact the organization. A Bug is a flaw causing an application to produce an unintended
or unexpected result that may be exploitable.)
Which of the following is NOT an example of a physical security control?
Firewalls
, (Firewalls are a type of electronic equipment which connects to a network that filters inbound traffic
arriving from the Internet, and, thus are a type of technical security controls. Security cameras,
biometric access control and electronic locks, though connected to a network, control access to
physical facilities, and thus are types of physical security controls. (ISC2 Study Guide, Chapter 1,
Module 3))
The implementation of Security Controls is a form of:
Risk reduction
(The implementation of Security Controls involves taking actions to mitigate risk, and thus is a form of
risk reduction. Risk acceptance will take no action, risk avoidance will modify operations in order to
avoid risk entirely, and risk transference will transfer the risk to another party.)
Which of the following is an example of a technical security control?
Access Control Lists
(An access control list is a type of technical security control. Bollards, fences and turnstiles control
access to physical facilities, and thus are types of physical security controls. (ISC2 Study Guide,
Chapter 1, Module 3))
A Security safeguard is the same as a:
Security control
(Security safeguards are approved security measures taken to protect computational resources by
eliminating or reducing the risk to a system. These can be measures like hardware and software
mechanisms, policies, procedures, and physical controls (see NIST SP 800-28 Version 2, under
safeguard). This definition matches the definition of security control as the means of managing risk,
including policies, procedures, guidelines, practices, or organizational structures, which can be of an
administrative, technical, management, or legal nature (see NIST SP 800-160 Vol. 2 Rev. 1 under
control).)
Which of the following is an example of an administrative security control?
Acceptable Use Policies
(Policies are a type of administrative security controls. An access control list is a type of technical
security control. A badge reader and a 'No entry' sign are types of physical security controls (see ISC2
Study Guide, Chapter 1, Module 3).)
Which of the following are NOT types of security controls?
Storage Controls
(Storage controls are not a type of security control. Security controls are safeguards or
countermeasures that an organization can employ to avoid, counteract or minimize security risks.
System-specific controls are security controls that provide security capability for only one specific
information system. Common controls are security controls that provide security capability for
multiple information systems. Hybrid controls have characteristics of both system-specific and
common controls.)
A biometric reader that grants access to a computer system in a data center is a:
Technical Control
