Question 1. Which principle of the CIA triad ensures that information is accessible to authorized users
when needed?
A) Confidentiality
B) Integrity
C) Availability
D) Authentication
Answer: C
Explanation: Availability ensures that authorized users have reliable access to information and resources
when required, maintaining system uptime and data accessibility.
Question 2. In security governance, aligning security strategies with which of the following ensures that
security efforts support overall organizational objectives?
A) Technical standards
B) Business strategy and goals
C) Regulatory requirements
D) Employee training programs
Answer: B
Explanation: Aligning security strategies with business strategy and goals guarantees that security
initiatives directly support and enable organizational objectives and mission.
Question 3. Which of the following roles is primarily responsible for implementing and enforcing security
policies within an organization?
A) CEO
B) Security Manager or Chief Information Security Officer (CISO)
C) HR Manager
D) Network Administrator
Answer: B
Explanation: The Security Manager or CISO is responsible for developing, implementing, and enforcing
security policies to protect organizational assets and ensure compliance.
Certified Cyber Security Professional Exam
Question 4. Under GDPR, which of the following is a key requirement regarding personal data?
A) Data must be kept indefinitely
B) Data must be anonymized at all times
C) Data subjects have rights to access, rectify, and erase their data
D) Data can be transferred freely without restrictions
Answer: C
Explanation: GDPR grants individuals rights over their personal data, including access, rectification,
erasure, and portability, emphasizing data privacy and control.
Question 5. Which type of investigation is primarily focused on compliance with industry standards and
internal policies?
A) Criminal investigation
B) Civil investigation
C) Regulatory investigation
D) Internal audit or standard compliance review
Answer: D
Explanation: Internal audits or standard compliance reviews assess adherence to organizational policies
and industry standards, rather than legal violations.
Question 6. When developing a security policy, which characteristic is most essential?
A) Vague and flexible language
B) Clear, specific, and enforceable directives
C) Focus solely on technical controls
D) Avoidance of compliance considerations
Answer: B
Explanation: Effective security policies must be clear, specific, and enforceable to ensure consistent
implementation and compliance across the organization.
Question 7. Which of the following is a preventive security control?
A) Intrusion Detection System (IDS)
B) Firewall
C) Security audit
D) Incident response plan
Answer: B
Explanation: Firewalls prevent unauthorized access by filtering incoming and outgoing network traffic,
serving as a preventive control.
Question 8. Which personnel security measure involves verifying an individual's identity before granting
access?
A) Background check
B) Security awareness training
C) Identity verification during onboarding
D) Periodic security audits
Answer: C
Explanation: Identity verification during onboarding ensures that only authenticated individuals are
granted access, helping prevent unauthorized entry.
Question 9. In risk management, which approach involves transferring risk to another party, such as
through insurance?
A) Mitigation
B) Acceptance
C) Transfer
D) Avoidance
Answer: C
Explanation: Transferring risk involves shifting the impact to another entity, often via insurance or
outsourcing, to reduce organizational exposure.
Question 10. Which risk framework is developed by NIST and used to manage information security risk?
A) ISO 27001
B) COBIT
C) NIST RMF (Risk Management Framework)
D) FAIR
Answer: C
Explanation: The NIST RMF provides a structured approach for managing security risk across information
systems, aligning with best practices.
Question 11. STRIDE is a threat modeling methodology that categorizes threats into which of the
following groups?
A) Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
B) Scanning, Testing, Reconnaissance, Injection, Exploitation
C) Confidentiality, Integrity, Availability, Accountability, Auditability
D) Detection, Response, Recovery, Prevention, Mitigation
Answer: A
Explanation: STRIDE categorizes threats as Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, and Elevation of Privilege.
Question 12. Which of the following best describes supply chain risk management (SCRM)?
A) Managing internal security policies
B) Assessing and mitigating risks associated with third-party suppliers and providers
C) Securing wireless networks within an organization
D) Encrypting data at rest and in transit
Answer: B
Explanation: SCRM focuses on identifying and reducing risks posed by third-party vendors, including
product tampering and counterfeit components.
Question 13. Asset classification involves which of the following activities?
A) Assigning security controls to all organizational data
B) Identifying and categorizing organizational data and assets based on their importance and sensitivity
C) Creating encryption keys for data at rest
D) Developing incident response procedures
Answer: B