473 questions · instant answer feedback · concise explanations · free
Question 1 of 473Which type of attack will most effectively provide privileged access (root access in Unix/Linux platforms) to a computer while hiding its presence?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Rootkits
A rootkit is designed to obtain and maintain highly privileged access while actively concealing its existence from system monitoring tools. Trojans provide backdoors but lack the robust stealth mechanisms inherent to rootkits, making them less effective for hidden root access.
Question 2 of 473Which of the following Cybersecurity concepts guarantees that information is accessible only to those authorized to access it?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Confidentiality
Confidentiality ensures that sensitive data is only accessible and readable by authorized individuals. Authentication verifies identity but does not itself enforce access rules, and accessibility focuses on system uptime rather than restricting unauthorized data disclosure.
Question 3 of 473If there is no time constraint, which protocol should be employed to establish a reliable connection between two devices?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. TCP
TCP establishes a reliable connection by ensuring error-checked, ordered packet delivery, making it ideal when data integrity outweighs speed constraints. UDP skips handshake processes and error correction to favor low-latency transmission, rendering it unsuitable for reliable delivery.
Question 4 of 473Which concept describes an information security strategy that integrates people, technology and operations in order to establish security controls across multiple layers of the organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Defense in Depth
Defense in depth uses multiple, overlapping security controls across people, technology, and operations to protect an organization. Least privilege and separation of duties are access control principles, while privileged accounts are an administrative asset type.
Question 5 of 473When a company hires an insurance company to mitigate risk, which risk management technique is being applied?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Risk transfer
Risk transfer shifts the financial consequences of a threat to a third party, typically by purchasing an insurance policy. Risk mitigation reduces threat likelihood or impact, and risk avoidance requires eliminating the vulnerable process entirely.
Question 6 of 473Which regulations address data protection and privacy in Europe?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. GDPR
The General Data Protection Regulation, or GDPR, is the European Union legislation governing data protection and privacy. The other options are United States regulations and do not apply to European data governance.
Question 7 of 473A web server that accepts requests from external clients should be placed in which network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. DMZ
Publicly accessible servers like web servers belong in a demilitarized zone, or DMZ, to isolate them from the trusted internal network. Placing them internally exposes the network, while a VPN is an access tunnel, not a hosting segment.
Question 8 of 473Which of the following is NOT an example of a physical security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Firewalls
Firewalls are technical controls regulating network traffic, not physical barriers protecting facilities. Security cameras, biometric readers, and electronic locks act as tangible, physical deterrents restricting direct access to buildings.
Question 9 of 473How many layers does the OSI model have?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. 7
The Open Systems Interconnection model consists of exactly seven distinct layers. These range from the physical hardware layer up to the application layer, differing from the four-layer TCP/IP model.
Question 10 of 473Alice and Bob are exchanging sensitive financial data over an unsecured network. Alice prepares a document and wants to ensure that only Bob can decrypt and read the contents. To achieve this, she uses an asymmetric encryption algorithm. Which of the following keys must Alice use to encrypt the document?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Bob's public key
To ensure confidentiality in asymmetric encryption, the sender must encrypt the message using the recipient's public key. This guarantees that only the intended recipient, who holds the matching private key, can decrypt and read the contents. Using your own private key provides non-repudiation, not confidentiality.
Question 11 of 473Which of the following properties is NOT guaranteed by Digital Signatures?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Confidentiality
Digital signatures provide authentication, integrity, and non-repudiation, but they do not provide confidentiality. A signature verifies the sender and proves the message was not altered, but it does not encrypt the contents to hide them from unauthorized viewers.
Question 12 of 473Which access control model specifies access to an object based on the subject's role in the organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. RBAC
Role-based access control grants permissions based on the user's assigned role or job function within the organization. Eliminate mandatory and discretionary models because they rely on security labels or direct owner discretion rather than organizational roles.
Question 13 of 473Which of these would be the best option if a network administrator needs to control access to a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. NAC
Network Access Control enforces security policy by restricting device access to the network until appropriate credentials and compliance checks are met. Intrusion detection and SIEM systems are monitoring tools that lack the active enforcement capability needed to block initial access.
Question 14 of 473An entity that acts to exploit a target organization's system vulnerabilities is a:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Threat Actor
The correct answer proves a threat actor is an entity that intentionally exploits system vulnerabilities to compromise security. While an attacker is a plausible synonym, threat actor is the precise ISC2 exam terminology for this specific concept.
Question 15 of 473Which of the following is NOT an element of system security configuration management?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Audit logs
The correct answer proves audit logs are generated by verification and audit procedures rather than serving as core elements of system security configuration management. Baselines, inventories, and updates are foundational steps for securely configuring systems.
Question 16 of 473Which of the following documents contains elements that are NOT mandatory?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Guidelines
Guidelines are voluntary recommendations providing flexibility, whereas policies, procedures, and regulations mandate strict compliance. Recognizing this distinction in force is essential for categorizing governance documents accurately.
Question 17 of 473What is an effective way of hardening a system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Patch the system
Applying patches and updates directly eliminates system vulnerabilities, hardening it against exploitation. The other options focus on detection or architectural isolation rather than actively reducing the system's inherent attack surface.
Question 18 of 473Which of the following is NOT a social engineering technique?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Segregation
Segregation, specifically segregation of duties, is an administrative control principle preventing fraud by splitting responsibilities. Baiting, pretexting, and quid pro quo are all recognized social engineering tactics used to manipulate human behavior.
Question 19 of 473After an earthquake disrupts business operations, which document contains the procedures required to return business to normal operation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The Disaster Recovery Plan
The Disaster Recovery Plan guides restoring IT infrastructure and operations after a catastrophic event. A Business Impact Analysis identifies critical functions, while the Business Continuity Plan sustains operations during the disruption.
Question 20 of 473In which phase of an incident response plan are incidents prioritized based on their severity and potential impact?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Detection and Analysis
Incidents are prioritized during the detection and analysis phase. The team assesses alerts to determine severity and impact, ensuring the most critical threats are addressed first. Other phases handle preparation, containment, or post-incident review rather than initial prioritization.
Question 21 of 473Which type of key can be used to both encrypt and decrypt the same message?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A symmetric key
Symmetric encryption uses a single shared secret key for both encrypting and decrypting data. This method is fast and efficient for bulk data. Asymmetric cryptography, by contrast, uses a matched public and private key pair where one key encrypts and the other decrypts.
Question 22 of 473A security safeguard is the same as a:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Security control
A security safeguard is synonymous with a security control, acting as a measure to manage risk by protecting system resources. Controls can be administrative, technical, or physical. The other terms describe different concepts and do not accurately define a safeguard.
Question 23 of 473What is the consequence of a Denial of Service attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Exhaustion of device resources
A denial of service attack overwhelms a target system with malicious traffic, causing exhaustion of its computational resources. This renders the service unavailable to legitimate users. The primary goal is operational disruption, not unauthorized remote control or malware deployment.
Question 24 of 473Which devices have the PRIMARY objective of collecting and analyzing security events?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. SIEM
A Security Information and Event Management system is designed specifically to collect, aggregate, and analyze security events from across the network. Firewalls and routers handle traffic filtering and routing, while hubs act as basic signal repeaters without analytical capabilities.
Question 25 of 473The implementation of Security Controls is a form of:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Risk reduction
Implementing security controls is a form of risk reduction, also known as risk mitigation. The other options represent different risk responses, such as avoiding the activity, accepting the potential loss, or transferring the risk to a third party through insurance.
Question 26 of 473Which cloud model gives the customer the least responsibility over the infrastructure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. SaaS
Software as a Service gives the customer the least responsibility over the infrastructure because the provider manages everything from servers to the application. Infrastructure as a Service requires the customer to manage the operating systems and applications, leaving more infrastructure responsibility.
Question 27 of 473Which type of attack embeds malicious payload inside a reputable or trusted software?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Trojans
A Trojan horse embeds malicious payload inside a reputable or trusted software to evade security mechanisms. A rootkit maintains privileged access while concealing malicious activity, whereas phishing and cross-site scripting target users and web applications rather than hiding inside trusted software.
Question 28 of 473Which of the following is NOT a protocol of the OSI Level 3?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. SNMP
Simple Network Management Protocol is an application layer protocol, which corresponds to level seven of the OSI model, not level three. IP, ICMP, and IGMP all operate at the network layer, making them incorrect answers when looking for a non-level three protocol.
Question 29 of 473Which of the following is a public IP?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 13.16.123.1
A public IP address must be routable on the open internet, and the thirteen dot sixteen dot one hundred twenty-three dot one address fits this requirement. The remaining options fall under private address ranges reserved for internal local area networks, such as ten dot zero dot zero dot zero.
Question 30 of 473In which of the following access control models can the creator of an object delegate permission?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. DAC
Discretionary Access Control allows the creator or owner of an object to delegate permissions to other users. Mandatory access control enforces strict rules set by a central authority, while role-based and attribute-based models rely on assigned roles or policies.
Question 31 of 473An exploitable weakness or flaw in a system or component is a:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Vulnerability
A vulnerability is an exploitable weakness or flaw in a system or component that a threat source could leverage. A threat is the potential danger, risk is the potential for loss, and a bug is simply a software flaw that does not always create a security issue.
Question 32 of 473The process of verifying or proving the user's identification is known as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Authentication
Authentication is the process of verifying or proving a user's identification before granting access to a system. Authorization determines what specific resources the verified user can access, while confidentiality and integrity are core security principles.
Question 33 of 473Which device is used to connect a LAN to the Internet?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Router
A router is the network device specifically used to connect a local area network to the Internet by directing data packets between networks. Firewalls filter traffic for security, intrusion detection systems monitor for threats, and SIEM analyzes security alerts.
Question 34 of 473Malicious emails that aim to attack company executives are an example of:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Whaling
Whaling is a specific type of phishing attack that explicitly targets high-ranking executives. Phishing targets general users, while Trojans and rootkits refer to malicious software rather than social engineering techniques.
Question 35 of 473Which of the following principles aims primarily at fraud detection?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Separation of Duties
Separation of Duties ensures that critical tasks require multiple individuals, preventing one person from committing and concealing fraud. This shared responsibility serves as a direct fraud detection mechanism, unlike least privilege or defense in depth.
Question 36 of 473Which port is used to secure communication over the web (HTTPS)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. 443
Port 443 is used for HTTPS to ensure encrypted web traffic. Port 80 is unencrypted HTTP, while ports 69 and 25 are reserved for TFTP and SMTP respectively.
Question 37 of 473According to ISC2, which are the six phases of data handling?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Create → Store → Use → Share → Archive → Destroy
According to ISC2, the six phases of the data lifecycle are create, store, use, share, archive, and destroy. Memorizing this exact order is crucial for the exam.
Question 38 of 473Which of the following cloud models allows access to fundamental computer resources?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Impact
Impact is defined as the magnitude of harm expected from unauthorized disclosure or loss of information. Likelihood measures probability, while vulnerabilities are weaknesses and threats are potential adverse events.
Question 39 of 473Which are the three packets used on the TCP connection handshake? (★)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. SYN → SYN/ACK → ACK
TCP uses a three-way handshake to establish a reliable connection by exchanging three packets with the SYN, SYN/ACK and ACK flags. Although SYN, ACK and FIN are valid TCP packet flags, the sequence SYN → ACK → FIN is not the TCP handshake. Both the sequences Discover → Offer → Request and Offer → Request → ACK are used in DHCP.
Question 40 of 473The cloud deployment model where a company has resources on-premises and in the cloud is known as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Hybrid cloud
A hybrid cloud combines on-premises infrastructure, private cloud services, and a public cloud to handle storage and services. Community clouds involve shared resources among organizations with common goals, while multi-tenancy refers to customers sharing computing resources.
Question 41 of 473The process that ensures that system changes do not adversely impact business operations is known as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Change Management
Change management is the process of implementing necessary changes so that they do not adversely affect business operations. Vulnerability management tracks system flaws, configuration management maintains system integrity, and incident management addresses unplanned events.
Question 42 of 473Which of the following is an example of a technical security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Access control lists
Access control lists are technical security controls implemented in software or hardware to limit access to digital resources based on rules. Fences, bollards, and turnstiles are physical security controls designed to prevent unauthorized physical access to facilities.
Question 43 of 473Which of these tools is commonly used to crack passwords?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. John the Ripper
John the Ripper is a standard password cracking and auditing tool used to test password strength. The other options serve different security functions: Burp Suite tests web applications, while Wireshark and Nslookup are used for network analysis and DNS queries.
Question 44 of 473Which of the following is NOT a type of learning activity used in security awareness?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Tutorial
Awareness, training, and education are the three foundational learning activities defined in security programs. Tutorials simply teach specific step-by-step tasks and are not categorized as a primary security learning activity.
Question 45 of 473Which security principle states that a user should only have the necessary permission to execute a task?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Least Privilege
The principle of least privilege ensures users are granted only the minimum access required to perform their specific job duties. Separation of duties divides tasks to prevent fraud, while defense in depth uses multiple security layers.
Question 46 of 473The Bell and LaPadula access control model is a form of:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. MAC
The Bell and LaPadula model is a classic implementation of mandatory access control, focusing on data confidentiality across strict security levels. Unlike discretionary access control, users cannot change the security labels governing access.
Question 47 of 473Which of the following is NOT a possible model for an incident response team (IRT)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Pre-existing
Valid incident response team structures include dedicated, leveraged, and hybrid models. A pre-existing team is not a recognized model because incident response groups are intentionally formed to address specific organizational security mandates.
Question 48 of 473Which of the following is an example of two-factor authentication (2FA)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. One-Time passwords (OTP)
One-time passwords act as a secondary authentication factor, typically fulfilling the 'something you have' criteria. Badges, keys, and standard passwords only represent a single authentication factor unless paired with another mechanism.
Question 49 of 473Which of the following is a detection control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Smoke sensors
Smoke sensors are detection controls because they identify hazards and trigger alerts. The distractors represent physical or technical preventive controls—bollards, turnstiles, and firewalls—which are designed to block unauthorized access entirely.
Question 50 of 473Which access control model can grant access to a given object based on complex rules?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. ABAC
Attribute-based access control, or ABAC, evaluates complex rules using subject, object, and environmental attributes. The alternative models rely on fixed labels, ownership, or roles, lacking ABAC's dynamic policy flexibility.
Question 51 of 473Which are the components of an incident response plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Preparation → Detection and Analysis → Containment, Eradication and Recovery → Post-Incident Activity
The standard incident response lifecycle includes preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. Eliminate any options that place containment after recovery, as you must isolate the threat before safely removing it and restoring systems.
Question 52 of 473The predetermined set of instructions or procedures to sustain business operations after a disaster is commonly known as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Business Continuity Plan
A Business Continuity Plan outlines how an organization will sustain critical business operations during and after a major disruption. Disaster recovery focuses specifically on restoring IT infrastructure, whereas business continuity addresses the overall mission and business processes.
Question 53 of 473A company needs to securely connect two branch offices over the public internet. They implement a solution that encrypts the entire original IP packet and wraps it in a new packet header for safe transit. This ensures that internal IP addresses are hidden from external viewers during transmission. Which concept best applies?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. IPSec Tunnel Mode
IPSec tunnel mode encapsulates and encrypts the entire original IP packet within a new packet header, which hides internal network addresses during transit. Transport mode only encrypts the payload and leaves the original IP header visible, making it unsuitable for site-to-site gateway connections.
Question 54 of 473Which of the following types of devices inspect packet header information to either allow or deny network traffic?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Firewalls
Firewalls inspect packet header information against a defined rule set to either allow or deny network traffic. Switches and routers forward traffic based on destination addresses, while hubs simply broadcast all packets without any inspection or filtering capabilities.
Question 55 of 473Governments can impose financial penalties as a consequence of breaking a:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Regulation
Regulations are legal requirements established by governments, meaning non-compliance can result in official financial penalties. Standards are voluntary technical guidelines, while policies and procedures are internal organizational rules that do not carry government fines.
Question 56 of 473A device found not to comply with the security baseline should be:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Disabled or isolated into a quarantine area until it can be checked and updated
A device that fails to meet security baselines should be disabled or isolated in a quarantine area until it is remediated. Placing it in a demilitarized zone exposes it to the internet, and a virus scan alone does not guarantee baseline compliance.
Question 57 of 473Which protocol uses a three-way handshake to establish a reliable connection?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. TCP
The Transmission Control Protocol uses a three-way handshake to establish a reliable connection between two devices. UDP is a connectionless protocol that does not use handshakes, while SMTP and SNMP are application-layer protocols.
Question 58 of 473Which of the following attacks take advantage of poor input validation in websites?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Cross-Site Scripting
Cross-site scripting is a web application vulnerability that exploits poor input validation to inject malicious client-side scripts. Phishing relies on social engineering, while rootkits and trojans are types of malicious software.
Question 59 of 473Which cloud deployment model is suited to companies with similar needs and concerns?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Community cloud
A community cloud is shared by several organizations with similar needs, such as specific regulatory or security requirements. Private clouds serve a single organization, while hybrid clouds mix different environments.
Question 60 of 473What is the PRIMARY characteristic of a Smurfing attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It floods a victim with traffic by abusing broadcast addresses
A smurfing attack is a distributed denial-of-service technique that abuses IP broadcast addresses to flood a victim with traffic. The other options describe malware, social engineering, or ransomware.
Question 61 of 473What type of security control is the biometric reader that grants access to the data center building?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Physical Control
A biometric reader that grants access to a building is considered a physical security control because it restricts facility entry. Technical controls protect computer systems, while administrative controls guide human behavior.
Question 62 of 473The detailed steps to complete tasks supporting departmental or organizational policies are typically documented in:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Procedures
Procedures provide the mandatory, step-by-step actions required to implement organizational policies. Policies establish high-level rules, whereas procedures detail the exact operational execution. Standards offer specific benchmarks, leaving procedures as the clear choice for detailed task completion.
Question 63 of 473Which of these has the PRIMARY objective of identifying and prioritizing critical business processes?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Business Impact Analysis
A Business Impact Analysis focuses entirely on identifying and prioritizing critical business processes following a disruption. Disaster recovery and business continuity plans dictate the actual technical and operational recovery steps, making them incorrect options here.
Question 64 of 473Two ISC2 certified professionals are involved in a heated legal dispute regarding the terms of a consulting contract. One member files a complaint with the ISC2 ethics committee, claiming the other party breached the contract and acted unprofessionally. The dispute is currently purely civil and has not been decided by a court of law. How will ISC2 typically respond to this request for resolution?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. They will not intervene or investigate private disputes or conflicts of interest
ISC2 does not act as an arbitrator or legal authority for private, contractual disputes between certified professionals. The organization only reviews ethics violations based on established legal or factual findings, eliminating the distractors about suspensions and legal counsel.
Question 65 of 473Which of the following is an example of an administrative security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Acceptable Use Policies
Acceptable use policies represent administrative security controls because they dictate human behavior and governance rules. Badge readers and signs are physical controls, while access lists are technical, meaning only the policy correctly identifies an administrative function.
Question 66 of 473Which type of attack attempts to trick the user into revealing personal information by sending a fraudulent message?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Phishing
Phishing relies on social engineering, using fraudulent messages to manipulate users into surrendering private data. Trojans and cross-site scripting rely on technical exploits or malware execution rather than direct human deception to harvest information.
Question 67 of 473Which type of attack PRIMARILY aims to make a resource inaccessible to its intended users?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Denial of Service
Denial of Service attacks target system availability by overwhelming resources with illegitimate traffic until legitimate users are locked out. Phishing and cross-site scripting primarily compromise confidentiality or integrity, completely missing the availability target.
Question 68 of 473Which of these is NOT an attack against an IP network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Side-channel Attack
A side-channel attack extracts cryptographic secrets by monitoring physical device emissions or timing rather than targeting network traffic. Man-in-the-middle, oversized, and fragmented packet attacks explicitly disrupt or intercept standard IP network communications.
Question 69 of 473Which device would be more effective in detecting an intrusion into a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. NIDS
A network intrusion detection system is purpose-built to monitor traffic and alert administrators about malicious activity across the entire network. Firewalls and routers focus on traffic filtering, and host-based systems only monitor individual endpoints.
Question 70 of 473Which type of attack has the PRIMARY objective of controlling a system from outside?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Backdoors
A backdoor bypasses standard authentication to provide remote attackers with ongoing unauthorized control over a compromised system. While rootkits or trojans might install backdoors, the backdoor itself is the mechanism enabling external command execution.
Question 71 of 473Which access control is more effective at protecting a door against unauthorized access?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Locks
Locks directly secure doors by requiring authorized keys or credentials for entry. While turnstiles and fences manage perimeter traffic, locks provide the most targeted defense against unauthorized physical access at the entry point itself.
Question 72 of 473The SMTP protocol operates at which level of the OSI model?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 7
The Simple Mail Transfer Protocol operates at layer seven, the application layer of the OSI model, which interfaces directly with end-user software. The numerical options like twenty-five and twenty-three are port numbers, not network layers.
Question 73 of 473Which of these is the most thorough and effective way to test a business continuity plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Simulations
Simulations are the most effective method because they involve full-scale re-enactments of emergency procedures, testing the plan under realistic conditions. Walkthroughs and reviews are valuable but remain static preparation steps that do not actively stress-test operational readiness.
Question 74 of 473How many data classification labels are generally considered manageable for an organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. 2 – 3
Industry best practices state that two or three data classification labels are manageable for most organizations. Maintaining a simple system prevents confusion and reduces administrative overhead. Implementing more than four categories often becomes overly complex and challenging to enforce consistently.
Question 75 of 473Which of the following is a data handling policy procedure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Destroy
Destroy is the final phase of the data handling lifecycle, requiring the secure elimination of data so it cannot be recovered. The other options relate to general data processing or transformation, but they are not official data handling phases used in security policies.
Question 76 of 473The address 8be2:4382:8d84:7ce2:ec0f:3908:d29a:903a is an:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. IPv6 address
An IPv6 address is represented as eight groups of four hexadecimal digits separated by colons. The length and format clearly distinguish it from 32-bit IPv4 addresses, 48-bit MAC addresses, and standard web URLs.
Question 77 of 473What is the PRIMARY purpose of an information security awareness program?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To influence and change employee behavior regarding security risks
The primary purpose of an information security awareness program is to influence employee behavior and foster a security-conscious culture. Technical controls are handled by systems, and eliminating all incidents or phishing responses is impossible.
Question 78 of 473Which of these is the PRIMARY objective of a Disaster Recovery Plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Restore company operation to the last-known reliable operation state
The primary objective of a Disaster Recovery Plan is to restore operations to the last-known reliable state after an incident. Maintaining crucial operations during a disaster is the goal of a Business Continuity Plan.
Question 79 of 473Sensitivity is a measure of the …:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. … importance assigned to information by its owner, or the purpose of representing its need for protection
Sensitivity measures the importance assigned to information by its owner to represent its need for protection. This concept directly dictates how data is classified and safeguarded against unauthorized access.
Question 80 of 473Which type of attack attempts to gain information by observing the device's power consumption?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Side Channels
A side-channel attack extracts information from the physical implementation of a system, such as power consumption or electromagnetic leaks. The other options represent different threat categories that do not rely on passive hardware emissions to gather data.
Question 81 of 473In incident terminology, the meaning of Zero Day is:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A previously unknown system vulnerability
A zero-day vulnerability is an unknown system flaw that attackers can exploit because no patch or signature exists yet. These vulnerabilities do not fit recognized patterns, making them difficult to detect and prevent using standard security tools.
Question 82 of 473Which action best describes the capability of an editing account?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Change the contents of existing files
An editing account is designed specifically to modify file content while lacking administrative or ownership-level control. Assigning permissions requires administrative rights, and accessing or sharing files typically requires owner or contributor privileges.
Question 83 of 473Which of these types of user is LESS likely to have a privileged account?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. External Worker
External workers are less likely to have privileged accounts due to the increased risk of misuse and lack of oversight. Help desk staff, security analysts, and system administrators require elevated privileges to manage endpoints, infrastructure, and data environments.
Question 84 of 473In Change Management, which component addresses the procedures needed to undo changes?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Rollback
A rollback component addresses the procedures and actions needed to undo changes if monitoring suggests a failure or inadequate performance. A request for change formalizes the initial proposal, but only the rollback phase plans the reversal procedure.
Question 85 of 473Which of the following elements is the minimum required information that must be included in an ethics complaint affidavit?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The respondent, alleged behavior, breached canon, complainant's standing, and corroborating evidence
An ethics complaint must include the respondent, alleged behavior, breached canon, complainant's standing, and corroborating evidence. This provides the necessary jurisdiction and context, whereas the distractors omit mandatory elements or suggest non-required steps.
Question 86 of 473With respect to risk management, which of the following options should be prioritized?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The frequency of occurrence is low, and the expected impact value is high
Risk management prioritizes scenarios with high impact, even if the probability or frequency is low. This focus ensures resources mitigate severe consequences to critical assets, rather than routine low-impact issues.
Question 87 of 473Logging and monitoring systems are essential to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Identifying inefficient performing systems, detecting compromises, and providing a record of how systems are used
Logging and monitoring systems are essential for identifying inefficient performance, detecting security compromises, and providing an audit trail. Logging detects and records incidents rather than actively preventing them, which eliminates options that promise prevention.
Question 88 of 473Two individuals approach a restricted server room entrance that requires biometric authentication. The first individual successfully scans their fingerprint to unlock the door, and the second individual slips in through the open door without scanning and with the acknowledgement of the first person. Which security concept best applies to this scenario?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Piggybacking
Piggybacking occurs when an unauthorized individual enters a secure area with the knowledge and consent of an authorized person. Tailgating is the trap to avoid here because it implies the authorized user is completely unaware of the person following them inside.
Question 89 of 473Which of the following areas is the most distinctive property of PHI?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Confidentiality
Confidentiality is the most distinctive property of Protected Health Information because preventing unauthorized disclosure is the primary concern. While integrity, authentication, and non-repudiation apply to general data, strict privacy rules uniquely govern health records.
Question 90 of 473A best practice of patch management is to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Test patches before applying them
Testing patches before applying them to production systems is a core best practice to prevent unexpected downtime or stability issues. Rushing deployment based on arbitrary schedules or vendor reputation introduces operational risk.
Question 91 of 473In order to find out whether personal tablet devices are allowed in the office, which of the following policies would be helpful to read?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. BYOD
A Bring Your Own Device policy establishes the rules for using personal tablets or phones in the workplace. The acceptable use policy governs how organizational systems are used, while change and privacy policies cover different areas.
Question 92 of 473Which of these is NOT a change management component?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Governance
Governance is a broad organizational concept rather than a specific change management component. Change management relies on requests for change, approvals, and rollbacks to manage system modifications safely.
Question 93 of 473Which of the following are NOT types of security controls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Storage controls
Control frameworks categorize safeguards into common, system-specific, and hybrid controls. Storage controls represent a hardware location, not a distinct administrative or technical control category, making it the correct outlier.
Question 94 of 473Which of the following is NOT a feature of a cryptographic hash function?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Reversible
Cryptographic hashes are one-way mathematical operations, meaning the original plaintext cannot be derived from the hash output. Reversibility directly contradicts this core security principle, ensuring that stolen hashes remain computationally secure.
Question 95 of 473What is the proper procedure to submit a complaint to ISC2?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Submit a sworn affidavit in writing with a second copy in PDF format
Formal ethics complaints must be submitted in writing with supporting evidence attached. This requirement ensures due process, traceability, and fairness during the investigation. Anonymous reports or verbal updates lack the verifiable accountability required by the ethics committee.
Question 96 of 473After conducting a risk assessment, an organization implements multiple security controls to reduce the likelihood and impact of known threats. However, some level of risk remains because it cannot be completely eliminated without incurring excessive costs or disrupting business operations. Management formally acknowledges and accepts this risk. Which concept best describes this situation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: E. Residual Risk
Residual risk is the portion of threat exposure that remains after management implements and accepts the limitations of security controls. Risk appetite and tolerance define strategic willingness, but neither describes the concrete leftover risk itself.
Question 97 of 473What is the PRIMARY goal of security training?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To build proficiency in a set of skills or actions in security subjects
Security training is designed to build practical skills, enabling employees to recognize and respond to threats effectively. The distractors describe unrealistic outcomes, as eliminating policies or granting administrative access would severely weaken security.
Question 98 of 473What is the most effective physical security measure for a recently established unstaffed computing facility, featuring motion detectors and secondary authentication?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Mantrap
A mantrap provides physical access control by using two interlocking doors, ensuring only authenticated users enter. The distractors fail because cameras only record intrusion, an IPS is a network control, and Faraday cages block electromagnetic fields.
Question 99 of 473Which of the following is a best practice for data backup policies?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Encrypting backups to protect data confidentiality and integrity
Encrypting backups protects the confidentiality and integrity of the stored data if it is lost or stolen. The other options represent poor practices, as backups require regular testing, defined schedules, and off-site storage to ensure recovery.
Question 100 of 473Which risk management strategy does an organization use when it recognizes the risk of a natural disaster but decides not to implement controls because the costs outweigh the benefits?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Risk acceptance
Risk acceptance occurs when leadership acknowledges a risk but chooses not to implement controls because the cost outweighs the benefit. Avoidance removes the threat entirely, mitigation reduces it, and transference shifts the impact to a third party.
Question 101 of 473What is a zero-day vulnerability?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. An attack previously unknown to the security community
A zero-day vulnerability is an unknown security flaw in software or hardware that developers have had zero days to patch. The term does not refer to novice attackers or literal date manipulation.
Question 102 of 473What type of disaster recovery test involves activating the alternate processing facility while keeping the primary site operational?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Parallel test
A parallel test activates the alternate processing facility while keeping the primary site operational. The trap options are checklist, tabletop, and full interruption tests because they do not involve running both sites concurrently.
Question 103 of 473What is the PRIMARY objective of a Virtual Private Network (VPN)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. To provide secure access to a network
The primary objective of a Virtual Private Network is to provide secure access to a network. While VPNs do provide device access, options like subnetting or cloud connectivity are secondary functions rather than the main security goal.
Question 104 of 473What term is used to describe a large collection of unrelated patches released together?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Service pack
A service pack is a large collection of unrelated patches released together to update software efficiently. Eliminate hotfix and security fix because those terms refer to individual, targeted vulnerability patches.
Question 105 of 473Which of the following access control types does NOT involve a lock?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Directive
Directive access control is an administrative control that issues policies or guidelines, which does not involve a physical lock. Physical, preventive, and deterrent controls often rely on physical barriers or devices to function.
Question 106 of 473What term refers to a facility that is equipped with HVAC, power, and communications circuits, but does not have hardware for a business to use during a disaster?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Cold site
A cold site is a facility equipped with basic infrastructure like HVAC, power, and communications, but lacks active hardware. Eliminate warm and hot sites because they include pre-installed equipment and data replication capabilities.
Question 107 of 473Which option below does NOT represent a type of biometric data?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Smart Card
Biometric data refers to physical characteristics used for identification, such as voice records, retina scans, and fingerprints. A smart card is a physical authentication token, not an inherent physical or behavioral trait.
Question 108 of 473Which of the following documents is developed by governments or industry regulators to enforce specific requirements for cybersecurity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Regulations
Regulations are developed by governments or industry regulators to enforce legally binding cybersecurity requirements. Eliminate policies and procedures because they are internal documents created by the organization itself.
Question 109 of 473Which of the ISC2 Code of Ethics canons emphasizes the importance of continuous professional development?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Advance and protect the profession
The advance and protect the profession canon requires members to maintain their competence and keep skills current. The other canons focus on protecting society, acting legally, and providing diligent service.
Question 110 of 473What type of control is commonly exemplified by dogs, guards, and fences?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Physical
Dogs, guards, and fences are physical controls designed to prevent or deter unauthorized physical access. Detective controls identify incidents, recovery controls restore operations, and administrative controls manage policies.
Question 111 of 473The CIA Triad is a foundational security model that includes which three key principles?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Confidentiality, Integrity, Availability
The CIA Triad is the foundational security model encompassing confidentiality, integrity, and availability. Accessibility, identity, and concealment are distractors that sound similar but do not form the standard triad.
Question 112 of 473What access control principle prevents someone from both creating a new user account and assigning that account superuser privileges within the same system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Separation of duties
Separation of duties requires multiple individuals to complete sensitive tasks, preventing one person from creating and elevating an account. Least privilege limits access, but separation specifically divides these conflicting duties.
Question 113 of 473Which aspect of the CIA Triad focuses on ensuring that the information is accessible when it is needed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Availability
Availability ensures that information and systems remain accessible to authorized users when needed. Confidentiality protects against unauthorized access, while integrity prevents unauthorized data alteration.
Question 114 of 473Which ISC2 Code of Ethics Canon emphasizes a security analyst's duty to avoid harm and uphold public well-being?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Protect society, the common good, necessary public trust and confidence, and the infrastructure
The first canon of the ISC2 Code of Ethics prioritizes protecting society, the common good, and public infrastructure. This overarching duty ranks above responsibilities to principals, ethical behavior, or advancing the profession.
Question 115 of 473An organization plans to implement a new billing policy for the financial department. The policy will affect existing procedures, require approval, and must be communicated to relevant stakeholders before being enforced. Which concept BEST describes this process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Change management
Change management is the formal process of controlling modifications to systems, policies, or procedures to minimize disruption. It requires logging, assessing, approving, and communicating changes, distinguishing it from incident response or business continuity.
Question 116 of 473A business application fails to open a file received from an external source because the file has an unusual extension (.XLL). The user wants to open the file so work can continue and is unsure of the best action to take. What is the MOST appropriate action?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Treat the file as untrusted and analyze it in a secure environment
Files with unusual extensions from external sources must be treated as untrusted and analyzed in a secure environment like a sandbox. Forcing applications to open files, renaming extensions, or disabling validation prioritizes convenience over security and weakens your defense-in-depth posture.
Question 117 of 473Which of the following layers is NOT a layer in the TCP/IP architecture?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Data link Layer
The data link layer is part of the OSI model, not the four-layer TCP/IP architecture. The TCP/IP model consists of the Application, Transport, and Internet layers, plus a Network Access layer, which eliminates the other options.
Question 118 of 473HIPAA primarily oversees the use of:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Protected health information (PHI) in the United States
HIPAA is a United States law that regulates the use and disclosure of Protected Health Information. It applies to covered entities like healthcare providers, eliminating options that reference European data or social media.
Question 119 of 473What term describes the maximum level of data loss an organization is willing to accept in pursuit of its objectives?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Risk appetite
Risk appetite is the broad amount and type of risk an organization is willing to accept to achieve its objectives. Risk tolerance refers to operational thresholds, while residual risk remains after controls are applied, eliminating the distractors.
Question 120 of 473Which of the following is NOT considered a threat actor?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A software company developing a malware detection system
A software company developing a malware detection system is a cybersecurity defender, not a threat actor. Nation-states, corporate competitors, and cyberterrorists are all malicious entities that exploit vulnerabilities, which validates the other options.
Question 121 of 473What is a side-channel attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A passive, noninvasive attack to observe the operation of a device
A side-channel attack is a passive, noninvasive technique where attackers observe the physical operation of a device, such as power consumption or timing. Options describing spoofing, phishing, or botnets target software or users instead.
Question 122 of 473What process should the company undertake to verify that an employee has the necessary privileges, considering their roles in HR, payroll, and customer service?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Account review
Account review verifies that employees have only the necessary privileges for their current roles, directly preventing privilege creep. Revocation removes access entirely, while re-provisioning happens during role changes, eliminating the distractors.
Question 123 of 473Which of the following is a common topic covered in security awareness training?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Recognizing and reporting phishing attempts
Recognizing and reporting phishing attempts is a core focus of security awareness training because it directly reduces human risk. Disabling antivirus, sharing passwords, and granting admin access to everyone all introduce critical vulnerabilities.
Question 124 of 473Which of the following documents outlines the specific step-by-step instructions to achieve a task or process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Procedures
Procedures provide the mandatory, step-by-step technical instructions required to complete specific tasks securely. Policies establish high-level rules, standards define technical requirements, and regulations are legal mandates, which eliminates those options.
Question 125 of 473Which type of disaster recovery test has the LEAST possible impact on regular information system operations?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Checklist review
A checklist review is a paper-based exercise that validates recovery documentation without touching production systems. The other options involve actual system disruption or resource usage, with a full interruption test being the most disruptive approach.
Question 126 of 473Which type of documentation is commonly created once an incident has been remediated?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A document outlining the lessons learned
Once an incident is resolved, organizations create a lessons learned document to identify process improvements. The distractors apply to different lifecycle phases, as risk assessments happen beforehand and remediation actions occur during active mitigation.
Question 127 of 473What is the PRIMARY goal of a spoofing attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Gaining access to a target system
The primary goal of spoofing is gaining system access by impersonating a legitimate user or device to bypass authentication. While spoofing can support malicious code delivery or redirection, those are secondary effects rather than the core objective.
Question 128 of 473What is the main purpose of an Acceptable Use Policy (AUP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Informs users of company expectations when they use computer systems and networks
An Acceptable Use Policy outlines the rules and expectations for how employees may use organizational systems and networks. Password guidelines and network monitoring are separate administrative controls, making them incorrect distractors here.
Question 129 of 473What type of attack is a Distributed Denial of Service (DDoS) attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. An attack involving numerous unsuspecting secondary victim systems used to flood the target system
A Distributed Denial of Service attack uses multiple compromised systems to flood a target with traffic, disrupting service for legitimate users. The other options describe spoofing, phishing, or specific HTTP floods rather than the distributed nature of the attack.
Question 130 of 473Which principle limits access to personally identifiable information (PII) to essential information?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Need to know
The need to know principle limits access to sensitive data strictly to what is required for a specific job function. Separation of duties splits tasks to prevent fraud, while context-dependent controls rely on system state.
Question 131 of 473What is the best technology for detecting unauthorized storage of sensitive data on hard drives?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. DLP
Data Loss Prevention identifies, monitors, and protects sensitive data at rest, such as on hard drives. Intrusion detection and prevention systems focus on network traffic analysis, while Transport Layer Security encrypts data in transit.
Question 132 of 473What is the term for retaining and maintaining information for as long as it is needed?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Record retention
Record retention refers to the practice of maintaining and storing information for its required lifespan. Data storage policies dictate security guidelines, whereas asset maintenance deals with physical or virtual inventory tracking.
Question 133 of 473A security analyst is required to transmit a confidential incident report to the organization's CISO using email. The primary security objective is to ensure confidentiality of the message if it is intercepted during transmission. The analyst has access to the organization's public key infrastructure. Which of the following is the BEST key to use to encrypt the message?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The CISO's public key
To ensure confidentiality in public key infrastructure, the sender encrypts the message using the recipient's public key. This guarantees that only the intended recipient, who holds the matching private key, can decrypt and read the message.
Question 134 of 473Which of the following is an administrative security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Security Awareness Training
Security awareness training is an administrative control because it focuses on educating personnel and managing human risk through policies. Physical controls deter physical access, while technical controls enforce rules digitally.
Question 135 of 473Which of the following is an example of a physical security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Using CCTV cameras to monitor unauthorized access
Closed-circuit television cameras are physical controls because they monitor and record physical access to deter unauthorized entry. Acceptable use and training are administrative controls that manage human behavior.
Question 136 of 473What is the main difference between PII and PHI?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. PII is personal information, while PHI is health-related information
Personally identifiable information identifies an individual, while protected health information specifically relates to their medical care and health status. Protected health information is a specialized subset of personally identifiable information.
Question 137 of 473What statement regarding the ISC2 code of ethics is NOT true?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The code applies to all members of the information security profession
The ISC2 Code of Ethics applies specifically to ISC2 members and certified professionals, not every member of the information security industry. Adherence is mandatory for certification, breaches must be reported, and violations can result in certification revocation.
Question 138 of 473Digital signatures provide which of the following security benefits?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Data integrity and non-repudiation
Digital signatures provide data integrity and non-repudiation by uniquely linking the sender to the message. Any changes made after signing invalidate the signature, and the sender cannot deny sending it, whereas confidentiality requires encryption.
Question 139 of 473Which OSI model layer is responsible for the end-to-end transmission of data between two hosts?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The Transport layer
The Transport layer manages reliable or unreliable end-to-end data transmission between hosts using protocols like TCP and UDP. The Network layer handles routing between networks, while the Session and Presentation layers manage dialog and data formatting.
Question 140 of 473Which of the following describes the number of authentication factors employed by an organization requiring a username, PIN, token, and retina scan during login?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Three
The scenario uses three authentication factors: something you know, something you have, and something you are. The trap is counting the username and PIN as two separate items, but a username is an identity identifier, not an authentication factor.
Question 141 of 473A hash function is …:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. … a mathematical function that generates a fixed-size string of characters
A hash function is a mathematical function that generates a fixed-size string of characters from an input. Eliminate data compression and encryption because hashing specifically ensures data integrity rather than confidentiality.
Question 142 of 473Which security solution can prevent unauthorized access to the internal network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. NAC
Network Access Control enforces security policies by checking device compliance before granting network access. SIEM aggregates logs, NAT translates addresses, and VLANs segment traffic, but none actively block non-compliant devices.
Question 143 of 473What is the term for an instance in which a logged-in user can perform specific activities within an application or system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Authorization
Authorization grants or denies specific rights to a logged-in user, dictating what actions they can perform. Logins verify identity, while roles and groups simply organize users to make assigning those permissions easier.
Question 144 of 473A flood of inbound connections from various global locations suggests what kind of attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A distributed denial-of-service attack
A distributed denial-of-service attack floods a target with traffic from multiple compromised systems across various locations. Viruses and worms are malware types, while a smurf attack is a specific ICMP-based local flood.
Question 145 of 473What responsibility do you have as a member of the data protection team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To understand how the privacy laws apply to your organization
Data protection teams must understand how privacy laws apply to their specific organization. Interpreting, drafting, or enacting laws falls to legal professionals, judges, and legislators, not internal security staff.
Question 146 of 473Which of the following is a PRIMARY purpose of using digital signatures?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Protecting data from unauthorized modification
Digital signatures provide non-repudiation and protect data from unauthorized modification by ensuring integrity. Encryption protects confidentiality, authentication verifies identity, and hashing secures password storage.
Question 147 of 473What phase of the incident response process is aimed at minimizing the impact or extent of an incident?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Containment
The containment phase minimizes the impact and extent of a security incident by isolating affected systems. Detection identifies the incident, response stops it, and recovery restores normal operations, but containment specifically limits the damage.
Question 148 of 473After receiving a valid personal data access request, how long does an EU company typically have to respond?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Within 30 days
Under GDPR, organizations must respond to data subject access requests without undue delay and within one month. The other durations are incorrect because they either fall short of the standard or incorrectly apply complex case extensions.
Question 149 of 473Which cryptographic attribute is demonstrated when Alice proves that Bob's message undeniably came from him?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Non-repudiation
Non-repudiation proves the origin of a message so the sender cannot deny sending it. Authentication verifies identity, confidentiality protects data from unauthorized viewing, and integrity ensures the message remains unaltered during transmission.
Question 150 of 473Which term is used to denote the standard permissions assigned to a user account upon creation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Baseline
A baseline defines the standard initial permissions assigned to a user account upon creation. Entitlement refers to rights granted later based on role, while aggregation and transitivity involve data collection and domain trust relationships, respectively.
Question 151 of 473Which of the following logical access control models uses a set of rules to determine whether a subject can access a specific object?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Rule-Based Access Control (RuBAC)
Rule-Based Access Control uses specific conditions, like access control lists, to determine access permissions. Discretionary control relies on owner discretion, Role-Based uses job functions, and Mandatory Access Control relies on classification labels.
Question 152 of 473What instrument assists system administrators by providing secure configuration templates for operating systems and applications?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Baseline configuration
A baseline configuration provides secure configuration templates for operating systems and applications. Security guidelines are general recommendations, while a running configuration is simply the current active state, making baseline the only proven template.
Question 153 of 473When developing a business impact analysis, what should be the next step after creating a list of assets?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Determine the value of each asset
After creating an asset list in a business impact analysis, the immediate next step is determining the value of each asset. Evaluating risks and identifying vulnerabilities belong to the risk assessment process, not the initial business impact valuation.
Question 154 of 473Why is it important to conduct security awareness training regularly?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To ensure employees stay up to date with the latest security threats and best practices
Regular security awareness training ensures employees stay up to date with the latest threats and best practices. The other options describe actively bypassing security or decreasing critical security measures, which are never valid training goals.
Question 155 of 473What type of malware is used to take hostage a user's data and require a ransom payment for release?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Ransomware
Ransomware is malware that holds a user's data hostage by encrypting it until a ransom is paid. Trojans create backdoors, and denial of service attacks disrupt availability through traffic floods, eliminating the other options.
Question 156 of 473What receives a label in a MAC model?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Labels are assigned to objects and subjects
In a mandatory access control model, labels are assigned to both objects and subjects based on classification levels. Options suggesting only one receives a label or that all share the same label misrepresent the required subject and object pairing.
Question 157 of 473Which one of the following is PRIMARILY used for identification purposes and is not suitable for use as an authenticator?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Username
A username is used for identification, claiming an identity, but it is not an authenticator. Passwords, tokens, and biometrics like retinal scans prove that identity, making them true authentication factors.
Question 158 of 473What information security principle is applied by restricting access to administrative servers only to IT system administrators?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Least privilege
The principle of least privilege grants users only the minimum access required to perform their official duties. Need to know is a valid related concept, but least privilege specifically focuses on restricting administrative rights to appropriate roles.
Question 159 of 473Which one of the following security principles is PRIMARILY at risk when a device is lost or stolen?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Confidentiality
When a device is physically lost or stolen, the primary security concern is unauthorized access to sensitive data. This directly impacts confidentiality, as the theft exposes private information to unauthorized individuals.
Question 160 of 473Which of the following is NOT a principle of the ISC2 code of ethics?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Promptly report security vulnerabilities to relevant authorities
Promptly reporting vulnerabilities is a best practice but is not explicitly listed as one of the four ISC2 Code of Ethics Canons. The four actual canons focus on protecting society, acting legally, serving principals, and advancing the profession.
Question 161 of 473A senior cybersecurity engineer is working late at night in the office. Before leaving, he notices an individual searching through a trash bin in a restricted area. The engineer does not recognize this person as an employee. Which security concept best applies to this scenario?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Dumpster Diving
Dumpster diving involves physically searching through trash to find discarded sensitive information or documents. Tailgating involves following someone through a secure door, whereas whaling and eavesdropping target executives and communications.
Question 162 of 473What access control model is commonly used in firewalls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Rule-based access controls (RuBAC)
Rule-based access control, or RuBAC, uses specific conditions like IP addresses and ports to allow or deny actions. Firewalls rely heavily on these configured rule sets to filter network traffic, unlike role-based or discretionary models.
Question 163 of 473What type of attack involves attackers intercepting a connection between a user and a genuine website?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. On Path
An on-path attack, formerly known as a man-in-the-middle attack, occurs when an attacker secretly intercepts and possibly alters communication between two parties. The other options describe software, internal actors, or prolonged network invasions.
Question 164 of 473What security principle is being adhered to when a user's access request is declined, despite meeting the necessary security clearance, because there is no business justification for the access?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Need to know
The need to know principle restricts access even from cleared personnel if they lack a specific business requirement. Least privilege grants the minimum necessary permissions, but need to know directly enforces business justification for sensitive data.
Question 165 of 473Which of the following concepts is exemplified by a load balancer that spans across multiple regions and boosts website availability and performance?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Multiple processing sites
Multiple processing sites provide redundancy by distributing workloads across different geographic locations to ensure availability. Warm and cold sites are standby facilities for disasters, while a honeynet serves as a decoy network to trap attackers.
Question 166 of 473What cloud service is recommended for developers to create applications?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Platform as a Service (PaaS)
Platform as a Service provides developers with a framework to build, test, and deploy applications without managing the underlying infrastructure. Infrastructure as a Service requires managing virtual machines, while Software as a Service delivers finished applications.
Question 167 of 473Access is based on which three elements?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Subject, Object, and Rules
Access control fundamentally relies on the relationship between a subject, an object, and the rules that govern their interaction. Permissions are derived from rules, while layers refer to network architecture rather than core access components.
Question 168 of 473What is a PRIMARY objective of a Virtual Local Area Network (VLAN)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To segment a network into multiple subnets
A Virtual Local Area Network segments a larger physical network into multiple distinct broadcast domains to improve traffic management. Secure access to external providers uses VPNs, not local VLAN segmentation.
Question 169 of 473What is the PRIMARY purpose of encryption?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To protect data from unauthorized access
Encryption primarily protects data confidentiality by transforming readable plaintext into unreadable ciphertext. While it supports secure storage, its defining technical purpose is preventing unauthorized access, not processing or analyzing data.
Question 170 of 473What is the PRIMARY objective of security baselines?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Establish a standard for security configurations
Security baselines establish a uniform standard for system and application configurations to ensure a minimum level of protection. While baselines indirectly support data protection and threat monitoring, their primary purpose is to provide a measurable configuration standard.
Question 171 of 473Which of the following is typically NOT used as an anti-fraud measure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Human resources
Mandatory vacations, job rotation, and two-person control are administrative controls specifically designed to prevent and detect internal fraud. Human resources is a department, not a specific anti-fraud control mechanism.
Question 172 of 473Which of the following is NOT an example of a technical control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Data classification
Data classification is an administrative control because it involves defining policies and procedures for handling data based on its sensitivity. Technical controls are technology-based safeguards like firewalls, access control lists, and encryption.
Question 173 of 473What is the final phase of the data handling life cycle?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Destruction phase
Destruction is the final phase of the data handling lifecycle, ensuring that data is securely disposed of when it is no longer needed. This prevents unauthorized recovery of sensitive information.
Question 174 of 473What is the likelihood of a major earthquake in the downtown area of Paris in any given year, if records show that a major earthquake happens there every 100 years?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 0.01
The annual likelihood of an event occurring is calculated by dividing one by the frequency of occurrence in years. A 100-year event yields a probability of 0.01 per year.
Question 175 of 473What model is utilized in Mandatory Access Control (MAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Lattice based
Mandatory Access Control uses a lattice-based model to determine access based on subject clearance and object sensitivity labels. Discretionary access control allows owners to set permissions, while group-based and rule-based methods describe implementation rather than the underlying model.
Question 176 of 473Which of the following security concepts enables message recipients to prove the authenticity of the message sender to a third party?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Non-repudiation
Non-repudiation provides undeniable proof that a sender transmitted a message, preventing them from denying the action. Authentication only validates identity for the recipient, while integrity proves the message was unaltered, but neither concept alone prevents the sender from later denying it.
Question 177 of 473What is the PRIMARY goal of a visitor management policy as part of physical access controls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To control and monitor visitor access to the facility, ensuring only authorized individuals are granted entry
A visitor management policy tracks and restricts guest access to ensure only authorized individuals enter the facility. The remaining options describe weakening physical security, which directly contradicts the goal of safeguarding the facility and its physical assets.
Question 178 of 473What is the name of the network tool that changes and maps source addresses of client requests for client anonymity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A proxy
A proxy server acts as an intermediary, forwarding client requests while masking the original IP address for anonymity. Standard gateways, routers, and firewalls focus on routing and filtering traffic rather than deliberately rewriting source addresses.
Question 179 of 473Which access control model is more flexible and scalable between Mandatory Access Control (MAC) and Discretionary Access Control (DAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. DAC, for enabling individual administrators to make decisions and achieve scalability and flexibility
Discretionary Access Control, or DAC, is more flexible because it allows individual resource owners to make access decisions. Eliminate Mandatory Access Control because adding security labels actually increases administrative rigidity, not scalability.
Question 180 of 473What is the recommended approach for assessing risks when designing a Business Continuity Plan (BCP) that considers tangible and intangible assets?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Combination of quantitative and qualitative risk assessment
Assessing both tangible and intangible assets requires a combination of quantitative and qualitative risk assessments. Quantitative methods calculate financial loss, while qualitative methods evaluate subjective impacts like reputation.
Question 181 of 473What is the best technology for enforcing uniform security settings on multiple mobile devices in an organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. MDM
Mobile Device Management provides organizations with the tools to enforce security policies and manage mobile devices. Intrusion detection, intrusion prevention, and Security Information and Event Management systems focus on network threat detection rather than device configuration enforcement.
Question 182 of 473What is the other name given to security controls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Security safeguards
Security controls are commonly referred to as safeguards to protect the confidentiality, integrity, and availability of data. The other terms are informal or describe specific software agents rather than the broad administrative, technical, or physical measures used.
Question 183 of 473Which of the following can be considered an example of a computer security incident?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Conducting an unauthorized vulnerability scan
An unauthorized vulnerability scan qualifies as an incident because it threatens system confidentiality and integrity through active probing. Routine administrative tasks, like updating signatures or completing backups, are standard operational events.
Question 184 of 473Which port is typically used to identify unencrypted FTP traffic by an IDS?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. TCP port 21
File Transfer Protocol control traffic operates over TCP port 21. An intrusion detection system monitors this specific port to identify unencrypted FTP connections, distinguishing it from Telnet on port 23 or TFTP on UDP port 69.
Question 185 of 473Which of the following is a valid public IP address?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. 12.123.23.23
A valid public IP address must fall outside private ranges and contain octets no higher than 255. Option D is public, while option A is private, and options B and C contain invalid octets or syntax, quickly eliminating them.
Question 186 of 473What is an 'on-path' attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. An attack that attempts to intercept the communication between two devices in order to modify the information.
An on-path attack places a threat actor between two communicating devices to intercept or modify transmitted data. Eliminate the other options because passive observation does not include modification, and DDoS attacks use secondary victim systems.
Question 187 of 473Which cloud service model provides the highest level of flexibility and customization for the organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Infrastructure-as-a-Service (IaaS)
Infrastructure as a Service provides the highest level of flexibility and customization among cloud models by allowing organizations to manage operating systems, applications, and virtualized hardware. While on-premises offers maximum control, it is not categorized as a cloud service.
Question 188 of 473The PRIMARY objective of the Risk Management process is:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. …To identify, assess, and prioritize risks, and implement appropriate controls to minimize their potential impact
Risk management is a proactive process of identifying, assessing, and prioritizing risks. Appropriate controls are then selected and implemented to reduce their potential impact. Eliminating all risks is impractical, while minimizing costs or relying on reactive measures leaves an organization exposed to unnecessary threats.
Question 189 of 473In disaster recovery planning, which of the following would typically be considered examples of natural disasters? (I) Hacking incident, (II) Tsunami, (III) Forest fire, (IV) Terrorism
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. II and III only
Natural disasters such as tsunamis and forest fires are naturally occurring events considered during disaster recovery planning. Hacking and terrorism are intentional, man-made security incidents, making them separate threat categories that require different preventive controls.
Question 190 of 473During a security incident, where will an incident responder member find the most recent modification to a system's security settings?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Change log
The change log records all modifications made to a system, including security settings. Security logs track events like logon attempts, while application and server logs capture software and operating system errors.
Question 191 of 473A Memorandum of Understanding (MOU) or Memorandum of Agreement (MOA) is:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. … a formal agreement between two or more parties outlining the terms of their working relationship
A Memorandum of Understanding or Agreement is a formal document outlining the working relationship between parties. It differs from strict contracts by often lacking legal binding, focusing instead on mutual expectations.
Question 192 of 473What is the main purpose of a Service-Level Agreement (SLA)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To outline the services provided by an MSP
A Service-Level Agreement defines the expected services and obligations between a service provider and a customer. It establishes measurable performance standards, unlike network segmentation, secure network access, or cloud access configuration.
Question 193 of 473What is the difference between Network Access Control (NAC) and a Virtual Private Network (VPN)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. NAC is used to control network access based on a determined policy, while VPN is used to create a secure connection
Network Access Control restricts network access based on endpoint compliance with defined policies. A Virtual Private Network creates an encrypted tunnel for secure remote connections, which distractors oversimplify by isolating the encryption feature.
Question 194 of 473What type of attack is an APT attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Advanced persistent threat attack
An Advanced Persistent Threat is a stealthy, continuous computer intrusion process targeting a specific entity. While the other options represent valid attack vectors, the acronym APT literally stands for Advanced Persistent Threat, making it the only correct choice.
Question 195 of 473What is the term for the random value added to a password to prevent rainbow table attacks?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Salt
A salt is a random value added to a password before it is hashed to ensure unique outputs and prevent rainbow table attacks. MD5 is a weak hashing algorithm, while an extender is irrelevant, making Salt the only correct option.
Question 196 of 473What technology is used to ensure only authorized software is used within an organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Allow list
An allow list ensures only explicitly approved applications can run on a system, blocking everything else by default. A deny list only blocks known malicious software, which fails to prevent unknown threats.
Question 197 of 473Which of the following tools would be the BEST to prevent unauthorized data exfiltration from a corporate network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Data Loss Prevention (DLP)
Data Loss Prevention tools are specifically designed to detect and block the unauthorized transmission of sensitive data. A network intrusion detection system only detects malicious activity, whereas a firewall simply controls traffic flow.
Question 198 of 473How does a Business Impact Analysis contribute to the disaster recovery planning process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. By identifying the critical systems and processes that must be prioritized
A Business Impact Analysis identifies critical systems and processes to prioritize recovery efforts during a disaster. It does not prevent disasters or ignore impacts, but rather forms the foundation of continuity planning.
Question 199 of 473What is the PRIMARY purpose of using a mantrap in physical access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To prevent tailgating or piggybacking
A mantrap prevents tailgating or piggybacking by using two interlocking doors that allow only one person to pass at a time. It mitigates unauthorized physical entry rather than serving as an authentication factor.
Question 200 of 473Which principle of the ISC2 Code of Ethics Canons obliges you to prioritize public interest and protect critical infrastructure over personal or organizational interests?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Protect society, the common good, necessary public trust and confidence, and the infrastructure
The first canon requires protecting society, the common good, public trust, and infrastructure. This canon sits above all others, meaning public safety always supersedes personal or organizational interests.
Question 201 of 473Which ISC2 Code of Ethics canon is being enacted when an employee refuses a bribe from a vendor to recommend their product and reports the incident?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Act honorably, honestly, justly, responsibly, and legally
Refusing a bribe demonstrates the requirement to act honorably, honestly, justly, responsibly, and legally. The other canons address public infrastructure, employer service quality, or advancing the profession, none of which directly cover personal integrity.
Question 202 of 473Which IPSec component is used to encrypt IP packets?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Encapsulating Security Payload
The Encapsulating Security Payload, or ESP, provides confidentiality by encrypting IP packet payloads. A common trap is Authentication Header, which provides integrity but does not encrypt data.
Question 203 of 473Which of the following is a logical access control method that verifies the identity of a user before granting access to a system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Authentication
Authentication is the process of verifying user identity before granting access. The other options represent security controls like encryption or traffic monitoring that protect data rather than directly verifying identity.
Question 204 of 473What is the primary benefit of incorporating real-life examples and scenarios into security awareness training?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To make the training more engaging and help employees better understand the practical implications of security best practices
Real-life examples make security awareness training more engaging and help employees understand practical applications. The remaining options represent negative outcomes that actively harm an organization's security posture.
Question 205 of 473What is the PRIMARY purpose of implementing role-based access control (RBAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To grant users access to resources based on their job responsibilities
Role-based access control grants users access to resources based on their job responsibilities. The other options describe physical security, encryption, and network monitoring, which are distinct concepts. The exam cue here is that RBAC maps permissions to job functions rather than individual identities.
Question 206 of 473Which technology is BEST for port-based authentication to ensure that network clients authenticate before use?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 802.1x
802.1x is the best technology for port-based authentication, ensuring network clients authenticate before gaining access. The trap is picking a standard like 802.3 or 802.11g, which simply define Ethernet and wireless transmission rather than enforcing network access control.
Question 207 of 473What term is used to describe phishing attacks that specifically target company administrators?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Whaling attacks
Whaling attacks are highly targeted phishing campaigns aimed at high-level executives and administrators. The other options are simply made up distractors designed to test your knowledge of social engineering terminology.
Question 208 of 473What type of malware is designed to replicate itself and spread to other devices without any user intervention?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Worm
Worms replicate independently across networks without user action. Viruses require host execution, distinguishing them from autonomous worms.
Question 209 of 473Which right allows a data subject in the UK to request the erasure of their personal data under certain conditions?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Right to be forgotten
The right to be forgotten allows individuals to request data erasure under privacy laws. Data portability involves moving data, not deleting it.
Question 210 of 473Which of the following is NOT a common system hardening practice?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Regularly performing backups
Performing regular backups is a disaster recovery practice, not a system hardening technique. Hardening reduces an attack surface by disabling unnecessary services, patching software, and implementing strong passwords.
Question 211 of 473Which term describes the acceptable range of potential losses that an organization is willing to accept in pursuit of its objectives?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Risk tolerance
Risk tolerance defines the acceptable range of variation within an organization's overall risk appetite. Risk appetite is a broad high-level statement, while risk capacity is the absolute maximum risk an organization can survive.
Question 212 of 473Which of the following security measures is most effective in protecting PII stored on a laptop in case of theft?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Full-disk encryption
Full-disk encryption protects data at rest by making it unreadable without the proper decryption key. Firewalls and antivirus software protect against network threats and malware, but they do not prevent a thief from directly reading the physical drive.
Question 213 of 473In the context of the CIA Triad, which of the following security controls would primarily enhance data availability?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Regularly backing up data and using redundant systems
Regularly backing up data and using redundant systems directly ensures timely access to information, fulfilling the availability principle of the CIA Triad. Encryption and authentication primarily protect confidentiality, while monitoring protects integrity and detects threats.
Question 214 of 473Which of the following system hardening techniques involves reducing the attack surface by removing unnecessary software and services?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Reducing the number of elements of a system
Reducing the number of system elements removes unnecessary software and services to minimize the attack surface. Patch management focuses on fixing vulnerabilities, while configuration management tracks system changes rather than eliminating unnecessary components.
Question 215 of 473How does encryption contribute to system hardening? (★)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. By protecting data at rest and in transit from unauthorized access
Encryption hardens a system by protecting data at rest and in transit from unauthorized access, ensuring confidentiality even if other defenses fail. Managing permissions and patching software are separate administrative controls that do not directly secure the data itself.
Question 216 of 473What is the PRIMARY purpose of a firewall?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. To stop or block attacks
A firewall primarily functions to stop or block network attacks. While they can detect threats or filter malware, the other options describe secondary features or specific technologies rather than the core purpose of network filtering.
Question 217 of 473What is the recommended frequency for testing an organization's Business Continuity Plan (BCP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. According to business needs and requirements
Business Continuity Plan testing frequency should be determined by business needs and requirements. Fixed schedules like annual or biannual testing are traps because they ignore the changing risk environment.
Question 218 of 473Which category of cloud services does a ready-to-use email service fall into?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. SaaS
A ready-to-use email service is Software as a Service, or SaaS. You can eliminate IaaS and PaaS because they provide infrastructure or development environments rather than finished, fully managed end-user applications.
Question 219 of 473What is the primary goal of the Health Insurance Portability and Accountability Act (HIPAA)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To ensure the security and privacy of patients' health information
HIPAA establishes rules to ensure the security and privacy of patient health information. The other options target different sectors, like credit card security or financial data, which fall under PCI DSS or GLBA.
Question 220 of 473What is the primary problem typically associated with decentralized access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Inconsistent control
The primary problem with decentralized access control is inconsistent policy enforcement. Because different locations manage their own access, security rules often vary widely, leading to dangerous gaps in coverage.
Question 221 of 473Which of the following is an example of a threat actor?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A nation-state-sponsored hacking group
Threat actors are the individuals or groups orchestrating cyberattacks. A nation-state group is an actor, whereas a phishing email is a vector, a vulnerability is a weakness, and a denial-of-service attack is an event.
Question 222 of 473Which aspect ensures that authorized users have timely and reliable access to information and resources?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Availability
Availability ensures that authorized users have reliable and timely access to data and systems when needed. Confidentiality protects against unauthorized disclosure, and integrity ensures data remains unaltered.
Question 223 of 473What type of physical access control mechanism involves the use of electronic cards or key fobs that contain unique identifying information?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Electronic access control
Electronic access control relies on electronic cards or key fobs containing unique identifying data to manage facility entry. Mechanical locks require physical keys, and biometrics rely on biological traits.
Question 224 of 473In the context of risk management, what is the purpose of risk mitigation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To implement controls and countermeasures that reduce the likelihood or impact of identified risks
Risk mitigation applies proactive controls to reduce the likelihood or impact of identified risks. Disregarding risks or relying purely on reactive measures fails to minimize potential organizational damage.
Question 225 of 473Which of the following principles states that individuals should be held to a standard of doing what a reasonable person would do under similar circumstances?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Due care
Due care is the legal standard of practicing the level of reasonable responsibility a prudent person would exercise in similar circumstances. Due diligence is the ongoing practice of ensuring these required safeguards are actually maintained.
Question 226 of 473Which principle of the ISC2 Code of Ethics Canons highlights the importance of providing quality service to clients or employers?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Provide diligent and competent service to principals
The ISC2 Code of Ethics mandates providing diligent and competent service to principals, which means delivering quality work to employers and clients. The other options represent separate canons focused on society, integrity, and advancing the profession.
Question 227 of 473Which of the following controls safeguards an organization during a power outage?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. UPS
An uninterruptible power supply provides immediate backup power to systems during an electrical outage. While redundant servers and RAID arrays improve availability, they cannot function without electricity, making a UPS the direct safeguard.
Question 228 of 473Which network security device is PRIMARILY responsible for monitoring network traffic and detecting potential threats based on predefined rules or signatures?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Intrusion Detection System (IDS)
An intrusion detection system monitors network traffic to detect potential threats using predefined rules or signatures. Firewalls actively block traffic based on rules, while proxy servers and VPN gateways serve different networking and security functions.
Question 229 of 473In the risk management process, which of the following best describes the concept of 'risk acceptance'?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Acknowledging that certain risks are too costly or impractical to mitigate and accepting the potential consequences
Risk acceptance means acknowledging that certain risks are too costly or impractical to mitigate and accepting the potential consequences. The trap is that implementing controls to eliminate all risk is impossible, while ignoring risks or avoiding the process entirely represents negligence, not informed acceptance.
Question 230 of 473What type of authentication factor is voice pattern recognition?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Something you are
Voice pattern recognition is a biometric factor classified as something you are, because it relies on unique physical or behavioral characteristics. The trap is confusing this with something you know, like a password, or something you have, like a physical token.
Question 231 of 473What is the primary goal of an Advanced Persistent Threat (APT) attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. To gain unauthorized access to sensitive data and maintain a long-term presence in the target network
An Advanced Persistent Threat aims to gain unauthorized access to sensitive data and maintain a long-term, undetected presence in the target network. The trap is confusing APTs with denial of service attacks, which disrupt services, or malware designed to spread quickly.
Question 232 of 473Which of the following best describes non-repudiation in the context of digital signatures?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Providing proof that a specific sender sent a specific message
Non-repudiation provides undeniable proof that a specific sender sent a specific message, preventing them from denying the action. The distractors map to other security principles, such as confidentiality for unreadable messages and integrity for unaltered messages.
Question 233 of 473Which is the second phase of the data handling lifecycle?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Storage phase
The second phase of the secure data handling lifecycle is storage, where generated or received data is securely saved to servers or databases. The creation phase comes first, while sharing and destruction occur later in the data lifecycle.
Question 234 of 473What type of network attack involves an attacker creating a malicious email that appears to come from a legitimate source to trick recipients into revealing sensitive information or downloading malware?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Spear Phishing Attack
Spear phishing uses highly targeted, deceptive emails that appear to come from a trusted source to trick users into revealing sensitive data or downloading malware. Denial-of-service attacks disrupt availability, while on-path attacks intercept live network traffic.
Question 235 of 473What is the role of an Access Control List (ACL) in a Unix file system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Specify which users have access to resources
An access control list specifies exactly which users or groups have access to specific system resources. It does not actively monitor unauthorized access, nor does it dynamically adjust permissions or set default configurations without administrative input.
Question 236 of 473What network security device allows remote users to securely connect to a private network over the public Internet by encrypting their communications?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Virtual Private Network (VPN)
A virtual private network securely connects remote users to a private network over the public internet by encrypting their communications. Firewalls filter traffic, intrusion detection systems monitor for threats, and proxy servers act as intermediaries.
Question 237 of 473What access control model allows the owner of a file to grant access to others via an access control list?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Discretionary
Discretionary access control empowers the owner or creator of a resource to decide who gets access and what actions they can perform. Role-based and non-discretionary models rely on system administrators or central organizational policies.
Question 238 of 473What is the PRIMARY purpose of using an intrusion detection and prevention system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To detect and block malicious attacks
An intrusion detection and prevention system actively monitors network traffic to detect and block malicious attacks in real time. Stopping malicious code or detecting connections are specific secondary functions rather than the primary overarching purpose.
Question 239 of 473A company wants to replace its traditional firewall with a solution that can both filter network traffic and perform advanced security functions such as application awareness and intrusion prevention in a single integrated system. Which technology best meets this requirement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A next-generation firewall (NGFW)
A next-generation firewall integrates traditional traffic filtering with advanced features like application awareness and intrusion prevention. The other options handle isolated tasks like encryption or blocking exploits but cannot replace comprehensive firewall functionality.
Question 240 of 473Which of the following documents establishes context and sets out strategic direction and priorities?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Policies
Policies establish strategic direction and priorities by outlining high-level organizational rules and expectations. Standards mandate specific technical requirements, while procedures provide the granular steps needed to implement those policies.
Question 241 of 473Which of the following is a key component of a Business Continuity Plan (BCP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Developing strategies to maintain essential operations during and after a major incident
A business continuity plan develops strategies to maintain essential operations during and after a major disruption. The negative distractors are dangerous assumptions because ignoring alternate facilities or focusing solely on prevention guarantees operational failure.
Question 242 of 473Which of the following cloud models puts MOST responsibility on the cloud provider?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. SaaS
Software as a Service places the most security responsibility on the provider because they manage everything from the underlying infrastructure to the application itself. Infrastructure and Platform models leave the customer managing applications or operating systems.
Question 243 of 473In the context of the risk management process, what does the term 'residual risk' refer to?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The risk that remains after all possible controls and countermeasures have been applied
Residual risk is the portion of risk that remains after all selected controls and countermeasures have been applied. Total elimination of risk is impossible, and the initial risk before controls is simply the inherent risk.
Question 244 of 473An organization wants to decrease the number of help desk cases related to password changes. What measure can the organization take?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Self-service password reset
Implementing self-service password reset directly decreases help desk tickets by empowering users to securely unlock their own accounts. Alternative authentication methods improve security but fail to address the volume of password reset requests.
Question 245 of 473Which principle is PRIMARILY concerned with preventing unauthorized data alteration or destruction?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Integrity
Integrity ensures data remains accurate and unaltered during its lifecycle. While authentication verifies access, it does not prevent modifications once access is granted.
Question 246 of 473Which policy will outline if personally owned equipment is permitted for business purposes?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Bring Your Own Device (BYOD) Policy
A bring your own device policy governs personal equipment use for business. Acceptable use dictates behavior, not hardware permissions.
Question 247 of 473Digital signatures PRIMARILY rely on which cryptographic technique?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Asymmetric-key cryptography
Digital signatures rely on asymmetric cryptography, using public and private key pairs. Symmetric cryptography uses shared keys, making non-repudiation impossible.
Question 248 of 473Which attacks involve an attacker using a list of pre-computed hashes to find a matching hash value for a user's password?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Rainbow Table Attack
Rainbow table attacks use pre-computed hashes to reverse passwords quickly. Dictionary attacks guess passwords using word lists rather than hash databases.
Question 249 of 473Which of the following is a PRIMARY objective of implementing physical access controls in an organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To prevent unauthorized access to facilities and protect sensitive information and resources
Physical access controls prevent unauthorized facility entry to protect assets. Public access and unrestricted entry defeat security goals, while technical controls remain necessary.
Question 250 of 473Defense in depth is a strategy that:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. …that employs multiple layers of security measures for comprehensive protection
Defense in depth employs multiple layers of security controls to protect systems and data. Relying on a single layer leaves vulnerabilities, so this layered approach provides comprehensive protection against various threats.
Question 251 of 473A security analyst discovers a vulnerability in a client's system but decides to withhold the information, fearing negative publicity for the client. Which ISC2 Code of Ethics Canon has the analyst potentially violated?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Provide diligent and competent service to principals
Withholding crucial vulnerability information violates the canon to provide diligent and competent service to principals. Failing to inform the client prevents them from making informed decisions and securing their environment.
Question 252 of 473Which one of the following security tools would be the BEST to detect malicious behavior on a device (e.g., your personal computer)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. HIDS
A Host-based Intrusion Detection System monitors and detects malicious behavior on an individual device. A Network Intrusion Detection System monitors network traffic, while a firewall blocks unauthorized traffic.
Question 253 of 473What is the PRIMARY purpose of a forensic investigation during the analysis phase of an incident response?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To collect evidence and maintain its chain of custody for potential legal proceedings
Forensic investigations during incident response focus on collecting and preserving evidence to maintain a strict chain of custody for legal proceedings. Identifying attacker motivation or updating risk registries are secondary tasks that depend on properly preserved evidence.
Question 254 of 473Which of the following incident response team roles is responsible for coordinating communication between the incident response team and external stakeholders, such as law enforcement or media?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Public relations coordinator
The public relations coordinator manages consistent and accurate communication with external parties, including media and law enforcement. The technical and incident leads focus on operational containment, while legal advisors handle liability and compliance guidance.
Question 255 of 473Which U.S. government agency within the Department of Commerce publishes and makes available for free download a wide variety of technical standards, including those for information technology and information security?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology is a U.S. government agency that publishes free cybersecurity frameworks and technical standards. ISO, IEEE, and IETF are international or professional organizations that typically charge for their published standards.
Question 256 of 473What is the PRIMARY objective of baselines?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To establish a minimum level of protection that can be used as a reference point
Baselines establish a minimum level of protection and standard operating conditions to serve as a reference point for future security comparisons. Identifying threats or monitoring events are functions of risk assessment and security tools, not the baselines themselves.
Question 257 of 473Which of the following is NOT considered an insider threat?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. An external hacker breaching the company's firewall
An insider threat originates from someone with authorized access, such as an employee or vendor. External hackers do not have authorized internal access, which clearly eliminates employees, contractors, and vendors as examples of insiders.
Question 258 of 473What type of factor is a callback to a mobile phone?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Something you have
A mobile phone callback is a possession-based authentication factor. The system verifies that the user has the registered physical device. It does not rely on biometric traits, knowledge, or location.
Question 259 of 473What is the main difference between symmetric and asymmetric encryption?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses different keys for encryption and decryption
Symmetric encryption uses the same secret key for both encryption and decryption. Asymmetric encryption uses a public and private key pair, rendering the other options incorrect regarding speed and fundamental mechanics.
Question 260 of 473Which of the following options is NOT an access control layer?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Policy
Access control consists of three layers: technical, physical, and administrative. Policies govern administrative controls, but the policy itself is not categorized as a standalone fourth layer.
Question 261 of 473During which phase of the incident response process would it be most appropriate to implement long-term fixes to prevent similar incidents in the future?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Post-incident Activity
Post-incident activity focuses on long-term fixes and lessons learned after an event is resolved. Containment and eradication handle immediate threats, whereas preparation establishes baseline readiness.
Question 262 of 473Alice and Bob want to send secret messages to each other using asymmetric encryption. Alice receives a message from Bob. What key does Alice use to decrypt the encrypted message she received?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Alice's private key
In asymmetric encryption, a sender encrypts a confidential message using the recipient's public key. The recipient must then use their matching private key to decrypt it, ensuring only the intended party can read the message.
Question 263 of 473What is the PRIMARY identity and access management function you use when providing a user ID and password?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Authentication
Authentication proves a user's identity, typically by verifying credentials like a username and password. Authorization determines what resources an authenticated user can access, making the latter a distinct subsequent step.
Question 264 of 473What is the PRIMARY difference between a threat and a vulnerability?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A threat is a potential source of harm, while a vulnerability is a weakness in a system
A threat is any potential event or actor capable of causing harm, whereas a vulnerability is an actual flaw or weakness that a threat can exploit. Identifying this distinction is fundamental to assessing organizational risk.
Question 265 of 473When developing a banking website, what is the advised method to confirm user identities?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Requiring password and sms token
Requiring a password alongside an SMS token implements multi-factor authentication by combining something you know with something you have. Options like personal answers or PIN codes remain single-factor, lacking the necessary hardware verification.
Question 266 of 473What is the MOST formal document between a service provider and a customer that sets expectations FOR performance parameters?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Service-level agreement (SLA)
A Service-Level Agreement is a formal contract between a provider and a customer that defines specific performance metrics like uptime and response times. Internal departments use Operational Level Agreements, which differ from customer-facing commitments.
Question 267 of 473Which of the following is an example of a measure to protect confidentiality?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Access controls and encryption
Access controls and encryption are primary measures to protect the confidentiality of the CIA Triad by ensuring only authorized users can read sensitive data. Backups protect availability, while checksums and digital signatures protect data integrity.
Question 268 of 473Which of the options does not have attributes of a Privileged User Account?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It does not interact directly with servers and other infrastructure devices
Privileged accounts are specifically designed to interact directly with servers and infrastructure devices to perform critical administrative tasks. Requiring multi-factor authentication, assigning permissions, and enabling high-level logging are all required attributes of privileged accounts.
Question 269 of 473In the context of physical access controls, what is the purpose of implementing a mantrap?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To prevent tailgating
A mantrap is designed to prevent tailgating by creating a small space with two interlocking doors, ensuring only one person enters at a time. It does not replace security personnel or grant unrestricted access, but strictly controls physical entry.
Question 270 of 473Which of the following is a technical control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Access control list (ACL)
An access control list is a technical control that enforces security policies by specifying system access permissions. Stop signs, acceptable use policies, and emergency procedures are administrative controls, as they govern human behavior and organizational processes.
Question 271 of 473What is the cloud computing model where customers share computing infrastructure without knowing each other's identity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Public cloud
In a public cloud model, customers share computing infrastructure without knowing the identity of other tenants. Private clouds dedicate infrastructure to a single organization, while community clouds are shared among known organizations with common requirements.
Question 272 of 473Which of the following is a key component of a Disaster Recovery Plan (DRP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Establishing clear roles and responsibilities for personnel during disaster recovery efforts
A disaster recovery plan must establish clear roles and responsibilities for personnel to ensure effective response during a crisis. The other options describe ignoring backups and offsite facilities, which directly contradict disaster recovery best practices.
Question 273 of 473What security principle can help detect fraudulent behavior, such as employees transferring funds to their personal accounts?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Mandatory vacation
Mandatory vacation is a primary detective control used to uncover fraudulent behavior by requiring another employee to cover the perpetrator's duties. Separation of duties prevents fraud, but mandatory vacation detects ongoing malicious activity.
Question 274 of 473Which three OSI model layers correspond to the TCP/IP model's Application layer?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Application, Presentation, and Session
The Application layer of the TCP/IP model maps directly to the top three layers of the OSI model: Application, Presentation, and Session. A common trap is assuming a one-to-one mapping across all layers, but TCP/IP consolidates upper-layer functions.
Question 275 of 473What technology prioritizes critical network traffic over browsing and social media?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. QoS
Quality of Service, or QoS, is the technology that prioritizes critical network traffic like voice and video over less important traffic. VLANs separate networks, TLS provides encryption, and VPNs create secure connections, but none of these directly manage traffic prioritization.
Question 276 of 473Which of the following types of information is considered PII?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A user's date of birth
Personally Identifiable Information includes data that can identify a specific individual, such as a user's date of birth. The elimination cue is that corporate policies, public posts, and topology diagrams do not directly identify a living person.
Question 277 of 473What is the PRIMARY purpose of a password policy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. To enforce the use of strong, complex passwords and periodic password changes
A password policy primarily enforces strong, complex passwords and periodic changes to reduce unauthorized access. Option C is a trap, as while unique passwords are a good practice, policy enforcement primarily targets complexity and lifecycle management rather than strict cross-system uniqueness.
Question 278 of 473In an organization, which document provides step-by-step guidance in implementing a security measure?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Procedures
Procedures provide the step-by-step, granular actions required to implement a specific security measure or technical process. Policies set the high-level organizational direction, while regulations are external legal requirements and standards provide mandatory baseline controls.
Question 279 of 473Which of the following is a key component of the risk assessment process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Identifying and evaluating potential risks based on their likelihood and impact
Identifying and evaluating potential risks based on their likelihood and impact is the core goal of a risk assessment. The distractors describe bad security practices, such as ignoring threats or avoiding frameworks, which defeat the purpose of risk management.
Question 280 of 473Which type of network attack involves an attacker intercepting and potentially altering the communication between two parties without their knowledge?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. On Path Attack
An on-path attack, formerly known as a man-in-the-middle attack, involves secretly intercepting and potentially altering communication between two parties. DDoS attacks overwhelm resources, and SQL injection targets web application databases.
Question 281 of 473What is the PRIMARY goal of a Disaster Recovery Plan (DRP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Restoring the business to full last-known reliable operations
A disaster recovery plan aims to restore systems and operations to their last known reliable state after a disruption. A business continuity plan keeps critical functions running during a crisis, while emergency response plans guide immediate physical safety actions.
Question 282 of 473What type of attack attempts to misdirect legitimate users to malicious websites by abusing URLs or hyperlinks in emails?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Phishing
Phishing attacks frequently abuse URLs and hyperlinks in emails to misdirect users to fraudulent websites. Spoofing only fakes an identity, while a denial-of-service attack disrupts availability rather than stealing credentials.
Question 283 of 473Which type of network attack involves an attacker sending specially crafted malicious data to an application or system, causing it to crash or become unresponsive?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Buffer Overflow Attack
A buffer overflow occurs when malicious data exceeds allocated memory, causing crashes. Denial of service uses request flooding, while on-path attacks intercept traffic.
Question 284 of 473Which of the following physical access control methods is designed to authenticate the identity of individuals entering a facility?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Key cards
Key cards authenticate users by matching embedded data against an authorized database. Surveillance and sign-in sheets monitor activity but lack identity verification.
Question 285 of 473What access control problems arise if during an audit it is found that an IT manager retains permission access to shared folders from his previous company roles?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Privilege creep
Privilege creep occurs when users accumulate outdated permissions after changing roles. Excessive provisioning happens initially, whereas creep develops over time.
Question 286 of 473What is the situation that occurs when a user accumulates system privileges that exceed the requirements of the user's job?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Privilege creep
Privilege creep occurs when a user accumulates system privileges that exceed their job requirements over time. However, the term excessive privileges also accurately describes this state, making the options potentially ambiguous. Excessive privileges can result from privilege creep.
Question 287 of 473Which of the following is NOT a recommended practice for password protection?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Reusing passwords for multiple systems
Reusing passwords across multiple systems increases the risk of credential stuffing attacks. Using a password manager and maintaining unique credentials are fundamental security practices that prevent a single breach from compromising multiple accounts.
Question 288 of 473What is the term for the GDPR requirement allowing individuals to request the termination of their data dissemination?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The right to be forgotten
The right to be forgotten allows individuals to request the erasure of their personal data. Data portability and access rights grant visibility or movement of data, but they do not mandate its deletion.
Question 289 of 473What is the primary objective of a Business Continuity Plan (BCP) in the context of incident response, business continuity, and disaster recovery concepts?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To ensure the organization can continue to operate during and after a disaster or major incident
A Business Continuity Plan ensures critical business operations continue during and after a disruption. Distractors suggesting the avoidance of recovery strategies or ignoring coordinated responses represent the exact opposite of continuity planning goals.
Question 290 of 473What attribute is NOT associated with a hashing algorithm?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A cryptographic key is required
Hashing provides integrity by creating a fixed-length digital fingerprint from variable-length data without using a cryptographic key. Options mentioning irreversibility and collision resistance describe essential hash properties, making the key requirement the false attribute.
Question 291 of 473Which of the following is not a physical security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Stop Sign in a Parking Lot
A stop sign is an administrative control because it directs human behavior through a rule rather than physically blocking access. Physical controls are tangible barriers like bollards, turnstiles, and door locks that physically restrict entry.
Question 292 of 473Which type of token-based authentication generates codes at fixed intervals without a server challenge?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Synchronous
Synchronous tokens generate one-time passwords at fixed time intervals, relying on internal clocks rather than a server challenge. Asynchronous tokens require a challenge-response mechanism, while smart cards and RFID use different hardware methods.
Question 293 of 473Which of the following is the MOST effective method to destroy data on a tape or disk?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Degaussing
Degaussing is the most effective method to destroy data on magnetic tapes or disks, using a strong magnetic field to permanently erase data. Disk zeroing, formatting, and encryption do not physically destroy the magnetic media, leaving potential for data recovery.
Question 294 of 473Which of the following is an example of biometric authentication?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Voiceprint
Biometric authentication relies on unique biological characteristics, proving a voiceprint is the correct answer. The other options represent something you know, like a password or PIN, or something you have, like a physical key or token.
Question 295 of 473What is the first step in the risk management process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Identify risks
The risk management process begins with identifying risks, as you cannot analyze or mitigate a threat without first discovering it. Analyzing, assessing, and mitigating risks are subsequent phases that rely entirely on accurate initial identification.
Question 296 of 473Which of these is not one of the components of change management according to ISC2?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Regression
Change management relies on a structured process to minimize disruptions. The core components include requesting a change, obtaining approval, and having a rollback plan, making regression the correct choice. The distractors represent actual phases or required actions in the standard workflow.
Question 297 of 473What does the acronym APT stand for?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Advanced Persistent Threat
An Advanced Persistent Threat refers to a long-term, highly resourced attack. Threat actors use continuous and stealthy techniques to gain unauthorized access to a target network. The other options are fabricated terms designed to test your knowledge of security acronyms.
Question 298 of 473Which of the following is an example of collusion?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. When two or more individuals collaborate to circumvent segregation of duties for fraudulent purposes
Collusion defeats segregation of duties controls. It happens when multiple people coordinate their efforts to bypass security measures and commit fraud. The remaining options merely describe normal workplace collaboration or shift coverage without any malicious circumvention of controls.
Question 299 of 473Which of the following is NOT an ethical canon of the ISC2?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Provide active and diligent service to principals
The ISC2 Code of Ethics canon is to provide diligent and competent service to principals. This option incorrectly states active and qualified service, making it the false choice. The remaining options accurately reflect the mandatory ethical canons.
Question 300 of 473What are the six components in the data lifecycle?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Create, Store, Use, Share, Archive, Destroy
The standard data lifecycle components are create, store, use, share, archive, and destroy. The distractors swap in synonyms like delete or save, but ISC2 expects these exact terms.
Question 301 of 473In the context of business continuity planning (BCP), which of the following is an effective strategy for mitigating the risk of data loss?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Regular backup of data and systems in multiple dispersed geographical locations
Regular backups stored across multiple dispersed geographic locations directly mitigate data loss from localized disasters or system failures. The distractors represent physical security, awareness, or financial transfers rather than actual data preservation.
Question 302 of 473What term describes the activities that must be performed to ensure an incident is properly handled?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Incident Response
Incident response is the structured sequence of activities required to properly handle a security incident from detection through recovery. Incident management is a broader IT service desk concept, and investigation is just one specific phase.
Question 303 of 473What does a Privacy Policy typically stipulate?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Which information is considered personally identifiable information (PII)
A privacy policy stipulates how an organization collects, uses, and protects personally identifiable information. Breach notification steps belong in an incident response plan, weakening the other options.
Question 304 of 473What is the difference between SFA and MFA?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. SFA uses one authentication method, while MFA uses two or more authentication methods
Single factor authentication relies on one method, while multi factor authentication requires two or more distinct factors. The distractors simply reverse the definitions or incorrectly limit the maximum number of allowed factors.
Question 305 of 473What is the time frame in which an organization must notify the relevant supervisory authority if it finds a personal data breach that is likely to result in a risk to individuals' rights and freedoms?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Within 72 hours
Under GDPR, organizations must notify the relevant supervisory authority of a qualifying personal data breach within seventy two hours. The other timeframes are incorrect regulatory variations and serve as pure memorization traps.
Question 306 of 473What is the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Business Continuity Plan is about maintaining critical business functions, while Disaster Recovery Plan is about restoring IT and communications back to full operations
A Business Continuity Plan maintains overall critical business functions during a disruption, while a Disaster Recovery Plan specifically focuses on restoring IT and communications to full operation. Remember that BCP keeps the business running, whereas DRP brings the technical systems back online.
Question 307 of 473In the event of a disaster, which of the following designates a location to where an organization can relocate and that is fully equipped to resume operations immediately?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Hot site
A hot site is a fully equipped facility that allows an organization to immediately resume operations after a disaster. Warm and cold sites require additional time, equipment, or configuration before operations can safely resume.
Question 308 of 473Why is it a best practice to have a documented incident response plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To provide a clear and consistent process for handling security incidents and minimizing their impact
A documented incident response plan provides a clear, consistent process for handling security incidents and minimizing their overall impact. The alternative options suggest ignoring incidents or reducing security training, which directly violate foundational security principles.
Question 309 of 473In change management, what is the purpose of a rollback plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Recovery of the system to the state it was in before the change was made
A rollback plan provides a predefined procedure to restore a system to its previous state if a change causes unexpected failures. This ensures business continuity, unlike options related to testing patches or introducing updates.
Question 310 of 473What is the PRIMARY consideration when choosing physical access controls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Security of the personnel
The primary consideration when selecting physical access controls is always the safety and security of personnel. While protecting equipment, buildings, and networks is important, human life and safety are paramount in security design.
Question 311 of 473What is the most critical factor when implementing access controls for a physical site?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The cost of implementing the controls to the value of what is being protected
When implementing physical access controls, the cost of the controls must be proportional to the value of the assets being protected. Security measures should be cost-effective, avoiding excessive spending on low-value items.
Question 312 of 473What is a common method for an access control system to authenticate an individual?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Compares the individual's badge against a verified database
Access control systems commonly authenticate individuals by comparing their presented credentials, such as a badge, against a verified database. The remaining options are invalid because access times, clothing, and unrelated biometric comparisons do not provide reliable identity verification.
Question 313 of 473In terms of social engineering tactics, what does 'vishing' refer to?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Using a rogue interactive voice response system
Vishing is a social engineering attack that uses voice communication, often through a rogue interactive voice response system, to steal information. The other options describe different concepts like tailgating or general authority impersonation rather than voice-based fraud.
Question 314 of 473Which of the following is NOT an example of a cyber attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Data breach
A data breach is the resulting compromise of a successful cyber attack, not an attack technique itself. The other options are active methods or actions used by threat actors to compromise systems and facilitate those breaches.
Question 315 of 473Mandatory Access Control (MAC) can be defined as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A policy uniformly enforced across all subjects and objects within the system boundary
Mandatory Access Control enforces a strict security policy uniformly across all subjects and objects within a system boundary using classification labels. The other options describe discretionary control, physical security, or unrestricted access, which contradict the MAC framework.
Question 316 of 473How does ransomware typically enter a system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Automatically installed through phishing emails or by visiting an infected website
Ransomware primarily relies on social engineering to compromise systems. Attackers often deliver malicious payloads through phishing emails or compromised websites. The remaining options fail to represent the most common and realistic infection vectors used by threat actors.
Question 317 of 473Which of the following is a law with multinational implications?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. GDPR
The General Data Protection Regulation is a law with significant multinational implications. It affects any organization handling the personal data of individuals within the European Union. The other options are globally recognized standards or frameworks rather than enforceable laws.
Question 318 of 473Which of the following is NOT a common indicator for side-channel attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Packet analysis
Side-channel attacks gather information from the physical implementation of a system. Attackers exploit timing, power consumption, or fault analysis rather than standard network data. Packet analysis is a network diagnostic tool and not a characteristic indicator of physical system compromise.
Question 319 of 473Which of the following is NOT a common component of a comprehensive Business Continuity Plan (BCP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Employee well-being programs
Business continuity plans prioritize operational resilience and emergency response procedures, making employee well-being programs out of scope. The distractors are core elements because they address communication and operational recovery during a crisis.
Question 320 of 473Which of the following is NOT commonly included in an Acceptable Use Policy (AUP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Access to physical premisses
Acceptable use policies govern digital resources like networks, systems, and data, rather than physical building access. Facilities access is managed by physical security controls and policies, making it the clear outlier here.
Question 321 of 473How many classifications are typically considered difficult to manage for an organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. More than four
Maintaining more than four data classification tiers becomes administratively difficult and resource intensive. Lower tier counts offer adequate protection without overwhelming administrative overhead, making this the threshold.
Question 322 of 473An organization plans to deploy new surveillance technology that systematically monitors individuals in public areas. Is a Data Protection Impact Assessment (DPIA) required?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Yes, because it poses a risk to individuals' rights and freedoms
A Data Protection Impact Assessment is required when processing poses a high risk to individuals rights and freedoms, such as public surveillance. Public collection and privacy policies do not waive this requirement, and the assessment must happen before deployment to be effective.
Question 323 of 473What is the purpose of awareness training?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Ensure everyone knows what is expected of them
Awareness training ensures everyone understands security expectations and their role in protecting the organization. Testing technologies or providing breaks are not the educational goals of a security awareness program.
Question 324 of 473In the cybersecurity landscape, what is the definition of a 'bug'?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A flaw causing an application to produce an unintended or unexpected result that may be exploitable
A bug is a flaw causing an application to produce an incorrect or unexpected result that may be exploitable. A bug creates a vulnerability, but the terms are not interchangeable, and a risk is a potential negative event.
Question 325 of 473What is the recommended temperature range for optimized data center uptime and hardware life?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. 64°F to 81°F (18°C to 27°C)
The recommended temperature range for a data center is 64 to 81 degrees Fahrenheit, or 18 to 27 degrees Celsius. Maintaining this specific range optimizes hardware lifespan while preventing failures caused by overheating or excessive cooling.
Question 326 of 473Which of these is a type of detective access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. IDS
Intrusion detection systems are detective controls because they monitor traffic and alert administrators after malicious activity occurs. Firewalls and intrusion prevention systems are preventative controls, while turnstiles act as physical deterrents.
Question 327 of 473What is the term used to describe the combination of the likelihood of a threat and the potential impact of the threat?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Risk
Risk is the combination of likelihood and impact when a threat exploits a vulnerability. A breach is an event, a zero-day is a specific unknown vulnerability, and a vulnerability is merely a weakness.
Question 328 of 473What does SaaS offer consumers?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Access to software applications
Software as a Service provides consumers with access to software applications over the internet. Hardware, network, and security components belong to infrastructure, network, and security as a service models.
Question 329 of 473Which device determines the most efficient route for traffic flow on a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Router
A router determines the most efficient path for traffic based on network topology and IP addresses. Switches use MAC addresses, firewalls filter traffic, and hubs simply broadcast to all ports.
Question 330 of 473What is the PRIMARY objective of access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Grant the appropriate level of access to authorized personnel and processes
Access control primarily ensures that authorized personnel and processes receive the appropriate access levels. Options A, B, and D act as distractors by describing secondary effects or focusing only on insiders or outsiders.
Question 331 of 473Non-repudiation is …:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. … the protection against an individual falsely denying having performed a particular action
Non-repudiation proves that a specific individual performed an action, preventing them from falsely denying it. Privacy rights and general security measures act as distractors, while non-repudiation is a principle, not a law.
Question 332 of 473What is the definition of a 'risk'?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A possible event that can negatively impact the organization
Risk is defined as a possible event that negatively impacts an organization. The other options define core risk components like threat actors, vulnerabilities, and exploits, but do not represent the overall concept of risk.
Question 333 of 473What type of malware disguises itself as benign software but carries a malicious payload?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Trojan
A Trojan disguises itself as legitimate software to trick users into executing its malicious payload. Worms self-replicate, viruses attach to files, and spyware collects data covertly without relying on deceptive disguises.
Question 334 of 473What should be the PRIMARY consideration when deciding whether to install biometric scanners on all of the organization's doors or only some of them?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The results of a site assessment
A site assessment provides the primary data needed to determine where security controls are required. Evaluating the work area is important, but a comprehensive assessment considers all physical and operational risks.
Question 335 of 473Who controls access in a Mandatory Access Control (MAC) system?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Only properly designated security administrators
In Mandatory Access Control, designated security administrators strictly control access using classification labels. Standard users and executives cannot alter these permissions, distinguishing MAC from discretionary models.
Question 336 of 473What does a well-designed security policy aim to achieve?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Reduce the potential of security breaches to an acceptable level
The primary goal of a well-designed security policy is to reduce the potential of security breaches to an acceptable level. Security is never about absolute guarantees, so any option implying zero risk is a trap on the exam.
Question 337 of 473Which of the following options BEST describes the concept of a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A group of computers sharing data, information or resources
A network is fundamentally a group of computers that share data, information, or resources. Any option describing a single machine or a group of disconnected computers acts as a distractor because connectivity and resource sharing are the defining characteristics.
Question 338 of 473Which of the following is TRUE about Denial of Service (DoS)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It is a type of attack used to disrupt normal operations
A Denial of Service or DoS attack is specifically designed to disrupt normal operations by making a system unavailable. Options mentioning bypassing authentication or gaining system access describe entirely different attack vectors, such as spoofing or unauthorized access.
Question 339 of 473Who dictates the access control rules in Discretionary Access Control (DAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The subject who created the object
Discretionary Access Control allows the subject who created the object, or the owner, to dictate access control rules. The owner has the discretion to decide who gets access. This differs from mandatory access control, where a central authority enforces strict rules.
Question 340 of 473What is the concept of redundancy in system design?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Duplicate components as a backup in case of failure
Redundancy in system design involves including duplicate components as a backup to ensure continued operation if a primary component fails. The goal is maintaining availability and preventing downtime, rather than using diverse suppliers or saving costs by reducing parts.
Question 341 of 473A company accuses a certified employee of intellectual property theft and demands ISC2 revoke their certification immediately. The company provides internal logs as evidence but has not yet pursued criminal charges or a civil lawsuit against the employee. The employee denies all allegations. How does the ISC2 Board of Directors generally proceed with disputes involving alleged illegal acts?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. They proceed only after a competent court or authority has made a factual determination
ISC2 relies on the findings of a competent legal or regulatory authority before taking disciplinary action for alleged illegal acts. This ensures due process, because ISC2 is not a law enforcement agency and lacks the mandate to conduct forensic investigations or act on unproven accusations.
Question 342 of 473In the context of change management, what is a security baseline?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A minimum level of protection that can be used as a reference point
A security baseline is a minimum level of protection used as a reference point. Any system changes should not reduce security below this baseline, making maximum protection and validation processes distractors.
Question 343 of 473In a network environment, which of the following is an example of a security control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A firewall
A firewall is a preventative network security control that actively monitors and filters traffic. Access logs and user credentials are not controls themselves, but rather configuration elements or records used for identification and monitoring.
Question 344 of 473Which of the following options describes a possible enrollment process in a high-security environment?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Issuing a badge with the employee's credentials, possibly including biometrics
High-security enrollment often involves issuing a badge embedded with credentials and biometric data. This ensures accurate authentication, whereas letting users choose identifiers or collecting irrelevant religious history weakens security and violates privacy.
Question 345 of 473Physical access controls are employed to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Protect the assets of a company, including its personnel
Physical access controls are primarily designed to protect company assets and personnel by preventing unauthorized entry. While they may track movement, features like easy entry or open facility access defeat their core security purpose.
Question 346 of 473What is the typical response when someone is detected trying to access a database without permission?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The attempt is logged, and the user is blocked
Standard security practice dictates that unauthorized access attempts should be logged and blocked immediately to prevent potential data breaches. Issuing warnings or deleting accounts are not typical automated responses, and promoting access violates the principle of least privilege.
Question 347 of 473What is an endpoint in a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The ends of a network communications link
An endpoint refers to the ends of a network communication link, typically representing devices like clients and servers. The other choices referencing beginnings or centers do not accurately reflect networking terminology.
Question 348 of 473Which of the following is NOT a type of attack used to gain access to an organization's network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Denial of Service
A Denial of Service attack is designed to disrupt network availability by overwhelming it with traffic, not to gain unauthorized access. Brute force, password spraying, and rainbow tables are all credential-based attacks meant to bypass authentication.
Question 349 of 473Which of the following is NOT a category of the incident response process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Retention
The standard phases of incident response include preparation, detection, containment, and recovery. Retention is a data management concept and does not belong to the active incident response lifecycle.
Question 350 of 473What is one of the challenges presented by a Bring Your Own Device (BYOD) policy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Ensuring that the device is configured securely
A major challenge of BYOD policies is ensuring that employee-owned personal devices are securely configured to protect corporate data. The organization lacks direct control over these endpoints, unlike company-issued hardware.
Question 351 of 473Which of the following is an example of an invasion of privacy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A doctor discussing patient information without consent
Invasion of privacy involves the unauthorized access or disclosure of personal information, making a doctor sharing patient data without consent the correct choice. The other options involve public information or general corporate access that lack the specific targeting of personal privacy.
Question 352 of 473What is the European Union's General Data Protection Regulation (GDPR)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A regulation that applies to all organizations, foreign or domestic, doing business in the EU or any persons in the EU
The General Data Protection Regulation establishes strict rules for handling personal data. It famously applies to any organization processing the data of European Union residents, regardless of where the business operates. The remaining options are either too narrow or incorrectly describe legal relationships.
Question 353 of 473Which of the following is an example of a standard?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. ISO 27001
Standards provide mandatory rules and frameworks to ensure consistent security implementation. ISO 27001 is a recognized international standard for information security management systems. The other choices represent internal documents or broader legal regulations rather than formal standards.
Question 354 of 473What is the PRIMARY purpose of the ISC2 Code of Ethics?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To ensure members adhere to the highest standards of ethical conduct
The ISC2 Code of Ethics mandates that certified professionals uphold the highest standards of ethical conduct. While protecting the public and advancing the profession are mandatory ethical canons, the primary purpose is enforcing a strict code of professional behavior.
Question 355 of 473The Bell-LaPadula model has a PRIMARY goal to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Prevent the unauthorized sharing of classified information
The Bell-LaPadula model primarily prevents unauthorized disclosure of classified information using strict read and write rules. It is a confidentiality model, so malware protection or encryption are distractors.
Question 356 of 473What is the PRIMARY purpose of a Business Continuity Plan (BCP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Preserve business operations while recovering from a significant disruption
A Business Continuity Plan aims to maintain critical business operations during and after a significant disruption. Providing alternate workspaces or ensuring data security are supporting tasks, not the primary objective of the overall plan.
Question 357 of 473To protect sensitive information, when is sanitization or destruction required?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. When elements of the system are to be removed and replaced
Sanitization or destruction of sensitive information is required when system elements like hard drives are removed and replaced. This prevents data recovery during hardware disposal. Upgrades or adding data require proper handling, not destruction.
Question 358 of 473What is the purpose of non-repudiation?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Ensure people are held responsible for transactions they conducted
Non-repudiation ensures individuals cannot deny their actions, holding them accountable for transactions they conducted. Options involving privacy data or regulations address compliance and confidentiality rather than proving an action originated from a specific user.
Question 359 of 473Which is NOT an example of biometric data?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Credit history identifiers
Biometrics measure unique physical or behavioral traits like fingerprints, retinal patterns, and keystroke dynamics. Credit history is a financial record, not a measurable biological characteristic, making it the correct non-biometric choice.
Question 360 of 473A vulnerability is:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. …an exploitable weakness or flaw in a system or component
A vulnerability is an exploitable weakness or flaw in a system or component. A threat actor uses an exploit to take advantage of this weakness, whereas a risk is the potential for negative impact.
Question 361 of 473For a rack in a data center, how many temperature sensors are recommended?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Three
Data center racks should have three temperature sensors placed at the top, middle, and bottom. This arrangement accurately monitors airflow and identifies hot spots. Fewer sensors miss temperature variations, and more add unnecessary cost.
Question 362 of 473When implementing authentication, which of the following is considered a best practice?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Use two or more authentication methods, such as password, biometrics, and a pin code
The best practice for implementing authentication is to use multi-factor authentication by combining two or more independent factors. A username represents identification, not authentication, so options relying solely on a username and password fail to meet the multi-factor requirement.
Question 363 of 473What is the first activity in the change management process?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Request for change
The change management process begins with a formal request for change to identify the desired modification. Activities like approval, implementation, and rollback happen later in the lifecycle after the request is submitted and reviewed.
Question 364 of 473What is the main difference between risk avoidance and risk transference?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Risk avoidance is the process of withdrawing from a risk scenario, while risk transference is the process of transferring risk to another party
Risk avoidance means withdrawing from a risk scenario entirely, while risk transference shifts the risk burden to another party. Options that mix definitions or introduce mitigation are incorrect.
Question 365 of 473What is a definition for cloud computing?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A set of computing resources sold as a service
Cloud computing delivers computing resources like storage and processing as a service over the internet. Defining it as a physical product or limiting it to data storage or analysis are incorrect constraints.
Question 366 of 473What role does a hub play in a network?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Connect multiple devices on a network
A network hub connects multiple devices by acting as a central connection point. Hubs operate at the physical layer and lack intelligence, so they cannot filter traffic or control network flow like switches or routers.
Question 367 of 473The term "defense in depth" refers to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A strategy that uses multiple security measures to protect an organization's systems
Defense in depth is a strategy that uses multiple security measures to protect an organization's information. The trap here is picking options that suggest using only one barrier or only technical measures, which completely miss the core concept of layering administrative, technical, and physical controls.
Question 368 of 473Which method involves writing multiple patterns across all storage media?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Overwriting
Overwriting involves writing multiple patterns across all storage media to ensure the original data cannot be recovered. The trap here is confusing this with deleting, which only removes the reference to the data, or purging and destroying, which use different methods.
Question 369 of 473What is the PRIMARY goal of enforcing defense in depth?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Prevent or deter a cyberattack using multiple layers of security measures
The primary goal of defense in depth is to prevent or deter cyberattacks using multiple layers of security measures. Beware of any option claiming a network can be made impenetrable or guaranteeing zero attacks, as absolute security is impossible.
Question 370 of 473What is the PRIMARY difference between DAC and MAC?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The person who controls access (object owner in DAC, security administrators in MAC)
The primary difference is who controls access. In Discretionary Access Control, the object owner decides, whereas in Mandatory Access Control, a security administrator enforces strict policies based on clearance levels.
Question 371 of 473What does configuration management guarantee?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. That all changes made to a system are authorized and validated
Configuration management guarantees that all changes made to a system are formally authorized and validated before implementation. This ensures system stability, tracks modifications, and prevents unauthorized or untested updates from introducing new vulnerabilities into the environment.
Question 372 of 473Data remanence is known as:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Data that is left on media after deleting
Data remanence refers to the residual data left on storage media after standard deletion methods are used. Because deletion typically just marks space as available, the original data remains and can often be recovered until it is properly overwritten or the media is physically destroyed.
Question 373 of 473Members of a data protection team in an organization are typically NOT required to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. … Interpret global privacy laws
Data protection teams are not typically required to interpret global privacy laws unless the organization operates internationally. They must, however, ensure protective measures are in place and meet local legislative requirements for data collection.
Question 374 of 473Access controls are…
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. …mechanisms that grant appropriate access levels to authorized personnel and deny access to unauthorized ones
Access control mechanisms are designed to grant appropriate access to authorized users while explicitly denying access to unauthorized individuals. Providing the highest access level to everyone violates least privilege, and securing data integrity is only one aspect of their function.
Question 375 of 473In the incident response process, who is NOT typically involved in forensic investigations?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Sales Personnel
Sales personnel lack the technical expertise required for forensic investigations and are not typically involved in incident response. Cybersecurity analysts, network architects, and even receptionists providing physical logs can offer relevant investigative support.
Question 376 of 473Why do organizations classify their information?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. To restrict the access to the information
Organizations classify information primarily to restrict access based on sensitivity and need-to-know principles. While searching and access speed are useful, they are not security drivers, and classification cannot stop ransomware directly.
Question 377 of 473In the context of incident response, the term that refers to the collection and preservation of an incident is:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Evidence Collection
Evidence collection is the process of properly gathering and preserving data from a cybersecurity incident. Forensics analysis involves examining that evidence, while the other terms are fabricated distractors.
Question 378 of 473What is the common mistake in records retention?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Applying the longest retention period to all types of information
A common records retention mistake is applying the longest retention period to all types of information. This increases storage costs and creates unnecessary legal risks if the data is subpoenaed. The other options describe practices that are either generally acceptable or not realistic business scenarios.
Question 379 of 473What does a 'low sensitivity' label on data mean?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Data compromise could cause minor disruption
A low sensitivity label means that compromising the data could cause a minor disruption. Data causing significant loss of life or loss of competitive advantage would be classified much higher, while data causing no harm might not need classification at all.
Question 380 of 473In a data center, what is NOT a typical issue related to airflow?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Noise
In data centers, noise is an environmental issue but is not directly tied to airflow management. Issues like cooling, dust, and noxious fumes are all direct results of how air is circulated, filtered, and managed in the facility.
Question 381 of 473What is Role-Based Access Control (RBAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. An access control based on user permissions set according to roles
Role-Based Access Control assigns permissions to specific roles rather than individual users. Users then inherit permissions by being assigned to those roles. While roles often align with job descriptions, the access control is strictly based on the defined role permissions, not the descriptions themselves.
Question 382 of 473What does the label 'unrestricted public data' mean?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Data compromise result in no harm
Unrestricted public data implies that compromising the data would result in no harm because it is already freely available. Data causing loss of life, competitive advantage, or disruption carries higher classification levels.
Question 383 of 473What are cloud-based resources?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Any resources that an organization accesses using cloud computing
Cloud-based resources are any computing resources that an organization accesses over the internet using cloud computing models. This includes storage, applications, and virtual machines. Accessing local physical servers or personal computers does not inherently mean using cloud resources.
Question 384 of 473Before sending a message, Bob encrypts it using Alice's public key. Why is Alice's public key used?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To ensure only the receiver can decrypt the message
Asymmetric encryption uses the recipient's public key to ensure confidentiality, meaning only the matching private key holder can decrypt the message. Non-repudiation is a trap here; that property requires the sender to digitally sign the message with their own private key.
Question 385 of 473In a healthcare organization, which of the following would be an example of the principle of least privilege?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Healthcare workers can only access the assets they need for their role and nothing more
The principle of least privilege ensures that healthcare workers can only access the assets they need for their specific role and nothing more. Allowing blanket access to all patient data violates this principle and introduces unnecessary privacy risks.
Question 386 of 473The sender transmits a message and an encrypted hash of the message using their private key. Why is this done?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To provide non-repudiation
Encrypting a hash with a sender's private key creates a digital signature that provides non-repudiation, proving the sender cannot deny sending the message. Confidentiality would require encrypting the message itself with the recipient's public key, not signing a hash.
Question 387 of 473What is the PRIMARY goal of a Denial of Service (DoS) attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Preventing legitimate activity on a system
A Denial of Service attack aims to prevent legitimate activity by overwhelming a system with traffic. Stealing data or spreading malware are goals of other attack types. Use the intent to disrupt availability to eliminate the distractors.
Question 388 of 473What are the two PRIMARY transport layer protocols?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. TCP and UDP
The two primary transport layer protocols are TCP and UDP. TCP is connection-oriented, while UDP is connectionless. Eliminate the distractors because HTTPS and IMAP are application layer protocols, and ICMP is a network layer protocol.
Question 389 of 473What is the term used to verify or prove the user's identity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Authentication
Authentication is the process of verifying a user's claimed identity. Authorization happens later and determines access rights. Rely on the standard identity proofing definitions to eliminate verification and validation distractors.
Question 390 of 473The concept of data integrity refers to:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Preventing data from being altered in an unintended manner
Data integrity ensures information remains accurate and unaltered during storage or transmission. The other options are incorrect because they describe ethical use, confidentiality, and availability.
Question 391 of 473What is a definition of confidentiality?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Ensuring access to data only to authorized users
Confidentiality ensures that data is accessible only to authorized users and is protected from unauthorized disclosure. Options describing unaltered data or completeness define integrity, leaving authorized access as the correct choice.
Question 392 of 473Posting photos of confidential documents containing clients' identifying information that were left unattended on a printer is considered a:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Breach
A breach involves the unauthorized access or inadvertent disclosure of sensitive or personally identifiable information. Posting photos of confidential documents constitutes an unintended disclosure, distinguishing it from a mere system occurrence or a direct technical exploit.
Question 393 of 473Which of the following cloud models allows organizations to integrate their existing on-premises networks?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Hybrid cloud
A hybrid cloud integrates an organization's existing on-premises private networks with public cloud services. This combination allows businesses to leverage both environments, unlike private, public, or community models deployed independently.
Question 394 of 473An employee received a suspicious text message with an unfamiliar invoice number and a hyperlink for more information. Which of the following attacks is MOST likely being described?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Smishing
Smishing is a social engineering attack that uses fraudulent text messages to trick victims into clicking malicious links. Vishing utilizes voice calls, while traditional phishing and whaling typically rely on email communication.
Question 395 of 473What is the PRIMARY difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. IPS can block network traffic, but IDS can't
An intrusion prevention system actively blocks malicious network traffic, whereas an intrusion detection system only monitors and alerts on suspicious activity. The other options are incorrect because both systems can be hardware or software based, and their network placement can vary.
Question 396 of 473How are permissions typically assigned in a role-based access control (RBAC) model?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Based on the user's role within the organization
In a role-based access control model, permissions are assigned based on the user's specific role within the organization. This differs from discretionary control, where administrators set permissions, and mandatory control, which relies on clearances.
Question 397 of 473What port range refers to dynamic or private ports?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Ports 49152 – 65535
Dynamic or private ports fall within the range of 49152 to 65535, often used for temporary connections. Ports 0 to 1023 are well-known ports, and ports 1024 to 49151 are registered ports, making the other options incorrect for this range.
Question 398 of 473What attack involves intercepting and possibly altering communication between two persons without their knowledge?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Man-in-the-middle attack
A man-in-the-middle attack involves secretly intercepting and potentially altering communication between two parties. Distractors describe denial of service or spoofing, which do not inherently involve undetected communication modification.
Question 399 of 473Audit trail logs showed that a bank employee accessed customer accounts and transferred funds to a personal bank account. Which of the following describes this action?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Insider threat
An insider threat occurs when a trusted employee misuses their authorized access for malicious purposes. Options describing social engineering or third-party risks are eliminated because the threat actor is an internal employee.
Question 400 of 473In the context of disaster recovery planning, what does RTO stand for?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Recovery Time Objective
In disaster recovery, RTO stands for Recovery Time Objective, defining the maximum tolerable downtime. The other options use plausible terms but do not represent standard business continuity metrics.
Question 401 of 473During troubleshooting you encounter an IP address written using two consecutive colons and the number 1 (for example, ::1). What does this address represent?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. The IPv6 loopback address
The address ::1 is the IPv6 loopback address, equivalent to 127.0.0.1 in IPv4, and it allows a system to test its internal network stack. Link-local addresses start with fe80, while multicast addresses begin with ff00, which helps eliminate those distractors.
Question 402 of 473What is the PRIMARY benefit of using a rule-based access control (RuBAC) model? (★)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. It provides dynamic access control based on pre-defined rules
Rule-based access control relies on system-level preconditions to dynamically grant or restrict access. The distractors describe other models; for instance, allowing the object creator to dictate access defines discretionary access control rather than a centralized rule.
Question 403 of 473Which of the following is an example of the principle of least privilege?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Users can only access the assets they need for their role and nothing more
The principle of least privilege grants users only the minimum access required to perform their specific job duties. Unrestricted access or allowing users to control their own permissions directly violates this core security concept and increases organizational risk.
Question 404 of 473What kind of attack is likely to occur when a hacker intercepts and redirects traffic by spoofing the IP address of a corporate server?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. On-path attack
An on-path attack occurs when a malicious actor intercepts and potentially alters communication between two parties, often using spoofed addresses. Trojans and spyware are malware types rather than network interception techniques, and advanced persistent threats are sustained intrusions.
Question 405 of 473What is the PRIMARY objective of Crime Prevention through Environmental Design (CPTED)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Create safer workspaces through passive design elements
Crime Prevention Through Environmental Design creates safer workspaces through passive physical design elements like lighting and landscaping. Distractors mentioning green technologies or environmental policies are trap choices playing on the word environmental, which here refers to physical surroundings, not sustainability.
Question 406 of 473What is the PRIMARY difference between qualitative and quantitative risk analysis?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Qualitative risk analysis is based on subjective data, while quantitative risk analysis is based on numerical data
Qualitative risk analysis relies on subjective data like expert judgment and opinions, whereas quantitative analysis uses numerical or measurable data. The key exam rule is to associate qualitative with subjective scenarios and quantitative with hard numbers.
Question 407 of 473What is a Business Impact Analysis (BIA)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A systematic process to evaluate the potential effects of an interruption to critical business operations
A Business Impact Analysis is a systematic process used to evaluate the potential effects of an interruption to critical business operations. Do not confuse this with disaster recovery, which involves the proactive development of procedures to restore operations after an event.
Question 408 of 473Which is one PRIMARY benefit of having the least privilege principle?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To minimize the risk of unauthorized access to sensitive data
The primary benefit of the least privilege principle is to minimize the risk of unauthorized access to sensitive data by restricting users to minimum necessary permissions. Options suggesting administrative simplification or account reduction miss the core security objective.
Question 409 of 473A system password with two separate parts that no single person knows the full password
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A system password with two separate parts that no single person knowing the full password
Dual control requires two or more people to complete a sensitive task, such as combining two halves of a password. The trap option involving an employee creating an invoice and a manager approving it is segregation of duties, not dual control.
Question 410 of 473Which of the following is NOT a type of phishing attack?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Tailgating
Tailgating is a physical security breach where an unauthorized person follows someone into a restricted area, making it completely different from phishing. Whaling, spear phishing, and vishing are all variations of social engineering attacks that use electronic communications.
Question 411 of 473Which is the PRIMARY objective of the principle of segregation of duties?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To ensure that no one person should control an entire high-risk task from start to finish
Segregation of duties ensures no single person controls an entire high-risk task from start to finish. This prevents fraud and errors. Eliminate distractors about distributing workloads or verifying tasks twice, as those are management concepts, not security controls.
Question 412 of 473Two healthcare organizations are planning to collaborate on a project. Which of the following can be used to formalize this collaboration agreement?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. A memorandum of understanding (MOU)
A memorandum of understanding formalizes a collaborative partnership between organizations. Eliminate the alternatives because an SLA defines service metrics, and an NDA only restricts information sharing without establishing the partnership itself.
Question 413 of 473What should be included in the Business Continuity Plan (BCP) team members list?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Multiple contact methods and a list of backup members
A Business Continuity Plan team list requires multiple contact methods and backup members for redundancy. Call trees and supply chain numbers are separate operational components. Focus on personnel availability to eliminate the process distractors.
Question 414 of 473Until the generators start up and stabilize, what do battery backups need to be properly sized to carry?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. The critical load
Battery backups must carry the critical load until generators stabilize. This ensures essential systems remain operational during the transition. HVAC and fire suppression are supporting infrastructure, not the primary critical load.
Question 415 of 473What term describes a potential malicious actor that may cause harm to an organization or its assets?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Threat
A threat is defined as a potential malicious actor or event that could cause harm to an organization or its assets. A vulnerability is a weakness, while a breach is an incident where a threat successfully compromises a system.
Question 416 of 473What is a disadvantage of password managers?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. They can be compromised if protected by a weak password
Password managers create a single point of failure if compromised by a weak master password. The other options are incorrect because modern managers are generally inexpensive, compatible, and user-friendly.
Question 417 of 473Which type of malware self-replicates without the need for user interaction?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Worm
A worm is malware that self-replicates and spreads across networks without user interaction. The other options are incorrect because viruses and Trojans require user action, while spyware monitors rather than replicates.
Question 418 of 473A company application asks employees to acknowledge that usage is only permitted for authorized individuals. Employees must click the "Accept Terms" button. What does this PRIMARILY exemplify?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Acceptable Use Policy (AUP)
An Acceptable Use Policy dictates the rules and constraints for using organizational systems. The other options are incorrect because they govern service expectations, confidentiality, or bilateral agreements rather than user behavior.
Question 419 of 473Which of the following documents are NOT commonly part of a Disaster Recovery Plan?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Software source code
Disaster recovery plans contain procedural documentation rather than actual software source code. The other options are incorrect because checklists, executive summaries, and technical guides are standard components of recovery documentation.
Question 420 of 473Choosing NOT to implement the needed security controls is a form of:
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Risk acceptance
Risk acceptance means acknowledging a risk and deliberately choosing not to implement controls. The other options are incorrect because avoidance, transference, and mitigation require active steps to change the risk profile.
Question 421 of 473What is the PRIMARY goal of Change Management in cybersecurity?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Release software without introducing new vulnerabilities
The primary goal of change management is to implement updates securely without disrupting operations or introducing new vulnerabilities. Options describing patch creation or vulnerability scanning belong to vulnerability management, not change control.
Question 422 of 473In a change management process, what is the purpose of Verification and Audit?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Verify that newly applied changes don't break anything
Verification and audit ensure that newly applied changes function correctly without causing system failures or unintended side effects. Identifying a baseline or requesting changes occurs during the initial planning stages rather than the post-implementation audit.
Question 423 of 473In the context of information security, what is a definition for 'control'?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. A safeguard conceived to guarantee the CIA of data
A control is a safeguard designed to preserve the confidentiality, integrity, and availability of data. The distractors list specific technical mechanisms like encryption protocols or policy documents, which are too narrow to define a control comprehensively.
Question 424 of 473Which of the following best describes a robust security awareness training program?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A combination of education, training, and awareness activities
A robust security awareness program integrates education, training, and awareness activities to address human risk effectively. Single-focus options fail because they omit critical elements like practical skill-building or ongoing reinforcement.
Question 425 of 473Which organization is responsible for establishing global computer connectivity by setting communication protocol standards?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. IETF
The Internet Engineering Task Force, or IETF, establishes communication protocol standards that enable global computer connectivity. ISO and NIST focus on broader security frameworks and best practices rather than core internet protocols.
Question 426 of 473What is the purpose of the two-person rule in a security strategy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Require a minimum of two individuals to be together in high-security areas
The two-person rule requires at least two authorized individuals to be present during sensitive activities to prevent fraud or errors. The distractors misinterpret the rule as either a simple task division or a strict limit on total access.
Question 427 of 473Why is it important to have a rollback plan in place for organizations that do not have the ability to fully test a change?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Because it allows them to roll back to a previous state if necessary
A rollback plan allows an organization to revert a system to its previous stable state if an untested change causes unexpected failures. Baselines and third-party testing are planning steps, not the safety net provided by rolling back.
Question 428 of 473What are some examples of physical access controls?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Fences, locks, security guards, badges, and alarms
Physical access controls include tangible barriers like fences, locks, security guards, badges, and alarms. Firewalls are logical controls, while background checks are administrative controls used to manage personnel security.
Question 429 of 473Which of the following statements is TRUE about ransomware?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. It encrypts the victim's data and demands payment to decrypt it
Ransomware encrypts a victim's data and demands payment, typically via cryptocurrency, in exchange for a decryption key. The distractors fail because modern ransomware targets any operating system and deploys without explicit user permission.
Question 430 of 473What concept is at the center in the concentric circles model of defense in depth?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Assets
The concentric circle model of defense in depth places valuable assets at the very center. Physical, administrative, and technical controls function as the surrounding protective layers, making assets the only correct choice.
Question 431 of 473Which of the following options best describes the concept of Ethernet?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A standard that defines wired connections between networked devices
Ethernet is a network standard that defines wired connections between devices on a local area network. Wireless connections fall under different protocols like Wi-Fi, making the wired option the only accurate description.
Question 432 of 473At which layer of the OSI model does a firewall NOT control traffic?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Layer 1
Firewalls operate at higher OSI layers to inspect traffic based on logical rules, addresses, or application data. They do not control raw bit streams at the physical layer, making layer one the correct answer.
Question 433 of 473A junior cybersecurity analyst has detected a ransomware attack on the company's servers and has activated the incident response team. Which is the next BEST course of action?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Attempt to isolate any compromised servers to prevent further damage
During a ransomware incident, the immediate priority is containment to prevent the threat from spreading. Isolating compromised servers stops further damage, whereas investigating the entry point or restoring systems happens later in the response process.
Question 434 of 473Which of the following options best describes the concept of a server?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A computer that provides information to other computers on a network
A server is a computer that manages network resources and provides information to other computers, known as clients. The remaining options describe networking standards or filtering devices like firewalls rather than data-serving hardware.
Question 435 of 473What type of access control model is based on user clearance and object classification?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Mandatory access control (MAC)
Mandatory access control grants access based on user security clearance and object classification labels. Rule-based and role-based models rely on system rules or job functions, while discretionary access allows users to set permissions themselves.
Question 436 of 473In which of these activities are security posters PRIMARILY used?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Security Awareness
Security posters are administrative controls used primarily in security awareness programs to educate employees and promote a security-conscious culture. They are not typically used for incident response, physical security, or business continuity planning.
Question 437 of 473What is a Local Area Network (LAN)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. A network that typically connects a single floor or building
A local area network connects devices within a limited geographic area, such as a single floor or building. A wide area network covers distinct geographic locations, while a point-to-point connection links only two computers directly.
Question 438 of 473Which canon of the ISC2 Code of Ethics is specifically designed to prioritize the welfare and trust of the broader public?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Protect society, the common good, necessary public trust and confidence, and the infrastructure
The canon to protect society, the common good, and necessary public trust is the highest priority in the ISC2 Code of Ethics. The other options are lower-priority canons focused on principals, the profession, or individual behavior.
Question 439 of 473What best describes the primary objective of a data retention policy?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. To specify how long information and assets should be retained
A data retention policy specifies the required lifespan for information and assets. Distractors fail by giving arbitrary timeframes, suggesting indefinite storage, or describing unrelated scope boundaries.
Question 440 of 473Which of the following statements is related to Discretionary Access Control (DAC)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Allows the creator of the object to dictate access
Discretionary Access Control empowers the creator or owner of an object to dictate access permissions. Options describing predefined rules or total administrator control instead define Rule-Based or Mandatory Access Control.
Question 441 of 473Why might users be uncomfortable when using biometrics as an authentication method?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. They could be considered an invasion of privacy
Biometric authentication can be considered an invasion of privacy because it requires collecting sensitive personal biological data. Claims that biometrics are less secure or easy to bypass are factually incorrect distractors.
Question 442 of 473What is the primary category of information specifically regulated by HIPAA?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. PHI
The Health Insurance Portability and Accountability Act specifically regulates Protected Health Information, or PHI. PCI and PII represent payment card data and personally identifiable information, which fall under different regulatory frameworks.
Question 443 of 473Which of the following is a technique used to protect the confidentiality of data?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Encryption
Encryption protects data confidentiality by converting information into a format readable only by authorized parties. However, tokenization is also a valid confidentiality technique, making this question technically ambiguous. Hashing provides integrity, while digital signatures provide non-repudiation.
Question 444 of 473What are the three main concepts of access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Objects, Rules, Subjects
Core access control concepts are subjects, which request access; objects, which are the protected resources; and rules, which define permissions. Confidentiality, integrity, and availability represent the broader security triad, serving as a trap for test-takers looking for familiar acronyms.
Question 445 of 473What is ensured by an information security policy? (★)
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The commitment of senior management to ensure that access to data is secure
An information security policy formally establishes senior management's commitment to protecting organizational data and outlines security expectations. While it communicates overall security posture, specific issues like social media usage or financial backups belong in separate, more targeted policies.
Question 446 of 473What is the difference between risk mitigation and risk acceptance?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Risk mitigation is the process of diminishing a risk, while risk acceptance is the process of accepting a risk
Risk mitigation is the process of diminishing or reducing a risk, while risk acceptance is a conscious decision to accept it without taking immediate action. Eliminate options that confuse these concepts with risk transfer, such as buying insurance, or risk elimination.
Question 447 of 473What are the 'known' ports?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Ports 0 – 1023
Known ports, also called well-known ports, range from 0 to 1023 and are assigned to system-level processes like web traffic. Remember that ports 1024 to 49151 are registered ports, while 49152 to 65535 are dynamic ports.
Question 448 of 473What is the consequence of failing to adhere to the ISC2 Code of Ethics?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Revocation of certification
Failure to adhere to the ISC2 Code of Ethics can result in severe consequences, including the revocation of your certification. While suspension or loss of membership might occur depending on the specific ethical breach, the most definitive and severe consequence is total revocation.
Question 449 of 473A company wants to process customer email addresses for direct marketing based on legitimate interest. What is assessed in the first step of a Legitimate Interest Assessment (LIA)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Whether the processing activity supports a clearly defined business purpose
The first step in a Legitimate Interest Assessment is the purpose test, which ensures the processing supports a clearly defined business goal. The other choices are incorrect because explicit permission relates to consent, while internal policies and premium services do not establish this lawful basis.
Question 450 of 473Which of the following BEST describes a security solution that enforces policies on devices attempting to access network resources?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Network access control
Network Access Control enforces security policies on devices before granting them access to network resources. The remaining options are incorrect because they manage user passwords, access times, or locations rather than verifying the actual health or compliance of the connecting device.
Question 451 of 473Which of the following cloud models requires the LEAST administration and support from the organization?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Software as a Service (SaaS)
Software as a Service requires the least administration because the cloud provider manages the underlying infrastructure, operating systems, and applications. The other models leave the customer responsible for managing operating systems, applications, or network configurations.
Question 452 of 473What is the difference between 'implicit deny' and 'explicit deny' in access control?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 'Implicit deny' means that access is denied unless specifically granted, while 'explicit deny' means that access is specifically denied
Implicit deny means access is denied by default unless specifically granted, while explicit deny directly blocks a user regardless of other permissions. The remaining options are incorrect because they incorrectly attribute these controls to administrators or system events.
Question 453 of 473Which of the following can be considered Personally Identifiable Information (PII)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Any data about an individual that could be used to direct or indirect identify them
Personally Identifiable Information is any data that can be used directly or indirectly to identify an individual. The distractors fail because they describe intellectual property, anonymized statistics, or general sensitive data rather than specific identifying information.
Question 454 of 473What is the definition of availability in the CIA triad?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Timely and reliable access to information and the ability to use it
Availability ensures timely and reliable access to information and the ability to use it when needed. The other choices are incorrect because they focus on unrelated aspects like information services, making data available to others, or location independence.
Question 455 of 473What information can be obtained by using the 'ping' command?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. The online status of the remote system
The ping command tests the availability of a remote host by sending ICMP echo requests. Avoid options like file transfer speed or network routing, as those require tools like FTP or traceroute.
Question 456 of 473In a data center, what do backup generators need to be sized for?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. The critical load and supporting infrastructure
Backup generators must be sized to handle the critical load and supporting infrastructure during a power outage. The critical load includes essential servers, while infrastructure includes cooling and power distribution.
Question 457 of 473The latest anti-malware solutions have expanded their detection capabilities to include more than just viruses. Which of the following is NOT typically detected by modern anti-malware?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. APT
Modern anti-malware solutions are designed to detect common malicious software like ransomware, spyware, and rootkits. Advanced Persistent Threats involve stealthy, long-term operations by skilled adversaries, making them difficult for standard anti-malware to detect.
Question 458 of 473Which method prevents information from being recovered even in a laboratory environment?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Purging
Purging removes information from storage media so that it cannot be reconstructed by any known technique, including advanced laboratory methods. Clearing only prevents casual recovery, while overwriting might leave remnants that sophisticated tools could retrieve.
Question 459 of 473In change management, what is the meaning of baseline identification?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Identifying the system and all its components, interfaces, and documentation
Baseline identification in change management refers to comprehensively identifying and documenting the current state of a system, including its components and interfaces. This baseline serves as a reference point to evaluate the impact of proposed changes.
Question 460 of 473Why do many organizations find it challenging to maintain a separate test environment?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. Because it presents logistical challenges
Maintaining a separate testing environment presents logistical challenges because it requires additional hardware, software, and personnel. It also demands careful coordination to ensure the test environment accurately mirrors the production environment.
Question 461 of 473What is one requirement of PCI DSS regarding credit card data?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Credit card data should be classified as confidential and encrypted
The Payment Card Industry Data Security Standard requires credit card data to be classified as confidential and encrypted during storage and transmission. Other options are beneficial security practices but are not explicit baseline requirements of the standard.
Question 462 of 473In unified cloud storage, which solution can be used to separate access to patient records from administrative data without moving servers into different networks?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. VLAN segmentation
Virtual Local Area Network segmentation separates network traffic without changing the physical layout of the network. A screened subnet provides an additional layer of security with firewalls but does not specifically separate data types within the same network.
Question 463 of 473Which type of fire suppression system is better for electronics but can be toxic to humans?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Gas-based
Gas-based fire suppression systems are designed to suppress fires without damaging electronic equipment, making them ideal for data centers. However, the gases used can be harmful to humans, requiring immediate evacuation upon system activation.
Question 464 of 473Which of the following can be considered an administrative control in a data center?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. A policy, defining the rules that assign access to authorized individuals
Administrative controls consist of the policies and procedures that govern human behavior. The other options are incorrect because they represent physical controls or technical controls.
Question 465 of 473Which of the following would help an organization secure its network-critical server that is about to experience a power outage?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Install redundant power supplies
Installing redundant power supplies directly maintains server functionality during a power outage. The other options are incorrect because they do not provide an immediate physical solution to keep the server running.
Question 466 of 473What are three common methods of authentication?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Passwords, Tokens, and Biometrics
The three common factors of authentication are something you know, something you have, and something you are. These are best represented by passwords, tokens, and biometrics. The other options list specific sub-types like memory cards rather than the broad categories.
Question 467 of 473What is the purpose of risk assessment?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. Identify and prioritize risks
Risk assessment primarily identifies and prioritizes risks to an organization. Eradicating all risk is impossible, making options that claim complete elimination incorrect.
Question 468 of 473What should be done if one person is unavailable during an emergency?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: D. Diligently assign a new decision maker to overcome the situation
During an emergency, organizations must diligently assign a new decision maker to maintain operational continuity. While phone trees provide communication, they do not solve the immediate need for authoritative leadership.
Question 469 of 473What is the main goal of a Disaster Recovery Plan (DRP)?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Restore IT and communications back to full operations
A disaster recovery plan specifically focuses on restoring information technology and communications systems after a disruptive event. Maintaining critical business functions overall is the goal of a business continuity plan, which represents the primary distractor in this scenario.
Question 470 of 473Which of the following best illustrates a shortened version of the IPv6 address 2003:0ab8:0000:0000:0000:eeee:0000:0001?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: B. 2003:ab8::eeee:0:1
IPv6 compression rules allow leading zeros to be removed from groups and consecutive zero groups to be replaced with a single double colon. The other options fail because they either misuse the double colon, use it twice, or fail to drop leading zeros properly.
Question 471 of 473Why is it essential for organizations to periodically review their retained records?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. To stay compliant with changing regulations
Organizations must periodically review retained records to stay compliant with changing data privacy regulations and avoid legal penalties. While freeing up storage or evaluating security risks are valid operational tasks, regulatory compliance is the primary driver.
Question 472 of 473What types of cards can be used as a tool to grant access?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: C. Smart cards
Smart cards act as authentication tokens to grant logical or physical access. The other options are incorrect because standard credit, business, or birthday cards lack the necessary integrated circuit technology.
Question 473 of 473Which of the following is typically NOT a member of an incident response team?
Tap an answer — you get instant feedback and the reasoning.
Show answer & explanation
Correct answer: A. HR representatives
An incident response team typically includes IT, engineering, legal, and public relations representatives to cover technical, legal, and communication needs. While HR may be consulted for internal investigations, they are not traditionally considered primary members of the core incident response team.
More free practice tests at certpunch.com and new video rounds on @CertPunch.