CC Quiz

This document contains the results of an ISC2 CC (Certified in Cybersecurity) practice quiz: multiple-choice questions, each with answer feedback, covering security concepts such as integrity, risk assessment, authentication factors, access control, business continuity and ethical behavior for security professionals. The quiz was completed with an overall score of 97.33%.

Uploaded by Luis Rojas

Attempt Score: 97.33
Overall Grade (Highest Attempt): 97.33
Question 1 (1/1 point)
Chad is a security practitioner tasked with ensuring that the information on the
organization's public website is not changed by anyone outside the
organization. This task is an example of ensuring _________. (D1, L1.1.1)
Question options:
A) Confidentiality

B) Integrity

C) Availability

D) Confirmation

Hide question 1 feedback


B is correct. Preventing unauthorized modification is the definition of integrity. A is incorrect because the websit
is open to the public. C is incorrect because Chad is not tasked with ensuring the website is accessible, only that
changed. D is incorrect because "confirmation" is not a typical security term, and is used here only as a distractor
Question 2 (1/1 point)
Glen is an ISC2 member. Glen receives an email from a company offering a
set of answers for an ISC2 certification exam. What should Glen do? (D1,
L1.5.1)
Question options:
A) Nothing

B) Inform ISC2

C) Inform law enforcement

D) Inform Glen's employer

Hide question 2 feedback


B is correct. The ISC2 Code of Ethics requires that members "advance and protect the profession"; this includes
ISC2 certification material. ISC2 (and every ISC2 member) has a vested interest in protecting test material, and c
trying to undermine the validity of the certifications. This is, however, not a matter for law enforcement; if it turn
must be involved, ISC2 will initiate that activity. Glen's employer has no bearing on this matter.
Question 3 (1/1 point)
For which of the following assets is integrity probably the most important
security aspect? (D1, L1.1.1)
Question options:
A) One frame of a streaming video

B) The file that contains passwords used to authenticate users

C) The color scheme of a marketing website

D) Software that checks the spelling of product descriptions for a retail website

Hide question 3 feedback


B is correct. If a password file is modified, the impact to the environment could be significant; there is a possibil
could be denied access, or that anyone (including unauthorized users) could be granted access. The integrity of th
the most crucial of the four options listed. A is incorrect because one frame of an entire film, if modified, probab
effect whatsoever on the value of the film to the viewer; a film has thousands (or tens of thousands, or millions) o
because a change in marketing material, while significant, is not as crucial as the integrity of the password file de
incorrect because a typo in a product description is not likely to be as important as the integrity of the password f
Question 4 (1/1 point)
Which of the following probably poses the most risk? (D1, L1.2.1)
Question options:
A) A high-likelihood, high-impact event

B) A high-likelihood, low-impact event

C) A low-likelihood, high-impact event

D) A low-likelihood, low-impact event

Hide question 4 feedback


A is correct. An event that has a significant probability of occurring ("high-likelihood") and also has a severe n
impact") poses the most risk. The other answers all pose less risk, because either the likelihood or impact is desc
say that these risks can be dismissed, only that they are less significant than the risk posed by answer A.
Question 5 (1/1 point)
Which of the following is an example of a "something you know"
authentication factor? (D1, L1.1.1)

Question options:
A) User ID

B) Password

C) Fingerprint

D) Iris scan

Hide question 5 feedback


B is correct. A password is something the user knows and can present as an authentication factor to confirm an id
incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are
factors that are something you are, also referred to as "biometrics."
Question 6 (1/1 point)
Siobhan is an ISC2 member who works for Triffid Corporation as a security
analyst. Yesterday, Siobhan got a parking ticket while shopping after work.
What should Siobhan do? (D1, L1.5.1)
Question options:
A) Inform ISC2

B) Pay the parking ticket

C) Inform supervisors at Triffid

D) Resign employment from Triffid

Hide question 6 feedback


B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and
Siobhan's duties for Triffid. Even though the ISC2 Code of Ethics requires that members act "legally," and "prote
ticket does not reflect poorly on Siobhan, Triffid, ISC2, or the security profession. Siobhan should, however, pay
Question 7 (1/1 point)
The Payment Card Industry (PCI) Council is a committee made up of
representatives from major credit card providers (Visa, Mastercard, American
Express) in the United States. The PCI Council issues rules that merchants
must follow if the merchants choose to accept payment via credit card. These
rules describe best practices for securing credit card processing technology,
activities for securing credit card information, and how to protect customers'
personal data. This set of rules is a _____. (D1, L1.4.2)
Question options:
A) Law

B) Policy

C) Standard

D) Procedure

Hide question 7 feedback


C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry.
set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, inter
senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organiz
single activity.
Question 8 (1/1 point)
A bollard is a post set securely in the ground in order to prevent a vehicle
from entering an area or driving past a certain point. Bollards are an example
of ______ controls. (D1, L1.3.1)
Question options:
A) Physical

B) Administrative

C) Drastic

D) Technical

Hide question 8 feedback


A is correct. A bollard is a tangible object that prevents a physical act from occurring; this is a physical control. B
the bollard is a physical control, not administrative or technical. C is incorrect: "drastic" is not a term commonly
type of security control, and is used here only as a distractor.
Question 9 (1/1 point)
Hoshi is an (ISC)2 member who works for the Triffid Corporation as a data
manager. Triffid needs a new firewall solution, and Hoshi is asked to
recommend a product for Triffid to acquire and implement. Hoshi's cousin
works for a firewall vendor; that vendor happens to make the best firewall
available. What should Hoshi do? (D1, L1.5.1)

Question options:
A) recommend a different vendor/product

B) recommend the cousin's product

C) Hoshi should ask to be recused from the task

D) disclose the relationship, but recommend the vendor/product

Hide question 9 feedback


D is the best answer. According to the third Canon of the ISC2 Code of Ethics, members are required to "provide
service to principals." Hoshi's principal here is Triffid, Hoshi's employer. It would be inappropriate for Hoshi to
solely based upon the family relationship; however, if the cousin's product is, in fact, the best choice for Triffid,
recommend that product. In order to avoid any appearance of impropriety or favoritism, Hoshi needs to declare t
the recommendation.
Question 10 (1/1 point)
Tina is an ISC2 member and is invited to join an online group of IT security
enthusiasts. After attending a few online sessions, Tina learns that some
participants in the group are sharing malware with each other, in order to use
it against other organizations online. What should Tina do? (D1, L1.5.1)
Question options:
A) Nothing

B) Stop participating in the group

C) Report the group to law enforcement

D) Report the group to ISC2

Hide question 10 feedback


B is the best answer. The ISC2 Code of Ethics requires that members "protect society, the common good, necess
confidence, and the infrastructure"; this would include a prohibition against disseminating and deploying malwar
However, the Code does not make ISC2 members into law enforcement officers; there is no requirement to get in
beyond the scope of personal responsibility. Tina should stop participating in the group, and perhaps (for Tina's o
when participation started and stopped, but no other action is necessary on Tina's part.
Question 11 (1/1 point)
Druna is a security practitioner tasked with ensuring that laptops are not stolen
from the organization's offices. Which sort of security control would probably
be best for this purpose? (D1, L1.3.1)
Question options:
A) Technical

B) Obverse

C) Physical

D) Administrative

Hide question 11 feedback


C is the best answer. Because laptops are tangible objects, and Druna is trying to ensure that these objects are no
physical controls are probably best for the purpose. A is incorrect; technical controls might help detect an attemp
the laptop after it has been stolen, but won't prevent the laptop from being taken. B is incorrect; "obverse" is not
describe a particular type of security control, and is used here only as a distractor. D is incorrect; administrative c
theft, such as ensuring that laptops are not left in a place unobserved, but won't prevent the laptop from being tak
Question 12 (1/1 point)
Within the organization, who can identify risk? (D1, L1.2.2)
Question options:
A) The security manager

B) Any security team member

C) Senior management

D) Anyone

Hide question 12 feedback


D is correct. Anyone within the organization can identify risk.
Question 13 (1/1 point)
Of the following, which would probably not be considered a threat? (D1,
L1.2.1)
Question options:
A) Natural disaster

B) Unintentional damage to the system caused by a user

C) A laptop with sensitive data on it

D) An external attacker trying to gain unauthorized access to the environment

Hide question 13 feedback


C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are examples of threats, as
cause adverse impact to the organization and the organization's assets.
Question 14 (1/1 point)
Sophia is visiting Las Vegas and decides to put a bet on a particular number
on a roulette wheel. This is an example of _________. (D1, L1.2.2)
Question options:
A) Acceptance

B) Avoidance

C) Mitigation

D) Transference

Hide question 14 feedback


A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood is high; Sophia h
benefit (winning the bet), while low in likelihood, is worth the risk. B is incorrect; if Sophia used avoidance, Sop
bet. C is incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or legal) way t
will lose the bet. D is incorrect; if Sophia wanted to transfer the risk, Sophia might ask some friends to each put u
they would all share the loss (or winnings) from the bet.
Question 15 (1/1 point)
Zarma is an ISC2 member and a security analyst for Triffid Corporation. One
of Zarma's colleagues is interested in getting an ISC2 certification and asks
Zarma what the test questions are like. What should Zarma do? (D1, L1.5.1)
Question options:
A) Inform ISC2

B) Explain the style and format of the questions, but no detail

C) Inform the colleague's supervisor

D) Nothing

Hide question 15 feedback


B is the best answer. It is all right to explain the format of the exam, and even to share your own impressions of h
you found the exam to be. But in order to protect the security of the test, and to adhere to the ISC2 Code of Ethic
profession"), Zarma should not share any explicit information about details of the exam or reveal any actual ques
Question 16 (1/1 point)
In risk management concepts, a(n) ___________ is something or someone that
poses risk to an organization or asset. (D1, L1.2.1)
Question options:
A) Fear

B) Threat

C) Control

D) Asset

Hide question 16 feedback


B is correct. A threat is something or someone that poses risk to the organization; this is the definition of a threat
"fear" is not generally a term associated with risk management. C is incorrect; a control is something used to mit
asset is something of value, which may need protection.
Question 17 (1/1 point)
Kerpak works in the security office of a medium-sized entertainment
company. Kerpak is asked to assess a particular risk, and he suggests that the
best way to counter this risk would be to purchase and implement a particular
security solution. This is an example of _______. (D1, L1.2.2)
Question options:
A) Acceptance
B) Avoidance

C) Mitigation

D) Transference

Hide question 17 feedback


C is correct. Applying a security solution (a type of control) is an example of mitigation. A is incorrect; if Kerpak
the threat, and the acceptance of the associated risk, only needs to be documented—no other action is necessary.
suggested avoidance, the course of action would be to cease whatever activity was associated with the risk. D is i
suggested transference, this would involve forming some sort of risk-sharing relationship with an external party,
underwriter.
Question 18 (1/1 point)
Preenka works at an airport. There are red lines painted on the ground next to
the runway; Preenka has been instructed that nobody can step or drive across a
red line unless they request, and get specific permission from, the control
tower. This is an example of a(n)______ control. (D1, L1.3.1)
Question options:
A) Physical

B) Administrative

C) Critical

D) Technical

Hide question 18 feedback


B is correct. The process of requesting and getting permission, and the painted signage, are examples of administ
incorrect; while the line is painted on the ground (and the ground is a tangible object), the line does not actually a
anything—the line is a symbol and indicator; Preenka could easily walk across the line, if Preenka chose to do so
not a term commonly used to describe a particular type of security control, and is used here only as a distractor. D
is not an IT system or part of the IT environment.
Question 19 (1/1 point)
The European Union (EU) law that grants legal protections to individual
human privacy. (D1, L1.1.1)
Question options:
A) The Privacy Human Rights Act
B) The General Data Protection Regulation

C) The Magna Carta

D) The Constitution

Hide question 19 feedback


B is correct: The GDPR is the EU law that treats privacy as a human right. A is incorrect because there is no Priv
which is only used here as a distractor. C is incorrect because the Magna Carta is a 13th-century English charter describing the rela
monarchy and the people, and does not mention privacy. D is incorrect because the Constitution is the basis of U
does not mention privacy.
Question 20 (1/1 point)
A system that collects transactional information and stores it in a record in
order to show which users performed which actions is an example of
providing ________. (D1, L1.1.1)
Question options:
A) Non-repudiation

B) Multifactor authentication

C) Biometrics

D) Privacy

Hide question 20 feedback


A is correct. Non-repudiation is the concept that users cannot deny they have performed transactions that they di
that keeps a record of user transactions provides non-repudiation. B and C are incorrect because nothing in the qu
authentication at all. D is incorrect because non-repudiation does not support privacy (if anything, non-repudiatio
oppositional).
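The feedback above treats "a system that keeps a record of user transactions" as providing non-repudiation. A practitioner should add two conditions: the record must be bound to an authenticated identity (which is exactly what breaks when Trina and Doug share credentials in question 33), and it must be impossible to alter, delete or reorder records after the fact without detection. The Python below is an illustration added here; it is not part of the quiz or of any ISC2 material. It keeps a hash-chained audit log whose records are HMAC-tagged under a key held only by the logging service. The key, the user names and the log records are constructed for the example. Note the limit of this design: an HMAC proves tampering only to whoever holds the key, so non-repudiation toward an outside party additionally needs per-user digital signatures or an independent write-once store.

```python
# Added example: a tamper-evident, attributable audit log.
import hashlib
import hmac
import json
from typing import List, Tuple

# Hypothetical key held only by the logging service (constructed for this example).
LOG_KEY = b"constructed-demo-key-not-for-production"


class AuditLog:
    """Append-only log. Each record's tag is an HMAC over the record and the
    previous record's tag, so editing, deleting or reordering any record
    breaks verification from that point onward."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[dict] = []

    def _tag(self, record: dict, prev_tag: str) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag.encode() + b"|" + body, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, target: str, ts: float) -> dict:
        """Record that the authenticated identity `user` did `action` on `target`."""
        record = {"seq": len(self.records), "ts": ts, "user": user,
                  "action": action, "target": target}
        prev_tag = self.records[-1]["tag"] if self.records else "genesis"
        entry = dict(record, tag=self._tag(record, prev_tag))
        self.records.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
        prev_tag = "genesis"
        for i, entry in enumerate(self.records):
            record = {k: v for k, v in entry.items() if k != "tag"}
            expected = self._tag(record, prev_tag)
            if record.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev_tag = entry["tag"]
        return True, -1

    def actions_by(self, user: str) -> List[str]:
        """Attribution query: what did this identity do?"""
        return [f"{r['action']} {r['target']}" for r in self.records if r["user"] == user]


def demo() -> dict:
    """Build a small log, confirm it verifies, then show three tampering cases being caught."""
    log = AuditLog(LOG_KEY)
    log.append("trina", "UPDATE", "accounts/4711", ts=1700000000)
    log.append("trina", "DELETE", "accounts/4712", ts=1700000060)
    log.append("doug", "READ", "accounts/4711", ts=1700000120)
    result = {"intact": log.verify(), "trina": log.actions_by("trina")}

    # 1. Rewrite history: blame doug for trina's deletion.
    log.records[1]["user"] = "doug"
    result["edited"] = log.verify()
    log.records[1]["user"] = "trina"          # undo

    # 2. Drop the deletion record entirely; the sequence gap is caught.
    removed = log.records.pop(1)
    result["deleted"] = log.verify()
    log.records.insert(1, removed)            # undo

    # 3. Reorder: swap the last two records; the chain no longer links.
    log.records[1], log.records[2] = log.records[2], log.records[1]
    result["reordered"] = log.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

Each tampering case is reported at the first record whose tag or sequence number no longer matches, which is also where an investigator would start looking.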
Question 21 (1/1 point)
What is the overall objective of a disaster recovery (DR) effort? (D2, L2.3.1)
Question options:
A) Save money
B) Return to normal, full operations

C) Preserve critical business functions during a disaster

D) Enhance public perception of the organization

Hide question 21 feedback


B is correct. DR efforts are intended to return the organization to normal, full operations. A is incorrect; DR is of
a cost-saving measure. C is incorrect; this is the goal of business continuity (BC) efforts. D is incorrect; DR effor
organization to normal, full operations, not enhance public perception.
Question 22 (1/1 point)
Which of the following is likely to be included in the business continuity
plan? (D2, L2.2.1)
Question options:
A) Alternate work areas for personnel affected by a natural disaster

B) The organization's strategic security approach

C) Last year's budget information

D) Log data from all systems

Hide question 22 feedback


A is correct. The business continuity plan should include provisions for alternate work sites, if the primary site is
such as a natural disaster. B is incorrect; the organization's strategic security approach should be included in the o
policy. C is incorrect; budgetary information is not typically included in the business continuity plan. D is incorr
included in the business continuity plan.
Question 23 (1/1 point)
Which of the following are not typically involved in incident detection? (D2,
L2.1.1)
Question options:
A) Users

B) Security analysts

C) Automated tools
D) Regulators

Hide question 23 feedback


D is correct. Typically, regulators do not detect incidents, nor alert organizations to the existence of incidents. Al
involved in incident detection.
Question 24 (1/1 point)
True or False? Business continuity planning is a reactive procedure that
restores business operations after a disruption occurs. (D2, L2.2.1)
Question options:
A) True
B) False
Hide question 24 feedback
B is correct. Business continuity planning is proactive preparation for restoring operations after disruption. Mem
organizations participate in the planning to ensure all systems, processes and operations are accounted for in the
continuity planning is a proactive procedure to prepare for the restoration of operations after disruption.
Question 25 (1/1 point)
You are reviewing log data from a router; there is an entry that shows a user
sent traffic through the router at 11:45 am, local time, yesterday. This is an
example of a(n) _______. (D2, L2.1.1)
Question options:
A) Incident

B) Event

C) Attack

D) Threat

Hide question 25 feedback


An event is any observable occurrence within the IT environment. (Any observable occurrence in a network or s
800-61 Rev 2) While an event might be part of an incident, attack, or threat, no other information about the even
so B is the correct answer.
Question 26 (1/1 point)
What is the goal of an incident response effort? (D2, L2.1.1)
Question options:
A) No incidents ever happen

B) Reduce the impact of incidents on operations

C) Punish wrongdoers

D) Save money

Hide question 26 feedback


B is correct. The overall incident response effort is to reduce the impact incidents might have on the organization
there is no such thing as "zero risk" or "100% security." C is incorrect; security practitioners are neither law enfo
incorrect; incident response efforts may actually cost the organization more money than the impact of a given inc
"impact" can be measured in other ways than monetary results.
Question 27 (1/1 point)
What is the goal of Business Continuity efforts? (D2, L2.2.1)
Question options:
A) Save money

B) Impress customers

C) Ensure all IT systems continue to operate

D) Keep critical business functions operational

Hide question 27 feedback


D is correct. Business Continuity efforts are about sustaining critical business functions during periods of potenti
emergencies, incidents, and disasters. A is incorrect; Business Continuity efforts often require significant financi
incorrect; Business Continuity efforts are important regardless of whether customers are impressed. C is incorrec
should focus specifically on critical business functions, not the entire IT environment.
Question 28 (1/1 point)
Which of the following will have the most impact on determining the duration
of log retention? (D3, L3.2.1)
Question options:
A) Personal preference

B) Applicable laws
C) Industry standards

D) Type of storage media

Hide question 28 feedback


B is correct. Laws will have the most impact on policies, including log retention periods, because laws cannot be
answers may have some impact on retention periods, but they will never have as much impact as applicable laws
Question 29 (1/1 point)
Trina is a security practitioner at Triffid, Inc. Trina has been tasked with
selecting a new product to serve as a security control in the environment.
After doing some research, Trina selects a particular product. Before that
product can be purchased, a manager must review Trina's selection and
determine whether to approve the purchase. This is a description of: (D3,
L3.1.1)
Question options:
A) Two-person integrity

B) Segregation of duties

C) Software

D) Defense in depth

Hide question 29 feedback


B is correct. Segregation of duties, also called separation of duties, is used to reduce the potential for corruption o
organization. More than one person must be involved in a given process in order to complete that process. A is in
manager are not both required to be present for the transaction. C is incorrect; software is a term used to describe
applications. D is incorrect; defense in depth is the use of multiple (and multiple types of) overlapping security c
Question 30 (1/1 point)
At Parvi's place of work, the perimeter of the property is surrounded by a
fence; there is a gate with a guard at the entrance. All inner doors only admit
personnel with badges, and cameras monitor the hallways. Sensitive data and
media are kept in safes when not in use. (D3, L3.1.1)

This is an example of:


Question options:
A) Two-person integrity
B) Segregation of duties

C) Defense in depth

D) Penetration testing

Hide question 30 feedback


C is correct. Defense in depth is the use of multiple different (and different types of) overlapping controls to prov
and B are incorrect; nothing in the question suggested that two-person integrity or segregation of duties are being
workplace. D is incorrect; this is not a description of penetration testing.
Question 31 (1/1 point)
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to
add or delete users, but is not allowed to read or modify the data in the
database itself. When Prachi logs onto the system, an access control list
(ACL) checks to determine which permissions Prachi has.
In this situation, what is the ACL? (D3, L3.1.1)
Question options:
A) The subject

B) The object

C) The rule

D) The firmware

Hide question 31 feedback


C is correct. The ACL, in this case, acts as the rule in the subject-object-rule relationship. It determines what Pra
what Prachi is not permitted to do. A and B are incorrect, because the ACL is the rule in this case. D is incorrect,
typically part of the subject-object-rule relationship, and the ACL is not firmware in any case.
Question 32 (1/1 point)
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a
new access control scheme for the company. Handel wants to ensure that
operational managers have the utmost personal choice in determining which
employees get access to which systems/data. Which method should Handel
select? (D3, L3.3.1)
Question options:
A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

C) Discretionary access controls (DAC)

D) Security policy

Hide question 32 feedback


DAC gives managers the most choice in determining which employees get access to which assets. C is the correc
incorrect; RBAC and MAC do not offer the same kind of flexibility that DAC does. D is incorrect; "security poli
be applicable; C is the better answer.
Question 33 (1/1 point)
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into
the network. Trina offers to log in for Doug, using Trina's credentials, so that
Doug can get some work done.
What is the problem with this? (D3, L3.3.1)
Question options:
A) Doug is a bad person

B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance

C) Anything either of them do will be attributed to Trina

D) It is against the law

Hide question 33 feedback


If two users are sharing one set of credentials, then the actions of both users will be attributed to that single accou
unable to discern exactly who performed which action, which can be troublesome if either user does something n
correct answer. A is incorrect; we don't know enough about Doug from the question. B is incorrect; while true, g
credentials shouldn't be the priority of the situation. D is incorrect; regardless of whether sharing credentials is ag
might not be, depending on the jurisdiction), the important point is that both users' actions must be distinct.
Question 34 (1/1 point)
Larry and Fern both work in the data center. In order to enter the data center
to begin their workday, they must both present their own keys (which are
different) to the key reader, before the door to the data center opens.

Which security concept is being applied in this situation? (D3, L3.1.1)


Question options:
A) Defense in depth

B) Segregation of duties

C) Least privilege

D) Dual control

Hide question 34 feedback


D is correct. This is an example of dual control, where two people, each with distinct authentication factors, mus
function. A is incorrect; defense in depth requires multiple controls protecting assets—there is no description of m
situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among multiple people,
completed unless each of them takes part. Typically, in segregation of duties, the people involved do not have to
their actions can be spread over time and distance. This differs from dual control, where both people must be pre
incorrect; the situation described in the question does not reduce the permissions of either person involved or lim
job function.
Question 35 (1/1 point)
A _____ is a record of something that has occurred. (D3, L3.2.1)
Question options:
A) Biometric

B) Law

C) Log

D) Firewall

Hide question 35 feedback


C is correct. This is a description of a log. A is incorrect; "biometrics" is a term used to describe access control sy
traits of individuals in order to grant/deny access. B is incorrect; laws are legal mandates. D is incorrect; a firewa
traffic.
Question 36 (1/1 point)
A human guard monitoring a hidden camera could be considered a ______
control. (D3, L3.2.1)
Question options:
A) Detective

B) Preventive

C) Deterrent

D) Logical

Hide question 36 feedback


A is correct. The guard monitoring the camera can identify anomalous or dangerous activity; this is a detective co
the guard nor the camera is actually preventing any activity before it occurs. C is incorrect; because the attacker i
the camera, there is no deterrent benefit. D is incorrect; the guard is a physical control.
Question 37 (1/1 point)
Visitors to a secure facility need to be controlled. Controls useful for
managing visitors include all of the following except: (D3, L3.2.1)
Question options:
A) Sign-in sheet/tracking log

B) Fence

C) Badges that differ from employee badges

D) Receptionist

Hide question 37 feedback


B is the best answer. A fence is useful for controlling visitors, authorized users and potential intruders. This is th
the possible answers that is not specific to visitors. A, C and D are all controls that should be used to manage vis
Question 38 (1/1 point)
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to
add or delete users, but is not allowed to read or modify the data in the
database itself. When Prachi logs onto the system, an access control list
(ACL) checks to determine which permissions Prachi has.
Which security concept is being applied in this situation? (D3, L3.1.1)
Question options:
A) Defense in depth

B) Layered defense

C) Two-person integrity

D) Least privilege

Hide question 38 feedback


D is correct. This is an example of least privilege; Prachi needs to be able to add or delete users from the databas
database administrator, but does not need to view or modify the data in the database itself in order to perform the
"defense in depth" and "layered defense" are two terms that mean the same thing: multiple (and multiple types of
protect assets. Nothing in the question describes multiple controls. C is incorrect; no second person is involved in
Question 39 (0/1 point)
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a
new access control scheme for the company. Handel wants to ensure that
employees transferring from one department to another, getting promoted, or
cross-training to new positions can get access to the different assets they'll
need for their new positions, in the most efficient manner. Which method
should Handel select? (D3, L3.3.1)
Question options:
A) Role-based access controls (RBAC)

B) Mandatory access controls (MAC)

C) Discretionary access controls (DAC)

D) Barbed wire

Hide question 39 feedback


RBAC is the most efficient way to assign permissions to users based on their job duties. A is the correct answer.
and DAC don't offer the same kind of efficiency in this regard. D is incorrect; barbed wire is a physical control, a
context.
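Questions 31, 38 and 39 all turn on the same subject-object-rule model: the ACL is the rule that decides what Prachi (the subject) may do to the database (the object), the grants are kept to the minimum the job needs (least privilege), and under RBAC a transfer is a single role change rather than a rewrite of every grant. The Python below is an illustration added here, not quiz or ISC2 material; the permission names (`add_user`, `read`, `db.users`, `db.customers`) and the roles `db_admin` and `analyst` are this example's own constructions.

```python
# Added example: the subject-object-rule model with an ACL, and a role change under RBAC.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (action, object), e.g. ("read", "db.customers")


@dataclass(frozen=True)
class Request:
    subject: str   # who is asking
    action: str    # what they want to do
    obj: str       # on what


class ACL:
    """The rule in subject-object-rule form: an explicit set of grants, default deny."""

    def __init__(self) -> None:
        self._grants: Set[Tuple[str, str, str]] = set()

    def grant(self, subject: str, action: str, obj: str) -> None:
        self._grants.add((subject, action, obj))

    def revoke(self, subject: str, action: str, obj: str) -> None:
        self._grants.discard((subject, action, obj))

    def allows(self, req: Request) -> bool:
        # Anything not explicitly granted is denied.
        return (req.subject, req.action, req.obj) in self._grants


class RBAC:
    """Permissions attach to roles; users hold roles. Moving someone between
    jobs is one role change rather than many per-object edits."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Set[Permission]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def transfer(self, user: str, new_role: str) -> None:
        """Department transfer: drop every old role so no stale access survives."""
        self.user_roles[user] = set()
        self.assign(user, new_role)

    def allows(self, req: Request) -> bool:
        return any((req.action, req.obj) in self.role_perms[r]
                   for r in self.user_roles.get(req.subject, ()))


def demo_acl() -> Dict[str, bool]:
    """Prachi: may add and delete users, may not read or modify the data."""
    acl = ACL()
    acl.grant("prachi", "add_user", "db.users")
    acl.grant("prachi", "delete_user", "db.users")
    return {
        "add_user": acl.allows(Request("prachi", "add_user", "db.users")),
        "read_data": acl.allows(Request("prachi", "read", "db.customers")),
        "modify_data": acl.allows(Request("prachi", "write", "db.customers")),
        "other_subject": acl.allows(Request("doug", "add_user", "db.users")),
    }


def demo_rbac() -> Dict[str, bool]:
    """A transfer from DBA to analyst is a single role change."""
    rbac = RBAC()
    rbac.define_role("db_admin", {("add_user", "db.users"), ("delete_user", "db.users")})
    rbac.define_role("analyst", {("read", "db.customers")})
    rbac.assign("prachi", "db_admin")
    before = rbac.allows(Request("prachi", "add_user", "db.users"))
    rbac.transfer("prachi", "analyst")
    return {
        "dba_before": before,
        "dba_after": rbac.allows(Request("prachi", "add_user", "db.users")),
        "analyst_after": rbac.allows(Request("prachi", "read", "db.customers")),
    }


if __name__ == "__main__":
    print(demo_acl())
    print(demo_rbac())
```

The `transfer` method clears old roles before adding the new one; the common real-world failure is accumulating roles across moves, which quietly defeats least privilege. Discretionary access control (questions 32 and 44) is the same ACL structure with the grant and revoke calls in the hands of the object's owner or manager rather than a central policy.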
Question 40 (1/1 point)
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is
required to install or remove software. Which of the following could be used
to describe Gelbi's account? (D3, L3.1.1)

Question options:
A) Privileged

B) Internal

C) External

D) User

Hide question 40 feedback


A is correct. This is the description of a privileged account; an account that typically needs greater permissions t
incorrect; the question does not specify whether Gelbi connects to the environment from within the network, or f
this is too vague—Gelbi is a user, but has permissions that are typically greater than what basic users have.
Question 41 (1/1 point)
Which of these is an example of a physical access control mechanism? (D3,
L3.2.1)
Question options:
A) Software-based firewall at the perimeter of the network

B) A lock on a door

C) Network switches that filter according to MAC addresses

D) A process that requires two people to act at the same time to perform a function

Hide question 41 feedback


B is correct. A lock on a door restricts physical access to the area on the other side of the door to only those perso
appropriate entry mechanism (key, badge, etc.). A and C are both technical/logical controls. D is an administrati
Question 42 (1/1 point)
Suvid works at Triffid, Inc. When Suvid attempts to log in to the production
environment, a message appears stating that Suvid has to reset the password.
What may have occurred to cause this? (D3, L3.3.1)
Question options:
A) Suvid broke the law

B) Suvid's password has expired

C) Suvid made the manager angry

D) Someone hacked Suvid's machine

Hide question 42 feedback


Typically, users are required to reset passwords when the password has reached a certain age. Permanent passwo
compromised or revealed. B is the correct answer. A, C and D are incorrect; these are not likely reasons to requir
Question 43 (1/1 point)
Gary is unable to log in to the production environment. Gary tries three times
and is then locked out of trying again for one hour. Why? (D3, L3.3.1)
Question options:
A) Gary is being punished

B) The network is tired

C) Users remember their credentials if they are given time to think about it

D) Gary's actions look like an attack

Hide question 43 feedback


Repeated login attempts can resemble an attack on the network; attackers might try to log in to a user's account m
credentials, in a short time period, in an attempt to determine the proper credentials. D is correct. A is incorrect; s
processes are not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the del
users remember credentials.
Question 44 (1/1 point)
Bruce is the branch manager of a bank. Bruce wants to determine which personnel at the branch can get access to systems, and under which conditions they can get access. Which access control methodology would allow Bruce to make this determination? (D3, L3.3.1)
Question options:
A) MAC (mandatory access control)

B) DAC (discretionary access control)

C) RBAC (role-based access control)

D) Defense-in-depth

Feedback:
Discretionary access control is a model wherein permissions are granted by operational managers, allowing them
of which personnel can get specific access to particular assets controlled by the manager. B is the correct answer
access control, managers do not have the authority (discretion) to determine who gets access to specific assets. C
access control, managers do not have the authority to determine who gets access to particular assets. D is incorre
access control model, it's a security philosophy.
Question 45 (1/1 point)
A device typically accessed by multiple users, often intended for a single purpose, such as managing email or web pages. (D4.1 L4.1.1)
Question options:
A) Router

B) Switch

C) Server

D) Laptop

Feedback:
A server typically offers a specific service, such as hosting web pages or managing email, and is often accessed b
correct answer. A and B are incorrect; routers and switches are used to vector network traffic, not to provide spec
a laptop is typically only assigned to a single user.
Question 46 (1/1 point)
Cheryl is browsing the Web. Which of the following protocols is she probably using? (D4, L4.1.2)
Question options:
A) SNMP (Simple Network Management Protocol)

B) FTP (File Transfer Protocol)

C) TFTP (Trivial File Transfer Protocol)

D) HTTP (Hypertext Transfer Protocol)

Feedback:
D is correct; HTTP is designed for Web browsing. A, B and C are incorrect; these are not protocols designed to h
Question 47 (1/1 point)
Which of the following activities is usually part of the configuration management process, but is also extremely helpful in countering potential attacks? (D4.2 L4.2.3)
Question options:
A) Annual budgeting

B) Conferences with senior leadership

C) Updating and patching systems

D) The annual shareholders' meeting

Feedback:
C is the correct answer. Keeping systems up to date is typically part of both the configuration management proce
practices. A, B and D are incorrect; these activities are neither part of the configuration management process nor
Question 48 (1/1 point)
The section of the IT environment that is closest to the external world; where we locate IT systems that communicate with the Internet. (D4.3 L4.3.3)
Question options:
A) VLAN

B) DMZ

C) MAC

D) RBAC

Feedback:
B is the correct answer; we often call this portion of the environment the "demilitarized zone." A is incorrect; a V
portions of the internal network. C is incorrect; MAC is the physical address of a given networked device. D is in
control model.
Question 49 (1/1 point)
A VLAN is a _____ method of segmenting networks. (D4.3 L4.3.3)
Question options:
A) Secret

B) Physical

C) Regulated

D) Logical

Feedback:
VLANs use logical mechanisms to segment networks. D is the correct answer. A, B and C are incorrect; VLANs
segment networks.
Question 50 (1/1 point)
The common term for systems that ensure proper temperature and humidity in the data center. (D4.3 L4.3.1)
Question options:
A) RBAC

B) HVAC

C) MAC

Feedback:
HVAC stands for "heating, ventilation and air conditioning," and is a common industry term. B is correct. A is in
control model. C is incorrect; MAC is the physical address of an IT device.
Question 51 (1/1 point)
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's information. The Triffid security team wants to deploy some sort of sensor on user devices in order to recognize and identify potential security issues. Which of the following is probably most appropriate for this specific purpose? (D4.2 L4.2.2)
Question options:
A) HIDS (host-based intrusion-detection systems)

B) NIDS (network-based intrusion-detection systems)

C) LIDS (logistical intrusion-detection systems)

D) Firewalls

Feedback:
Host-based intrusion-detection systems are expressly designed for this purpose; each HIDS is installed on each e
correct answer. B is incorrect; NIDS are useful for monitoring internal traffic, but a HIDS would be better for dis
incorrect; LIDS is not a term standard within our industry, and was just made up and used here as a distractor. D
traffic, and can be used to identify potential threats, but a HIDS is specifically intended for this purpose.
Question 52 (1/1 point)
An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment. (D4.3 L4.3.3)
Question options:
A) Philosophical

B) Remote

C) Internal

D) Physical

Feedback:
IoT devices typically have some interaction with the physical realm, either by having some physical effect (a vac
light) or by monitoring the physical environment itself (a camera, sensor, etc.). A, B and C are incorrect; IoT is ty
of the physical environment.
Question 53 (1/1 point)
A device that filters network traffic in order to enhance overall security/performance. (D4.1 L4.1.1)
Question options:
A) Endpoint

B) Laptop

C) MAC (media access control)

D) Firewall

Feedback:
Firewalls filter traffic in order to enhance the overall security or performance of the network, or both. D is the co
"endpoint" is the term used to describe a device involved in a networked communication, at either "end" of a con
laptops are not typically employed to filter network traffic. C is incorrect; MAC is the physical address of a devic
Question 54 (1/1 point)
Barry wants to upload a series of files to a web-based storage service, so that people Barry has granted authorization can retrieve these files. Which of the following would be Barry's preferred communication protocol if he wanted this activity to be efficient and secure? (D4, L4.1.2)
Question options:
A) SMTP (Simple Mail Transfer Protocol)

B) FTP (File Transfer Protocol)

C) SFTP (Secure File Transfer Protocol)

D) SNMP (Simple Network Management Protocol)

Feedback:
C is the correct answer; SFTP is designed specifically for this purpose. A, B and D are incorrect; these protocols
secure in Barry's intended use.
Question 55 (0/1 point)
Which type of fire-suppression system is typically the least expensive? (D4.3 L4.3.1)
Question options:
A) Water

B) Dirt

C) Oxygen-depletion

D) Gaseous

Feedback:
Water is typically the least expensive type of fire-suppression system, as water is one of the most common chem
correct. B is incorrect; dirt is usually only used in the suppression of forest fires. C and D are incorrect; gaseous/o
typically much, much more expensive than water-based systems.
Question 56 (1/1 point)
Which of the following would be best placed in the DMZ of an IT environment? (D4.3 L4.3.3)
Question options:
A) User's workplace laptop

B) Mail server

C) Database engine

D) SIEM log storage

Feedback:
B is correct; devices that must often interact with the external environment (such as a mail server) are typically b
C and D are incorrect; devices that contain sensitive or valuable information are typically best placed well inside
environment, away from the external world and the DMZ.
Question 57 (1/1 point)
A tool that aggregates log data from multiple sources, and typically analyzes it and reports potential threats. (D4.2 L4.2.2)
Question options:
A) HIDS

B) Anti-malware

C) Router

D) SIEM

Feedback:
SIEM/SEM/SIM solutions are typically designed specifically for this purpose. D is the correct answer. A and C a
specific single sources of log data. B is incorrect; anti-malware does not typically gather log data from multiple s
Question 58 (1/1 point)
To adequately ensure availability for a data center, it is best to plan for both resilience and _______ of the elements in the facility. (D4.3 L4.3.1)
Question options:
A) Uniqueness

B) Destruction

C) Redundancy

D) Hue

Feedback:
C is correct. Availability is enhanced by ensuring that elements of the data center are replicated, in case any give
is incorrect; this is the opposite of redundancy: if any single element is unique, that could become a single point
overall operation. B is incorrect; while secure destruction is worth planning for, that will come at the end of the s
part of ensuring availability. D is incorrect; we generally don't care what color the elements of a data center are.
Question 59 (1/1 point)
Which type of fire-suppression system is typically the safest for humans? (D4.3 L4.3.1)
Question options:
A) Water

B) Dirt

C) Oxygen-depletion

D) Gaseous

Feedback:
A is correct as it is the safest fire-suppression system listed that is typically used. B is incorrect; dirt is rarely use
then usually only for forest fires. C is incorrect; humans require oxygen. D is incorrect; gaseous fire-suppression
hazard to humans than water-based systems.
Question 60 (1/1 point)
The concept that the deployment of multiple types of controls provides better security than using a single type of control. (D4.3 L4.3.3)
Question options:
A) VPN

B) Least privilege

C) Internet

D) Defense in depth

Feedback:
D is correct; defense in depth involves multiple types of controls to provide better security. A is incorrect; a virt
communication traffic over untrusted media, but does not involve multiple types of controls. B is incorrect; the p
system of access control. C is incorrect; the internet is an untrusted medium.
Question 61 (1/1 point)
Carol is browsing the Web. Which of the following ports is she probably using? (D4, L4.1.2)
Question options:
A) 12

B) 80

C) 247

D) 999

Feedback:
B is the correct answer; port 80 is used for HTTP traffic, and HTTP is a Web-browsing protocol. A, C and D are
used by Web browsers.
Question 62 (1/1 point)
A device that is commonly useful to have on the perimeter between two networks. (D4.3 L4.3.3)
Question options:
A) User laptop

B) IoT

C) Camera

D) Firewall

Feedback:
Firewalls are often useful to monitor/filter traffic between two networks. D is correct. A and B are incorrect; thes
the perimeter of the internal environment. C is incorrect; cameras do not offer much benefit in monitoring comm
Question 63 (1/1 point)
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3)
Question options:
A) The same length

B) The same characters

C) The same language

D) Different for the same inputs

Feedback:
Hashing algorithms create output of a fixed length. A is the correct answer. B is incorrect; the characters in the o
on the input. C is incorrect; hashing algorithms do not create output in any particular language—usually, the outp
characters. D is incorrect; hash outputs should be the same when the same input is used.
Question 64 (1/1 point)
Archiving is typically done when _________. (D5.1, L5.1.1)
Question options:
A) Data is ready to be destroyed

B) Data has lost all value

C) Data is not needed for regular work purposes

D) Data has become illegal

Feedback:
Archiving is the action of moving data from the production environment to long-term storage. C is the correct an
value and is not ready to be destroyed; it is just not used on a regular basis. Illegal data should not be in the envir
Question 65 (1/1 point)
Logs should be reviewed ______. (D5.1, L5.1.2)
Question options:
A) Every Thursday

B) Continually

C) Once per calendar year

D) Once per fiscal year

Feedback:
Log review should happen continually, in order to ensure detection efforts are optimized. B is the correct answer
logs need to be reviewed on a continual basis.
Question 66 (1/1 point)
Dieter wants to send a message to Lupa and wants to be sure that Lupa knows the message has not been modified in transit. What technique/tool could Dieter use to assist in this effort? (D5.1, L5.1.3)
Question options:
A) Hashing

B) Clockwise rotation

C) Symmetric encryption

D) Asymmetric encryption

Feedback:
Hashing is a means to provide an integrity check. A is the correct answer. B is incorrect; this term is meaningless
distractor. C and D are incorrect; neither symmetric encryption nor asymmetric encryption provides message inte
Question 67 (1/1 point)
Which of the following is probably the main purpose of configuration management? (D5.2, L5.2.1)
Question options:
A) Keeping out intruders

B) Ensuring the organization adheres to privacy laws

C) Keeping secret material protected

D) Ensuring only authorized modifications are made to the IT environment

Feedback:
The main purpose of configuration management is to ensure that there is uniformity throughout the IT environme
modifications are made. D is the correct answer. A, B and C are incorrect; these may be overall security goals, an
may assist for these purposes, but these are not the main goal of configuration management.
Question 68 (1/1 point)
Data _____ is data left behind on systems/media after normal deletion procedures have been attempted. (D5.1, L5.1.1)
Question options:
A) Fragments

B) Packets

C) Remanence

D) Residue

Feedback:
C is correct. Data remanence is the term used to describe data left behind on systems/media after normal deletion
attempted.
Question 69 (1/1 point)
Security needs to be provided to ____ data. (D5.1, L5.1.1)
Question options:
A) Restricted

B) Illegal

C) Private

D) All

Feedback:
D is the correct answer. All data needs some form of security; even data that is not sensitive (such as data intende
protection to ensure availability. A, B and C are incorrect; all data needs some form of security protection.
Question 70 (1/1 point)
Security controls on log data should reflect ________. (D5.1, L5.1.2)
Question options:
A) The organization's commitment to customer service

B) The local culture where the log data is stored

C) The price of the storage device

D) The sensitivity of the source device

Feedback:
Log data should be protected with security as high, or higher, than the security level of the systems or devices tha
is the correct answer. A, B and C are incorrect; these are not qualities that dictate security level of protection on l
Question 71 (1/1 point)
Who dictates policy? (D5.3, L5.3.1)
Question options:
A) The security manager

B) The Human Resources office

C) Senior management

D) Auditors

Feedback:
Only senior management has the legal and financial authority to issue policy and accept risk on behalf of the org
answer. A, B and D are incorrect; only senior management can issue policy.
Question 72 (1/1 point)
______ is used to ensure that configuration management activities are effective and enforced. (D5.2, L5.2.1)
Question options:
A) Inventory

B) Baseline

C) Identification

D) Verification and audit

Feedback:
Verification and audit are methods we use to review the IT environment to ensure that configuration managemen
and are achieving their intended purpose. D is the correct answer. A, B and C are incorrect; while these are terms
management, the answer is verification and audit.
Question 73 (1/1 point)
Log data should be kept ______. (D5.1, L5.1.2)
Question options:
A) On the device that the log data was captured from

B) In an underground bunker

C) In airtight containers

D) On a device other than where it was captured

Feedback:
D is the correct answer. Log data can often be useful in diagnosing or investigating the device it was captured fro
store the data away from the device where it was harvested, in case something happens to the source device. A is
happens to the source machine, the log data may be affected if it is stored on the source. B is incorrect; log data m
aboveground, underwater, in the sky, or in orbit, as long as it is stored securely. C is incorrect; airtight seals do n
or negatively.
Question 74 (1/1 point)
Data retention periods apply to ____ data. (D5.1, L5.1.1)
Question options:
A) Medical

B) Sensitive

C) All

D) Secret

Feedback:
All data should have specific retention periods (even though retention periods may differ for various types of dat
A, B and D are incorrect; retention periods affect all data.
Question 75 (1/1 point)
The organization should keep a copy of every signed Acceptable Use Policy (AUP) on file, and issue a copy to _______. (D5.3, L5.3.1)
Question options:
A) The user who signed it

B) The regulators overseeing that industry

C) Lawmakers

D) The Public Relations office

Feedback:
The AUP is an agreement between the user and the organization, so both parties need to keep a copy of it. A is th
are incorrect; those entities are not party to the agreement, and should therefore not receive a copy.