ISC2 Certified in Cybersecurity Exam Questions - PDF


ISC2

CC Exam
ISC certification

Questions & Answers


(Demo Version - Limited Content)

Thank you for Downloading CC exam PDF Demo

Get Full File:

https://www.dumpshouse.com/cc-dumps/
CC Dumps Demo Page 2

Question: 1
Which access control is more effective at protecting a door against unauthorized access?

A. Fences
B. Turnstiles
C. Barriers
D. Locks

Answer: D
Explanation:

A lock is a control applied to the door itself: it keeps the door from being opened by anyone who does not hold the key (or code, or badge), so it directly enforces who may pass through that door. Fences and barriers protect a perimeter or an area rather than a specific door. A turnstile regulates the flow of people through an opening but is easily defeated when unattended (it can be climbed over or an intruder can follow an authorized person through), so it is a weaker control for a door than a lock.

Question: 2
The process that ensures that system changes do not adversely impact business operations is
known as:

A. Change Management
B. Inventory Management
C. Vulnerability Management
D. Configuration Management

Answer: A
Explanation:

Change Management is the process of implementing necessary changes in a controlled way so that they do not adversely affect business operations: each change is requested, reviewed, approved, tested and scheduled before it is applied (see ISC2 Study Guide, chapter 5, module 3). Vulnerability Management refers to the capacity to identify, track, prioritize and eliminate vulnerabilities in systems and devices.

Configuration Management refers to a collection of activities with the purpose of establishing and maintaining the integrity of information systems through their development lifecycle (see NIST SP 1800-16B under Configuration Management). Inventory management refers to maintaining an accurate record of the organization's hardware, software and data assets (including, for example, the cryptographic keys and certificates in use, with their status and owners) so that they can be tracked and protected.

Question: 3
When an incident occurs, which of the following is NOT a primary responsibility of an
organization's incident response team?

A. Communicating with top management regarding the circumstances of the cybersecurity event
B. Implementing the recovery procedures necessary to restore security and recover from any incident-related damage
C. Determining the scope of the damage caused by the incident
D. Determining whether any confidential information has been compromised over the course of the entire incident

Answer: A
Explanation:

While communicating with senior management about the circumstances of a cybersecurity event is
important, it is not a primary responsibility of the incident response team. The response team's primary
responsibility is to address the immediate impact of the incident and restore security as quickly as
possible. For example, if a data breach occurs, the response team's focus would be on determining the
extent of the breach, determining if any confidential information has been compromised, and
implementing recovery procedures to restore security and recover from the damage.
In fact, when an incident occurs, a response team's primary responsibilities include the following:

• Determining the extent of the damage caused by the incident and the resources required to recover from it;

• Determining whether any confidential information was compromised during the incident;

• Implementing the recovery procedures necessary to restore security and recover from the damage caused by the incident (including restoring systems, recovering data and implementing any necessary security controls);

• Communicating with relevant parties (such as users, customers and other stakeholders) about the incident and the steps needed to address it.

Communication with senior management is typically the responsibility of the incident manager or
designated spokesperson, not the incident response team.

Question: 4

At which of the OSI layers do TCP and UDP work?

A. Session Layer
B. Transport Layer
C. Physical Layer
D. Application Layer

Answer: B
Explanation:

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are both transport layer
protocols, which operate at the fourth layer of the OSI (Open Systems Interconnection) model (see ISC2
Study Guide, Domain 4).

[Figure: Main protocols of the TCP/IP stack arranged according to OSI layers]

As shown in the figure, both TCP and UDP sit at the transport layer (also known as "Layer 4"), which carries data between processes on different hosts and is where port numbers live. TCP is a connection-oriented protocol: it performs a three-way handshake to establish a session, numbers and acknowledges its segments, and retransmits anything that is lost, so delivery is reliable and in order. UDP is a connectionless protocol: it sends datagrams with no handshake, acknowledgement or retransmission, so delivery is fast and low-overhead but not guaranteed. The decision to use TCP or UDP is therefore a trade-off between reliability and speed, which is why HTTP, SSH and e-mail run over TCP while DNS lookups, VoIP and streaming commonly use UDP.

The physical layer ("Layer 1") is responsible for transmitting raw data over a physical medium, such as a
copper wire or fiber optic cable. The session layer ("Layer 5") is responsible for establishing, maintaining
and terminating connections between different devices on a network. The application layer ("Layer 7") is
the highest layer of the OSI model, and is responsible for enabling communication between applications,
as well as for providing services to the user.
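The Layer 4 headers are what a packet filter or an intrusion detection system actually reads. The following Python parser is an added example, not part of the original exam material: it decodes a constructed IPv4 packet, uses the IP header's protocol field (6 = TCP, 17 = UDP) to decide which transport header follows, and extracts the ports and, for TCP, the flags. The sample packets are built inline with a helper (`build_ipv4`) and carry zero checksums, since nothing is put on the wire.

```python
"""Decode an IPv4 packet and identify its Layer 4 (transport) header: TCP or UDP.

Added example, not part of the original exam material. The sample packets are
constructed inline with build_ipv4() and carry zero checksums (nothing is sent).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers carried in the IPv4 header's "protocol" field (IANA)
IPPROTO_TCP = 6
IPPROTO_UDP = 17

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class Layer4:
    protocol: str                 # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: Optional[List[str]]    # TCP flags; None for UDP
    payload: bytes


def parse_ipv4(packet: bytes) -> Layer4:
    """Walk the IPv4 header (Layer 3) to reach the transport header (Layer 4)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                      # header length; IP options may be present
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    l4 = packet[ihl:total_len]                      # transport header + payload

    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        data_off = (off_flags >> 12) * 4            # TCP header length (TCP options allowed)
        flag_bits = off_flags & 0x01FF
        flags = [name for bit, name in TCP_FLAG_NAMES.items() if flag_bits & bit]
        return Layer4("TCP", src_ip, dst_ip, sport, dport, flags, l4[data_off:])

    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        return Layer4("UDP", src_ip, dst_ip, sport, dport, None, l4[8:length])

    raise ValueError(f"unsupported transport protocol number {proto}")


def build_ipv4(proto: int, src: str, dst: str, l4: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (no options, zero checksum) + Layer 4 bytes."""
    def to_bytes(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         to_bytes(src), to_bytes(dst))
    return header + l4


# Constructed samples: a TCP SYN to port 443 and a UDP datagram to port 53
SAMPLE_TCP = build_ipv4(IPPROTO_TCP, "10.0.0.5", "93.184.216.34",
                        struct.pack("!HHIIHHHH", 51515, 443, 1000, 0,
                                    (5 << 12) | 0x002, 65535, 0, 0))
_dns_payload = b"\xab\xcd\x01\x00"
SAMPLE_UDP = build_ipv4(IPPROTO_UDP, "10.0.0.5", "1.1.1.1",
                        struct.pack("!HHHH", 40000, 53, 8 + len(_dns_payload), 0) + _dns_payload)

if __name__ == "__main__":
    for pkt in (SAMPLE_TCP, SAMPLE_UDP):
        print(parse_ipv4(pkt))
```

The parser stops at Layer 4 on purpose: everything above it (the HTTP request inside the TCP stream, the DNS query inside the UDP datagram) belongs to the upper layers and needs a different decoder.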

Question: 5

In the event of a disaster, which of these should be the PRIMARY objective?

A. Protection of the production database
B. Guarantee the safety of people
C. Application of disaster communication
D. Guarantee the continuity of critical systems

Answer: B
Explanation:

In the event of a disaster, the primary objective must always be to ensure the safety and well-being of
people. This principle is paramount in any emergency response plan because human life is
irreplaceable.


For example, in the event of a data center fire, the immediate focus should be on safely evacuating all
personnel from the building before addressing any technical or operational concerns. Ensuring that
everyone is safe minimizes the risk of injury or loss of life, which is the most critical aspect of disaster
response.

As for the other options, the use of disaster communications, while important, is secondary to
ensuring the safety of people. Effective communication can help coordinate efforts and provide
updates, but it should not take precedence over immediate actions to protect people. Protecting the
production database is critical to business continuity, but it is not more important than human life.
Ensuring the continuity of critical systems is also critical to business stability, but again, it should not be
addressed until all people are safe. Prioritizing human safety ensures that subsequent recovery efforts
can proceed without the added burden of dealing with injuries or fatalities.

Question: 6

Which of the following logical access control models uses a set of rules to determine whether a
subject can access a specific object?

A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Role-Based Access Control (RBAC)
D. Rule-Based Access Control (RAC)

Answer: D

Explanation:

Rule-based access control involves setting up a set of rules that dictate what actions are allowed or
denied based on specific criteria such as source IP address, destination IP address, and port number
(see ISC2 Study Guide, Module 3, under Logical Access Controls). Discretionary Access Control (DAC)
allows data owners to grant or restrict access at their discretion. Role-Based Access Control (RBAC)
assigns access rights based on job responsibilities. Mandatory Access Control (MAC) enforces access
decisions based on security classifications and clearance levels. Rule-based access control is the only
option that uses a set of rules to determine whether a subject can access a specific object.
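Rule-based access control is easiest to understand as an ordered list evaluated top to bottom, which is how firewall and router ACLs behave. The following Python evaluator is an added example, not part of the exam material: the rule set, the host addresses and the rule comments are all constructed for illustration. It shows first-match semantics with an implicit default deny, and it also detects a rule that can never fire because an earlier, broader rule shadows it, which is the classic ordering mistake in rule-based systems.

```python
"""Ordered, first-match rule evaluation with an implicit default deny.

Added example, not from the original exam material; the rule set is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR such as "10.0.0.0/8", or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    comment: str = ""


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins; if nothing matches, the implicit default is deny."""
    for idx, rule in enumerate(rules):
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, idx
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers every packet they would match (a common rule-ordering mistake)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed rule set protecting a hypothetical web application host 10.10.0.5
RULESET = [
    Rule("allow", "10.0.0.0/8",  "10.10.0.5/32", "tcp", 443, "intranet users to the web app"),
    Rule("deny",  "any",         "10.10.0.5/32", "tcp", 22,  "no SSH to the web app"),
    Rule("allow", "10.0.1.0/24", "10.10.0.5/32", "tcp", 22,  "ops jump hosts (never reached)"),
    Rule("allow", "any",         "any",          "udp", 53,  "DNS"),
]

if __name__ == "__main__":
    print(evaluate(RULESET, "10.0.1.7", "10.10.0.5", "tcp", 22))   # denied by rule 1
    print("shadowed rule indexes:", shadowed_rules(RULESET))
```

The ops jump-host rule was clearly intended to permit SSH from 10.0.1.0/24, but because the blanket deny sits above it, that traffic is denied by rule 1 and rule 2 is dead. Swapping the two rules fixes it; the shadow check is what catches this in review before the rule set is deployed.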

Question: 7
In the context of the risk management process, what does the term 'residual risk' refer to?

A. The risk associated with an organization's assets before any controls are implemented
B. The risks that are considered irrelevant or insignificant
C. The total elimination of risk within an organization
D. The risk that remains after all possible controls and countermeasures have been applied

Answer: D
Explanation:

Residual risk is the risk that remains after all possible controls and countermeasures have been applied (see ISC2 Study Guide, Domain 1). Residual risk is an important concept in risk management, as it helps
organizations understand the remaining level of risk they face after implementing their chosen controls
and countermeasures, enabling them to make informed decisions about whether additional actions are
necessary or if the remaining risk is acceptable.

The risk associated with an organization's assets before any controls are implemented is the inherent risk, not the residual risk. The total elimination of risk is not achievable in practice, and the risks considered irrelevant or insignificant are simply risks that fall below the organization's threshold of concern; neither describes residual risk.

Question: 8

In terms of social engineering tactics, what does 'vishing' refer to?

A. Following an authorized user into a restricted area
B. Using a rogue interactive voice response system
C. Impersonating an authority figure or trusted individual
D. Requesting password or login credentials in exchange for compensation

Answer: B
Explanation:

Vishing refers to the social engineering tactic of using a fraudulent interactive voice response system to
trick victims into divulging sensitive information (see ISC2 Study Guide, Chapter 5, Module 4). For
example, a fraudster might set up an automated call system that mimics a bank's phone service and ask
the victim to enter his or her account number and PIN for "verification purposes".

Although the remaining options are social engineering tactics, they do not define vishing. In particular,
impersonating an authority figure or trusted individual is a common tactic in phishing attacks, but it is not
specific to vishing. Following an authorized user into a restricted area is a physical social engineering
tactic known as 'tailgating'. Requesting passwords or credentials in exchange for compensation is a form
of fraud. However, it does not involve the use of a fraudulent interactive voice response system and is
therefore not vishing.

Question: 9
What is the purpose of the two-person rule in a security strategy?

A. Ensuring that all tasks are completed twice for verification
B. Require a minimum of two individuals to be together in high-security areas
C. Limiting access to high-security areas to two individuals only
D. Reduce workload by dividing security tasks between two individuals

Answer: B
Explanation:

The two-person rule is a security measure designed to prevent unauthorized access to sensitive or secure areas. It requires the presence of two authorized individuals at all times when accessing these areas, thereby reducing the risk of unauthorized action or security breaches (see the ISC2 Study Guide, Chapter 3, Module 1).

For example, in a data center that houses sensitive information, the two-person rule would require that
no individual can access the data center alone. This ensures that there is always a second person to
verify actions, prevent unauthorized activity, and provide assistance in case of a medical emergency.

The other options do not accurately reflect the purpose of the two-person rule. The rule is not designed
to reduce workload by dividing security tasks between two people, nor does it limit access to high-
security areas to only two people. Finally, while the two-person rule adds a layer of verification, its
primary purpose is not to ensure that all verification tasks are performed twice.

Question: 10
What can be considered as Personally Identifiable Information (PII)?

A. Trade secrets, research, business plans and intellectual property
B. Data that, if improperly handled, would harm an organization or individual
C. Any data about an individual that could be used to directly or indirectly identify them
D. Aggregated information about a sensitive group

Answer: C
Explanation:

Personally Identifiable Information (PII) is any data about an individual that could be used to directly or indirectly identify that individual (see the ISC2 Study Guide, Chapter 1, Module 1). PII includes information such as an individual's name, e-mail address, physical address, telephone number or Social Security number.

For example, in an e-commerce transaction, a customer's credit card number, billing address, and e-mail
address are all considered PII because they can be used to identify the individual.

The other options do not precisely define PII. Trade secrets, research, business plans, and intellectual
property are types of sensitive business information that are not PII. They are valuable to an organization
but do not directly identify an individual. Aggregated information about a sensitive group is not PII
because it does not contain specific details that can identify an individual. It's a collection of anonymized
data used for statistical analysis. Finally, data that would cause harm to an organization or individual if
mishandled could include a variety of data types, not just PII (for example, it could include proprietary
business information that is not considered PII).
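In practice the question "does this data contain PII?" gets asked of log files and exports, not of definitions, so a scanner is the practitioner's tool. The following Python script is an added example, not part of the exam material: it searches constructed log lines for the PII types named above (e-mail address, telephone number, Social Security number, credit card number) and uses the Luhn check so that an arbitrary 16-digit build identifier is not reported as a card number. The patterns are deliberately simple and US-centric; a production DLP rule set would be broader.

```python
"""Find and redact common PII in free text. Added example, not from the exam material."""
import re
from typing import Dict, List, Tuple

# Detectors, most specific first: an earlier hit suppresses overlapping later ones
PII_PATTERNS = {
    "card":   re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),                                 # 13-19 digits
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email":  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone":  re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = {}
    taken: List[Tuple[int, int]] = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            start, end = m.span()
            if any(s < end and start < e for s, e in taken):
                continue                                   # overlaps an earlier, more specific hit
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue                                   # digits, but not a valid card number
            taken.append((start, end))
            hits.setdefault(kind, []).append(value)
    return hits


def redact(text: str) -> str:
    """Replace every hit with a typed marker so the line stays useful for troubleshooting."""
    out = text
    for kind, values in find_pii(text).items():
        for v in values:
            out = out.replace(v, f"[{kind.upper()} REDACTED]")
    return out


# Constructed application log: three lines, two of which leak PII
SAMPLE = """\
2024-05-02 10:14:07 order=A1932 customer=jane.doe@example.com card=4111 1111 1111 1111
2024-05-02 10:14:09 support ticket from (415) 555-0134 ref SSN 123-45-6789
2024-05-02 10:14:11 build id 1234 5678 9012 3456 checksum ok
"""

if __name__ == "__main__":
    print(find_pii(SAMPLE))
    print(redact(SAMPLE))
```

The third line is the important one: it contains sixteen digits in card-number layout, but the digits fail the Luhn check, so the scanner does not flag it. Without that check a PII scanner over build logs produces a steady stream of false positives and quickly gets switched off.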

Question: 11

Which method eliminates residual physical effects from writing original values?

A. Purging
B. Overwriting
C. Clearing
D. Destruction

Answer: C
Explanation:
Clearing is the sanitization method that removes the residual effects of previously written values from a storage device so that the original data can no longer be retrieved. It is done by overwriting every addressable location with a fixed pattern (all zeros, all ones) or with random data, usually in more than one pass. For example, when a hard disk is cleared, every previously stored file is overwritten, so it cannot be recovered with file-recovery or disk-editing tools (see ISC2 Study Guide, Chapter 5, Module 1).

Purging is a more rigorous process (degaussing a magnetic disk, for instance, or invoking the drive's built-in secure-erase command) after which the media can be released to a less secure environment. Destruction physically destroys the media (shredding, pulverizing, incinerating) so that it cannot be reused at all. Overwriting is the technique used inside the clearing process rather than a method in its own right, which is why it is not the best answer here. Note that NIST SP 800-88 calls the overwrite level of sanitization "Clear" and considers it adequate against recovery with ordinary software tools but not against laboratory recovery techniques; on flash and SSD media, where wear-levelling can leave the original blocks untouched by an overwrite, "Purge" (cryptographic erase or the device's sanitize command) or destruction is the safer choice.
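What "overwriting" means at the file level is easy to get wrong: writing zeros and closing the file only guarantees that the page cache changed. The following Python routine is an added example, not from the exam material: it overwrites a file in place in several passes (zeros, ones, random), forces each pass to the device with fsync, then truncates and unlinks. The `demo()` function builds a throwaway file with a known secret and confirms that no trace of it remains in the file's bytes. This is a clearing operation: on an SSD, or on a copy-on-write or journaled filesystem, the overwrite may be written to new blocks while the old ones survive, which is exactly the gap that purging or destruction closes.

```python
"""Clear a file by multi-pass overwrite, then truncate and unlink.

Added example, not from the exam material. Demonstrates clearing only; see the
caveat on SSDs and copy-on-write filesystems in the surrounding text.
"""
import os
import secrets
import tempfile
from typing import Optional, Sequence

# Overwrite passes: fixed patterns first, random bytes (None) on the final pass
PASSES: Sequence[Optional[bytes]] = (b"\x00", b"\xff", None)


def overwrite_in_place(path: str, passes: Sequence[Optional[bytes]] = PASSES,
                       chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file once per pass, forcing each pass to the device.
    Returns the total number of bytes written across all passes."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())          # the page cache alone is not "on the media"
    return written


def clear_file(path: str) -> bool:
    """Clear = overwrite, then truncate and unlink. Returns True if the file is gone."""
    overwrite_in_place(path)
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Constructed run: write a known secret, overwrite it, check for residue, clear it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.txt")
    with open(path, "wb") as fh:
        fh.write(b"SECRET VALUE" * 100)    # 1200 bytes of "original values"
    written = overwrite_in_place(path)
    with open(path, "rb") as fh:
        after = fh.read()
    residue_found = b"SECRET" in after
    removed = clear_file(path)
    os.rmdir(workdir)
    return {"bytes_written": written, "file_size_after": len(after),
            "residue_found": residue_found, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

Three passes over 1200 bytes is 3600 bytes written; the file keeps its size until the final truncate, so a reader can confirm that the original content is gone before the name is removed.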

Question: 12

What is the consequence of failing to adhere to the ISC2 Code of Ethics?

A. Suspension of certification
B. Loss of professional reputation
C. Revocation of certification
D. Loss of membership

Answer: C

Explanation:

Failure to adhere to the principles of the ISC2 Code of Ethics can result in serious consequences,
including revocation of certification (see ISC2 Study Guide, Chapter 1, Module 5). Revocation of
certification means that the individual is no longer recognized as certified by ISC2, which can have a
significant impact on their professional standing and career opportunities.

For example, if a cybersecurity professional is found to have engaged in unethical practices, such as
knowingly implementing weak security measures or misusing sensitive data, their certification could be
revoked. This would affect their current employment and hinder future job prospects, as many employers
require or prefer candidates with valid certifications.

The other options are not as severe or definitive as revocation of certification. Suspension is temporary,
and the individual may be able to regain certification after a period of time or if certain conditions are
met. Loss of membership refers to expulsion from a professional organization, which is serious but does
not necessarily prevent the individual from practicing in his or her field. Finally, loss of professional
reputation is subjective and can vary in its impact.

Question: 13
Which of the following options BEST describes the concept of a network?

A. A group of computers with no connection to one another
B. A group of computers sharing data, information or resources
C. A single computer that exchanges data with itself
D. A single computer

Answer: B

Explanation:

The most accurate description of a network is a group of computers that share data, information, or
resources (see ISC2 Study Guide, Domain 4). A network facilitates communication between devices,
allowing them to share resources and information efficiently.

For example, in an office environment, computers are networked together to share files, printers, and
Internet access.

The other options do not properly define a network. A single computer, or a single computer sharing data
with itself, is not a network because a network is multiple devices connected to each other. A group of
computers that are not connected to each other is also not a network, because the fundamental
characteristic of a network is the connection and communication between devices.

Question: 14

What does Configuration Management guarantee?

A. That any changes made to a system are unauthorized and invalidated
B. That all changes made to a system are authorized and validated
C. That all changes made to a system are authorized and invalidated
D. That all changes to a system are unauthorized and validated

Answer: B
Explanation:

Configuration management ensures that all changes made to a system are authorized and validated
(see ISC2 Study Guide, Domain 5).

For example, when a software update is proposed for a system, Configuration Management ensures
that the update is approved and tested to confirm that it works as expected and does not introduce
new vulnerabilities.

The remaining options do not accurately represent what Configuration Management guarantees.
Suggesting that changes are unauthorized is contrary to the purpose of Configuration Management.
Suggesting that changes are invalid is also incorrect; Configuration Management validates changes to
ensure that they work as expected and do not compromise the security of the system.

Question: 15

In a data center, what is NOT a typical issue related to airflow?

A. Noise
B. Cooling
C. Noxious fumes
D. Dust

Answer: A
www.dumpshouse.com
CC Dumps Demo Page 10

Explanation:

Noise is not typically an issue related to airflow in a data center (see ISC2 Study Guide, Chapter 4,
Module 3). While noise can be an issue in a data center, it is typically related to equipment operation and
not directly related to airflow. For example, servers and other hardware may generate noise during
operation, but this is not caused by airflow.

All of the other options are potential problems related to airflow in a data center. Cooling is a major
concern because inadequate airflow can lead to overheating and hardware failure. For example, if the air
conditioning fails or is underpowered, it can raise temperatures and damage equipment. Dust can collect
on equipment and cause overheating or other problems. For example, dust can block server vents,
causing them to overheat. Toxic fumes can also be a problem. For example, if a data center is located
near a chemical plant, noxious fumes could potentially enter the data center and damage equipment.

Question: 16

What is the PRIMARY purpose of using an intrusion detection and prevention system?

A. To prevent existing threats


B. To detect and block malicious attacks
C. To detect attempts to connect to a system
D. To stop malicious code

Answer: B
Explanation:

The primary purpose of using an intrusion detection and prevention system is to detect and block
malicious attacks (see ISC2 Study Guide, Module 2, under Intrusion Detection System). An IDS can
detect attempts to connect to a system, but its primary purpose is to detect and block malicious attacks.
It can also prevent existing threats, but its primary focus is on detecting and blocking malicious attacks.
An IDS can also be used to stop malicious code, but it is not its primary purpose.

Question: 17

Which of the following is an example of a technical security control?

A. Establishing an acceptable usage policy


B. Using CCTV cameras to monitor unauthorized access
C. Conducting user security awareness training
D. Establishing a BYOD policy

Answer: B
Explanation:

Using CCTV cameras to monitor unauthorized access is an example of a technical security control as it
involves the use of technology to control user access (see ISC2 Study Guide, Chapter 1, Module 1). Technical
security controls are designed to protect the confidentiality, integrity, and availability of an organization's
systems and data. Establishing an acceptable usage policy, conducting user security awareness training, and

www.dumpshouse.com
CC Dumps Demo Page 11

establishing a BYOD policy are examples of administrative security controls, which are designed to ensure
that users comply with the organization's security policies and procedures.

Question: 18

What is the recommended approach for assessing risks when designing a Business Continuity Plan
(BCP) that considers tangible and intangible assets?

A. Quantitative risk assessment


B. Neither quantitative nor qualitative risk assessment
C. Qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment

Answer: D
Explanation:

When designing a business continuity plan (BCP) that addresses both tangible and intangible assets, a
combination of quantitative and qualitative risk assessment is recommended (see the ISC2 Study Guide,
Module 2, under Understanding Business Continuity). Quantitative risk assessment uses numerical data
to identify, measure and prioritize risks, providing a clear, objective view of the potential impact of each
risk. On the other hand, qualitative risk assessment uses subjective data, such as expert opinion and
experience, to provide a more nuanced understanding of potential risks.

For example, an organization might use quantitative risk assessment to calculate the potential financial
loss if a critical server fails, and qualitative risk assessment to understand the impact on the
organization's reputation. By combining these approaches, the company can fully understand the risks it
faces and develop a robust BCP.

Neither quantitative nor qualitative risk assessment alone provides a complete picture of risk.
Quantitative risk assessment may overlook intangible assets such as reputation, while qualitative risk
assessment may not accurately measure the potential financial impact. Neither quantitative nor
qualitative risk assessment is viable because it would leave the company unprepared for potential risks.
Therefore, a combination of both approaches is the most effective way to assess all potential risks.

Question: 19

Which of these is a type of detective access control?

A. Turnstiles
B. Bollards
C. Movement Sensors
D. Firewalls

Answer: C
Explanation:

www.dumpshouse.com
CC Dumps Demo Page 12

Intrusion detection systems (IDS) are a type of detective access control. They monitor network traffic
and system activity for malicious or policy-violating activity and report to a management station. An IDS
can detect various attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB
probes, and OS fingerprinting attempts (see ISC2 Study Guide, Domain 1).

The other options are wrong. Intrusion prevention systems (IPS) are preventive controls that detect
potential security breaches and take action to prevent them from being accomplished. Turnstiles are
physical access controls that restrict or control access to a site or location. Firewalls are preventive
controls that protect a network by controlling inbound and outbound network traffic based on
predetermined security rules.

Question: 20

According to (ISC)², which are the six phases of data handling?

A. Create → Share → Store → Use → Archive → Destroy


B. Create → Share → Use → Store → Archive → Destroy
C. Create → Use → Store → Share → Archive → Destroy
D. Create → Store → Use → Share → Archive → Destroy

Answer: D
Explanation:

According to ISC2, there are six phases in the data lifecycle (create → store → use → share →
archive → destroy). Each phase addresses a specific aspect of data management and ensures that
data is managed appropriately from its creation to its eventual destruction.

For example, an organization may create customer data when a new account is opened, store it in a
secure database, use it for customer service, share it with authorized personnel, archive it for future
reference, and finally destroy it when it is no longer needed.

www.dumpshouse.com
CC Dumps Demo Page 13

The secure data handling lifecycle


The diagram illustrates of the successive stages that data passes through during its existence. Each
stage has specific security requirements to ensure proper data handling and compliance.
Specifically, the stages are:

1. Create Stage. Involves generating new data through various means, such as data entry, collecting
data from external sources, collecting data from sensors, or creating digital documents and files
(examples: writing a report, filling out a form, generating logs from a system, capturing images or
video).
2. Storage Stage. Data is securely stored and organized in databases, data warehouses, cloud
storage, or physical storage media so that it can be easily accessed and retrieved when needed.

3. Usage Stage. Data is accessed and used for various purposes such as analysis, decision making,
operations, or reporting. The integrity and accuracy of the data are critical at this stage (examples:
analyzing sales data, using customer information for marketing campaigns, querying a database to
generate reports).

4. Share Stage. Data is shared with authorized people or systems. This stage ensures that data is
transmitted securely and reaches the intended recipients without unauthorized access or breaches
(examples: reports can be emailed, documents can be shared through collaboration tools, and data
can be distributed to other systems through APIs).

5. Archive phase. When data is no longer actively used, but needs to be retained for future
reference or compliance purposes, it is archived. Archiving involves moving data to a secure, long-
term storage solution (examples: moving old financial records to an archive system, storing
historical data in a tape backup, keeping inactive customer records in an archive database).

6. Destruction phase. This final phase involves the secure destruction of data to ensure that
sensitive information is permanently erased and cannot be recovered or misused (examples include
shredding physical documents, securely deleting digital files, degaussing hard drives, and using data
www.dumpshouse.com
CC Dumps Demo Page 14

wiping software to erase data from storage devices).

Question: 21

In an Access Control List (ACL), the element that determines what permissions you have is:

A. The object
B. The firmware
C. The rule
D. The subject

Answer: C
Explanation:

An Access Control List (ACL) is a list of rules that specifies which users or systems are granted or
denied access (i.e., have permission to access) to a particular object or system resource (see ISC2
Study Guide, chapter 3, module 4).

Each rule in the ACL specifies the permissions, such as read, write, or execute, that a subject has over
an object. For instance, in a file system, an ACL might include a rule that grants read and write access to
a specific user for a particular file. This rule determines the permissions that the user has for that file.

The subject is a user or a process run by a user, which inherits the user authorization. The object is the
resource or data in the system (or the network) to be accessed. Firmware is a type of software
embedded in a hardware system; therefore, the concept of an Access Control List does not directly apply
to it.

Question: 22

An organization that uses a layered approach when designing its security architecture is using
which of these security approaches?

A. Defense in depth
B. Network Access Control
C. Network Layers
D. Zero trust

Answer: A
Explanation:

An organization that uses a layered approach to designing its security architecture uses a defense-in-
depth approach. Each layer is designed to provide backup security in case the previous layer fails or is
bypassed.

www.dumpshouse.com
CC Dumps Demo Page 15

Illustration of the concept of Defense in Depth


As shown in the figure, each concentric circle represents a layer, starting with the innermost circle,
which protects data (presumably one of the most valuable assets) with high-security measures such as
encryption; moving outward to network security with firewalls, VPNs, and network intrusion detection
systems; continuing outward to perimeter defenses such as fences, gates, or mantraps; and finally to the
outermost layer, which includes administrative controls that orchestrate the underlying controls. This
layered security architecture ensures that if one line of defense is breached, others are ready to thwart
attacks, emphasizing redundancy and comprehensive protection against potential threats.

The other options are incorrect. Zero trust is a security strategy that assumes all network traffic is
potentially malicious and must be verified. Next, network access control refers to the process of
controlling access to a network. Network layers refer to the different layers of a computer network, such
as the network infrastructure, network applications, and network devices.

Question: 23

Which of these types of malware self-replicates without the need for human intervention?

A. Rootkits
B. Virus
C. Trojan
D. Worm

Answer: D
Explanation:

www.dumpshouse.com
CC Dumps Demo Page 16

A worm is a type of malware designed to replicate itself and spread to other computers without human
intervention. Worms exploit operating systems, network servers and other software vulnerabilities in
order to propagate themselves. They can cause various damaging effects, including disrupting network
performance, consuming bandwidth, and stealing sensitive information (see ISC2 Study Guide, chapter
4, module 2).

Some worms can also perform directly malicious actions, such as installing rootkits, backdoors or other
malicious software on the systems they infect. Viruses, like worms, replicate themselves and exploit
vulnerabilities in systems or software to propagate themselves. However, viruses
typically require human intervention (like being activated from an e-mail or downloaded from the internet
to be run on a system). On the other hand, Trojans do not replicate themselves, and typically rely on
human intervention to be delivered and installed. Finally, rootkits are malware that conceals the
presence of other malicious software (such as viruses or Trojans) on a system, namely by hiding their
files, processes, and other system artifacts.

Question: 24

Which port is used to secure communication over the web (HTTPS)?

A. 69
B. 25
C. 80
D. 443
Answer: D
Explanation:

Port 443 is used for Hypertext Transfer Protocol Secure (HTTPS) communications, which ensures that
data transmitted between a Web browser and a server is encrypted and secure. This encryption is
typically achieved through the use of SSL/TLS protocols

www.dumpshouse.com
CC Dumps Demo Page 17

For example, when you visit a secure Web site such as https://www.example.com, your browser
uses port 443 to establish a secure connection, ensuring that sensitive information such as login
credentials and personal information is protected from eavesdropping and tampering.
Ports of the main TCP application protocols grouped by functionality
Of the remaining ports, port 25 is used for SMTP (Simple Mail Transfer Protocol) to send e-mail. Port
69 is used for TFTP (Trivial File Transfer Protocol), a simple file transfer protocol without encryption.
Port 80 is used for HTTP (Hypertext Transfer Protocol), which is the standard protocol for web traffic
but does not provide encryption, making it less secure than HTTPS.

Question: 25

In the risk management process, which of the following best describes the concept of 'risk
acceptance'?

A. Implementing controls and countermeasures to eliminate all risks


B. Ignoring potential risks and their impacts
C. Acknowledging that certain risks are too costly or impractical to mitigate and accepting the
potential consequences
D. Avoiding the need for a risk management process

Answer: C
Explanation:

Risk acceptance is a component of the risk management process that involves recognizing when it may
be more practical or cost-effective to accept a certain level of risk rather than attempting to eliminate it
entirely (see ISC2 Study Guide, Module 2, under Risk Treatment). This decision is an informed choice
typically based on the organization's risk appetite and on carefully analyzing the potential costs and
benefits of implementing additional controls or countermeasures. By contrast, implementing controls and
countermeasures to eliminate all risks, ignoring potential risks and their impacts, and avoiding the need
for a risk management process are all incorrect options, as these approaches do not accurately describe
the concept of informed choice underlying risk acceptance.

www.dumpshouse.com
Thank You for trying CC PDF Demo

https://www.dumpshouse.com/cc-dumps/

Start Your CC Preparation

[Limited Time Offer] Use Coupon " SAVE20 " for extra 20%
discount on the purchase of PDF file. Test your
CC preparation with actual exam questions

www.dumpshouse.com

You might also like