ISC2 CC (Certified in CyberSecurity) Practice Questions : Certification Success - Unofficial By Certification Terminal (Part 1)


5.6 Which protocol employs a three-way handshake to establish a reliable connection? A. TCP B. SMTP C. SNMP D. UDP

A. TCP

4.42 In the context of confidentiality, what does the term "sensitivity" refer to? A. The need for protection assigned to information by its owner B. The harm caused to external stakeholders if information is disclosed or modified C. The health status of an individual D. The ability of information to be accessed only by authorized individuals

A. The need for protection assigned to information by its owner

4.41 If Joe and Ryan are employing symmetric cryptography for secure communication, and Joe intends to transmit an encrypted message to Ryan, which key should Joe utilize? A. The shared symmetric key B. Ryan's private key C. Joe's public key D. Ryan's public key

A. The shared symmetric key

4.30 What is knowledge-based authentication? A. Authentication based on biometrics or measurable characteristics B. Authentication based on a passphrase or secret code C. Authentication based on something you do D. Authentication based on a token or memory card

B. Authentication based on a passphrase or secret code

4.45 Which one among the following represents a data handling policy procedure? A. Transform B. Encode C. Destroy D. Collect

C. Destroy

4.36 In the realm of cybersecurity, what does the term "asset" refer to? A. A gap or weakness in protection efforts B. The means by which a threat actor carries out their objectives C. Something in need of protection D. A person or thing that takes action to exploit a target organization's system vulnerabilities

C. Something in need of protection

4.12 In risk management, what does the term "impact" refer to? A. The actions taken to transfer or mitigate risks B. Confidentiality C. The severity or consequences of a risk event D. The potential vulnerabilities in a system or process

C. The severity or consequences of a risk event

6.9 What is an illustration of a data classification scheme from the options provided? A. High, Medium, Low B. A, B, C C. Red, Yellow, Green D. Public, Internal, Confidential

D. Public, Internal, Confidential

6.15 Bob has been assigned the task of setting up a network design that isolates the organization's externally accessible servers (such as the web server and email server) from its internal network to bolster security. What should he put into practice? A. DMZ B. VLAN C. VPN D. IDS

A. DMZ

5.9 How does a cold site differ from a hot site? A. A cold site is a location with no infrastructure in place, while a hot site is a fully operational duplicate of the primary site. B. A cold site and a hot site are the same thing. C. A cold site is a location with minimal infrastructure in place, while a hot site is a fully operational duplicate of the primary site. D. A cold site is a fully operational duplicate of the primary site, while a hot site is a location with no infrastructure in place.

A. A cold site is a location with no infrastructure in place, while a hot site is a fully operational duplicate of the primary site.

4.2 Choose the BEST example for a preventive control from the following: A. A firewall B. A backup generator C. An intrusion detection system D. An antivirus software

A. A firewall

4.44 The most prevalent physical security measure utilized to safeguard high-security areas is A. Access control systems B. Video surveillance C. Perimeter fencing D. All of the above

A. Access control systems

4.46 Which category of control centers on formulating and implementing security policies, standards, and guidelines? A. Administrative controls B. Physical controls C. Security controls D. Technical controls

A. Administrative controls

3.8 Which of the following is not a component of System Security Configuration Management? A. Audit logs B. Patches C. Baselines D. inventories

A. Audit logs

4.38 Out of the following options, what is NOT a benefit of network segmentation? A. Easier network management B. Better compliance with regulatory requirements C. Improved network security D. Increased network performance

A. Easier network management. Segmentation can make network management more complex, not easier.

5.2 Out of the following options, which option is a key component of an incident response plan? A. Establishing procedures for communication and coordinating with external parties B. Establishing recovery time objectives for critical systems and data C. Conducting regular vulnerability assessments D. Identifying critical business functions and their dependencies

A. Establishing procedures for communication and coordinating with external parties

3.2 Out of the following options, which is an example of an international information security standard? A. ISO/IEC 27001 B. PCI DSS C. HIPAA D. NIST SP 800-53

A. ISO/IEC 27001

4.32 Out of the following options, what can be considered as a limitation of Discretionary Access Control? A. It can result in users having too much access to resources B. It is too rigid and inflexible C. It is difficult to implement and manage D. It can be easily circumvented by malicious users

A. It can result in users having too much access to resources

5.5 What risk identification method involves analyzing historical data, incident reports, and lessons learned to pinpoint potential risks? A. Lessons learned analysis B. SWOT analysis C. Brainstorming D. Checklists

A. Lessons learned analysis. This method examines historical data, incident reports, and lessons learned from past events.

5.3 What is a frequently employed authentication factor from the options below? A. Password B. Phone number C. Social Security Number D. Email

A. Password. Passwords are the most common authentication factor.

5.1 What is the PRIMARY objective of confidentiality in information security? A. Protecting data from unauthorized access B. Making sure data is not lost C. Ensuring data can be easily modified D. Ensuring data is easily accessible

A. Protecting data from unauthorized access

4.1 In the realm of information security, what constitutes the utmost crucial element of privacy? A. Protecting personal information from unauthorized access or disclosure B. Ensuring data is accurate and unchanged C. Making sure data is always accessible when needed D. All of the above

A. Protecting personal information from unauthorized access or disclosure

5.8 Which of the following describes a method of risk reduction through the implementation of security measures like firewalls, intrusion detection systems, and encryption, aimed at preventing cyber attacks and safeguarding against the aftermath of a security breach? A. Risk mitigation B. Risk avoidance C. Risk transfer D. Risk acceptance

A. Risk mitigation

5.19 Which component addresses the procedure needed to undo changes in Change Management? A. Rollback B. Request for Approval C. Request for Change D. Disaster and Recover

A. Rollback

6.1 What device is usually in charge of managing the flow of traffic between various networks in a standard home or small business network? A. Router B. Firewall C. Modem D. Switch

A. Router. A switch directs traffic within a single network (for example, among the devices in your home). Although some switches can route traffic, that is not their primary function, and they do not typically route traffic between different networks.

6.18 What are the three prevalent authentication methods? A. Something you know, something you have, something you are B. Something you have, someone you know, something you do C. Something you do, something you trust, something you have D. Something you have, something you do, somewhere you are

A. Something you know, something you have, something you are

6.2 Which of the following provides the most accurate description of the purpose of a security program? A. To manage risks and threats to an acceptable level B. To prevent all security incidents C. To comply with legal regulations D. To protect against all risks and threats

A. To manage risks and threats to an acceptable level

4.28 What is the objective of laws or regulations concerning data breach notifications? A. To notify individuals affected by a data breach B. To hold organizations accountable for data breaches C. To encrypt personal information to prevent unauthorized access D. To prevent data breaches from occurring

A. To notify individuals affected by a data breach

5.15 What is the primary purpose of a disaster recovery plan? A. To recover from a disaster as quickly as possible B. To identify the cause of a disaster C. To maintain business operations in the event of a disaster D. To prevent disasters from happening in the first place

A. To recover from a disaster as quickly as possible

6.13 What distinguishes a hot site from a warm site as the primary difference between them? A. A hot site is located close to the main facility while a warm site is located farther away B. A hot site is fully functional while a warm site is partially functional. C. A hot site is used for short-term recovery while a warm site is used for long-term recovery D. A hot site is more expensive than a warm site.

B. A hot site is fully functional while a warm site is partially functional.

3.5 How do you define a threat in the Cybersecurity domain? A. The means by which a threat actor carries out their objectives B. A person or thing that takes action to exploit a target organization's system vulnerabilities C. Something in need of protection D. An inherent weakness or flaw in a system or component

B. A person or thing that takes action to exploit a target organization's system vulnerabilities

4.23 Which ISC2 Code of Ethics principle underscores the significance of continuous professional development and the maintenance of competence within the realm of information security? A. Act honorably, honestly, justly, responsibly, and legally B. Advance and protect the profession C. Protect society, the common good, and the infrastructure D. Provide diligent and competent service to stakeholders

B. Advance and protect the profession

4.19 How do you define "internal consistency of information"? A. Data being protected from errors or loss of information B. All instances of data being identical in form, content, and meaning C. Data being displayed and stored the same way on all systems D. Data being accurate, useful, and complete

B. All instances of data being identical in form, content, and meaning

4.20 Which of the following options exemplifies a corrective control? A. A backup generator B. Applying security patches to systems and software C. An access control system D. Training employees on cybersecurity best practices

B. Applying security patches to systems and software

5.20 When faced with a significant earthquake, what should be the foremost immediate concern? A. Implementing additional security measures B. Ensuring the safety of individuals C. Activating the disaster recovery plan for systems D. Assessing the physical damage to infrastructure

B. Ensuring the safety of individuals

6.6 Which of the following statements accurately describes the three-way handshake? A. It involves only two messages exchanged between two devices B. It ensures both devices are ready and willing to communicate C. It is used to encrypt data during transmission D. It is only used for establishing a connection between servers, not between a client and a server

B. It ensures both devices are ready and willing to communicate

3.6 Which among these options exemplifies a logical access control? A. Security cameras monitoring an area B. Passwords C. Security guards safeguarding a building D. Physical locks on doors

B. Passwords. Logical access control limits connections to computer networks, files, and data. Logical access controls encompass electronic techniques employed to limit entry to systems or digital resources; they manage access via electronic mechanisms rather than physical barriers. Passwords are an illustrative instance: users must provide the correct combination of characters to gain entry to a system or resource.

4.24 The primary objective of a company employing mantraps/turnstiles at the entrance to their high-security data center is to? A. Alerting security personnel in case of an intrusion B. Preventing tailgating C. Detecting motion within the data center D. Restricting access based on time of day

B. Preventing tailgating

4.17 What term pertains to an individual's capacity to manage the sharing of their personal information? A. Consent B. Privacy C. Anonymization D. Data minimization

B. Privacy

3.4 What constitutes the main goal of information security? A. Prevent all security incidents B. Protect information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction C. Ensure compliance with legal regulations D. Implement security controls and measures

B. Protect information and assets from unauthorized access, use, disclosure, disruption, modification, or destruction

5.12 Which of these is the main objective of a Disaster Recovery Plan? A. Outline a safe escape procedure for the organization's personnel B. Restore company operation to the last-known reliable operation state C. Communicate to the responsible entities the damage caused to operations in the event of a disaster D. Maintain crucial company operations in the event of a disaster

B. Restore company operation to the last-known reliable operation state

4.48 Which of the listed security protocols is employed to safeguard communications over the internet, thwarting eavesdropping, tampering, and message forgery? A. Telnet B. SSH C. FTP D. HTTP

B. SSH

4.25 How do you define non-repudiation? A. The protection against an individual falsely admitting having performed an action B. The protection against an individual falsely denying having performed an action C. The protection against an individual falsely denying the occurrence of an action D. The protection against an individual falsely accusing someone else of performing an action

B. The protection against an individual falsely denying having performed an action

6.16 For Cohlerz, what does the group of hackers identified by the cybersecurity team, who are known for exploiting a specific vulnerability in network security, represent? A. Vulnerability B. Threat Actors C. Threat Vector D. Risk

B. Threat Actors

4.5 What is the objective of implementing a security awareness and training initiative? A. To develop technical specifications for security controls B. To educate employees about security policies and procedures C. To investigate and respond to security incidents D. To enforce disciplinary actions for security violations

B. To educate employees about security policies and procedures

6.17 What is the objective of a security awareness program? A. To enforce security policies and regulations B. To educate employees on their role in protecting organizational assets and information C. To monitor employee activities and behavior D. To train employees on the technical aspects of security

B. To educate employees on their role in protecting organizational assets and information

4.40 What is the fundamental goal of the CIA Triad? A. To regulate access to physical facilities and assets B. To ensure the confidentiality, integrity, and availability of information C. To provide a comprehensive approach to safeguarding information and assets D. To protect against external attacks on information systems

B. To ensure the confidentiality, integrity, and availability of information

4.14 What is the primary objective of risk assessment? A. To identify critical business functions B. To evaluate the potential impact of threats to the organization C. To define recovery time objectives for critical systems and data D. To establish procedures for restoring critical systems and data

B. To evaluate the potential impact of threats to the organization

4.9 What is the main objective of Business Continuity (BC)? A. To minimize expenses during unexpected events B. To maintain operations during unexpected events C. To maximize profits during unexpected events D. To maintain the status quo during unexpected events

B. To maintain operations during unexpected events

5.16 Which of the following does NOT represent an example of a threat actor? A. A hacker attempting to steal information B. An employee accidentally deleting important data C. A natural disaster causing system downtime D. A competitor attempting to gain an advantage

C. A natural disaster causing system downtime

4.3 What distinguishes a private cloud from a public cloud? A. A public cloud is less secure than a private cloud B. A private cloud is more expensive than a public cloud C. A public cloud is hosted by a third-party provider, while a private cloud is dedicated to a single organization D. A private cloud is only accessible from a single location

C. A public cloud is hosted by a third-party provider, while a private cloud is dedicated to a single organization

4.37 What sets apart a risk assessment from a vulnerability assessment? A. A risk assessment and vulnerability assessment are the same thing B. A risk assessment identifies specific vulnerabilities, while a vulnerability assessment evaluates the potential impact of threats C. A risk assessment evaluates the potential impact of threats, while a vulnerability assessment identifies specific vulnerabilities D. A risk assessment and a vulnerability assessment are both methods of testing the effectiveness of security controls

C. A risk assessment evaluates the potential impact of threats, while a vulnerability assessment identifies specific vulnerabilities

6.10 What does the term "multi-factor authentication (MFA)" refer to? A. A type of authentication that uses only one factor B. A type of authentication that uses only two methods C. A type of authentication that uses more than two methods D. A type of authentication that uses only one method

C. A type of authentication that uses more than two methods

4.8 What distinguishes an incident response plan from a disaster recovery plan? A. An incident response plan focuses on recovering from security incidents, while a disaster recovery plan focuses on recovering from natural disasters. B. An incident response plan focuses on preventing security incidents, while a disaster recovery plan focuses on mitigating the impact of natural disasters C. An incident response plan focuses on detecting and responding to security incidents, while a disaster recovery plan focuses on restoring IT systems and infrastructure D. An incident response plan focuses on restoring critical systems and data, while a disaster recovery plan focuses on restoring business operations.

C. An incident response plan focuses on detecting and responding to security incidents, while a disaster recovery plan focuses on restoring IT systems and infrastructure

4.49 Which of the following exemplifies a detective control? A. Encryption of sensitive data B. A backup generator C. An intrusion detection system D. An access control system

C. An intrusion detection system

4.39 Which access control model allows for access to a specific object based on intricate rules? A. Discretionary Access Control (DAC) B. Role-based Access Control (RBAC) C. Attribute-Based Access Control (ABAC) D. Mandatory Access Control (MAC)

C. Attribute-Based Access Control (ABAC)

4.16 Which of these is primarily focused on identifying and prioritizing critical business processes? A. Business Continuity Plan B. Disaster Recovery Plan C. Business Impact Analysis D. Business Impact Plan

C. Business Impact Analysis

5.17 You've been appointed as the disaster recovery manager for your organization following a significant disaster. What should be your initial step in this role? A. Identify the critical business processes that must be protected and prioritize their recovery. B. Conduct a damage assessment of the organization's facilities and infrastructure C. Establish a crisis management center and begin communication with key stakeholders D. Begin the process of restoring normal business operations as quickly as possible.

C. Establish a crisis management center and begin communication with key stakeholders. This is the first step in disaster recovery because it enables coordination and communication with key stakeholders and employees.

3.3 What is the key component of a business continuity plan? A. Identifying critical business functions and their dependencies B. Conducting regular vulnerability assessments C. Establishing communication procedures D. Establishing recovery point objectives for critical systems and data

C. Establishing communication procedures. The five components of a BCP are:
1. Risks and potential business impact
2. Planning an effective response
3. Roles and responsibilities
4. Establishing communication procedures
5. Testing and training

4.29 TechSys Inc., a US-based organization, wants to extend its services to the European market. Which regulation should the company comply with to protect the personal data of its European users? A. Institute of Electrical and Electronics Engineers (IEEE) B. Health Insurance Portability and Accountability Act (HIPAA) C. General Data Protection Regulation (GDPR) D. National Institute of Standards and Technology (NIST)

C. General Data Protection Regulation (GDPR)

6.8 Ellison, an IT manager, receives an alert indicating that the company's website has been defaced. Which cybersecurity principle has been primarily breached? A. Non-repudiation B. Confidentiality C. Integrity D. Availability

C. Integrity. Defacing a website violates the integrity principle: the core violation is the unauthorized alteration of content.

4.4 What security principle asserts that a user should possess only the requisite permissions to perform a task? A. Separation of Duties B. Defense in Depth C. Least Privilege D. Privileged Accounts

C. Least Privilege

4.26 Which protocol is utilized for secure email communication among the options provided? A. IMAP B. SMTP C. POP3 D. HTTPS

C. POP3

4.6 In your role as a cybersecurity analyst, your supervisor tasks you with producing a document that delineates the sequential procedure for setting up firewall rules within the organization's network infrastructure. What specific type of document are you creating? A. Guideline B. Policy C. Procedure D. Standard

C. Procedure

6.7 Which of the following principles is included in the ISC2 Code of Ethics? A. Protect society, the common good, and the infrastructure B. Act honorably, honestly, safely and legally C. Provide diligent and competent service to principals D. Advance and promote the profession.

C. Provide diligent and competent service to principals. This is the only option that quotes the Code's wording correctly.

4.31 What is the primary objective of business impact analysis? A. To maintain business operations in the event of a disaster B. To establish procedures for responding to incidents C. To assess the potential impact of a disruption to business operations D. To identify critical systems and data

C. To assess the potential impact of a disruption to business operations

4.50 What is the main objective of a post-incident review? A. To evaluate the effectiveness of security controls B. To identify vulnerabilities in business processes C. To identify opportunities for improving the incident response plan D. To document the incident and its resolution

C. To identify opportunities for improving the incident response plan

5.13 What is the primary purpose of data backups, in the context of cybersecurity? A. To monitor and detect potential security breaches B. To prevent unauthorized access to sensitive information C. To recover lost or corrupted data in the event of a disaster D. To ensure the availability of network resources

C. To recover lost or corrupted data in the event of a disaster

5.4 What is the core objective of implementing network segmentation within a cybersecurity strategy? A. To increase the attack surface by expanding the network B. To create a single point of failure C. To reduce the attack surface by isolating critical assets and sensitive data D. To simplify network management

C. To reduce the attack surface by isolating critical assets and sensitive data

6.19 Which of these options serves as an illustration of a compensatory control? A. A backup generator B. A firewall C. A manual process for processing transactions during a system outage D. An intrusion detection system

C. A manual process for processing transactions during a system outage

6.22 Which category of devices among the following examines packet header details to either permit or block network traffic? A. Routers B. Switches C. Firewalls D. Hubs

C. Firewalls. A router acts as a gateway between two or more networks by relaying and directing data packets between them. A hub broadcasts packets to all of its ports, so every segment of the LAN sees every packet. A switch is smarter than a hub: it forwards packets only to the relevant network segment instead of copying them to all segments.

4.34 Which principle mandates organizations to employ suitable technical and organizational measures for the protection of personal information? A. Data minimization B. Data subject rights C. Data accuracy D. Data security

D. Data security

4.33 What should be done when a device is found not to comply with the security baseline? A. Marked as potentially vulnerable and placed in a quarantine area B. Placed in a demilitarized zone (DMZ) until it can be reviewed and updated C. Disabled or separated into a quarantine area until a virus scan can be run D. Disabled or isolated into a quarantine area until it can be checked and updated

D. Disabled or isolated into a quarantine area until it can be checked and updated

6.20 What is a pivotal element in an incident response plan among the following? A. Identifying critical business functions and their dependencies B. Establishing recovery time objectives for critical systems and data C. Conducting regular vulnerability assessments D. Establishing procedures for reporting and containing incidents

D. Establishing procedures for reporting and containing incidents. This is a key component of an incident response plan: it involves defining the procedures for detecting, reporting, and containing security incidents, as well as identifying the individuals and teams responsible for those activities.

6.21 Which regulatory framework centers on safeguarding the privacy and security of personal data for individuals within the European Union (EU)? A. FERPA (Family Educational Rights and Privacy Act) B. HIPAA (Health Insurance Portability and Accountability Act) C. CCPA (California Consumer Privacy Act) D. GDPR (General Data Protection Regulation)

D. GDPR (General Data Protection Regulation)

4.7 What is the term used to denote the process of eliminating or neutralizing malicious software (malware) from a computer? A. Firewall configuration B. Decryption C. Encryption D. Malware Removal

D. Malware Removal

6.3 What is the term used to denote the practice of partitioning a network into smaller, isolated segments to mitigate the risk of cyber-attacks? A. Load balancing B. Virtual private network C. Router configuration D. Network segmentation

D. Network segmentation

4.18 Which of the following options exemplifies a logical access control? A. Security guards patrolling an area B. Physical locks on doors C. Security cameras monitoring a facility D. Passwords

D. Passwords

6.5 What category of control is represented by security guards, fences and surveillance cameras? A. Administrative controls B. Technical controls C. Security controls D. Physical controls

D. Physical controls

4.10 Which of the options below is an example that does NOT represent a possible model for an Incident Response Team (IRT)? A. Leveraged B. Dedicated C. Hybrid D. Pre-existing

D. Pre-existing

5.7 As a component of their risk mitigation strategy, an organization opts to disclose the potential financial repercussions of data breaches to a third party. To which strategy does this belong? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk Transference

D. Risk Transference

4.35 In a healthcare organization, the access to patient records is determined by job roles such as "Doctor", "Nurse", and "Medical Administrator". This access control method exemplifies: A. Attribute-Based Access Control (ABAC) B. Discretionary Access Control (DAC) C. Mandatory Access Control (MAC) D. Role-based Access Control (RBAC)

D. Role-based Access Control (RBAC)

4.47 In which cloud service model does the IT department bear the smallest responsibility for overseeing and upkeeping the underlying infrastructure and software? A. On-premises deployment B. Infrastructure as a Service (IaaS) C. Platform as a Service (PaaS) D. Software as a Service (SaaS)

D. Software as a Service (SaaS)

4.13 How do you define integrity in the context of Information Security? A. The maintenance of a known configuration and unexpected operational function as the system processes information B. The maintenance of a random configuration and unpredictable operational function as the system processes information C. The maintenance of a known bad configuration and unexpected operational function as the system processes information D. The maintenance of a known good configuration and expected operational function as the system processes information

D. The maintenance of a known good configuration and expected operational function as the system processes information

4.27 What is the term for an entity that exploits system vulnerabilities in a target organization? A. Threat Vector B. Threat C. Attacker D. Threat Actor

D. Threat Actor

6.4 What is the objective of conducting a business impact analysis (BIA)? A. To define the maximum acceptable amount of downtime in the event of a disruption B. To test the effectiveness of security controls C. To establish procedures for restoring critical systems and data D. To identify critical business functions and their dependencies

D. To identify critical business functions and their dependencies

6.11 What is the main objective of conducting a risk assessment? A. To establish procedures for restoring critical systems and data B. To identify vulnerabilities in business processes C. To test the effectiveness of security controls D. To identify potential threats and their impact on business operations

D. To identify potential threats and their impact on business operations

4.11 What is the objective of a risk assessment procedure? A. To assign risk priorities to identified risks B. To assess the potential impact of risks on the organization C. To implement controls and measures to reduce or eliminate risks D. To provide a structured approach for conducting risk assessments

D. To provide a structured approach for conducting risk assessments

4.21 What is the full form of the term "Wi-Fi"? A. Wireless Fire B. Wireless Framework C. Wireless Fiber D. Wireless Fidelity

D. Wireless Fidelity

5.11 What is the main objective of a Virtual Private Network (VPN)? A. To provide remote access to the network B. To segment a physical network into multiple logical networks C. To provide redundancy and high availability for critical network resources D. To encrypt network traffic between two endpoints

D. To encrypt network traffic between two endpoints

3.1 What constitutes a fundamental component of a successful SLA among the options below? A. Clear, measurable performance metrics B. Ambiguous service availability guarantees C. Vague, non-specific language D. A lack of clear responsibilities for the service provider and the client

A. Clear, measurable performance metrics

6.12 What is the focal point of the principle of purpose limitation in privacy protection? A. Collecting and using only necessary data B. Ensuring the accuracy of personal information C. Obtaining explicit consent for data processing D. Implementing appropriate data security measures

A. Collecting and using only necessary data

5.14 Which of the following is a type of risk associated with the breach of laws, regulations, or industry standards governing the use and safeguarding of sensitive information and systems? A. Compliance risk B. Operational risk C. Information risk D. Reputational risk

A. Compliance risk

5.18 Which of the following practices safeguards individuals' privacy by segregating personal information from directly identifiable data? A. Data anonymization B. Data aggregation C. Data encryption D. Data backup

A. Data anonymization

4.22 In which of the access control models listed below can the creator of an object assign permissions to others? A. Discretionary Access Control (DAC) B. Mandatory Access Control (MAC) C. Role Based Access Control (RBAC) D. Attribute Based Access Control (ABAC)

A. Discretionary Access Control (DAC)

5.10 What distinguishes due care from due diligence? A. Due care refers to the legal obligation to take reasonable steps to protect against foreseeable risks, while due diligence refers to the legal obligation to investigate and disclose material facts. B. Due care refers to the steps taken to prevent or minimize the impact of a security incident, while due diligence refers to the steps taken to investigate and respond to a security incident. C. Due care refers to the legal obligation to comply with security regulations and standards, while due diligence refers to the legal obligation to monitor and enforce compliance. D. Due care and due diligence refer to the same thing.

A. Due care refers to the legal obligation to take reasonable steps to protect against foreseeable risks, while due diligence refers to the legal obligation to investigate and disclose material facts.

6.14 What is the commonly used term for the pre-established set of instructions or procedures to maintain business operations after a disaster? A. Disaster Recovery Plan B. Business Impact Plan C. Business Impact Analysis D. Business Continuity Plan

D. Business Continuity Plan

4.43 Which of the following exemplifies a preventive control? A. A backup generator B. An intrusion detection system C. Training employees on cybersecurity best practices D. An access control system

D. An access control system

3.7 Which of the following security programs aims to establish a baseline level of security comprehension that everyone must meet? A. Coaching B. Training C. Indoctrination D. Awareness

D. Awareness

4.15 Which of the following options exemplifies an administrative control? A. Firewall B. Network-based intrusion detection system C. Physical locks on doors D. Background checks for employees

D. Background checks for employees
