Practice CC Security Principles questions with full explanations on every answer.
1. Which principle of the CIA triad ensures that data is not disclosed to unauthorized individuals?
2. Which of the following is an example of a Type 2 authentication factor?
3. An organization implements redundant servers and failover mechanisms to ensure continuous operation during a power outage. Which goal of the CIA triad is primarily being addressed?
4. According to the (ISC)² Code of Ethics, which of the following obligations takes the highest priority?
5. A security analyst is reviewing a log that shows an unauthorized user attempted to modify a payroll database. Which security principle is most directly threatened?
6. A company is evaluating a new cloud service provider. As part of due diligence, they review the provider's security certifications, conduct a site visit, and check references. This process is an example of which risk management strategy?
7. Which of the following is classified as sensitive PII?
8. Which risk management strategy involves implementing security controls to reduce the likelihood or impact of a risk?
9. A security professional is asked to ensure that a document has not been altered since it was signed. Which technology best supports this requirement?
10. An employee uses a password and a one-time code from a mobile authenticator app to log in. Which authentication type is being used?
11. A vulnerability assessment reveals that a legacy system has unpatched software. The organization decides to accept the risk because the system is isolated and has compensating controls. This decision is an example of:
12. Which of the following best describes the difference between due care and due diligence in security governance?
13. A security analyst is evaluating controls to protect the confidentiality of customer data. Which TWO of the following are effective controls? (Select TWO.)
14. A company is implementing a data classification policy. According to best practices, which THREE of the following should be classified as 'restricted' or 'top secret'? (Select THREE.)
15. Which TWO of the following are examples of Type 3 authentication? (Select TWO.)
16. A security professional is implementing a file integrity monitoring (FIM) system on critical servers. Which element of the CIA triad does this primarily address?
17. A company is deploying a multi-factor authentication (MFA) solution. Which combination represents two different authentication factors?
18. An organization decides to accept the risk of using a legacy system that cannot be patched due to critical business operations. This is an example of:
19. Which of the following is an example of a Type 2 authentication factor?
20. According to the (ISC)² Code of Ethics, which principle has the highest priority?
21. A data breach exposed customers' names, addresses, and Social Security numbers. Which type of data was compromised?
22. An organization is evaluating a new vendor that will process customer data. The security team performs a thorough assessment of the vendor's security controls and background checks. This process best demonstrates:
23. Which of the following controls is primarily designed to ensure availability?
24. A security analyst is implementing controls to prevent unauthorized disclosure of sensitive information. Which element of the CIA triad is being addressed?
25. Which of the following best describes a vulnerability in the context of risk management?
26. An organization labels data as 'Confidential' and requires encryption both at rest and in transit. This classification is an example of:
27. What is the primary purpose of a digital signature?
28. A security administrator is selecting controls to protect the confidentiality of a database containing customer PII. Which TWO controls are most appropriate?
29. An organization is implementing a risk management strategy for a new system. Which THREE actions are examples of risk mitigation?
30. Which TWO of the following are examples of Type 3 (inherence) authentication factors?
31. An organization implements full-disk encryption on all laptops. Which element of the CIA triad is primarily being addressed?
32. A security professional is asked to choose an authentication method for a high-security facility. The requirement is to use something the user 'is'. Which authentication type should be selected?
33. After a data breach, an organization discovers that an attacker exploited a known vulnerability in an outdated web server. The organization had previously identified the vulnerability but decided not to patch it due to potential downtime. Which risk management strategy did the organization employ?
34. Which of the following is an example of a Type 2 authentication factor?
35. An organization classifies data as 'confidential' and requires encryption at rest and in transit. Which data classification level is likely being used?
36. A security analyst is evaluating a new vendor for cloud services. The analyst reviews the vendor's security certifications, conducts background checks, and visits the data center. This process is an example of:
37. According to the (ISC)² Code of Ethics, if a conflict arises between protecting society and providing diligent service to your employer, which should take precedence?
38. A company uses redundant servers and automated failover to ensure that its website remains accessible during a server outage. Which principle of the CIA triad is being addressed?
39. What is the primary purpose of hashing in information security?
40. Which of the following is an example of a vulnerability?
41. A company stores customer PII including Social Security numbers and medical records. Under privacy principles, these data elements are best described as:
42. Which of the following is a control that can reduce the risk of a DDoS attack?
43. When implementing multi-factor authentication, which combination of factors is considered strongest?
44. A security manager is advised to implement 'due care' in their organization. Which action best exemplifies due care?
45. An organization wants to ensure that an email message has not been altered during transmission. Which security control should be used?
46. A security professional is reviewing authentication methods. Which TWO are examples of Type 2 (possession) factors? (Select TWO.)
47. Which THREE of the following are considered risk management strategies? (Select THREE.)
48. Which TWO of the following are examples of integrity controls? (Select TWO.)
49. Which of the following is an example of a physical control that supports the availability principle of the CIA triad?
50. An organization implements a policy requiring employees to use a smart card and a PIN to access the data center. This is an example of which type of authentication?
51. A security analyst discovers that a vendor's software contains a known vulnerability that could lead to data exposure. The analyst reports this to management. According to risk management principles, which action represents risk transfer?
52. Which of the following best describes the purpose of due care in information security?
53. A company stores customer records that include names, addresses, and Social Security numbers. According to the ISC2 Code of Ethics, which canon has the highest priority when handling this sensitive data?
54. An organization labels its financial reports as "Confidential" and requires encryption at rest and in transit. This is an example of:
55. Which of the following ensures that data has not been tampered with during transmission?
56. A security team implements a load balancer to distribute traffic across multiple web servers. This control primarily supports which principle?
57. Which of the following is an example of a Type 1 authentication factor?
58. After a security breach, the organization conducts a background check on a new vendor before signing a contract. This practice is known as:
59. What is the primary goal of data classification?
60. An organization uses a digital signature to verify the authenticity of a software update. This supports which part of the CIA triad?
61. Which TWO of the following are examples of sensitive PII? (Select TWO.)
62. A company is implementing risk management for a new project. Which THREE of the following are valid risk treatment options? (Select THREE.)
63. Which TWO of the following are examples of multi-factor authentication? (Select TWO.)
64. An organization encrypts all sensitive data at rest and in transit. Which principle of the CIA triad is primarily being addressed?
65. A security analyst implements a hashing algorithm to verify that a downloaded file has not been altered. Which security goal is being achieved?
66. A multinational corporation deploys redundant servers in geographically diverse data centers and uses a load balancer to distribute traffic. This setup primarily addresses which security concern?
67. Which of the following is an example of Type 2 (possession) authentication?
68. A user logs into a system using a password and a one-time passcode from a mobile authenticator app. This is an example of:
69. According to the (ISC)² Code of Ethics, which canon has the highest priority?
70. A company performs background checks on potential employees before hiring. This action demonstrates which concept?
71. Which of the following is considered sensitive Personally Identifiable Information (PII)?
72. A security team identifies that a server has a known vulnerability. A threat actor could exploit it to gain unauthorized access. The combination of these factors represents:
73. A company decides to accept the risk of using a legacy system because the cost of replacing it exceeds potential losses. This is an example of:
74. Which data classification level typically requires the highest level of protection?
75. A system administrator implements version control for all configuration files. Which principle is being strengthened?
76. During a vendor risk assessment, a company discovers that a potential vendor has poor security practices. The company decides not to hire the vendor. This is an example of:
77. A security analyst is implementing controls to protect the integrity of a database. Which TWO of the following controls would best achieve this goal?
78. An organization is developing a data classification policy. Which THREE of the following are common classification levels?
79. An organization implements encryption for data at rest and in transit. Which principle of the CIA triad is primarily being addressed?
80. A security administrator is configuring a system to detect unauthorized changes to critical files by calculating and storing a hash value for each file. Which security goal is primarily supported?
81. After a major DDoS attack, a company deploys redundant internet connections and load balancers to ensure continued access to its web services. Which principle of the CIA triad is being strengthened?
82. Which of the following is an example of Type 2 authentication?
83. An organization requires employees to enter a password and then approve a push notification on their mobile device to access the corporate network. What type of authentication is this?
84. A security consultant is evaluating a vendor's security practices before signing a contract. The consultant reviews the vendor's security policies and incident response plans, and conducts background checks on key personnel. This activity is an example of:
85. According to the (ISC)² Code of Ethics, which canon has the highest priority?
86. Which of the following is considered sensitive PII?
87. A company classifies its data into four categories: Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?
88. An organization decides to accept the risk of using an older software version known to have vulnerabilities because the cost of upgrading outweighs the potential impact. This is an example of:
89. Which of the following best describes a vulnerability in the context of risk management?
90. A company implements a new firewall and intrusion detection system to reduce the risk of network breaches. This is an example of:
91. A security analyst is designing a multi-factor authentication system for remote access. Which TWO of the following combinations represent true multi-factor authentication? (Select TWO.)
92. An organization is conducting a risk assessment. Which THREE of the following are considered assets? (Select THREE.)
93. A security policy requires that data classified as 'Confidential' must be encrypted both at rest and in transit. Which TWO of the following are likely data handling requirements for 'Confidential' data? (Select TWO.)
94. Which security principle ensures that data cannot be accessed by unauthorized individuals?
95. An organization uses hashing to ensure that data has not been altered during transmission. Which security principle is being implemented?
96. Which authentication type is a smart card an example of?
97. A company implements redundant servers to ensure that if one server fails, another can take over immediately. Which security principle is primarily being addressed?
98. An organization requires both a password and a fingerprint scan to access a secure system. This is an example of:
99. According to the (ISC)² Code of Ethics, which obligation has the highest priority?
100. What is the difference between due care and due diligence in security governance?
101. Which of the following is considered sensitive personally identifiable information (PII)?
102. A security team identifies a vulnerability in a web application that could allow attackers to steal customer data. The team decides to accept the risk because the cost to fix exceeds the potential loss. This is an example of:
103. An organization classifies data as 'Confidential' and requires encryption both at rest and in transit. Which data classification level best fits this requirement?
104. What is the primary purpose of a digital signature?
105. A company conducts a background check on a new vendor before signing a contract. This activity is an example of:
106. An organization wants to implement multi-factor authentication for remote access. Which TWO of the following would provide multi-factor authentication? (Select TWO.)
107. Which THREE of the following are examples of risk mitigation? (Select THREE.)
108. An organization is developing a data classification policy. Which THREE of the following should be classified as Confidential or higher? (Select THREE.)
109. Which of the following best describes the principle of confidentiality in the CIA triad?
110. Which type of authentication factor involves something the user knows?
111. A security analyst recommends implementing digital signatures to ensure that a software update has not been altered during distribution. Which aspect of the CIA triad is primarily being addressed?
112. An organization implements a redundant server infrastructure to ensure that services remain operational even if one server fails. This is an example of protecting which principle?
113. Which of the following is an example of a Type 2 authentication factor?
114. According to the (ISC)² Code of Ethics, which of the following has the highest priority?
115. A company is evaluating a new cloud service provider and performs a thorough investigation of the provider's security practices and compliance with industry standards. This activity is best described as:
116. Which of the following is an example of sensitive PII?
117. In risk management, which term describes the probability that a threat will exploit a vulnerability and cause harm to an asset?
118. Which data classification level typically requires the highest level of protection and is reserved for information that could cause catastrophic harm if disclosed?
119. A security team decides to implement multi-factor authentication for all remote access. Which combination of factors would constitute multi-factor authentication?
120. An organization decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment strategy?
121. An organization is implementing a new access control system. Which TWO of the following are examples of Type 3 authentication factors?
122. A security analyst is reviewing data handling procedures. Which THREE of the following are considered sensitive PII?
123. An organization is developing a security policy. Which TWO of the following are core components of the CIA triad?
124. A security analyst is implementing a solution to ensure that data transmitted between two servers cannot be read by unauthorized parties. Which security principle is the analyst primarily addressing?
125. An organization wants to implement multi-factor authentication (MFA) for remote access. Which two types of authentication factors would meet the definition of MFA? (Choose two.)
126. A company is classifying data and wants to ensure that personally identifiable information (PII) receives appropriate protection. Which two of the following are considered PII? (Choose two.)
127. A security team is conducting a risk assessment for a new cloud application. They have identified a vulnerability in the application that could allow unauthorized access to sensitive data. Which three risk management strategies should they consider? (Choose three.)
128. A security professional is advising a company on adherence to the (ISC)² Code of Ethics. Which two of the following actions align with the Code's canons? (Choose two.)
129. A financial institution is implementing data classification to protect customer information. They have identified data that includes medical records and financial account numbers. Which three labels are most appropriate for this data? (Choose three.)
130. An organization wants to ensure the integrity of a software update before deployment. Which two methods can be used to verify integrity? (Choose two.)
The Security Principles domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 130 questions in the Security Principles domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.