ISC2 · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?
A. Implement mandatory access control (MAC) with labels for all data.
B. Use role-based access control (RBAC) to grant permissions specific to each administrator's duties. [Correct]
C. Allow administrators to self-assign permissions as needed.
D. Assign each administrator full database admin rights for simplicity.
Explanation: RBAC aligns with least privilege by scoping permissions to roles.
A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?
A. Job rotation
B. Need-to-know
C. Separation of duties
D. Least privilege [Correct]
Explanation: Least privilege requires minimal permissions; write access is excessive.
Which access control model uses subject and object labels to enforce access based on a security policy?
A. Discretionary Access Control (DAC)
B. Attribute-Based Access Control (ABAC)
C. Mandatory Access Control (MAC) [Correct]
D. Role-Based Access Control (RBAC)
Explanation: MAC uses labels and a central policy to control access.
A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?
A. Need-to-know
B. Separation of duties [Correct]
C. Least privilege
D. Job rotation
Explanation: Separation of duties requires multiple people to complete a sensitive task.
An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?
A. Use a group managed service account with a 30-day password expiration.
B. Create a security group with a time-based membership that expires automatically after 30 days. [Correct]
C. Assign each intern directly to the folder permissions and set a calendar reminder to revoke.
D. Create a security group, add interns, and manually remove them after 30 days.
Explanation: Time-based group membership automates the access lifecycle, aligning with least privilege.
Which TWO are characteristics of Role-Based Access Control (RBAC)?
A. Users are assigned to roles and inherit permissions from those roles. [Correct]
B. Object owners can delegate permissions to others.
C. Access decisions are based on security labels.
D. It enforces a centralized policy that cannot be overridden by users.
E. Permissions are assigned to roles, not individual users. [Correct]
Explanation: Role assignment is fundamental to RBAC. RBAC groups permissions into roles.
During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?
A. Preserve forensic evidence from the isolated systems. [Correct]
B. Wipe and rebuild all affected systems.
C. Notify law enforcement immediately.
D. Pay the ransom to restore operations quickly.
Explanation: Preserving evidence supports investigation and potential legal action.
An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfiguration and testing tasks add another 3 hours. Which action best addresses this gap?
A. Conduct the restore test only during annual disaster recovery drills.
B. Reduce the recovery point objective (RPO) to minimize data loss.
C. Increase the RTO to 6 hours.
D. Automate the configuration and validation steps after restore. [Correct]
Explanation: Automation reduces manual time, helping meet the 4-hour RTO.
A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?
A. Identification phase
B. Eradication phase [Correct]
C. Recovery phase
D. Preparation phase
Explanation: Eradication includes containment actions like blocking IPs and removing malware.
A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?
A. Hot site [Correct]
B. Mobile site
C. Cold site
D. Warm site
Explanation: A hot site is fully operational with all necessary hardware, software, and data.
An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?
A. High recovery point objective (RPO)
B. Data encryption overhead
C. Insufficient bandwidth between sites
D. Increased latency for write operations [Correct]
Explanation: Synchronous replication requires an acknowledgment from the backup site before each write completes, so the latency added grows with the distance between sites.
Which TWO actions are appropriate during the identification phase of incident response?
A. Conduct a post-mortem analysis.
B. Correlate alerts from multiple sources. [Correct]
C. Review system logs for anomalies. [Correct]
D. Restore data from backups.
E. Disconnect affected systems from the network.
Explanation: Alert correlation aids in identifying incidents. Log review helps identify potential incidents.
A security analyst discovers that an employee's workstation has been infected with ransomware. Which security principle has been directly violated?
A. Availability
B. Least privilege [Correct]
C. Separation of duties
D. Defense in depth
Explanation: The user likely had excessive permissions.
A company is designing a new authentication system for remote employees. They want to ensure that if one authentication factor is compromised, the system remains secure. Which security principle should they apply?
A. Fail-safe
B. Least privilege
C. Need to know
D. Defense in depth [Correct]
Explanation: Multiple authentication factors provide layered security.
During a security audit, it is found that a database administrator can access payroll data. The company policy states that administrators should not have access to sensitive HR data. Which security principle is being violated?
A. Accountability
B. Least privilege
C. Separation of duties [Correct]
D. Privacy
Explanation: The DBA should not have access to payroll data.
A company has implemented a policy where all employees must use a smart card and PIN to access the data center. Which security principle does this practice support?
A. Keep it simple
B. Defense in depth [Correct]
C. Least privilege
D. Fail-safe
Explanation: Multiple factors create depth.
A security engineer is configuring a firewall to allow web traffic but block all other inbound connections. The firewall is set to deny all traffic by default and only allow specific ports. Which security principle is being applied?
A. Default deny [Correct]
B. Defense in depth
C. Fail-safe
D. Least privilege
Explanation: The firewall denies everything by default.
An organization is implementing a new system that processes financial transactions. To reduce the risk of fraud, they ensure that no single individual can both initiate and approve a transaction. Which security principle is this?
A. Need to know
B. Separation of duties [Correct]
C. Accountability
D. Least privilege
Explanation: Initiation and approval are separate duties.
A security analyst notices that an internal web server is receiving a high volume of TCP SYN packets from a single external IP address, but the server is not sending SYN-ACK replies. The server's CPU and memory usage are normal. What is the most likely cause?
A. A firewall rule is blocking inbound SYN-ACK packets
B. The server is under a SYN flood attack, filling the connection queue [Correct]
C. The server's TCP/IP stack has crashed
D. The server is experiencing a distributed denial-of-service (DDoS) attack
Explanation: SYN flood attacks fill the server's half-open connection queue, preventing it from sending SYN-ACKs.
A network administrator is designing a DMZ to host a public-facing web server and a database server that should only be accessible from the web server. Which of the following firewall rule sets best achieves this design?
A. Allow inbound HTTP/HTTPS to web server; allow web server to database on port 3306; deny all else [Correct]
B. Allow web server to initiate outbound connections to internet; allow database to initiate connections to web server; deny all else
C. Allow inbound HTTP/HTTPS to web server; allow all traffic from web server to database; deny all else
D. Allow inbound HTTP/HTTPS to web server; allow inbound SQL from internet to database; deny all else
Explanation: This permits necessary traffic and restricts database access to only the web server.
A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?
A. The switch is now using a different certificate that is not trusted by the clients [Correct]
B. The switch is not forwarding EAP packets properly due to a firmware bug
C. The RADIUS shared secret was changed during the firmware update
D. The authentication server (NPS) is overloaded and dropping requests
Explanation: The firmware update may have changed the certificate presented by the switch, and clients do not trust it.
A security engineer is configuring a network intrusion detection system (NIDS) to monitor traffic on a critical subnet. To minimize false positives, which of the following should the engineer baseline first?
A. The results of a recent vulnerability scan
B. The normal traffic patterns during peak business hours [Correct]
C. The latest attack signatures from the vendor
D. The firewall logs from the past 24 hours
Explanation: Baseline normal traffic to identify anomalies.
A company's remote access VPN uses IPsec with pre-shared keys. Employees report that they cannot connect from home. The VPN server logs show 'IKE authentication failed.' The help desk confirms the pre-shared keys are correct. Which of the following is the most likely cause?
A. The client is behind a NAT device that blocks IPsec traffic
B. The VPN server is not responding to IKE requests
C. The client's certificate has expired
D. The IKE phase 1 parameters (encryption, hash, DH group) do not match [Correct]
Explanation: Mismatched parameters cause authentication failure despite correct keys.
During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?
A. Spoof the source IP address of the attacker's machine
B. Launch a denial-of-service attack against the target
C. Perform a stealth scan using a zombie host to hide the attacker's identity [Correct]
D. Evade a firewall by fragmenting packets
Explanation: Idle scan uses IP ID to map a zombie's activity and infer port states.
A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?
A. Perform a forensic analysis of the user's workstation
B. Reset the user's password and enforce multi-factor authentication
C. Disable the user account immediately
D. Initiate the incident response process [Correct]
Explanation: The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.
A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?
A. Deploying a web application firewall
B. Enabling verbose logging for authentication events
C. Increasing password complexity requirements
D. Implementing account lockout policies [Correct]
Explanation: Account lockout policies limit the number of failed attempts, preventing continued brute-force attacks.
An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?
A. Intrusion detection system alerts
B. DNS query logs from internal DNS servers [Correct]
C. Firewall deny logs
D. Authentication logs from domain controllers
Explanation: DNS logs are less frequently used for real-time security monitoring and can be archived with lower priority.
During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?
A. Disable SSH on all servers
B. Notify the server owners and wait for their response
C. Document the finding and include it in the audit report
D. Modify the firewall rules to allow SSH only from specific management IPs [Correct]
Explanation: This directly mitigates the vulnerability by restricting access.
A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?
A. Restore the workstation from a recent backup
B. Disconnect the workstation from the network [Correct]
C. Reboot the workstation in safe mode
D. Run a full antivirus scan
Explanation: Network isolation is the primary containment step to halt lateral movement.
An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?
A. Denial of service attack
B. Brute-force attack
C. Credential theft or session hijacking [Correct]
D. Man-in-the-middle attack
Explanation: Logins from impossible travel locations indicate that credentials may be used by an attacker.
The CC exam has 100 questions and must be completed in 120 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 5 domains: Access Controls Concepts, Business Continuity, DR & Incident Response, Security Principles, Network Security, Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official ISC2 CC exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.