
ISC2 · Free Practice Questions · Last reviewed May 2026

CC Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

100 exam questions
120 min time limit
Pass: 700/1000
5 exam domains

Domain 1: Access Controls Concepts

Q1 (medium)

An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?

A. Implement mandatory access control (MAC) with labels for all data.
B. Use role-based access control (RBAC) to grant permissions specific to each administrator's duties.
   Correct: RBAC aligns with least privilege by scoping permissions to roles.
C. Allow administrators to self-assign permissions as needed.
D. Assign each administrator full database admin rights for simplicity.

Why: Role-based access control (RBAC) directly enforces the principle of least privilege by granting database administrators only the permissions required for their specific job functions. Unlike MAC, which focuses on data classification labels, RBAC maps roles (e.g., backup admin, security admin) to precise sets of privileges, ensuring no user has unnecessary access.
Q2 (hard)

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

A. Job rotation
B. Need-to-know
C. Separation of duties
D. Least privilege
   Correct: Least privilege requires minimal permissions; write access is excessive.

Why: The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting write access when only read access is required violates this principle by providing unnecessary and potentially harmful capabilities. This is a core access control concept in the CC exam.
Q3 (easy)

Which access control model uses subject and object labels to enforce access based on a security policy?

A. Discretionary Access Control (DAC)
B. Attribute-Based Access Control (ABAC)
C. Mandatory Access Control (MAC)
   Correct: MAC uses labels and a central policy to control access.
D. Role-Based Access Control (RBAC)

Why: Mandatory Access Control (MAC) enforces access decisions based on security labels assigned to subjects (users/processes) and objects (files/resources). The system, not the user, controls access by comparing these labels against a security policy, such as Bell-LaPadula or Biba. This is why MAC is the correct answer for label-based enforcement.
Q4 (medium)

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

A. Need-to-know
B. Separation of duties
   Correct: Separation of duties requires multiple people to complete a sensitive task.
C. Least privilege
D. Job rotation

Why: Separation of duties (SoD) is an access control concept that requires a critical task, such as a financial transaction, to be split into multiple steps performed by different individuals. This prevents any single employee from having the authority to both initiate and approve a transaction, thereby reducing the risk of fraud or error. In this scenario, the policy directly enforces SoD by ensuring that no one person can complete the entire process alone.
Q5 (hard)

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

A. Use a group managed service account with a 30-day password expiration.
B. Create a security group with a time-based membership that expires automatically after 30 days.
   Correct: Time-based group membership automates the access lifecycle, aligning with least privilege.
C. Assign each intern directly to the folder permissions and set a calendar reminder to revoke.
D. Create a security group, add interns, and manually remove them after 30 days.

Why: Option B is correct because Active Directory supports time-based group membership via the `memberTimeToLive` attribute (introduced in Windows Server 2016 and later), which allows a security group to be configured so that members are automatically removed after a specified duration. This eliminates manual intervention and ensures the interns lose access exactly after 30 days without requiring password changes or calendar reminders.
Q6 (medium)

Which TWO are characteristics of Role-Based Access Control (RBAC)?

A. Users are assigned to roles, and inherit permissions from those roles.
   Correct: Role assignment is fundamental to RBAC.
B. Object owners can delegate permissions to others.
C. Access decisions are based on security labels.
D. It enforces a centralized policy that cannot be overridden by users.
E. Permissions are assigned to roles, not individual users.
   Correct: RBAC groups permissions into roles.

Why: Option A is correct because RBAC defines roles that group specific permissions, and users are assigned to these roles. When a user is added to a role, they automatically inherit all permissions associated with that role, simplifying administration and ensuring consistent access rights across the organization.


Domain 2: Business Continuity, DR & Incident Response

Q1 (easy)

During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?

A. Preserve forensic evidence from the isolated systems.
   Correct: Preserving evidence supports investigation and potential legal action.
B. Wipe and rebuild all affected systems.
C. Notify law enforcement immediately.
D. Pay the ransom to restore operations quickly.

Why: After isolating affected systems during a ransomware incident, the next best step is to preserve forensic evidence from those systems. This ensures that data such as memory dumps, logs, and encrypted files are captured intact for analysis, which is critical for understanding the attack vector, identifying the ransomware variant, and potentially recovering data without paying the ransom. Forensic preservation must occur before any remediation steps like wiping or rebuilding, as those actions would destroy the evidence needed for investigation and legal proceedings.
Q2 (medium)

An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfiguration and testing tasks add another 3 hours. Which action best addresses this gap?

A. Conduct the restore test only during annual disaster recovery drills.
B. Reduce the recovery point objective (RPO) to minimize data loss.
C. Increase the RTO to 6 hours.
D. Automate the configuration and validation steps after restore.
   Correct: Automation reduces manual time, helping meet the 4-hour RTO.

Why: The RTO is 4 hours, but the actual recovery time is 2 hours (restore) + 3 hours (reconfigure and test) = 5 hours, exceeding the RTO by 1 hour. Automating the configuration and validation steps (option D) reduces the post-restore manual effort, bringing the total recovery time closer to or within the 4-hour RTO. This directly addresses the gap without altering the RTO or neglecting testing.
Q3 (hard)

A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?

A. Identification phase
B. Eradication phase
   Correct: Eradication includes containment actions like blocking IPs and removing malware.
C. Recovery phase
D. Preparation phase

Why: Option B (Eradication phase) is correct because containment actions such as removing the malicious PowerShell script, terminating the outbound connections, and cleaning the affected system are part of the eradication phase. The incident response lifecycle (NIST SP 800-61) places containment, eradication, and recovery as sequential steps after identification; here, the alert has already been identified, so the most appropriate next step is to eradicate the threat by removing the script and blocking the external IP.
Q4 (easy)

A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?

A. Hot site
   Correct: A hot site is fully operational with all necessary hardware, software, and data.
B. Mobile site
C. Cold site
D. Warm site

Why: A hot site is a fully equipped alternate work site with all necessary IT infrastructure—servers, networking, telecommunications, and power—ready to take over operations immediately. The question specifies 'full IT capabilities,' which aligns with the hot site's purpose of enabling rapid failover with minimal downtime, typically within hours.
Q5 (medium)

An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?

A. High recovery point objective (RPO)
B. Data encryption overhead
C. Insufficient bandwidth between sites
D. Increased latency for write operations
   Correct: Synchronous replication requires acknowledgment from the backup site, causing latency proportional to distance.

Why: Synchronous replication requires the primary site to wait for an acknowledgment from the backup site before completing each write operation. The 500-mile distance introduces a minimum round-trip latency of approximately 8-10 ms (based on fiber optic propagation at ~200 km/ms), which directly increases the time taken for write operations. This latency impact is the most likely risk introduced by this configuration.
Q6 (hard)

Which TWO actions are appropriate during the identification phase of incident response?

A. Conduct a post-mortem analysis.
B. Correlate alerts from multiple sources.
   Correct: Alert correlation aids in identifying incidents.
C. Review system logs for anomalies.
   Correct: Log review helps identify potential incidents.
D. Restore data from backups.
E. Disconnect affected systems from the network.

Why: During the identification phase of incident response, the goal is to detect and confirm that an incident is occurring. Correlating alerts from multiple sources (e.g., IDS/IPS logs, firewall logs, and endpoint detection) helps reduce false positives and provides a clearer picture of the attack chain. Reviewing system logs for anomalies is a core detection technique that can reveal indicators of compromise (IoCs) such as unusual process execution or failed login bursts.


Domain 3: Security Principles

Q1 (easy)

A security analyst discovers that an employee's workstation has been infected with ransomware. Which security principle has been directly violated?

A. Availability
B. Least privilege
   Correct. The user likely had excessive permissions.
C. Separation of duties
D. Defense in depth

Why: Ransomware directly violates the availability security principle because it encrypts files and systems, rendering them inaccessible to authorized users. While the infection may also impact confidentiality or integrity, the immediate and primary effect is denial of access to data and services, which is a breach of availability.
Q2 (medium)

A company is designing a new authentication system for remote employees. They want to ensure that if one authentication factor is compromised, the system remains secure. Which security principle should they apply?

A. Fail-safe
B. Least privilege
C. Need to know
D. Defense in depth
   Correct. Multiple authentication factors provide layered security.

Why: Defense in depth is the correct principle because it involves implementing multiple layers of security controls so that if one authentication factor is compromised, other layers still protect the system. In this scenario, requiring multiple authentication factors (e.g., password plus biometric or token) ensures that a single compromised factor does not grant full access, maintaining overall system security.
Q3 (hard)

During a security audit, it is found that a database administrator can access payroll data. The company policy states that administrators should not have access to sensitive HR data. Which security principle is being violated?

A. Accountability
B. Least privilege
C. Separation of duties
   Correct. The DBA should not have access to payroll data.
D. Privacy

Why: The scenario describes a single database administrator having both the ability to access and modify payroll data, which combines operational and oversight roles. Separation of duties (SoD) is the principle that requires splitting critical tasks and privileges among multiple individuals to prevent fraud or error. Here, the administrator's access violates SoD because they can both manage the database and view sensitive HR data, which should require separate authorization.
Q4 (easy)

A company has implemented a policy where all employees must use a smart card and PIN to access the data center. Which security principle does this practice support?

A. Keep it simple
B. Defense in depth
   Correct. Multiple factors create depth.
C. Least privilege
D. Fail-safe

Why: The use of both a smart card (something you have) and a PIN (something you know) creates a multi-factor authentication mechanism. This layered approach ensures that even if one factor is compromised, the other still provides protection, which is the core of the defense-in-depth principle. Defense in depth is about implementing multiple, overlapping security controls rather than relying on a single point of defense.
Q5 (medium)

A security engineer is configuring a firewall to allow web traffic but block all other inbound connections. The firewall is set to deny all traffic by default and only allow specific ports. Which security principle is being applied?

A. Default deny
   Correct. The firewall denies everything by default.
B. Defense in depth
C. Fail-safe
D. Least privilege

Why: The correct answer is A, Default deny. The scenario describes a firewall configured to deny all traffic by default and then explicitly allow only specific ports (e.g., TCP 80/443 for web traffic). This directly implements the default deny security principle, where any traffic not explicitly permitted is blocked. This contrasts with a default allow posture, which would permit all traffic unless explicitly denied.
Q6 (hard)

An organization is implementing a new system that processes financial transactions. To reduce the risk of fraud, they ensure that no single individual can both initiate and approve a transaction. Which security principle is this?

A. Need to know
B. Separation of duties
   Correct. Initiation and approval are separate duties.
C. Accountability
D. Least privilege

Why: Separation of duties (SoD) is the security principle that prevents a single individual from having conflicting responsibilities, such as both initiating and approving a financial transaction. By splitting these tasks across different roles, the organization reduces the risk of fraud or error because collusion would be required to bypass controls. This is a core internal control mechanism in financial systems and aligns with the principle of dual control.


Domain 4: Network Security

Q1 (easy)

A security analyst notices that an internal web server is receiving a high volume of TCP SYN packets from a single external IP address, but the server is not sending SYN-ACK replies. The server's CPU and memory usage are normal. What is the most likely cause?

A. A firewall rule is blocking inbound SYN-ACK packets
B. The server is under a SYN flood attack, filling the connection queue
   Correct: SYN flood attacks fill the server's half-open connection queue, preventing it from sending SYN-ACKs.
C. The server's TCP/IP stack has crashed
D. The server is experiencing a distributed denial-of-service (DDoS) attack

Why: The correct answer is B because a SYN flood attack works by sending a high volume of TCP SYN packets to a server, filling its half-open connection queue (the backlog) and preventing it from completing the three-way handshake. Since the server's CPU and memory are normal, the issue is not resource exhaustion but rather the queue being saturated, causing the server to stop sending SYN-ACK replies to new connection requests.
Q2 (medium)

A network administrator is designing a DMZ to host a public-facing web server and a database server that should only be accessible from the web server. Which of the following firewall rule sets best achieves this design?

A. Allow inbound HTTP/HTTPS to web server; allow web server to database on port 3306; deny all else
   Correct: This permits necessary traffic and restricts database access to only the web server.
B. Allow web server to initiate outbound connections to internet; allow database to initiate connections to web server; deny all else
C. Allow inbound HTTP/HTTPS to web server; allow all traffic from web server to database; deny all else
D. Allow inbound HTTP/HTTPS to web server; allow inbound SQL from internet to database; deny all else

Why: Option A is correct because it implements the principle of least privilege for a DMZ: it allows inbound HTTP/HTTPS traffic (ports 80/443) to the public-facing web server, then permits only the web server to initiate outbound connections to the database server on port 3306 (MySQL/MariaDB default), and denies all other traffic. This ensures the database is not directly accessible from the internet, reducing the attack surface while still supporting the required application flow.
Q3 (hard)

A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?

A. The switch is now using a different certificate that is not trusted by the clients
   Correct: The firmware update may have changed the certificate presented by the switch, and clients do not trust it.
B. The switch is not forwarding EAP packets properly due to a firmware bug
C. The RADIUS shared secret was changed during the firmware update
D. The authentication server (NPS) is overloaded and dropping requests

Why: The error 'Unknown CA certificate' indicates that the client does not trust the certificate presented by the RADIUS server during PEAP-MSCHAPv2 authentication. After a switch firmware update, the switch may have been reconfigured to use a different server certificate (e.g., a self-signed or internally issued certificate) that is not in the trusted root store of the affected workstations. Since PEAP requires the client to validate the server certificate, a mismatch causes intermittent authentication failures.
Q4 (easy)

A security engineer is configuring a network intrusion detection system (NIDS) to monitor traffic on a critical subnet. To minimize false positives, which of the following should the engineer baseline first?

A. The results of a recent vulnerability scan
B. The normal traffic patterns during peak business hours
   Correct: Baseline normal traffic to identify anomalies.
C. The latest attack signatures from the vendor
D. The firewall logs from the past 24 hours

Why: Baselining normal traffic patterns during peak business hours establishes a reference of legitimate network behavior, which is essential for a NIDS to distinguish benign anomalies from actual threats. Without this baseline, the NIDS may generate false positives by flagging legitimate peak-hour traffic spikes as malicious. This aligns with the principle that anomaly-based detection relies on a statistical model of normal activity to reduce noise.
Q5 (medium)

A company's remote access VPN uses IPsec with pre-shared keys. Employees report that they cannot connect from home. The VPN server logs show 'IKE authentication failed.' The help desk confirms the pre-shared keys are correct. Which of the following is the most likely cause?

A. The client is behind a NAT device that blocks IPsec traffic
B. The VPN server is not responding to IKE requests
C. The client's certificate has expired
D. The IKE phase 1 parameters (encryption, hash, DH group) do not match
   Correct: Mismatched parameters cause authentication failure despite correct keys.

Why: Option D is correct because 'IKE authentication failed' specifically indicates a failure during IKE phase 1, where the peers negotiate security parameters. Even if the pre-shared key is correct, mismatched encryption (e.g., AES vs. 3DES), hash (e.g., SHA-1 vs. SHA-256), or Diffie-Hellman group (e.g., group 2 vs. group 14) will cause the IKE SA to fail, preventing phase 1 authentication from completing.
Q6 (hard)

During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?

A. Spoof the source IP address of the attacker's machine
B. Launch a denial-of-service attack against the target
C. Perform a stealth scan using a zombie host to hide the attacker's identity
   Correct: Idle scan uses IP ID to map a zombie's activity and infer port states.
D. Evade a firewall by fragmenting packets

Why: Setting the IP ID field to 0 and the DF flag in packets is characteristic of an idle scan (also known as a stealth scan). This technique uses a zombie host (with an incremental IP ID) to probe a target; by sending packets with DF set and IP ID 0 to the zombie, the attacker can observe changes in the zombie's IP ID to infer open ports on the target, thereby hiding the attacker's true IP address.


Domain 5: Security Operations

Q1 (medium)

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

A. Perform a forensic analysis of the user's workstation
B. Reset the user's password and enforce multi-factor authentication
C. Disable the user account immediately
D. Initiate the incident response process
   Correct: The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.

Why: Option D is correct because the scenario describes a potential security incident—unauthorized access to sensitive data from an unfamiliar IP address outside business hours—which requires immediate activation of the incident response process. The first step in any security operations workflow is to follow the organization's incident response plan (NIST SP 800-61) to contain, analyze, and remediate the threat. Jumping to forensic analysis, password resets, or account disabling without a coordinated incident response can destroy evidence or fail to address the root cause.
Q2 (easy)

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

A. Deploying a web application firewall
B. Enabling verbose logging for authentication events
C. Increasing password complexity requirements
D. Implementing account lockout policies
   Correct: Account lockout policies limit the number of failed attempts, preventing continued brute-force attacks.

Why: Option D is correct because account lockout policies directly mitigate brute-force attacks by temporarily disabling an account after a defined number of failed login attempts (e.g., 5 failures within 15 minutes). This prevents the attacker from continuing to guess passwords for multiple user accounts from a single external IP, without affecting legitimate users who can be unlocked after a lockout duration or via an administrative reset.
Q3 (hard)

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

A. Intrusion detection system alerts
B. DNS query logs from internal DNS servers
   Correct: DNS logs are less frequently used for real-time security monitoring and can be archived with lower priority.
C. Firewall deny logs
D. Authentication logs from domain controllers

Why: DNS query logs from internal DNS servers are the least critical for ongoing security monitoring because they primarily contain name resolution requests, which are high-volume and low-signal data. While they can be useful for threat hunting or forensic analysis of malware command-and-control (C2) traffic, they are not essential for real-time alerting or immediate incident response. Archiving them first preserves storage for more actionable logs like IDS alerts, firewall denies, and authentication failures.
Q4 (medium)

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

A. Disable SSH on all servers
B. Notify the server owners and wait for their response
C. Document the finding and include it in the audit report
D. Modify the firewall rules to allow SSH only from specific management IPs
   Correct: This directly mitigates the vulnerability by restricting access.

Why: Option D is correct because the immediate priority is to eliminate the critical vulnerability by restricting inbound SSH access to only authorized management IPs. This aligns with the principle of least privilege and the immediate remediation steps in security incident response, as leaving the misconfiguration active even briefly exposes the servers to potential compromise.
Q5 (easy)

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

A. Restore the workstation from a recent backup
B. Disconnect the workstation from the network
   Correct: Network isolation is the primary containment step to halt lateral movement.
C. Reboot the workstation in safe mode
D. Run a full antivirus scan

Why: The first step in the containment phase is to disconnect the workstation from the network. This immediately stops the ransomware from spreading laterally to other systems via SMB, RDP, or other network protocols. Containment prioritizes preventing further damage over remediation or analysis.
Q6 (medium)

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

A. Denial of service attack
B. Brute-force attack
C. Credential theft or session hijacking
   Correct: Logins from impossible travel locations indicate that credentials may be used by an attacker.
D. Man-in-the-middle attack

Why: The SIEM rule detects impossible travel — a user authenticating from two geographically distant locations within a time window too short for physical travel. This behavior strongly indicates that an attacker has stolen the user's credentials (credential theft) or taken over an active session (session hijacking) and is using them from a different location. The SIEM correlates authentication logs (e.g., from Active Directory, VPN, or web apps) with geolocation data (IP-to-location mapping) to flag this anomaly.


Frequently asked questions

How many questions are on the CC exam?

The CC exam has 100 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the CC exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are CC questions organised by domain?

The exam covers 5 domains: Access Controls Concepts; Business Continuity, DR & Incident Response; Security Principles; Network Security; and Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CC exam questions?

No. These are original exam-style practice questions written against the official ISC2 CC exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
