CCNA Reporting and Communication Questions

16 of 91 questions · Page 2/2 · Reporting and Communication · Answers revealed

76
MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A. No mention of the accepted risk
B. Only the analyst's personal opinion
C. Risk owner, reason, compensating controls, review date, and expiry
D. A permanent exception with no review
Answer: C

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance. This includes the risk owner, the reason for accepting the risk, any compensating controls in place, a review date to reassess the risk, and an expiry date for the acceptance. For a legal/privacy stakeholder, this documentation provides an auditable trail that demonstrates due diligence and compliance with regulatory requirements, such as GDPR or HIPAA.

Exam trap

Cisco often tests the misconception that a risk acceptance report can simply note the decision without detailing the compensating controls or expiry, leading candidates to choose an incomplete answer that omits critical audit trail elements.

How to eliminate wrong answers

Option A is wrong because omitting the accepted risk from the report would violate audit and compliance standards; legal/privacy stakeholders require full disclosure of all risks to assess liability and regulatory exposure. Option B is wrong because including only the analyst's personal opinion is subjective and lacks the objective, verifiable data needed for legal and privacy review; such opinions are not defensible in an audit or legal proceeding.

77
Drag & Drop · medium

Order the steps for setting up a SIEM (Security Information and Event Management) system.


Why this order

SIEM setup includes installation, log source configuration, rule definition, log onboarding, and dashboard creation.

78
MCQ · easy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is the SOC manager, which content choice is most appropriate?

A. A public press statement draft first
B. Confidential unrelated customer data
C. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
D. Internal blame speculation
Answer: C

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option C is correct because when a third-party vendor causes an outage during remediation, the communication must focus on operational and contractual details: the exact timeline of the outage, the scope of service impact (e.g., number of users affected, systems down), evidence (e.g., logs, monitoring alerts), required corrective actions to prevent recurrence, and contractual follow-up (e.g., SLA breach, penalties). This aligns with the SOC manager's need for actionable, factual data to manage incident response and vendor accountability, not public relations or unrelated data.

Exam trap

Cisco often tests the distinction between internal operational communication (for SOC managers) and external/public communication (for PR or legal), so candidates mistakenly choose a press statement or irrelevant data instead of the structured incident details required for vendor accountability.

How to eliminate wrong answers

Option A is wrong because a public press statement draft is premature and inappropriate for internal communication to a SOC manager; the primary audience needs technical and operational details, not public messaging. Option B is wrong because sharing confidential unrelated customer data violates data privacy regulations (e.g., GDPR, HIPAA) and is irrelevant to the vendor-caused outage; the communication must focus on the incident itself, not exposing other customer information.

79
MCQ · medium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the technical remediation owner, which content choice is most appropriate?

A. Only a red/yellow/green chart
B. Only the CVE headline
C. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D. Only estimated financial loss
Answer: C

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the remediation owner. This includes identifying affected assets and package versions, specifying patch commands or vendor guidance, outlining a validation method to confirm the fix, and including rollback notes in case the patch causes issues. Without these details, the remediation owner cannot execute the fix reliably or verify its success.

Exam trap

Cisco often tests the distinction between reporting to executives (which uses summary charts) and providing technical remediation details to the remediation owner, leading candidates to mistakenly choose a high-level summary like a chart or CVE headline instead of the actionable, step-by-step content required for the technical audience.

How to eliminate wrong answers

Option A is wrong because a red/yellow/green chart is a status summary for executive reporting, not a technical remediation plan; it lacks the specific commands, versions, and validation steps needed to fix an OpenSSL vulnerability. Option B is wrong because only the CVE headline (e.g., CVE-2024-XXXX) provides no actionable information; the remediation owner needs affected package versions, patch commands, and rollback procedures, not just a vulnerability identifier.

80
MCQ · medium

During a security incident, the SOC analyst determines that the attack is originating from an internal IP address belonging to the finance department. The incident response plan requires escalation to the appropriate team. Which of the following should the analyst contact first?

A. The legal department to handle potential compliance issues.
B. The system administrator for the finance department to isolate the host.
C. The finance department manager to confirm if the activity is authorized.
D. The human resources department for disciplinary action.
Answer: C

Verifying with the department manager confirms if the activity is legitimate before further action.

Why this answer

Option C is correct because the incident response plan requires confirmation of authorization before taking containment actions. Since the activity originates from an internal IP in the finance department, the analyst must first contact the finance department manager to verify whether the traffic is legitimate business use (e.g., a scheduled audit or approved data transfer). This step prevents unnecessary disruption and aligns with the 'verify before act' principle in NIST SP 800-61 incident handling.

Exam trap

CompTIA often tests the misconception that technical containment (e.g., isolating a host) should be the immediate next step, but the correct sequence requires verifying authorization first to avoid disrupting legitimate business operations.

How to eliminate wrong answers

Option A is wrong because legal department involvement is premature at this stage; compliance issues are only considered after unauthorized activity is confirmed, not before verifying authorization. Option B is wrong because isolating the host without first confirming the activity is authorized could disrupt legitimate business operations and violates the verify-before-contain principle; system administrators are contacted after authorization is denied. Option D is wrong because HR disciplinary action is a post-incident response step, only relevant after unauthorized activity is confirmed and attributed to an individual, not during initial triage.

81
MCQ · easy

A security analyst reviews the above bucket policy. Which of the following BEST describes the risk associated with this policy?

A. The bucket is publicly readable, potentially exposing sensitive data
B. The bucket allows anyone to upload malicious files
C. The bucket enforces encryption in transit
D. The bucket requires authentication for access
Answer: A

Principal: * allows unauthenticated access.

Why this answer

Option A is correct because the policy allows any anonymous user to read objects. Option B is wrong because the permitted action is a GET, not a PUT. Option C is wrong because encryption is not addressed by the policy. Option D is wrong because the policy does not require authentication.

82
MCQ · hard

An analyst is preparing a report that includes Personally Identifiable Information (PII) from a data breach. The report will be shared with external auditors. Which of the following is the BEST practice for handling PII in the report?

A. Include full PII in the report for complete transparency
B. Encrypt the report and send it via email to auditors
C. Use tokenization or pseudonymization to mask PII while preserving analytical value
D. Remove all PII entirely, leaving only anonymized records
Answer: C

Enables audit without exposing sensitive data.

Why this answer

Option C is correct because tokenization or pseudonymization replaces PII with non-sensitive placeholders that retain referential integrity and analytical utility, allowing auditors to perform their review without exposing actual personal data. This approach balances transparency requirements with data minimization principles mandated by regulations like GDPR and PCI DSS, unlike full disclosure or simple encryption which still exposes the original data to the recipient.

Exam trap

CompTIA often tests the misconception that encryption alone is sufficient for data protection in reports, but the trap here is that encryption only secures data in transit or at rest, not after decryption by the recipient, whereas tokenization/pseudonymization provides persistent masking even after the data is accessed.

How to eliminate wrong answers

Option A is wrong because including full PII violates the principle of data minimization and unnecessarily exposes sensitive data to external parties, increasing breach risk and non-compliance with privacy regulations. Option B is wrong because encrypting the report only protects data in transit; once decrypted by the auditors, the full PII is exposed in plaintext, offering no ongoing protection against misuse or further disclosure. Option D is wrong because removing all PII entirely destroys the analytical value needed for audit correlation and verification, effectively rendering the report useless for its intended purpose.

83
MCQ · medium

Refer to the exhibit. A security analyst is reviewing SIEM logs and notices repeated entries from the same source IP. Which of the following actions should the analyst take NEXT?

A. Immediately block the source IP at the firewall
B. Check the baseline behavior of the source IP
C. Update the signature database
D. Isolate the affected system for forensic analysis
Answer: B

Comparing against baseline helps determine if the activity is truly anomalous and justifies further action.

Why this answer

Option B is correct because the first step in incident response is to validate whether the activity is malicious by comparing it against a known baseline. Repeated entries from the same source IP could indicate a benign automated process (e.g., a legitimate monitoring tool or scheduled scan) rather than an attack. Checking the baseline behavior prevents unnecessary disruption and aligns with the NIST SP 800-61 incident response framework's emphasis on identification and analysis before containment.

Exam trap

CompTIA often tests the candidate's ability to resist the impulse to immediately block or contain, emphasizing that verification against a baseline is the mandatory next step before any action in the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP without verifying the baseline could disrupt legitimate services (e.g., a corporate VPN concentrator or authorized vulnerability scanner) and violates the principle of least disruption during initial triage. Option C is wrong because updating the signature database is a preventive maintenance task for IDS/IPS systems, not a reactive step for analyzing a specific repeated log entry; it does not help determine if the source IP's behavior is anomalous. Option D is wrong because isolating the affected system for forensic analysis is a containment step that should only occur after confirming the activity is malicious; premature isolation can cause unnecessary downtime and data loss if the system is not actually compromised.

84
MCQ · medium

A security analyst needs to report a critical vulnerability to the executive team. The report should balance technical details with business impact. Which of the following is the BEST approach?

A. Simply state the vulnerability exists and a patch is available
B. Write a 50-page report covering every technical detail and mitigation option
C. Explain the vulnerability in terms of potential business impact and recommended risk treatment
D. Provide a full technical analysis of the vulnerability and remediation steps
Answer: C

This aligns with executive needs: risk, cost, and decision-making.

Why this answer

Option C is correct because it directly addresses the core requirement of balancing technical details with business impact. For a critical vulnerability, the executive team needs to understand the potential financial, operational, and reputational risks, not just the technical flaw. This approach aligns with the NIST risk management framework, which emphasizes communicating risk in terms of business context to enable informed decision-making on risk treatment (e.g., accept, mitigate, transfer, avoid).

Exam trap

CompTIA often tests the distinction between technical completeness and audience-appropriate communication, trapping candidates who choose Option D because they mistake 'full technical analysis' for the best approach, when the question explicitly requires balancing technical details with business impact for an executive audience.

How to eliminate wrong answers

Option A is wrong because simply stating a vulnerability exists and a patch is available lacks the necessary business context and risk assessment; executives need to understand the potential impact on operations, compliance, and revenue to prioritize remediation. Option B is wrong because a 50-page report with every technical detail is excessive and counterproductive for an executive audience, who require concise, actionable summaries focused on risk and business outcomes, not exhaustive technical minutiae. Option D is wrong because providing a full technical analysis and remediation steps, while thorough, fails to translate the vulnerability into business terms; it omits the critical risk treatment recommendation and does not help executives weigh the cost of remediation against potential business disruption.

85
MCQ · hard

A company policy requires that all security incidents be reported to management within one hour of detection. An analyst discovers a low-severity incident (a single malware download attempt blocked by antivirus) at 4:55 PM on a Friday. The analyst is about to leave for the weekend. What should the analyst do?

A. Document the incident in the ticketing system and report it the next business day.
B. Report the incident immediately according to policy, even if it means staying late.
C. Report the incident via email and ignore it until Monday.
D. Wait until Monday morning to report, as it is low severity.
Answer: B

Complying with policy ensures timely reporting, which is mandatory.

Why this answer

Option B is correct because the company policy explicitly requires reporting all security incidents within one hour of detection, regardless of severity. The analyst must report the incident immediately, even if it means staying late, as policy compliance is mandatory and low-severity incidents still represent a security event that could indicate broader compromise or be part of a larger attack chain. Delaying reporting violates the policy and could lead to disciplinary action or missed escalation windows.

Exam trap

The trap here is that candidates assume low-severity incidents can be deferred or handled casually, but Cisco tests strict adherence to policy timelines regardless of severity, emphasizing that all incidents must be reported within the specified window.

How to eliminate wrong answers

Option A is wrong because documenting the incident in the ticketing system but delaying the report until the next business day violates the one-hour reporting policy, and low severity does not exempt the analyst from timely notification. Option C is wrong because reporting via email and then ignoring the incident until Monday fails to ensure the incident is properly tracked, escalated, or remediated, and it does not constitute a complete report within the required timeframe. Option D is wrong because waiting until Monday morning to report, even for a low-severity incident, directly contradicts the policy that mandates reporting within one hour of detection, and severity does not override the reporting requirement.

86
MCQ · medium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the business service owner, which content choice is most appropriate?

A. Only estimated financial loss
B. Only a red/yellow/green chart
C. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D. Only the CVE headline
Answer: C

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the server team to fix the OpenSSL vulnerability. It includes affected assets (specific Linux hosts), package versions (e.g., openssl-1.1.1k), patch commands (e.g., 'yum update openssl' or 'apt-get upgrade openssl'), vendor guidance (e.g., Red Hat or Ubuntu advisories), validation method (e.g., 'openssl version' or 'openssl version -a'), and rollback notes (e.g., 'yum history undo' or snapshot restore). For a business service owner, this content is most appropriate because it translates technical actions into clear, auditable steps that demonstrate risk mitigation and operational planning.

Exam trap

Cisco often tests the distinction between a technical remediation section (actionable steps for engineers) and a business impact summary (for executives), so candidates mistakenly pick a single metric or chart instead of the comprehensive, executable plan required for the server team.

How to eliminate wrong answers

Option A is wrong because only estimated financial loss is a business impact metric, not a technical remediation step; it fails to provide the server team with any actionable commands or procedures to fix the OpenSSL vulnerability. Option B is wrong because only a red/yellow/green chart is a status summary or risk heatmap, not a remediation plan; it lacks the specific package versions, patch commands, and validation methods needed to execute the fix. Option D is wrong because only the CVE headline (e.g., CVE-2022-3786) identifies the vulnerability but gives no technical steps to remediate it; the server team needs patch commands and rollback procedures, not just a reference number.

87
Matching · medium

Match each incident response phase to its activity.


Establish policies and tools

Identify potential incidents

Isolate affected systems

Remove threat from environment

Restore normal operations

Why these pairings

These phases form the incident response lifecycle.

88
MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Mean time to detect, mean time to respond, containment time, and recurrence rate
B. Number of desktop wallpapers changed
C. Number of unused dashboards
D. Total coffee consumed by analysts
Answer: A

These KPIs show detection and response effectiveness over time. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the core operational metrics that directly measure the effectiveness and efficiency of an incident response program. For a SOC manager assessing quarter-over-quarter improvement, these metrics provide actionable insight into detection speed, response agility, containment effectiveness, and whether incidents are being fully remediated to prevent repeats.

Exam trap

Cisco often tests the distinction between operational incident response metrics and irrelevant administrative or cosmetic metrics, trapping candidates who confuse 'activity tracking' with 'performance measurement'.

How to eliminate wrong answers

Option B is wrong because the number of desktop wallpapers changed is an endpoint configuration or user-experience metric, not an incident response performance indicator; it has no bearing on detection, response, or containment. Option C is wrong because the number of unused dashboards is a reporting tool hygiene metric, irrelevant to measuring incident response maturity or improvement over time.

89
MCQ · medium

An analyst runs the above command on a server. Based on the exhibit, which of the following is the MOST likely scenario?

A. The server may be compromised with a remote access trojan listening on port 4444
B. The server is running a legitimate SSH service on port 4444
C. The server is hosting a web service on a non-standard port
D. The server is being used as a proxy for internal clients
Answer: A

Port 4444 is often used by malware.

Why this answer

The command output shows a listening service on port 4444, which is not a standard port for any common service. Port 4444 is commonly associated with remote access trojans (RATs) such as Metasploit's Meterpreter or other malware, making a compromise the most likely scenario. The analyst should investigate further to confirm malicious activity.

Exam trap

CompTIA often tests the association of non-standard ports with common malware or trojans, and the trap here is that candidates may assume any open port is legitimate or overlook the significance of port 4444's known malicious use.

How to eliminate wrong answers

Option B is wrong because SSH runs on port 22 by default (per IANA assignment), and while it could be configured on a non-standard port, there is no evidence of SSH protocol behavior or authentication in the output. Option C is wrong because web services typically use ports 80 (HTTP) or 443 (HTTPS), and port 4444 is not a registered alternative for HTTP/HTTPS. Option D is wrong because proxy services for internal clients commonly use ports like 3128 (Squid) or 8080, and port 4444 is not a standard proxy port.

90
MCQ · medium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest?

A. A raw CSV of 20,000 findings
B. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
C. A list of tool login names
D. A screenshot of every scanner page
Answer: B

Board reporting should connect investment to measurable risk reduction.

Why this answer

Option B is correct because it directly answers the board's question about whether cyber risk is decreasing by presenting a trend in exploitable critical exposures (showing if the number of high-risk vulnerabilities is going down), remediation SLA performance (proving the team is fixing issues within policy), and residual risk by business service (quantifying the remaining risk to critical assets). This combination provides a clear, measurable, and business-aligned view of risk reduction over time, which is exactly what executive leadership needs to make informed decisions.

Exam trap

Cisco often tests the trap that candidates confuse 'data' with 'information' — they think providing more raw data (like a CSV or screenshots) is better, when in fact executives need synthesized, trended, and risk-contextualized metrics that directly answer the business question.

How to eliminate wrong answers

Option A is wrong because a raw CSV of 20,000 findings is unprocessed, overwhelming, and lacks any trend analysis or risk context; it forces the board to perform their own analysis, which is impractical and ineffective for executive communication. Option C is wrong because a list of tool login names is completely irrelevant to demonstrating risk reduction; it provides no vulnerability data, no metrics, and no evidence of program effectiveness. Option D is wrong because a screenshot of every scanner page is a chaotic, non-aggregated dump of raw tool output that obscures trends and fails to translate technical findings into business risk language.

91
Multi-Select · hard

A regulator asks for incident evidence after a data exposure. Which items should be coordinated before disclosure? (Choose two.)

A. Evidence package with timeline, scope, and affected data categories
B. Unreviewed analyst speculation
C. Passwords for all production systems
D. Legal review of notification obligations
Answers: A, D

A structured package supports accurate reporting.

Why this answer

Option A is correct because a coordinated evidence package ensures that the disclosure to the regulator includes a verified timeline, scope, and affected data categories, which is essential for demonstrating due diligence and compliance with breach notification laws. Without this coordination, the evidence may be incomplete or inconsistent, potentially leading to regulatory penalties or loss of trust.

Exam trap

Cisco often tests the distinction between raw, unverified data and coordinated, legally reviewed evidence, so candidates mistakenly choose 'unreviewed analyst speculation' thinking it provides timely insight, but it fails the admissibility and accuracy requirements for regulatory disclosure.
