CCNA Cysa Reporting Communication Questions

75 of 84 questions · Page 1/2 · Cysa Reporting Communication topic · Answers revealed

1
MCQ · hard

An organization is preparing evidence for a compliance audit. Which of the following pieces of evidence would BEST demonstrate that a security control is effective?

A. A screenshot of the control configuration
B. A policy document describing the control
C. A control effectiveness report with test results and metrics
D. An email from the system owner stating the control is working
Answer: C

Correct. This provides proof that the control is working effectively.

Why this answer

To demonstrate control effectiveness, evidence should show that the control is operating as intended. A control effectiveness report that includes testing results and metrics directly demonstrates effectiveness.

2
MCQ · medium

A company experiences a data breach involving personal data of EU citizens. Under GDPR, what is the maximum time frame to notify the supervisory authority?

A. 7 days
B. 24 hours
C. 48 hours
D. 72 hours
Answer: D

GDPR requires notification within 72 hours.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of a breach.

3
MCQ · medium

Which of the following BEST describes the purpose of a risk register in the context of reporting and communication?

A. To document vulnerabilities found during scans
B. To record all security incidents and their outcomes
C. To list compliance requirements and deadlines
D. To provide a structured way to track identified risks, their likelihood, impact, and mitigation actions
Answer: D

Correct. This is the primary purpose of a risk register.

Why this answer

A risk register is a central document that captures identified risks, their assessments, mitigation plans, and status. It supports ongoing risk management and communication to stakeholders.

4
MCQ · easy

Which metric would best indicate the effectiveness of an organization's patch management program?

A. Phishing simulation click rates
B. Open vulnerability counts by severity
C. Mean time to detect (MTTD)
D. Patch SLA compliance percentage
Answer: D

Directly measures patching timeliness.

Why this answer

Patch SLA compliance percentage directly measures how often patches are applied within required timeframes.

5
MCQ · medium

A phishing simulation is conducted, and the click rate is reported to management. What does a high click rate indicate?

A. Employees are well-trained in security
B. The phishing simulation was not realistic
C. The organization has strong technical controls
D. There is a need for more security awareness training
Answer: D

High click rate shows users are falling for phishing, requiring training.

Why this answer

A high click rate suggests that employees are susceptible to phishing, indicating a need for security awareness training.

6
MCQ · hard

An analyst is evaluating the performance of the security operations center (SOC). Which metric best indicates the team's ability to contain an active threat?

A. Mean time to detect (MTTD)
B. Patch SLA compliance %
C. Mean time to respond (MTTR)
D. Open vulnerability counts by severity
Answer: C

MTTR measures the time from detection to response, including containment.

Why this answer

Mean Time to Respond (MTTR) measures the average time taken to contain and remediate an incident, directly reflecting containment speed.

7
Multi-Select · medium

During a security incident, which THREE elements are critical to include in the incident report for a compliance review?

Select 3 answers
A. Lessons learned
B. Impact assessment
C. Remediation timeline
D. Timeline of events
E. Root cause analysis
Answers: B, D, E

Quantifies damage to data, systems, and finances.

Why this answer

Timeline, impact assessment, and root cause are essential for understanding the incident and meeting compliance requirements. Lessons learned are important for improvement but not always mandatory for compliance; remediation timeline may be separate.

8
Multi-Select · medium

During a security incident, a cybersecurity analyst must communicate with various stakeholders. Which TWO are appropriate internal escalation paths? (Select TWO.)

Select 2 answers
A. Legal and compliance department
B. Law enforcement
C. Customers
D. Incident response team
E. Media
Answers: A, D

Handles legal and regulatory implications.

Why this answer

Internal escalation typically goes to the incident response team for technical handling and to legal/compliance for regulatory and liability issues. Law enforcement, customers, and the media are all external parties; they are reached through the organization's external communication plan, not through internal escalation.

9
Multi-Select · easy

A security analyst is creating metrics for a security dashboard aimed at executive leadership. Which THREE metrics are most appropriate for this audience? (Select THREE.)

Select 3 answers
A. Phishing simulation click rates
B. Number of security incidents by category
C. Mean time to detect (MTTD)
D. Vulnerability scan details for individual hosts
E. Firewall rule change request logs
Answers: A, B, C

Indicates user awareness program effectiveness.

Why this answer

Executives prefer high-level metrics that show overall security posture, trends, and business impact.

10
MCQ · medium

After a security incident, which component of the incident report provides a chronological sequence of events from detection to recovery?

A. Timeline
B. Lessons learned
C. Root cause
D. Impact assessment
Answer: A

The timeline documents the sequence of events.

Why this answer

The timeline is a critical component that shows the order of events during an incident.

11
MCQ · easy

Which metric is commonly used to measure the average time it takes to identify that a security incident has occurred?

A. MTTD (Mean Time to Detect)
B. MTTRem (Mean Time to Remediate)
C. MTTR (Mean Time to Respond)
D. Patch SLA Compliance %
Answer: A

Correct. MTTD is the metric for detection speed.

Why this answer

Mean Time to Detect (MTTD) measures the average time between the start of an incident and its detection. It is a key metric for evaluating the effectiveness of monitoring and detection capabilities.

12
MCQ · easy

After a phishing simulation, the security team wants to report the results to management. Which metric is most appropriate to include in the report?

A. Total number of employees
B. Number of phishing emails blocked at the gateway
C. Mean time to detect phishing emails
D. Phishing simulation click rate
Answer: D

This metric directly reflects user behavior in the simulation.

Why this answer

Phishing simulation click rate measures the percentage of users who clicked a simulated phishing link, a key metric for security awareness.

13
Multi-Select · easy

A cybersecurity analyst is building a compliance dashboard for an upcoming audit. Which TWO metrics are most relevant for demonstrating effective patch management? (Select TWO.)

Select 2 answers
A. Open vulnerability counts by severity
B. Security incidents by category
C. Patch SLA compliance %
D. Mean time to detect (MTTD)
E. Phishing simulation click rates
Answers: A, C

Shows current vulnerability backlog by severity.

Why this answer

Patch SLA compliance % shows adherence to patching timelines, and open vulnerability counts by severity show the current risk posture. Mean time to remediate is also relevant but not listed as an option; here the two best are patch SLA compliance and open vulnerabilities.

14
Multi-Select · hard

A cybersecurity analyst is presenting risk findings to the board of directors. Which THREE types of impact should be emphasized to effectively communicate business risk? (Select THREE.)

Select 3 answers
A. Operational impact
B. Financial impact
C. Technical impact
D. Regulatory penalties
E. Reputational impact
Answers: B, D, E

Direct monetary losses.

Why this answer

Business risk communication should focus on financial impact, reputational impact, and regulatory penalties as these resonate with business leaders. Technical impact is too detailed.

15
MCQ · medium

During a security incident, a CySA+ analyst needs to communicate the status to the CISO. Which type of report is most appropriate for this purpose?

A. Technical report with packet captures
B. Executive dashboard
C. Vulnerability scan report
D. Threat intelligence feed
Answer: B

Executive dashboards present summarized, actionable information for leadership.

Why this answer

An executive dashboard provides a high-level, real-time view of key metrics and incident status suitable for executive communication.

16
MCQ · easy

Which of the following is the best example of a Key Performance Indicator (KPI) for patch management?

A. Patch SLA compliance percentage
B. Mean time to detect vulnerabilities
C. Number of security incidents
D. Number of vulnerabilities discovered
Answer: A

This KPI measures patch timeliness.

Why this answer

Patch SLA compliance percentage measures how often patches are applied within the agreed timeline, a key performance indicator.

17
MCQ · medium

A security analyst must present a risk assessment to the board of directors. Which approach is most effective for communicating technical risks?

A. Focus solely on CVSS scores
B. Provide raw log data
C. Translate technical risk into business impact
D. Use technical jargon to demonstrate expertise
Answer: C

This aligns risks with business objectives and is more understandable.

Why this answer

Translating technical risks into business impact (e.g., financial, reputational) helps non-technical stakeholders understand and prioritize risks.

18
MCQ · medium

During a compliance audit, the auditor requests evidence of access reviews. Which of the following would be the MOST appropriate evidence to provide?

A. Vulnerability scan reports
B. A list of all user accounts and their creation dates
C. Completed access review sign-off sheets with manager approvals
D. Logs of successful and failed login attempts
Answer: C

Correct. This evidence directly shows that access reviews were performed and approved.

Why this answer

Access review documentation, such as sign-off sheets or reports showing review and approval of user access rights, directly demonstrates that periodic access reviews are conducted.

19
Multi-Select · medium

A security analyst is preparing an incident report after a ransomware attack. Which two components must be included in the report? (Select TWO.)

Select 2 answers
A. Resume of the incident responder
B. Root cause analysis
C. Marketing department's budget
D. Timeline of the incident
E. Software license keys
Answers: B, D

Root cause is essential to prevent recurrence.

Why this answer

An incident report should include a timeline of events, impact assessment, root cause, lessons learned, and recommendations. Timeline and root cause are essential.

20
MCQ · medium

During a security incident, which of the following should be the FIRST communication to internal stakeholders?

A. Notification to law enforcement
B. Press release to customers
C. Update to the risk register
D. Internal escalation to the incident response team
Answer: D

First step per incident response plan.

Why this answer

Internal escalation procedures dictate notifying the incident response team and relevant management first.

21
MCQ · hard

Which type of threat intelligence report is most appropriate for communicating long-term trends and strategic risks to senior executives?

A. Technical intelligence
B. Tactical intelligence
C. Operational intelligence
D. Strategic intelligence
Answer: D

Strategic reports are tailored for executive decision-making.

Why this answer

Strategic intelligence reports provide high-level analysis of threats, trends, and risks for decision-makers.

22
MCQ · medium

A vulnerability report includes a risk acceptance section. Which of the following scenarios is most appropriate to include in this section?

A. A vulnerability that has been exploited in the wild
B. A critical vulnerability that has been patched
C. All open vulnerabilities regardless of severity
D. A medium-severity vulnerability with a compensating control that reduces risk to acceptable levels
Answer: D

This is a valid reason for risk acceptance.

Why this answer

Risk acceptance is documented when the organization decides not to remediate a vulnerability due to compensating controls or low risk.

23
MCQ · easy

Which component of an incident report describes the sequence of events from detection to resolution?

A. Root cause
B. Impact assessment
C. Lessons learned
D. Timeline
Answer: D

The timeline details the sequence of events.

Why this answer

The timeline provides a chronological account of events, crucial for understanding the incident's progression.

24
Multi-Select · medium

An organization is preparing evidence for an audit of access controls. Which THREE types of evidence should be collected? (Select THREE.)

Select 3 answers
A. Network flow data
B. Access review documentation
C. Vulnerability scan reports
D. Log exports of user access events
E. Incident response reports
Answers: B, C, D

Shows periodic review of user permissions.

Why this answer

Audit evidence for access controls includes log exports (showing access events), access reviews (certifying user permissions), and vulnerability scan reports (identifying misconfigurations). Incident reports are not directly relevant.

25
MCQ · hard

During an incident, the security team discovers that customer personally identifiable information (PII) was exfiltrated. Which of the following notifications must be made according to GDPR?

A. Notify law enforcement within 48 hours
B. Notify all customers within 24 hours
C. Notify the supervisory authority within 72 hours and affected individuals without undue delay if high risk
D. Notify the data protection officer only
Answer: C

This matches GDPR requirements.

Why this answer

Under GDPR, if a breach is likely to result in a high risk to individuals, the organization must notify the affected data subjects without undue delay.

26
Multi-Select · medium

A cybersecurity analyst is preparing an incident report after a data breach. Which TWO components are essential to include? (Select TWO.)

Select 2 answers
A. Root cause
B. Timeline
C. Budget forecast
D. Employee performance review
E. Marketing analysis
Answers: A, B

Root cause is critical for understanding why the incident occurred.

Why this answer

Root cause and timeline are standard components of incident reports.

27
MCQ · medium

After a ransomware incident, the incident report includes lessons learned. Which of the following is the BEST example of a lesson learned?

A. The ransomware encrypted 500 files.
B. The incident started at 2:00 AM.
C. The root cause was a phishing email.
D. Implement multi-factor authentication for remote access to reduce risk.
Answer: D

This is an actionable recommendation.

Why this answer

Lessons learned should be actionable recommendations to prevent recurrence.

28
Multi-Select · hard

An organization has experienced a data breach involving personal information of EU residents. The incident response team is preparing communications. Which THREE of the following are mandatory actions under GDPR? (Select THREE.)

Select 3 answers
A. Notify all affected data subjects without undue delay if high risk
B. Document the breach and remediation actions
C. Publish a public notice in the local newspaper
D. Notify law enforcement within 24 hours
E. Notify the supervisory authority within 72 hours
Answers: A, B, E

Required by GDPR Article 34.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours, documentation of the breach, and notification to affected individuals if high risk.

29
Multi-Select · medium

A security analyst is preparing a compliance report for an upcoming audit. The auditor has requested evidence of access controls. Which TWO of the following would provide appropriate evidence? (Select TWO.)

Select 2 answers
A. Recent access review reports
B. A network topology diagram
C. User account audit logs showing privilege changes
D. A list of all employees
E. The company's password policy
Answers: A, C

Shows periodic review of access rights.

Why this answer

Access review reports and user account audit logs directly demonstrate access control implementation.

30
MCQ · hard

An organization has a risk acceptance process for vulnerabilities that cannot be remediated immediately. Which of the following should be documented in the risk acceptance paperwork?

A. The name of the person who discovered the vulnerability
B. Compensating controls, business justification, and expiration date
C. The patch details and installation instructions
D. The CVSS score and exploitability
Answer: B

These elements are essential for formal risk acceptance.

Why this answer

Risk acceptance documentation should include compensating controls, business justification, and an expiration date or review period.

31
MCQ · medium

A security analyst discovers a critical vulnerability in a web application that stores customer payment data. The analyst needs to report this to the CISO. Which type of report is most appropriate for communicating the business impact of this vulnerability?

A. Compliance report showing PCI DSS control status
B. Technical vulnerability report with CVSS scores and proof of concept
C. Incident report detailing steps to exploit
D. Executive dashboard highlighting financial risk and regulatory penalties
Answer: D

Focuses on business impact, appropriate for CISO.

Why this answer

An executive dashboard provides high-level metrics and business impact summaries suited to executive decision-makers such as the CISO, who needs the financial and regulatory exposure to prioritize action rather than a proof of concept or exploit detail.

32
MCQ · medium

A cybersecurity analyst needs to communicate the risk of a newly discovered vulnerability in a legacy system to the executive leadership. Which approach best translates the technical risk into business risk?

A. Explain the vulnerability's potential impact on revenue, customer trust, and compliance penalties
B. Provide the CVSS score and technical exploit details
C. Recommend immediate patching without further justification
D. Describe the attack vector and required privileges
Answer: A

This translates technical risk into business terms.

Why this answer

Executives care about business impact. Relating the vulnerability to potential financial loss, reputational damage, or regulatory penalties is the most effective way to communicate risk.

33
MCQ · medium

During an incident, which of the following should be the FIRST priority when communicating with law enforcement?

A. Sharing the incident response plan
B. Requesting a warrant for internal investigation
C. Coordinating evidence collection and preservation
D. Providing a list of affected customers
Answer: C

Correct. Ensuring evidence integrity is critical for any legal proceedings.

Why this answer

Law enforcement may need to preserve evidence for legal proceedings. Coordination ensures that evidence is handled properly and that the organization does not inadvertently destroy or compromise evidence.

34
MCQ · easy

Which metric measures the average time it takes for an organization to identify a security incident from the moment it occurs?

A. Mean Time to Resolve (MTTR)
B. Patch SLA compliance percentage
C. Mean Time to Remediate (MTTRem)
D. Mean Time to Detect (MTTD)
Answer: D

MTTD measures detection speed.

Why this answer

Mean Time to Detect (MTTD) is the average time to detect an incident.

35
MCQ · easy

Which type of threat intelligence report is MOST appropriate for a Chief Information Security Officer (CISO) to understand the overall threat landscape and make strategic decisions?

A. Strategic intelligence
B. Operational intelligence
C. Technical intelligence
D. Tactical intelligence
Answer: A

Correct. Strategic intelligence is for executives to understand long-term trends and risks.

Why this answer

Strategic intelligence provides high-level analysis of threats, trends, and risks that impact business decisions. It is designed for senior management and executives.

36
MCQ · medium

A security analyst is preparing an after-action report for a phishing incident. Which component is MOST critical to include to prevent recurrence?

A. Timeline of the incident
B. Lessons learned and recommendations
C. Impact assessment
D. Root cause analysis
Answer: B

Correct. This component directly informs improvements to prevent future incidents.

Why this answer

Lessons learned identify what went well and what did not, and provide actionable recommendations to improve processes and prevent similar incidents.

37
MCQ · hard

During an audit, the compliance team needs to provide evidence that access reviews are performed regularly. Which of the following is the BEST evidence?

A. A list of user accounts with last login dates
B. A policy stating that access reviews should be done quarterly
C. Email reminders sent to managers to perform reviews
D. Signed and dated access review reports
Answer: D

These are direct evidence of completed reviews.

Why this answer

Completed access review reports with timestamps and signatures provide clear evidence that reviews were conducted.

38
MCQ · easy

A cybersecurity analyst is preparing a report for the executive leadership team. Which type of report is most appropriate for communicating high-level security posture and risk to non-technical stakeholders?

A. Threat intelligence feed
B. Technical vulnerability report
C. Executive dashboard
D. Incident response playbook
Answer: C

Executive dashboards summarize key metrics and risks for leadership.

Why this answer

Executive dashboards provide a high-level overview of security posture, using metrics and visualizations that are easily understood by non-technical stakeholders. Technical reports are too detailed.

39
MCQ · easy

A cybersecurity analyst is preparing a vulnerability report for the IT manager. Which section should summarize the most critical risks for the organization?

A. Remediation timeline
B. Risk acceptance
C. Findings by severity
D. Executive summary
Answer: D

The executive summary condenses the most critical risks and actions for decision-makers.

Why this answer

The executive summary provides a high-level overview of the most critical risks and recommended actions for management.

40
Multi-Select · medium

A security analyst is preparing a vulnerability report for management. Which TWO elements should be included in the executive summary? (Select TWO.)

Select 2 answers
A. Raw CVSS scores for all vulnerabilities
B. Detailed technical description of each vulnerability
C. Network topology diagrams
D. Overall risk posture summary
E. Key findings that require management attention
Answers: D, E

Correct. A high-level summary of risk helps management understand the severity.

Why this answer

The executive summary should provide a high-level overview, including the overall risk posture and key findings that require management attention. Detailed technical descriptions are better left for the main body.

41
MCQ · medium

A security analyst needs to present a risk register to a non-technical board. Which of the following formats is most appropriate?

A. A timeline of past incidents
B. A heat map with risk ratings and business impact descriptions
C. A list of CVEs with CVSS scores
D. A detailed network diagram with vulnerability locations
Answer: B

Heat maps and business impact are clear to executives.

Why this answer

A heat map plots each risk by likelihood and impact, and pairing those ratings with plain-language business impact descriptions and mitigation status makes the register understandable to non-technical stakeholders.

42
MCQ · easy

Which metric measures the average time it takes to identify a security incident from the moment it occurs?

A. MTTRem
B. MTTR
C. SLA compliance
D. MTTD
Answer: D

MTTD is Mean Time to Detect.

Why this answer

MTTD (Mean Time to Detect) measures the average time to detect an incident.

43
Multi-Select · hard

After a security incident involving a ransomware attack, the organization needs to communicate with various stakeholders. Which THREE of the following are appropriate actions? (Select THREE.)

Select 3 answers
A. Place legal holds on relevant data
B. Delete all logs to prevent data leakage
C. Publish details on social media immediately
D. Coordinate with law enforcement
E. Notify affected customers as required by law
Answers: A, D, E

To preserve evidence for litigation.

Why this answer

Customer notification, law enforcement coordination, and legal holds are key communication steps during incidents.

44
MCQ · easy

Which metric measures the average time taken to fix a vulnerability after it is identified?

A. Mean time to remediate (MTTRem)
B. Mean time to detect (MTTD)
C. Mean time to respond (MTTR)
D. Patch SLA compliance %
Answer: A

MTTRem measures the time to fix vulnerabilities.

Why this answer

Mean Time to Remediate (MTTRem) specifically tracks the time from identification to remediation.

45
MCQ · medium

A vulnerability report is presented to the IT manager. The report lists 15 critical, 40 high, 100 medium, and 200 low vulnerabilities. The IT manager asks which vulnerabilities should be prioritized for remediation. According to the vulnerability report structure, which section should the analyst reference?

A. Findings by severity
B. Executive summary
C. Remediation timeline
D. Risk acceptance
Answer: A

This section categorizes vulnerabilities by severity, aiding prioritization.

Why this answer

Findings by severity provides a breakdown of vulnerabilities by criticality, guiding prioritization.

46
MCQ · hard

An organization needs to report a data breach involving personal data of EU residents. Under GDPR, what is the maximum time allowed for notifying the supervisory authority after becoming aware of the breach?

A. 48 hours
B. 7 days
C. 24 hours
D. 72 hours
Answer: D

GDPR mandates notification within 72 hours.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of a personal data breach.

47
MCQ · medium

A SOC manager needs to share threat intelligence with the SOC analysts to help them identify and block malicious activity. Which type of intelligence report is MOST appropriate?

A. Operational intelligence report
B. Technical intelligence report
C. Tactical intelligence report
D. Strategic intelligence report
Answer: C

Contains IoCs and technical details for immediate use.

Why this answer

Tactical intelligence provides technical indicators like IoCs, which SOC analysts use for detection and blocking.

48
MCQ · medium

A security analyst is creating a risk register. Which of the following is the most important element to include for each risk?

A. Likelihood and impact rating
B. The exact date the risk was identified
C. The name of the person who discovered the risk
D. The CVSS score of related vulnerabilities
Answer: A

These are fundamental for risk assessment and prioritization.

Why this answer

A risk register should include risk owner, likelihood, impact, and mitigation status. Likelihood and impact help prioritize risks.

49
Multi-Select · medium

A security analyst is selecting Key Performance Indicators (KPIs) for a security operations dashboard. Which THREE metrics are most relevant for measuring incident response effectiveness? (Select THREE.)

Select 3 answers
A. Number of employees
B. Mean time to detect (MTTD)
C. Mean time to remediate (MTTRem)
D. Revenue growth
E. Mean time to respond (MTTR)
Answers: B, C, E

Measures detection speed.

Why this answer

MTTR measures response time, MTTD measures detection time, and MTTRem measures remediation time. These are key incident response metrics.
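The detection, response and remediation metrics that recur across these questions (MTTD, MTTR, MTTRem, patch SLA compliance % and open vulnerability counts by severity) are simple to define but easy to compute misleadingly, for example by counting an incident that is still open in MTTR or treating a not-yet-due finding as an SLA pass. The Python below is an added worked example written for this page, not code from the page's source or from CompTIA; the incident and finding records are constructed sample data, and the SLA_DAYS policy is an assumed one, since the page states no remediation windows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation SLA in days by severity (an illustrative policy, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Incident:
    name: str
    occurred: datetime             # first attacker activity, established by forensics
    detected: datetime             # when the SOC raised the alert
    contained: Optional[datetime]  # None while the incident is still open


@dataclass
class Finding:
    host: str
    severity: str
    found: datetime
    fixed: Optional[datetime]      # None while the vulnerability is still open


def mttd_hours(incidents):
    """MTTD: mean of (detected - occurred). Open incidents count too; they have been detected."""
    return mean((i.detected - i.occurred).total_seconds() / 3600 for i in incidents)


def mttr_hours(incidents):
    """MTTR: mean of (contained - detected) over closed incidents only.
    Returns None when nothing is closed rather than inventing a containment time."""
    closed = [i for i in incidents if i.contained is not None]
    if not closed:
        return None
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in closed)


def mttrem_days(findings):
    """MTTRem: mean of (fixed - found) over remediated findings only."""
    done = [f for f in findings if f.fixed is not None]
    if not done:
        return None
    return mean((f.fixed - f.found).total_seconds() / 86400 for f in done)


def patch_sla_compliance(findings, as_of):
    """Patch SLA compliance %: share of findings closed within SLA, among findings that are
    either closed or already past their SLA due date. An open finding still inside its SLA
    window is not yet due, so it is excluded instead of being counted as a pass.
    Returns (percentage or None, compliant_count, counted)."""
    counted = compliant = 0
    for f in findings:
        due = f.found + timedelta(days=SLA_DAYS[f.severity])
        if f.fixed is not None:
            counted += 1
            if f.fixed <= due:
                compliant += 1
        elif as_of > due:
            counted += 1  # overdue and still open: an SLA breach
    pct = 100.0 * compliant / counted if counted else None
    return pct, compliant, counted


def open_by_severity(findings):
    """Open vulnerability counts by severity (the backlog metric the page pairs with SLA %)."""
    counts = {}
    for f in findings:
        if f.fixed is None:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records, not real data.
INCIDENTS = [
    Incident("phish-01", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 10), datetime(2024, 3, 1, 14)),
    Incident("ransom-02", datetime(2024, 3, 3, 2), datetime(2024, 3, 3, 8), datetime(2024, 3, 3, 14)),
    Incident("recon-03", datetime(2024, 3, 5, 0), datetime(2024, 3, 5, 4), None),  # still open
]
FINDINGS = [
    Finding("web-01", "critical", datetime(2024, 3, 1), datetime(2024, 3, 5)),   # 4 days, within SLA
    Finding("web-02", "critical", datetime(2024, 3, 1), datetime(2024, 3, 15)),  # 14 days, breached
    Finding("app-03", "high", datetime(2024, 3, 10), datetime(2024, 3, 20)),     # 10 days, within SLA
    Finding("db-04", "high", datetime(2024, 2, 1), None),                        # open and overdue
    Finding("db-05", "medium", datetime(2024, 3, 20), None),                     # open, not yet due
    Finding("hr-06", "low", datetime(2024, 3, 25), None),                        # open, not yet due
]
AS_OF = datetime(2024, 4, 1)

if __name__ == "__main__":
    print(f"MTTD (h): {mttd_hours(INCIDENTS):.1f}")
    print(f"MTTR (h): {mttr_hours(INCIDENTS):.1f}")
    print(f"MTTRem (d): {mttrem_days(FINDINGS):.1f}")
    pct, ok, n = patch_sla_compliance(FINDINGS, AS_OF)
    print(f"Patch SLA compliance: {pct:.0f}% ({ok}/{n} due findings)")
    print(f"Open by severity: {open_by_severity(FINDINGS)}")
```

Two design choices matter when these numbers go on a dashboard: MTTR is computed only over contained incidents, so an open incident never drags the average down, and the SLA denominator is findings that are closed or overdue, so a fresh backlog does not inflate the compliance figure. Report the counts alongside the percentage so an auditor can see how many findings the figure rests on.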

50
Multi-Select · hard

A security analyst is collecting evidence for an upcoming compliance audit. Which three types of evidence are typically required? (Select THREE.)

Select 3 answers
A. Employee training attendance records
B. Access review documentation
C. Log exports from critical systems
D. Vulnerability scan reports
E. Marketing brochures
Answers: B, C, D

Demonstrates access control compliance.

Why this answer

Auditors typically require log exports, vulnerability scan reports, and access reviews to verify controls.

51
MCQ · hard

A security analyst is communicating a complex security risk about a new zero-day vulnerability to the board of directors. The board members have varying technical backgrounds. Which approach would be MOST effective?

A. Provide a list of all current vulnerabilities
B. Present the CVSS score and affected systems
C. Describe the potential financial loss, reputational damage, and regulatory fines
D. Explain the technical details of the exploit chain
Answer: C

Focuses on business impact, aligning with board interests.

Why this answer

Translating technical risk to business impact (financial, reputational, regulatory) is key for non-technical stakeholders.

52
MCQ · hard

During an incident, the security team needs to preserve evidence for potential litigation. Which of the following actions is most critical to ensure the admissibility of digital evidence?

A. Creating a bit-for-bit forensic image of affected systems
B. Immediately notifying law enforcement
C. Establishing and maintaining a chain of custody for all evidence
D. Encrypting all evidence files
Answer: C

Chain of custody ensures evidence integrity and admissibility.

Why this answer

Preserving the chain of custody is essential for evidence admissibility, as it documents who handled the evidence and when.

53
MCQ · hard

A cybersecurity analyst is preparing a threat intelligence report for the SOC team. Which type of intelligence should be included to provide actionable indicators of compromise (IoCs)?

A. Tactical intelligence
B. Strategic intelligence
C. Technical intelligence
D. Operational intelligence
Answer: A

Tactical intelligence provides IoCs for immediate action.

Why this answer

Tactical intelligence includes IoCs such as IP addresses, domain names, and hashes that can be used for detection and blocking.

54
MCQ · hard

A vulnerability report is being prepared for an organization's management. Which of the following is the MOST appropriate structure for this report?

A. Charts showing open vulnerability counts over time, without any narrative
B. List of all vulnerabilities sorted by CVSS score, followed by detailed technical descriptions
C. Executive summary, findings by severity, risk acceptance, remediation timeline
D. Network diagram with vulnerability locations, patch status, and compliance checklists
Answer: C

Correct. This structure provides both high-level and detailed information needed for decision-making.

Why this answer

A standard vulnerability report includes an executive summary for high-level decision-makers, findings grouped by severity, risk acceptance decisions, and a remediation timeline.

55
Multi-Select · hard

An organization is preparing for a compliance audit. Which TWO of the following are essential pieces of evidence to demonstrate effective vulnerability management?

Select 2 answers
A. Network topology diagrams
B. Employee training logs
C. Vulnerability scan reports
D. Patch management reports
E. Incident response playbooks
Answers: C, D

Provide evidence of scanning and identification of vulnerabilities.

Why this answer

Vulnerability scan reports show identified vulnerabilities, and patch management reports show remediation efforts, together demonstrating the vulnerability management lifecycle.

56
MCQ · hard

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the supervisory authority?

A. 24 hours
B. 7 days
C. 48 hours
D. 72 hours
Answer: D

Correct. GDPR mandates notification within 72 hours.

Why this answer

GDPR Article 33 requires that data breaches be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

57
MCQ · hard

A security analyst needs to present the risk of an unpatched critical vulnerability to the board of directors. Which of the following is the most effective way to communicate the risk?

A. Explain the potential financial loss and reputational damage.
B. Show the CVSS score and exploit complexity.
C. Recommend immediate patching without details.
D. Describe the vulnerability in technical terms.
Answer: A

This translates technical risk to business risk.

Why this answer

Boards care about business impact, not technical details. Quantifying financial exposure helps them understand urgency.

58
MCQ, medium

Which compliance reporting requirement under GDPR mandates that organizations notify the relevant supervisory authority within a specific timeframe after becoming aware of a personal data breach?

A. 72 hours
B. 7 days
C. 24 hours
D. 48 hours
Answer: A

GDPR Article 33 requires notification within 72 hours.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of awareness.

59
MCQ, easy

Which of the following metrics measures the average time it takes to identify a security incident after it occurs?

A. Patch SLA compliance percentage
B. Mean time to remediate (MTTRem)
C. Mean time to respond (MTTR)
D. Mean time to detect (MTTD)
Answer: D

Correct definition.

Why this answer

MTTD is specifically defined as the average time to detect an incident.

60
MCQ, medium

During a security incident involving a potential data breach, the CISO asks you to prepare a communication for the board of directors. What is the MOST important aspect to emphasize in this communication?

A. The specific malware used and its technical attributes
B. The names of the IT staff who first detected the incident
C. A step-by-step timeline of the incident response actions taken so far
D. The financial impact, reputational risk, and potential regulatory penalties
Answer: D

Correct. Business risk communication is key for executive audiences.

Why this answer

Board members are non-technical stakeholders who need to understand the business impact. The communication should translate technical details into financial, reputational, and regulatory consequences.

61
Multi-Select, medium

Which three metrics are commonly used to measure the effectiveness of a security operations center (SOC)? (Select THREE.)

Select 3 answers
A. Number of firewall rules
B. Number of employees in the SOC
C. Mean Time to Respond (MTTR)
D. Mean Time to Remediate (MTTRem)
E. Mean Time to Detect (MTTD)
Answers: C, D, E

These metrics measure detection, response, and remediation times.

Why this answer

MTTD, MTTR, and MTTRem are standard SOC metrics to measure detection and response effectiveness.

62
MCQ, hard

An organization's compliance dashboard shows a control effectiveness score of 85%. Which type of evidence best supports this score?

A. Incident response logs
B. Employee training records
C. Vendor documentation
D. Penetration test results and audit reports
Answer: D

These provide objective evidence of control performance.

Why this answer

Control effectiveness evidence, such as penetration test results and audit reports, directly demonstrates how well controls are working.

63
MCQ, medium

An incident report includes a section that details the sequence of events from initial compromise to containment. Which component of the incident report does this describe?

A. Impact assessment
B. Root cause
C. Lessons learned
D. Timeline
Answer: D

Timeline records events in order.

Why this answer

The timeline component chronologically documents the incident's progression.

64
MCQ, easy

Which of the following is the primary audience for a strategic threat intelligence report?

A. System administrators
B. SOC analysts
C. Executive leadership
D. Incident responders
Answer: C

Strategic intelligence is for executives.

Why this answer

Strategic intelligence is high-level and intended for executive leadership to inform business decisions.

65
MCQ, medium

An organization is preparing for an audit to demonstrate compliance with GDPR. The compliance officer needs to provide evidence of data protection controls. Which of the following would be the BEST evidence to include?

A. The organization's risk register
B. Copies of recent vulnerability scan reports and access review logs
C. Email communications about security incidents
D. A summary of security policies and procedures
Answer: B

These are concrete evidence of controls.

Why this answer

Log exports, configuration reports, vulnerability scans, and access reviews are typical evidence for GDPR audits.

66
Multi-Select, medium

An analyst is preparing a vulnerability report for management. Which THREE sections should be included to effectively communicate findings and remediation? (Select THREE.)

Select 3 answers
A. Executive summary
B. Incident response procedures
C. Network topology diagram
D. Findings by severity
E. Remediation timeline
Answers: A, D, E

The executive summary provides a high-level overview for management; findings by severity and the remediation timeline support prioritization and action.

Why this answer

A vulnerability report typically includes an executive summary for leadership, findings by severity to prioritize, and a remediation timeline for action. Risk acceptance may be part of findings but not always a separate section; here the three essential sections are those listed.

67
MCQ, medium

An analyst is creating a compliance dashboard for management. Which of the following is the most relevant metric to include regarding patch management?

A. Number of antivirus alerts
B. Phishing simulation click rate
C. Mean time to detect incidents
D. Patch SLA compliance %
Answer: D

This metric shows compliance with patching deadlines.

Why this answer

Patch SLA compliance percentage directly measures how well the organization meets patch deadlines, which is a key compliance metric.

68
MCQ, medium

Which of the following is a key component of a vulnerability report that provides a high-level overview for management?

A. Remediation timeline
B. Executive summary
C. Findings by severity
D. Risk acceptance
Answer: B

The executive summary is designed for management.

Why this answer

The executive summary condenses findings for management to quickly understand the state of vulnerabilities.

69
MCQ, medium

During an incident response, the SOC team identifies a data breach involving customer PII. Under GDPR, what is the maximum time frame to notify the supervisory authority?

A. 96 hours
B. 72 hours
C. 24 hours
D. 48 hours
Answer: B

Correct under GDPR Article 33.

Why this answer

GDPR Article 33 requires notification within 72 hours of becoming aware of a personal data breach.

70
Multi-Select, hard

A security analyst is creating a compliance dashboard for a PCI DSS audit. Which THREE metrics should be included to demonstrate compliance with access control requirements? (Select THREE.)

Select 3 answers
A. Number of failed login attempts in the last 24 hours
B. Number of critical vulnerabilities in network devices
C. Number of active user accounts with privileged access
D. Percentage of accounts that have been inactive for more than 90 days
E. Percentage of accounts that have undergone access review in the last quarter
Answers: C, D, E

Correct. Tracking privileged accounts is important for access control.

Why this answer

PCI DSS requires strict access controls, including unique IDs, timely deactivation, and periodic reviews. Failed login attempts and vulnerability scan results are not direct access control metrics.

71
MCQ, medium

During a security incident, the SOC team identifies indicators of compromise (IoCs) related to a new malware strain. Which type of threat intelligence report should be produced for the SOC team to enhance detection?

A. Tactical intelligence report with IoCs and detection signatures
B. Technical intelligence report on malware code analysis
C. Strategic intelligence report on global threat trends
D. Operational intelligence report on threat actor campaigns
Answer: A

Tactical intelligence provides actionable technical details.

Why this answer

Tactical intelligence provides IoCs, TTPs, and actionable details for defenders to detect and mitigate threats.

72
MCQ, medium

An analyst needs to collect evidence for a compliance audit. Which type of evidence is most appropriate to demonstrate that access reviews are performed regularly?

A. Vulnerability scan reports
B. Access review reports
C. Configuration backups
D. Log exports of user activity
Answer: B

These reports document the review process and decisions.

Why this answer

Access review reports serve as direct evidence that reviews are conducted, showing dates and outcomes.

73
MCQ, hard

During a security incident, a SOC analyst identifies that customer PII has been exfiltrated. The company operates in multiple states and processes EU residents' data. Which of the following is the MOST critical immediate communication requirement?

A. Notify law enforcement within 24 hours
B. Notify affected customers within 48 hours
C. Notify the relevant data protection authority within 72 hours
D. Issue a press release within 24 hours
Answer: C

This is the GDPR 72-hour rule for supervisory authority notification.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach involving personal data.

74
MCQ, medium

A security analyst receives a threat intelligence report containing detailed Indicators of Compromise (IoCs) such as IP addresses, file hashes, and domain names. What is the MOST appropriate audience for distributing this type of report?

A. The Security Operations Center (SOC) team
B. External auditors
C. All employees in the organization
D. Senior executives and the board of directors
Answer: A

Correct. The SOC uses tactical IoCs to enhance detection and response.

Why this answer

Tactical intelligence, such as IoCs, is most useful for frontline technical teams like the SOC, who can use it to detect and block threats. Executives typically receive strategic intelligence.

75
Multi-Select, medium

A security analyst needs to provide threat intelligence to different audiences. Which TWO of the following are appropriate dissemination approaches?

Select 2 answers
A. Sending tactical intelligence with IoCs to the SOC team
B. Publishing operational intelligence on the company intranet
C. Discussing classified threat data in public forums
D. Sharing raw intelligence feeds with all employees
E. Providing strategic intelligence reports to executives
Answers: A, E

SOC teams need IoCs for detection and response.

Why this answer

Strategic intelligence for executives helps them understand the threat landscape, while tactical intelligence for SOC teams provides IoCs for detection.
