CCNA Business Continuity, DR & Incident Response Questions


1. MCQ (medium)

Refer to the exhibit. What does this indicate?

A. The source file changed during backup
B. The backup medium has errors
C. The verification algorithm is incorrect
D. The backup file is corrupt

Answer: A

File modification during backup leads to checksum mismatch.

Why this answer

The exhibit shows a backup verification failure where the checksum or hash of the source file does not match the backup copy. This typically occurs when the source file is modified during the backup process (e.g., an open file that is being written to), causing the verification algorithm to detect a mismatch. The correct answer is A because the backup software correctly identifies that the source changed, not that the backup medium or file is corrupt.

Exam trap

ISC2 often tests the distinction between backup file corruption and source file modification during backup, trapping candidates who assume any verification failure means the backup is corrupt, when the exhibit's wording or error message explicitly points to a source change.

How to eliminate wrong answers

Option B is wrong because backup medium errors (e.g., bad sectors on tape or disk) would typically manifest as read/write failures or CRC errors during the backup or verification process, not as a checksum mismatch specifically indicating a source file change. Option C is wrong because the verification algorithm (e.g., MD5, SHA-1, or SHA-256) is a standard cryptographic hash function; if it were incorrect, the backup software would fail to compute any valid hash, not produce a mismatch between source and backup. Option D is wrong because a corrupt backup file would usually fail verification with a hash mismatch, but the exhibit explicitly indicates the source file changed during backup, which is a distinct scenario from post-backup corruption.

2. MCQ (hard)

Refer to the exhibit. Which statement best describes compliance with the recovery objectives?

A. Compliant with both RTO and RPO
B. Compliant with RTO but not RPO
C. Compliant with neither
D. Compliant with RPO but not RTO

Answer: B

RTO likely achievable, but RPO is violated due to infrequent backups.

Why this answer

The exhibit shows that the actual Recovery Time Objective (RTO) is 4 hours, which meets the required RTO of 4 hours, so the system is compliant with RTO. However, the actual Recovery Point Objective (RPO) is 2 hours, which exceeds the required RPO of 1 hour, meaning data loss could be up to 2 hours instead of the acceptable 1 hour, thus failing RPO compliance. Therefore, the correct answer is B.

Exam trap

ISC2 often tests the distinction between RTO and RPO by presenting a scenario where one objective is met and the other is not, and the trap is that candidates confuse which metric measures downtime versus data loss, leading them to incorrectly select A or D.

How to eliminate wrong answers

Option A is wrong because it claims compliance with both RTO and RPO, but the actual RPO of 2 hours exceeds the required 1 hour, so RPO is not met. Option C is wrong because it states compliance with neither, but the actual RTO of 4 hours meets the required 4 hours, so RTO is compliant. Option D is wrong because it claims compliance with RPO but not RTO, which is the reverse of the actual situation: RTO is met and RPO is not.

3. MCQ (medium)

A company's BCP requires that critical systems be restored within 2 hours of disruption. Which metric defines this?

A. Mean Time to Repair (MTTR)
B. Recovery Time Objective (RTO)
C. Service Level Agreement (SLA)
D. Recovery Point Objective (RPO)

Answer: B

RTO specifies the maximum acceptable downtime for a system.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time that a system or application can be unavailable after a disruption. In this scenario, the requirement to restore critical systems within 2 hours directly specifies the RTO. It is a key metric in business continuity planning that drives the design of failover and recovery strategies.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates confuse the time to restore service (RTO) with the acceptable data loss window (RPO).

How to eliminate wrong answers

Option A is wrong because Mean Time to Repair (MTTR) measures the average time taken to repair a failed component, not the maximum allowable downtime for a business process. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment between a provider and customer, often including uptime percentages, but it does not define the specific recovery time target for a BCP. Option D is wrong because Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time (e.g., how far back in time data may be lost), not the time to restore service.

4. MCQ (easy)

A mid-sized e-commerce company has a primary data center in New York and a disaster recovery site in Dallas. The application stack includes a web server, application server, and a PostgreSQL database. The database uses synchronous replication to the DR site. During a routine failover test, the IT team discovers that after failing over to Dallas, the web servers in New York continue to attempt connections to the original database IP, causing application errors. The DNS records have been updated to point to the DR database IP, but the web servers are not refreshing their DNS cache. The company uses a standard TTL of 300 seconds. The IT manager needs a solution that ensures minimal disruption during future failovers. Which action should be taken?

A. Add a static host entry in the web servers' hosts file pointing to the DR database IP
B. Increase the DNS TTL to 86400 seconds to ensure all caches are updated quickly
C. Configure the web servers to use a different DNS resolver that does not cache
D. Implement a load balancer or proxy with a virtual IP that can be switched during failover, and update the web server configuration to connect to the virtual IP

Answer: D

A virtual IP (VIP) can be moved between data centers via BGP or similar, so web servers always connect to the same IP, avoiding DNS caching issues.

Why this answer

Option D is correct because it decouples the web servers from the database IP address by introducing a load balancer or proxy with a virtual IP (VIP). During failover, the VIP is simply moved to the DR database, and the web servers continue connecting to the same VIP without any DNS dependency or cache refresh issues. This eliminates the problem of stale DNS caches and ensures minimal disruption, as the connection endpoint remains constant.

Exam trap

ISC2 often tests the misconception that DNS TTL adjustments or cache clearing are sufficient for failover scenarios, but the trap here is that DNS-based solutions inherently introduce propagation delays and cache inconsistencies, whereas a virtual IP provides immediate, transparent failover without relying on DNS resolution.

How to eliminate wrong answers

Option A is wrong because adding a static host entry in the web servers' hosts file would require manual updates on every web server during each failover, which is not scalable and defeats the purpose of automation; it also does not address the DNS cache issue but rather bypasses it with a brittle workaround. Option B is wrong because increasing the DNS TTL to 86400 seconds would actually make the problem worse by causing DNS caches to hold stale records for longer, delaying the propagation of the updated IP address during failover. Option C is wrong because configuring the web servers to use a DNS resolver that does not cache would still require the resolver to query authoritative DNS servers, and the web servers themselves may still cache the result; moreover, it introduces unnecessary complexity and does not solve the fundamental issue of relying on DNS for a critical failover scenario.

5. MCQ (hard)

A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?

A. Identification phase
B. Eradication phase
C. Recovery phase
D. Preparation phase

Answer: B

Eradication includes containment actions like blocking IPs and removing malware.

Why this answer

Option B (Eradication phase) is correct because containment actions such as removing the malicious PowerShell script, terminating the outbound connections, and cleaning the affected system are part of the eradication phase. The incident response lifecycle (NIST SP 800-61) places containment, eradication, and recovery as sequential steps after identification; here, the alert has already been identified, so the most appropriate next step is to eradicate the threat by removing the script and blocking the external IP.

Exam trap

ISC2 often tests the distinction between identification and eradication by presenting a scenario where the alert is already received, leading candidates to mistakenly choose identification because they focus on the initial detection rather than the next logical step in the response process.

How to eliminate wrong answers

Option A is wrong because the identification phase involves detecting and confirming the incident (e.g., analyzing the alert and verifying the malicious script), which has already occurred when the SOC analyst receives the alert. Option C is wrong because the recovery phase focuses on restoring normal operations after the threat is removed, such as restoring data from backups or reimaging systems, not on containing or removing the active threat. Option D is wrong because the preparation phase occurs before any incident, involving creating policies, training staff, and deploying tools (e.g., endpoint detection and response agents), not responding to an active alert.

6. MCQ (hard)

An organization's incident response plan specifies containment, eradication, and recovery phases. During containment, the team isolates a compromised server from the network. However, the server is a domain controller. What is the PRIMARY risk of this action?

A. Data loss on the server
B. Violation of chain of custody
C. Propagation of malware to other systems
D. Loss of authentication services

Answer: D

Domain controllers provide authentication; isolating them disrupts network logins.

Why this answer

Isolating a domain controller from the network prevents it from processing authentication requests (Kerberos and NTLM), which halts user logins, resource access, and group policy updates across the domain. This loss of authentication services is the primary risk because the domain controller is the authoritative source for identity verification in Active Directory.

Exam trap

The trap here is that candidates may focus on the general containment goal of stopping malware spread (Option C) rather than recognizing that isolating a domain controller specifically cripples the authentication infrastructure, which is the most critical and immediate risk.

How to eliminate wrong answers

Option A is wrong because data loss on the server is not the primary risk; domain controllers store Active Directory databases (NTDS.dit), but isolation does not inherently cause data loss—it prevents replication and authentication. Option B is wrong because chain of custody relates to preserving evidence for forensic analysis, not to the immediate operational impact of isolating a domain controller. Option C is wrong because propagation of malware to other systems is the very risk containment aims to prevent; isolating the server stops further spread, not causes it.

7. MCQ (hard)

Your organization runs a critical e-commerce platform on a private cloud. The database server is located in a data center in a seismic zone. The current DR plan uses a warm site with daily differential backups and a 12-hour RTO. A recent earthquake caused a power outage but no physical damage. The database corruption was discovered after 6 hours. The backups from last night are intact but restoring involves applying transaction logs. The RTO is now at risk. What should be done FIRST?

A. Fail over to the warm site immediately without data restoration.
B. Perform a point-in-time recovery using the last full backup and all transaction logs.
C. Initiate the warm site recovery by restoring the latest differential backup onto standby servers.
D. Restore the last full backup and then apply all subsequent differential and log backups.

Answer: C

Fastest recovery option given the warm site setup.

Why this answer

Option C is correct because the immediate priority is to restore the latest differential backup onto the warm site's standby servers. This approach minimizes recovery time by applying only the changes since the last full backup, directly addressing the RTO risk. The warm site is already prepared, and restoring the differential backup is the fastest path to operational readiness without the overhead of full backup restoration or log replay.

Exam trap

ISC2 often tests the misconception that point-in-time recovery or full backup restoration is always the safest first step, but in a time-critical DR scenario with intact differential backups, the fastest recovery path is to restore the latest differential backup to meet RTO.

How to eliminate wrong answers

Option A is wrong because failing over without data restoration would result in a stale or inconsistent database state, likely causing data loss and application errors. Option B is wrong because performing a point-in-time recovery using the last full backup and all transaction logs is time-consuming and would exceed the RTO; it is not the first action when a faster differential restore is available. Option D is wrong because restoring the last full backup before applying differential and log backups adds unnecessary steps and time, increasing the risk of RTO breach when the latest differential backup alone can be restored directly.

8. Multi-Select (hard)

Which TWO of the following are primary objectives of an incident response plan? (Choose two.)

Select 2 answers
A. Ensure business continuity during the incident
B. Return affected systems to normal operation
C. Collect evidence for legal proceedings
D. Minimize the impact of the incident
E. Identify the root cause of the incident

Answers: B, D

Recovery is a primary objective of IR.

Why this answer

Option B is correct because a primary objective of an incident response plan is to return affected systems to normal operation. This involves containment, eradication, and recovery steps to restore business functions after a security incident, ensuring the organization can resume operations securely.

Exam trap

ISC2 often tests the distinction between the incident response plan's primary objectives (containment and recovery) and the secondary or post-incident activities (root cause analysis, evidence collection), causing candidates to mistakenly select options like C or E as primary objectives.

9. Matching (medium)

Match each cryptographic concept to its definition.


Descriptions

Same key for encrypt and decrypt

Key pair: public and private

One-way transformation to fixed size

Ensures authenticity and non-repudiation

Binds a public key to an identity

Why these pairings

These are core cryptography concepts for the CC exam.

10. MCQ (hard)

During a tabletop exercise, the IT team realizes that the backup tapes are stored in the same building as the servers. Which risk does this highlight?

A. Insufficient off-site storage
B. Single point of failure
C. Lack of redundancy
D. Inadequate segregation of duties

Answer: A

Backups should be stored off-site to survive a site-level disaster; keeping them in the same building means one event can destroy both the servers and the backups.

Why this answer

Storing backup tapes in the same building as the primary servers violates the fundamental principle of geographic separation for disaster recovery. If a fire, flood, or physical security breach destroys the building, both the primary data and the backup tapes are lost simultaneously, rendering the backups useless. This directly indicates a lack of off-site storage, which is a core requirement for a viable backup strategy.

Exam trap

ISC2 often tests the distinction between 'lack of redundancy' (duplicate hardware) and 'insufficient off-site storage' (geographic separation of backups), trapping candidates who confuse high-availability concepts with disaster recovery requirements.

How to eliminate wrong answers

Option B is wrong because 'single point of failure' typically refers to a component (like a power supply or network link) whose failure stops the entire system, not to the physical co-location of backups. Option C is wrong because 'lack of redundancy' implies missing duplicate components (e.g., a second server or disk array), whereas the issue here is the absence of geographic separation for existing backups. Option D is wrong because 'inadequate segregation of duties' is a security control related to separating administrative roles (e.g., backup operator vs. system admin), not a physical storage location problem.

11. MCQ (medium)

An organization has detected a ransomware infection. What is the FIRST step in the incident response process?

A. Isolate affected systems
B. Pay the ransom
C. Run antivirus scans
D. Report to law enforcement

Answer: A

Isolation prevents the ransomware from spreading to other systems.

Why this answer

Containment is the immediate priority to prevent further spread of the ransomware.

12. MCQ (medium)

A company is developing a disaster recovery plan for its database server. The database is updated transactionally and cannot tolerate any data loss. Which backup strategy meets this requirement?

A. Log shipping with 15-minute intervals
B. Full backups nightly
C. Continuous database mirroring
D. Differential backups every 6 hours

Answer: C

Provides real-time replication with zero data loss.

Why this answer

Continuous database mirroring (C) is correct because it maintains a synchronous copy of the database on a secondary server, ensuring that every committed transaction is immediately written to both servers. This provides zero data loss (RPO=0) and automatic failover, which is required for a transactional database that cannot tolerate any data loss.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication methods, and the trap here is that candidates confuse log shipping or differential backups (which have inherent recovery point gaps) with true zero-data-loss solutions like continuous database mirroring.

How to eliminate wrong answers

Option A is wrong because log shipping with 15-minute intervals introduces a recovery point objective (RPO) of up to 15 minutes, meaning any transactions committed in that window would be lost if the primary fails. Option B is wrong because full backups nightly only capture the database state at the time of the backup, leaving all transactions since the last backup vulnerable to loss. Option D is wrong because differential backups every 6 hours still rely on a full backup and only capture changes since that full backup, resulting in an RPO of up to 6 hours and potential data loss.

13. MCQ (easy)

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A. Determine the cost of implementing security controls
B. List all IT assets
C. Identify critical business processes and their recovery priorities
D. Assign incident response roles

Answer: C

The BIA determines the impact of disruptions and prioritizes recovery.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly determines recovery priorities and objectives (RTO/RPO). This output drives the business continuity and disaster recovery strategy, not asset inventory or cost estimation.

Exam trap

ISC2 often tests the distinction between a BIA (which identifies critical processes and their recovery priorities) and a risk assessment (which identifies threats and vulnerabilities), leading candidates to confuse the BIA's purpose with asset listing or cost analysis.

How to eliminate wrong answers

Option A is wrong because determining the cost of implementing security controls is a function of risk management and cost-benefit analysis, not the BIA, which focuses on impact quantification rather than solution pricing. Option B is wrong because listing all IT assets is an inventory management or configuration management task (e.g., CMDB), whereas the BIA prioritizes business processes and their dependencies, not a simple asset list. Option D is wrong because assigning incident response roles is part of the incident response plan (IRP) development, not the BIA, which identifies recovery priorities before any roles are assigned.

14. MCQ (medium)

An online retailer has a DR plan that includes active-active data centers. During a major DDoS attack, one data center's external connectivity is saturated. The internal network is operational. The security team has identified the attack traffic pattern and is working with the ISP to filter. To maintain service availability, what action should be taken?

A. Shut down the attacked data center and fail all traffic to the other data center.
B. Redirect all traffic to a cloud-based scrubbing center.
C. Implement rate limiting on the affected network segment.
D. Continue monitoring and let the ISP handle the attack.

Answer: B

Filters attack traffic and maintains service availability.

Why this answer

Option B is correct because a cloud-based scrubbing center (DDoS mitigation service) can filter malicious traffic before it reaches the retailer's network, preserving the active-active data center architecture. Since the internal network is operational, the attack only saturates external connectivity; redirecting traffic to the scrubbing center allows clean traffic to be re-injected into the data centers, maintaining service availability without taking any site offline.

Exam trap

ISC2 often tests the misconception that shutting down a data center is the safest failover action during a DDoS, but the trap here is that active-active designs require keeping both sites operational to maintain capacity and redundancy, and scrubbing centers are the correct mitigation technique for external saturation.

How to eliminate wrong answers

Option A is wrong because shutting down the attacked data center violates the active-active DR principle and would cause unnecessary downtime; the internal network is still functional, so the site can continue serving traffic once clean traffic is returned. Option C is wrong because rate limiting on the affected network segment would also drop legitimate traffic, degrading service availability rather than preserving it; it does not address the root cause of DDoS saturation. Option D is wrong because continuing to monitor while relying solely on the ISP is passive and insufficient; the ISP filtering may take time, and the retailer must take immediate action to maintain availability during the attack.

15. MCQ (medium)

Refer to the exhibit. An administrator needs to restore a database file from two weeks ago, but the backup log shows success. What is the most likely reason the file cannot be restored?

A. The retention policy deleted it
B. The schedule was incorrect
C. The backup source did not include that file
D. The encryption key changed

Answer: C

Only files under /srv/db are backed up; the needed file might be elsewhere.

Why this answer

Option C is correct because the backup log only records the success or failure of the backup job as a whole, not the inclusion of every individual file. If the database file was not selected in the backup source configuration (e.g., a file-level backup job that excluded the database directory or a volume shadow copy that did not include the file), the backup would complete successfully without backing up that file. When the administrator attempts to restore, the file is missing from the backup set, even though the job log shows success.

Exam trap

ISC2 often tests the misconception that a successful backup log guarantees all intended data was backed up, when in reality the backup source configuration determines what is actually captured.

How to eliminate wrong answers

Option A is wrong because a retention policy deletes backup sets after a specified period, but the question states the backup log shows success from two weeks ago, implying the backup set still exists; if the retention policy had deleted it, the restore would fail with a 'backup set not found' error, not a missing file error. Option B is wrong because an incorrect schedule would cause the backup to run at the wrong time or not run at all, but the log shows a successful backup, so the schedule executed correctly. Option D is wrong because an encryption key change would affect the ability to decrypt the backup data, not the presence of the file in the backup; the restore would fail with a decryption error, not a missing file error.

16. MCQ (hard)

During a disaster recovery exercise, the system fails to achieve the RTO. Analysis shows that restoring the database from tape takes 3 hours, but the RTO is 2 hours. Which is the most effective solution?

A. Use differential instead of full backups
B. Switch from tape to disk-based backups
C. Implement a hot standby database replica
D. Increase the RTO to 3 hours

Answer: C

A hot replica is synchronized and can be activated immediately, meeting RTO.

Why this answer

The correct answer is C because the RTO (Recovery Time Objective) is a business requirement that cannot be changed by simply adjusting the backup method. A hot standby database replica (e.g., using synchronous replication or Oracle Data Guard) provides near-instant failover, reducing recovery time to minutes, which directly meets the 2-hour RTO. This solution addresses the root cause—the restore process is too slow—by eliminating the need to restore from backup entirely.

Exam trap

ISC2 often tests the misconception that improving backup speed (e.g., switching to disk or differential backups) is sufficient to meet RTO, when the real solution is to eliminate the restore process entirely with a high-availability replica.

How to eliminate wrong answers

Option A is wrong because differential backups reduce the amount of data to restore but still require a full restore from tape, which takes 3 hours; the bottleneck is the tape read speed, not the backup type. Option B is wrong because switching to disk-based backups improves restore speed but still involves restoring a full database from backup, which may not reduce the time below 2 hours if the database is large; the fundamental issue is the restore process itself, not the media. Option D is wrong because increasing the RTO to 3 hours violates the business requirement and is not a technical solution; RTO is a predefined objective, not a negotiable parameter in a disaster recovery exercise.

17. Multi-Select (medium)

Which TWO are essential elements of a business impact analysis (BIA)?

Select 2 answers
A. A network topology diagram
B. List of all employees
C. Identification of critical business functions
D. Assignment of IP addresses
E. Determination of maximum acceptable outage (MAO)

Answers: C, E

A core element of BIA.

Why this answer

Option C is correct because identifying critical business functions is a core element of a BIA. The BIA determines which systems and processes are essential for business operations, and without this identification, you cannot prioritize recovery efforts or allocate resources effectively during a disaster.

Exam trap

ISC2 often tests the distinction between BIA elements (like critical functions and MAO) and technical implementation details (like IP addresses or network diagrams), so candidates mistakenly choose options that sound technical but are irrelevant to the BIA process.

18. MCQ (easy)

During a disaster recovery test, the team discovers that the backup generator fails to start. What is the BEST immediate action?

A. Continue the test with manual procedures
B. Cancel the test
C. Document the issue and proceed
D. Shut down the data center

Answer: C

Documenting allows the test to continue while capturing the failure for later analysis.

Why this answer

Option C is correct because the immediate priority during a disaster recovery test is to document the failure and continue the test to evaluate the remaining components of the DR plan. The backup generator failure is a specific issue that should be logged for post-test remediation, but aborting the test prematurely would lose valuable data on other failover mechanisms, such as UPS runtime, network redundancy, or application recovery. Proceeding with documentation ensures the test's integrity while capturing the incident for root cause analysis.

Exam trap

ISC2 often tests the misconception that any hardware failure during a DR test automatically invalidates the entire test, tempting candidates to choose 'Cancel the test' (Option B) instead of recognizing that documentation and continuation preserve the test's value for other critical components.

How to eliminate wrong answers

Option A is wrong because continuing the test with manual procedures bypasses the automated failover that the generator was supposed to support, invalidating the test's ability to measure true recovery time objectives (RTOs) and recovery point objectives (RPOs). Option B is wrong because canceling the test discards the opportunity to validate all other DR components (e.g., storage replication, DNS failover, load balancer health checks) that are independent of the generator; a partial test with documented issues is more valuable than no test. Option D is wrong because shutting down the data center is an extreme, unnecessary action that would cause a full outage, violating the principle of minimizing disruption during a test; the generator failure alone does not indicate an immediate safety or data loss risk.

19. Multi-Select (medium)

Which TWO are primary objectives of a Business Continuity Plan (BCP)? (Select two.)

Select 2 answers
A. Comply with regulations
B. Ensure employee safety
C. Restore IT systems within RTO
D. Minimize financial loss
E. Protect brand reputation

Answers: B, D

Employee safety is the highest priority in any continuity plan.

Why this answer

BCP focuses on ensuring employee safety and minimizing financial loss. Restoring IT systems is part of disaster recovery, not the primary BCP goal.

20. Multi-Select (hard)

Which TWO are appropriate methods to test a disaster recovery plan?

Select 2 answers
A. Parallel test
B. Regression test
C. Acceptance test
D. Simulation test
E. Unit test

Answers: A, D

A common DR test method.

Why this answer

A parallel test is appropriate because it runs the DR site in parallel with the production environment, allowing validation of failover processes and data replication without impacting live operations. This method verifies that the backup systems can handle real workloads and that synchronization mechanisms (e.g., asynchronous replication or log shipping) are functioning correctly. It provides a high-confidence check of the DR plan's effectiveness while maintaining business continuity.

Exam trap

ISC2 often tests the distinction between DR testing methods (parallel, simulation, walkthrough) and software development testing types (unit, regression, acceptance), leading candidates to incorrectly select development tests as valid DR validation techniques.

21. MCQ (medium)

An organization's backup strategy includes daily full backups. However, recovery tests show that restoring from tape takes 6 hours longer than expected. What is the most likely cause?

A. Improperly documented recovery procedures
B. Tape drive failure
C. Inadequate storage capacity
D. Insufficient bandwidth

Answer: A

Poor documentation can cause steps to be missed or performed incorrectly, leading to delays.

Why this answer

Improperly documented recovery procedures can lead to incorrect steps or delays during restoration, which is a common cause of extended recovery times.

22
MCQhard

Refer to the exhibit. What is the effect of this ACL?

A.All HTTPS traffic is permitted
B.Only hosts from 10.0.1.0/24 can access HTTPS on 192.168.2.100
C.HTTPS traffic from 10.0.1.0/24 to 192.168.2.100 is permitted; all other HTTPS is denied
D.The ACL is invalid due to ordering
AnswerC

This accurately describes the combined effect of the permit and deny statements.

Why this answer

The ACL explicitly permits HTTPS (TCP port 443) traffic from source network 10.0.1.0/24 to destination host 192.168.2.100. Since ACLs have an implicit deny all at the end, any HTTPS traffic not matching this permit statement is denied. Option C correctly states that only this specific traffic is permitted and all other HTTPS is denied.

Exam trap

ISC2 often tests the implicit deny any at the end of every ACL; candidates forget that, once a permit entry exists, all other traffic is denied unless another entry explicitly permits it.

How to eliminate wrong answers

Option A is wrong because the ACL only permits HTTPS from 10.0.1.0/24 to 192.168.2.100, not all HTTPS traffic. Option B is wrong because it is incomplete: it is true that only hosts in 10.0.1.0/24 can reach HTTPS on 192.168.2.100, but it says nothing about HTTPS to any other destination, which the implicit deny also blocks; option C captures the full effect of the single permit entry plus the implicit deny. Option D is wrong because the ACL is valid; a single permit entry has no ordering problem, and nothing about its position makes the list invalid.

23
Multi-Selectmedium

Which THREE elements are essential components of a business continuity plan (BCP)?

Select 3 answers
A.Data backup schedules and procedures
B.Business impact analysis (BIA) results
C.Incident response team roster
D.Emergency contact lists
E.Detailed network topology diagrams
AnswersA, B, D

Backup procedures ensure data availability.

Why this answer

Data backup schedules and procedures are essential because they ensure that critical data can be restored after a disruption. A BCP must specify the frequency of backups (e.g., daily incremental, weekly full), the retention policy, and the recovery point objective (RPO) to meet business requirements. Without defined schedules and procedures, data loss or corruption could render the recovery process ineffective.

Exam trap

ISC2 often tests the distinction between a BCP and an incident response plan, where candidates mistakenly include incident-specific elements like team rosters or forensic procedures as BCP components.

24
MCQmedium

During a disaster recovery test, backup tapes fail to restore data due to format incompatibility. Which element of the Business Continuity Plan should be updated?

A.Plan testing and maintenance
B.Business Impact Analysis (BIA)
C.Recovery strategies
D.Communication plan
AnswerA

This phase includes reviewing test results and updating the plan to fix discovered problems.

Why this answer

The failure of backup tapes to restore data due to format incompatibility indicates that the recovery procedures and tools were not validated during testing. This directly points to a deficiency in the 'Plan testing and maintenance' element, which ensures that backup media formats, restoration tools, and procedures are regularly verified and updated to match the current production environment. Without scheduled testing and maintenance, format drift between backup software versions or hardware changes can render tapes unreadable.

Exam trap

ISC2 often tests the distinction between 'plan testing and maintenance' (which validates technical execution) and 'recovery strategies' (which are high-level design choices), leading candidates to mistakenly select recovery strategies when the root cause is a failure in validation and upkeep.

How to eliminate wrong answers

Option B is wrong because the Business Impact Analysis (BIA) identifies critical business functions, recovery time objectives (RTOs), and recovery point objectives (RPOs), but it does not address the technical compatibility of backup media or the validation of restoration procedures. Option C is wrong because recovery strategies define the high-level approach to restoring operations (e.g., hot site, cold site, cloud failover), not the specific testing of backup tape formats or restoration tools. Option D is wrong because the communication plan covers notification and escalation procedures during an incident, not the technical verification of backup media compatibility or the maintenance of restoration capabilities.

25
Drag & Dropmedium

Drag and drop the steps for the TCP three-way handshake into the correct order.


Why this order

The TCP three-way handshake establishes a connection in a fixed order: SYN (the client proposes its initial sequence number), SYN-ACK (the server acknowledges that number and proposes its own), then ACK (the client acknowledges the server's number), after which both sides are in the ESTABLISHED state.
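As an added worked example (not part of the original question set), the Python below simulates the three steps between a client and a server endpoint, carrying the sequence and acknowledgement numbers each segment needs and rejecting a segment that arrives out of order. The endpoint names and the initial sequence numbers 1000 and 5000 are made up for the illustration; real stacks randomise them.

```python
"""Simulate the TCP three-way handshake, including the sequence and
acknowledgement numbers each step carries and the rejection of segments
that arrive out of order."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset            # subset of {"SYN", "ACK"}
    seq: int
    ack: Optional[int] = None   # acknowledgement number, present only when ACK is set


class Endpoint:
    def __init__(self, name, isn):
        self.name = name
        self.isn = isn          # initial sequence number (made up here; randomised by real stacks)
        self.state = "CLOSED"

    def send_syn(self, peer_name):
        """Step 1: the client announces its ISN."""
        self.state = "SYN-SENT"
        return Segment(self.name, peer_name, frozenset({"SYN"}), self.isn)

    def receive_syn(self, seg):
        """Step 2: the server acknowledges the client's ISN (+1) and announces its own."""
        if self.state not in ("CLOSED", "LISTEN") or seg.flags != frozenset({"SYN"}):
            raise ValueError(f"{self.name}: unexpected {sorted(seg.flags)} in state {self.state}")
        self.state = "SYN-RECEIVED"
        return Segment(self.name, seg.src, frozenset({"SYN", "ACK"}), self.isn, seg.seq + 1)

    def receive_syn_ack(self, seg):
        """Step 3: the client checks that its own ISN was acknowledged, then acknowledges the server's."""
        if self.state != "SYN-SENT" or seg.flags != frozenset({"SYN", "ACK"}) or seg.ack != self.isn + 1:
            raise ValueError(f"{self.name}: bad SYN-ACK (ack={seg.ack}, expected {self.isn + 1})")
        self.state = "ESTABLISHED"
        return Segment(self.name, seg.src, frozenset({"ACK"}), self.isn + 1, seg.seq + 1)

    def receive_ack(self, seg):
        """Server side of step 3: ESTABLISHED only once its own ISN has been acknowledged."""
        if self.state != "SYN-RECEIVED" or "ACK" not in seg.flags or seg.ack != self.isn + 1:
            raise ValueError(f"{self.name}: unexpected ACK (ack={seg.ack}) in state {self.state}")
        self.state = "ESTABLISHED"


def handshake(client, server):
    """Run the three steps in order and return the segments exchanged."""
    syn = client.send_syn(server.name)
    syn_ack = server.receive_syn(syn)
    ack = client.receive_syn_ack(syn_ack)
    server.receive_ack(ack)
    return [syn, syn_ack, ack]


def flag_sequence(segments):
    """Human-readable flag list, e.g. ['SYN', 'SYN+ACK', 'ACK']."""
    return ["+".join(sorted(s.flags, reverse=True)) for s in segments]


def ack_before_syn_is_rejected():
    """A bare ACK arriving at a server that never saw a SYN must not open a connection."""
    server = Endpoint("server", 7000)
    try:
        server.receive_ack(Segment("client", "server", frozenset({"ACK"}), 1, 7001))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    client, server = Endpoint("client", 1000), Endpoint("server", 5000)
    for seg, label in zip(handshake(client, server), flag_sequence(handshake(Endpoint("c", 1000), Endpoint("s", 5000)))):
        print(f"{seg.src} -> {seg.dst}  {label:8} seq={seg.seq} ack={seg.ack}")
    print("states:", client.state, server.state)
    print("ACK before SYN rejected:", ack_before_syn_is_rejected())
```

Each acknowledgement number is the peer's sequence number plus one, which is why the steps cannot be reordered: the client cannot send a valid ACK until it has seen the server's ISN in the SYN-ACK, and the server does not consider the connection established until that ACK arrives.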

26
MCQhard

The exhibit shows a syslog-ng client configuration and a firewall rule on the central logging server (IP 10.0.0.10). The client (192.168.1.100) is not sending logs to the server. What is the most likely cause?

A.The syslog-ng configuration uses TLS, but the firewall rule does not allow TLS traffic
B.The firewall rule restricts source port 6514, but the client uses a random ephemeral source port
C.The syslog-ng client uses UDP by default, but the firewall allows only TCP
D.The firewall rule does not include the client IP 192.168.1.100
AnswerB

The rule applies 'eq 6514' to the source port, so it matches only packets sent from port 6514; clients send from dynamic (ephemeral) ports, so nothing matches.

Why this answer

The firewall rule on the central logging server (10.0.0.10) requires a source port of 6514 as well as a destination port of 6514. A syslog-ng client sending over TCP or TLS uses an ephemeral source port chosen by its operating system (for example from the 32768 to 60999 range on Linux, or 49152 to 65535 per IANA), not a fixed port, so its packets match neither the permit rule nor anything else and are dropped, and no logs reach the server.

Exam trap

The trap here is that candidates assume the firewall rule's source port 6514 is irrelevant or that the client must use the same port as the server, when in fact the client uses an ephemeral source port, making the rule overly restrictive and the cause of the failure.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show the client configured for TLS; the firewall rule already allows TCP to destination port 6514 (the IANA-assigned port for syslog over TLS, RFC 5425), so the transport is not what blocks the traffic; the source-port restriction is. Option C is wrong because a syslog-ng destination configured for TCP transport sends over TCP, not UDP; if the client really were using UDP the TCP-only rule would block it, but nothing in the exhibit indicates that, and the source-port mismatch explains the failure on its own. Option D is wrong because the rule carries no source-address restriction at all; it matches on source port 6514 and destination port 6514, so the client IP 192.168.1.100 is not what is being filtered.
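As an added worked example (not part of the original page), the Python below parses Cisco-style extended ACL entries and evaluates packets against them top-down, ending with the implicit deny, so the effect described in question 22 and the source-port mistake in question 26 can both be reproduced. Neither exhibit is reproduced on this page, so the three ACLs in the block are constructed to match the descriptions: a single permit for HTTPS from 10.0.1.0/24 to host 192.168.2.100, the syslog server rule with 'eq 6514' applied to the source port as well as the destination, and the same rule with the source-port restriction removed. The syntax subset handled (any / host / address-wildcard, optional eq port) is an assumption of the example.

```python
"""Evaluate Cisco-style extended ACL entries top-down against packets, ending
with the implicit deny that terminates every ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].
    Returns (network_bits, care_mask, next_index); care_mask marks the bits
    the entry actually compares (the inverse of the wildcard)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = ~wildcard & 0xFFFFFFFF
    return net & care, care, i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' operator. Returns (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one access control entry: action proto src [eq P] dst [eq P]."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src_net, src_care, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)          # 'eq' right after the source = SOURCE port
    dst_net, dst_care, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)          # 'eq' after the destination = destination port
    return {"action": t[0], "proto": t[1], "src": (src_net, src_care), "sport": sport,
            "dst": (dst_net, dst_care), "dport": dport, "text": line}


def _addr_matches(addr, criterion):
    net, care = criterion
    return (int(ipaddress.IPv4Address(addr)) & care) == net


def ace_matches(ace, pkt):
    """True when every criterion in the entry matches; 'ip' matches any protocol."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not _addr_matches(pkt.src, ace["src"]) or not _addr_matches(pkt.dst, ace["dst"]):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching entry). Entries are tested in order, the first
    match wins, and a packet that matches nothing hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny (end of ACL)"


# Constructed ACLs standing in for the two exhibits, which are not reproduced here.
HTTPS_ACL = ["permit tcp 10.0.1.0 0.0.0.255 host 192.168.2.100 eq 443"]
# 'eq 6514' after the source address constrains the SOURCE port, as in question 26.
SYSLOG_RULE_AS_WRITTEN = ["permit tcp any eq 6514 host 10.0.0.10 eq 6514"]
SYSLOG_RULE_FIXED = ["permit tcp any host 10.0.0.10 eq 6514"]

if __name__ == "__main__":
    client = Packet("tcp", "192.168.1.100", 54321, "10.0.0.10", 6514)   # ephemeral source port
    for acl, pkt in [
        (HTTPS_ACL, Packet("tcp", "10.0.1.5", 51000, "192.168.2.100", 443)),   # permit
        (HTTPS_ACL, Packet("tcp", "10.0.2.5", 51000, "192.168.2.100", 443)),   # implicit deny: other source
        (HTTPS_ACL, Packet("tcp", "10.0.1.5", 51000, "203.0.113.10", 443)),    # implicit deny: other HTTPS
        (SYSLOG_RULE_AS_WRITTEN, client),                                      # implicit deny: source port
        (SYSLOG_RULE_FIXED, client),                                           # permit
    ]:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  =>  {evaluate(acl, pkt)}")
```

The third HTTPS case is the one that separates option C from option B in question 22: HTTPS from the permitted subnet to a different destination also falls through to the implicit deny. For question 26, the same client packet is dropped by the rule as written and permitted once the source-port operator is removed.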

27
MCQhard

A multinational financial services organization operates three data centers in different geographic regions. Each data center runs a mix of critical and non-critical applications. The DR plan specifies Recovery Time Objectives (RTOs) ranging from 4 hours for critical applications to 72 hours for non-critical. During a scheduled DR test, the team attempts to fail over the primary customer database to the secondary site. The failover fails because the replication link between sites was saturated due to a large data synchronization job running concurrently. The test is declared a failure, and senior management is concerned about the DR plan's reliability. The IT director suggests increasing bandwidth between sites. The security architect proposes implementing network prioritization for replication traffic. The business continuity manager recommends revising the RTOs to be more realistic based on current bandwidth. The system administrator thinks the issue will resolve if the test is repeated during off-peak hours. Which of the following is the BEST course of action to address the root cause of the failure?

A.Implement Quality of Service (QoS) policies to prioritize database replication traffic over other data transfers.
B.Increase the bandwidth on the replication link by ordering a faster circuit from the ISP.
C.Reschedule the next DR test to occur during a scheduled maintenance window with no other replication activity.
D.Revise the RTO for the customer database from 4 hours to 8 hours to account for current bandwidth limitations.
AnswerA

QoS ensures that critical DR replication traffic gets sufficient bandwidth, preventing saturation by low-priority jobs.

Why this answer

The root cause is that the replication link was saturated by a large data synchronization job, which delayed the critical database replication traffic needed to meet the 4-hour RTO. Implementing Quality of Service (QoS) policies directly addresses this by prioritizing database replication traffic over other data transfers, ensuring that critical replication gets the necessary bandwidth even during concurrent large jobs. This is the most effective solution because it resolves the contention without requiring additional bandwidth or changing RTOs.

Exam trap

ISC2 often tests the misconception that simply adding more bandwidth (Option B) solves all congestion issues, but the trap is that without traffic prioritization, the root cause of contention between different traffic types remains unaddressed.

How to eliminate wrong answers

Option B is wrong because simply increasing bandwidth does not guarantee that replication traffic will be prioritized; without QoS, other data transfers can still saturate the link, and it may not be cost-effective or timely. Option C is wrong because rescheduling the test avoids the problem rather than fixing it; the same issue could occur during a real disaster when other replication activity is unavoidable. Option D is wrong because revising the RTO to 8 hours accepts a degraded recovery capability instead of addressing the technical root cause of traffic prioritization, which could be solved with QoS.

28
MCQmedium

Which is a key benefit of a cold site as a recovery location?

A.Real-time data synchronization
B.Low cost
C.Reduced need for testing
D.Fast recovery time
AnswerB

Cold sites have no pre-installed equipment and no data replication, which makes them the least expensive option.

Why this answer

A cold site is a backup facility that provides only the physical infrastructure (power, cooling, and space) but no pre-installed hardware or live data. Because it lacks equipment and requires manual setup before recovery can begin, it has the lowest capital and operational costs among recovery site options, making low cost its key benefit.

Exam trap

ISC2 often tests the misconception that 'cold site' implies lower testing requirements, but in reality, cold sites demand more rigorous and frequent testing because the manual recovery process is error-prone and must be validated to avoid failure during an actual disaster.

How to eliminate wrong answers

Option A is wrong because real-time data synchronization requires active replication technologies like synchronous replication or database mirroring, which are not supported by a cold site that has no live systems or network connectivity until activated. Option C is wrong because cold sites actually increase the need for testing, as the recovery process involves manual installation and configuration of hardware and software, which must be validated through regular drills to ensure it works under pressure. Option D is wrong because cold sites have the slowest recovery time (often days or weeks) due to the absence of pre-configured equipment and data, whereas fast recovery is a benefit of hot or warm sites.

29
Matchingmedium

Match each access control model to its key characteristic.


Owner sets permissions

System-enforced labels

Roles determine access

Attributes and policies

Why these pairings

These are the standard access control models covered in CC: 'Owner sets permissions' is discretionary access control (DAC), 'System-enforced labels' is mandatory access control (MAC), 'Roles determine access' is role-based access control (RBAC), and 'Attributes and policies' is attribute-based access control (ABAC).

30
MCQeasy

An organization discovers a ransomware infection on a critical server. According to the incident response phases, what should be the first action after detection?

A.Notify law enforcement
B.Eradicate the malware from the server
C.Restore from backup
D.Contain the affected system
AnswerD

Containment stops the incident from spreading, which is the immediate priority.

Why this answer

Immediately after detection, the priority is to contain the ransomware to prevent it from spreading laterally to other systems. According to NIST SP 800-61 and standard incident response frameworks, containment is the first step after detection and analysis, as it limits damage and preserves evidence for forensic investigation.

Exam trap

The trap here is that candidates confuse the urgency of recovery actions (like restoring from backup) with the correct incident response sequence, forgetting that containment must always come first to stop the spread and preserve forensic evidence.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a post-containment step, typically done after the scope is understood and evidence is preserved; premature notification can disrupt the response. Option B is wrong because eradicating the malware before containment risks alerting the attacker or causing the ransomware to trigger encryption of additional data; containment must precede eradication. Option C is wrong because restoring from backup before containment can reintroduce the infection if the backup is compromised or if the ransomware is still active on the network; containment ensures the environment is clean before recovery.

31
Multi-Selecteasy

Which TWO are phases of the NIST incident response life cycle? (Select exactly 2.)

Select 2 answers
A.Preparation
B.Documentation
C.Assessment
D.Authorization
E.Containment
AnswersA, E

Preparation is the first phase.

Why this answer

Option A is correct because Preparation is the first phase of the NIST SP 800-61 incident response life cycle, focusing on establishing policies, tools, and training before an incident occurs. This phase ensures the organization is ready to detect and respond to security events effectively.

Exam trap

ISC2 often tests the distinction between the official NIST phase names and common but incorrect terms like 'Assessment' or 'Documentation', expecting candidates to recall that only 'Preparation' and 'Containment' (as part of Containment/Eradication/Recovery) are explicitly listed phases.

32
Multi-Selectmedium

Which THREE are commonly defined in a disaster recovery plan? (Select exactly 3.)

Select 3 answers
A.Recovery point objective
B.Business impact analysis
C.Recovery time objective
D.Cost-benefit analysis
E.Annual loss expectancy
AnswersA, B, C

RPO defines the maximum acceptable data loss.

Why this answer

Recovery point objective (RPO) is a core metric defined in a disaster recovery plan because it specifies the maximum acceptable amount of data loss measured in time. For example, an RPO of 1 hour means backups must be taken at least every hour to ensure no more than 60 minutes of data is lost. This directly drives backup frequency and replication technology choices, such as synchronous vs. asynchronous replication.

Exam trap

ISC2 often tests the distinction between the DR plan components (RPO, RTO, BIA) and risk management calculations (ALE, cost-benefit analysis), trapping candidates who confuse the outputs of a BIA with separate financial analysis tools.

33
MCQhard

Which statement best describes a warm site in disaster recovery?

A.It has replicated data but no active systems
B.It is fully operational with real-time data synchronization
C.It has hardware and network equipment but requires data restoration from backups
D.It has no hardware or infrastructure installed
AnswerC

Warm site has equipment but not live data, so restore is needed.

Why this answer

A warm site is a middle-ground disaster recovery option that has hardware and network infrastructure pre-installed but does not have live, synchronized data. Instead, data must be restored from backups (e.g., tape or disk snapshots) before operations can resume. This contrasts with a hot site, which maintains real-time data replication and fully active systems.

Exam trap

ISC2 often tests the distinction between warm and hot sites by making candidates confuse 'pre-installed hardware' (warm) with 'real-time data synchronization' (hot), so the trap is assuming that any site with hardware must also have live data.

How to eliminate wrong answers

Option A is wrong because a warm site is defined by its pre-installed hardware, not by replicated data; a site that already held replicated data would not need the restoration from backups that characterizes a warm site. Option B is wrong because a fully operational site with real-time data synchronization defines a hot site, which has a near-zero recovery time objective (RTO) and continuous replication (e.g., synchronous SAN replication). Option D is wrong because a site with no hardware or infrastructure installed is a cold site, which requires full setup before recovery can begin.

34
MCQmedium

An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfigure and test tasks add another 3 hours. Which action best addresses this gap?

A.Conduct the restore test only during annual disaster recovery drills.
B.Reduce the recovery point objective (RPO) to minimize data loss.
C.Increase the RTO to 6 hours.
D.Automate the configuration and validation steps after restore.
AnswerD

Automation reduces manual time, helping meet the 4-hour RTO.

Why this answer

The RTO is 4 hours, but the actual recovery time is 2 hours (restore) + 3 hours (reconfigure and test) = 5 hours, exceeding the RTO by 1 hour. Automating the configuration and validation steps (option D) reduces the post-restore manual effort, bringing the total recovery time closer to or within the 4-hour RTO. This directly addresses the gap without altering the RTO or neglecting testing.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates confuse reducing RPO (data loss) with fixing a time-based gap, or they incorrectly assume that simply increasing the RTO is an acceptable solution without considering process improvement.

How to eliminate wrong answers

Option A is wrong because conducting the restore test only during annual drills does not close the 1-hour gap; it merely validates less often, leaving the process untested for most of the year and still non-compliant with the RTO. Option B is wrong because reducing the RPO (recovery point objective) addresses data loss tolerance, not recovery time; it does not reduce the 5-hour total recovery duration. Option C is wrong because increasing the RTO to 6 hours accepts the inefficiency rather than fixing it; best practice is to improve the process to meet the original RTO, not relax the requirement.

35
MCQmedium

Refer to the exhibit. Based on the report, which improvement is most appropriate?

A.Increase backup frequency
B.Reduce network failover time
C.Implement load balancing
D.Switch to synchronous replication
AnswerD

Synchronous replication guarantees transaction consistency across sites.

Why this answer

Asynchronous replication can lead to data inconsistency during failover. Switching to synchronous replication ensures data consistency at the cost of some latency.

36
Multi-Selectmedium

Which TWO are best practices for managing backup media?

Select 2 answers
A.Encrypt backup data
B.Keep backups on the same server for easy access
C.Store backups in a separate physical location
D.Use only tape media
E.Test backups annually
AnswersA, C

Encryption protects sensitive data from unauthorized access.

Why this answer

Encrypting backup data protects confidentiality at rest and in transit, so a lost or stolen tape or disk does not expose its contents; with an authenticated mode such as AES-GCM it also detects tampering with the backup. This is a critical best practice for compliance with standards like GDPR or HIPAA, and aligns with the principle of defense in depth. Without encryption, backup media becomes a significant security vulnerability.

Exam trap

ISC2 often tests the 3-2-1 backup rule (three copies, on two different media, one offsite); keeping backups on the same server as the data (option B) violates it, as does relying on a single medium (option D), and testing only annually (option E) is far too infrequent to catch restore failures before they matter.

37
Multi-Selecthard

Which THREE are primary phases of the incident response lifecycle?

Select 3 answers
A.Containment
B.Forensic Analysis
C.Preparation
D.Data Archiving
E.Detection
AnswersA, C, E

Containment phase limits damage and prevents spread.

Why this answer

Containment is a primary phase of the incident response lifecycle because it focuses on stopping the spread of an incident and preventing further damage. In the NIST SP 800-61 framework, containment is explicitly listed as a core phase, following detection and analysis. This phase includes actions such as isolating affected systems, blocking malicious IPs via ACLs, or disabling compromised accounts to limit the blast radius.

Exam trap

ISC2 often tests the distinction between primary phases and supporting activities, so candidates mistakenly select 'Forensic Analysis' or 'Data Archiving' as primary phases when they are actually tasks performed within the Containment or Post-Incident phases.

38
MCQmedium

Refer to the exhibit. A security analyst observes repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port. What is the MOST likely interpretation?

A.The server is being used for remote desktop access
B.The server is performing a port scan
C.The server is a legitimate mail server
D.The server is infected with malware
AnswerD

Beaconing to multiple external IPs on a non-standard port is a common malware behavior.

Why this answer

Repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port are a classic indicator of malware command-and-control (C2) activity. Malware often uses non-standard ports to evade detection and establish outbound communication with an external attacker. This behavior is not typical of legitimate services, which use well-known ports and protocols.

Exam trap

ISC2 often tests the distinction between outbound connection attempts (indicative of malware C2) and inbound connection attempts (indicative of remote access or scanning), leading candidates to mistakenly choose remote desktop or port scanning.

How to eliminate wrong answers

Option A is wrong because remote desktop access (e.g., RDP) uses TCP port 3389 by default, not a non-standard port, and would typically involve inbound connections, not repeated outbound attempts. Option B is wrong because a port scan involves sending packets to multiple ports on a target to discover open services, not repeated outbound connection attempts from a single server to external IPs on a single non-standard port. Option C is wrong because a legitimate mail server uses standard ports such as TCP 25 (SMTP), 587 (submission), or 993 (IMAPS), and would not repeatedly connect to arbitrary external IPs on a non-standard port.

39
MCQeasy

Refer to the exhibit. An SOC analyst pulled this log snippet. Which type of attack is most likely in progress?

A.Phishing
B.DDoS attack
C.Man-in-the-middle
D.Insider threat
AnswerB

Coordinated traffic from many sources to a single target is characteristic of DDoS.

Why this answer

The log snippet shows a massive volume of incoming traffic from multiple source IPs targeting a single destination, which is characteristic of a distributed denial-of-service (DDoS) attack. The high packet rate and diverse source addresses indicate an attempt to overwhelm the target's resources, such as bandwidth or server capacity, making services unavailable to legitimate users.

Exam trap

ISC2 often tests the distinction between DDoS and DoS by including logs with multiple source IPs, where candidates might mistakenly focus on the high traffic volume alone and overlook the distributed nature, leading them to choose a generic 'DoS' or another attack type.

How to eliminate wrong answers

Option A is wrong because phishing involves deceptive messages (e.g., emails) to trick users into revealing credentials or installing malware, not a flood of network traffic from many sources. Option C is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, which would show unusual traffic patterns or certificate anomalies, not a high-volume flood from multiple IPs. Option D is wrong because an insider threat originates from within the organization, typically involving unauthorized access or data exfiltration, not a distributed traffic flood from external sources.
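As an added worked example covering questions 38 and 39 (not part of the original page), the Python below runs two detections over connection records: outbound beaconing from an internal host to an external non-standard port at a near-constant interval, the C2 pattern in question 38, and an inbound flood from many distinct sources to one target, the DDoS pattern in question 39. The record format, the internal address ranges, the list of well-known ports, the thresholds and all sample records are constructed for the example; no exhibit from the page is reproduced.

```python
"""Flag two patterns in connection records: outbound beaconing from an internal
host to an external non-standard port (C2-like) and an inbound flood from many
sources to one internal target (DDoS-like)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed assumptions: the internal address space and the ports treated as well known.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WELL_KNOWN_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}

# Constructed record format: "<ISO timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_beacons(flows, min_count=5, max_cv=0.15):
    """Outbound connections from one internal host to one external host:port on a
    non-standard port, repeated at a near-constant interval (low coefficient of
    variation of the gaps). Irregular browsing-style traffic does not qualify."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dport"] not in WELL_KNOWN_PORTS:
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_floods(flows, window_s=10, min_sources=50):
    """Inbound connections to one internal target from many distinct external
    sources inside one time window; one hit per target, for its busiest window."""
    buckets = defaultdict(set)
    for f in flows:
        if is_internal(f["dst"]) and not is_internal(f["src"]):
            buckets[(f["dst"], f["dport"], int(f["ts"].timestamp() // window_s))].add(f["src"])
    hits = {}
    for (dst, dport, bucket), sources in buckets.items():
        best = hits.get((dst, dport), {}).get("distinct_sources", 0)
        if len(sources) >= min_sources and len(sources) > best:
            start = datetime.fromtimestamp(bucket * window_s, tz=timezone.utc)
            hits[(dst, dport)] = {"dst": dst, "dport": dport, "distinct_sources": len(sources),
                                  "window_start": start.isoformat()}
    return list(hits.values())


def sample_records():
    """Constructed records: one beacon, one irregular non-standard-port talker, one flood."""
    t0 = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)

    def fmt(ts):
        return ts.isoformat().replace("+00:00", "Z")

    lines = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, 1, -2, 0]):          # 10.0.5.20 beacons every ~60 s
        lines.append(f"{fmt(t0 + timedelta(seconds=60 * i + jitter))} 10.0.5.20:{49100 + i} -> 203.0.113.77:4444 tcp")
    for i, off in enumerate([0, 15, 400, 405, 1300]):                 # irregular gaps: not a beacon
        lines.append(f"{fmt(t0 + timedelta(seconds=off))} 10.0.5.31:{50200 + i} -> 203.0.113.9:8443 tcp")
    for i in range(120):                                              # 120 sources hit 10.0.1.10 in 8 s
        lines.append(f"{fmt(t0 + timedelta(seconds=300 + i % 8))} 198.51.100.{i + 1}:{40000 + i} -> 10.0.1.10:443 tcp")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(line) for line in sample_records()]
    print("beacons:", find_beacons(flows))
    print("floods:", find_floods(flows))
```

The direction of the traffic is what separates the two detections, exactly as the exam trap for question 38 says: the beacon test only considers internal-to-external flows, the flood test only external-to-internal ones. The interval regularity check is what keeps ordinary irregular outbound traffic on an unusual port from being flagged.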

40
Multi-Selecthard

In incident response, which TWO are considered volatile data that should be collected first? (Select exactly 2.)

Select 2 answers
A.Hard drive contents
B.Network connections
C.Backup tapes
D.System logs
E.Memory contents
AnswersB, E

Active network connections are ephemeral and lost after reboot.

Why this answer

Network connections (option B) are volatile because they represent active communication channels that disappear when the system is powered off or disconnected. In incident response, collecting network connection data (e.g., using netstat -an) first preserves evidence of ongoing malicious activity, such as command-and-control (C2) traffic or lateral movement, before it is lost. Memory contents (option E) are even more volatile: RAM holds running processes, decrypted data, injected code and encryption keys that vanish the moment the system loses power, so a memory image is captured before anything on disk, consistent with the order of volatility in RFC 3227.

Exam trap

ISC2 often tests the distinction between volatile and non-volatile data, and the trap here is that candidates mistakenly classify system logs as volatile because they change frequently, but logs are stored on disk and are not lost on power-off, whereas network connections and memory are lost immediately.

41
MCQmedium

Based on the backup schedule, what is the maximum potential data loss?

A.9 hours (since Tuesday 01:00)
B.2 days (data since Monday)
C.33 hours (data since Tuesday 01:00)
D.1 day (data since last full backup)
AnswerC

Last successful backup was Tuesday 01:00; failure at Wednesday 10:00 = 33 hours.

Why this answer

The maximum potential data loss is the interval between the last backup that can actually be restored and the point of failure. From the schedule, the full backup ran Monday 01:00 and the last successful differential ran Tuesday 01:00; any backup scheduled after that did not complete successfully, and the failure occurred Wednesday 10:00. Restoring the Monday full plus the Tuesday 01:00 differential brings the system back to Tuesday 01:00, so everything written between Tuesday 01:00 and Wednesday 10:00 is lost: 33 hours. The full backup itself is not the recovery point; a differential holds all changes since the last full, so the restore point is the time of the latest successful differential, not the time of the full.

Exam trap

ISC2 often tests the distinction between full, differential, and incremental backups, and the trap here is confusing the last full backup as the recovery point when differential backups actually allow restoration to a much more recent point, causing candidates to overestimate data loss.

How to eliminate wrong answers

Option A is wrong because 9 hours (since Tuesday 01:00) represents only the interval from the last differential backup to a failure shortly after, not the maximum possible loss; the maximum loss must consider the full period since the last successful backup that can be restored. Option B is wrong because 2 days (data since Monday) overestimates the loss; with differential backups, you can restore from the last full backup plus the latest differential, so data loss is limited to the time since that differential, not the full two days. Option D is wrong because 1 day (data since last full backup) ignores that differential backups reduce the recovery point; the maximum loss is not from the full backup but from the last differential backup that was successfully taken before the failure.
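As an added worked example (not part of the original page), the Python below generalises the calculation: given a list of backup jobs with their outcomes and a failure time, it builds the restore chain and returns the restore point and the data-loss window. It handles both differential chains (only the latest good differential matters, a failed one is skipped) and incremental chains (the chain breaks at the first failed incremental), which the page's questions 41 and 44 describe but do not compute. The schedules are constructed: the first reproduces the figures in question 41 (full Monday 01:00, last successful differential Tuesday 01:00, failure Wednesday 10:00), the calendar date for that Monday is arbitrary, and the weekly schedule with a failed Thursday job is invented to contrast the two chain types.

```python
"""Work out the latest restorable point and the maximum data loss for a backup
schedule, honouring the chain rules of differential and incremental backups."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "differential" or "incremental"
    time: datetime
    ok: bool = True      # False when the job failed or the media is unreadable


def restore_chain(backups, failure_time):
    """Backups a restore would apply, in order, ending at the latest restore point.

    The base is the latest successful full taken before the failure. A differential
    captures everything since that full, so only the latest successful one is needed
    and a failed differential is simply skipped. An incremental captures changes since
    the previous backup, so the chain breaks at the first failed incremental and later
    ones are unusable. Assumes one style (differential or incremental) after each full."""
    usable = sorted((b for b in backups if b.time <= failure_time), key=lambda b: b.time)
    fulls = [b for b in usable if b.kind == "full" and b.ok]
    if not fulls:
        return []
    base = fulls[-1]
    chain = [base]
    for b in usable:
        if b.time <= base.time:
            continue
        if b.kind == "differential" and b.ok:
            chain = [base, b]           # supersedes any earlier differential
        elif b.kind == "incremental":
            if not b.ok:
                break                   # everything after this point depends on it
            chain.append(b)
    return chain


def max_data_loss(backups, failure_time):
    """(restore point, data-loss window) or (None, None) when nothing is restorable."""
    chain = restore_chain(backups, failure_time)
    if not chain:
        return None, None
    return chain[-1].time, failure_time - chain[-1].time


# Constructed schedules. MON is Monday 01:00 (the date itself is arbitrary).
MON = datetime(2024, 3, 4, 1, 0)

# Reproduces question 41: full Monday 01:00, last successful differential Tuesday 01:00,
# the later differentials did not complete, failure Wednesday 10:00.
PAGE_CASE = [
    Backup("full", MON),
    Backup("differential", MON + timedelta(days=1)),
    Backup("differential", MON + timedelta(days=1, hours=12), ok=False),
    Backup("differential", MON + timedelta(days=2), ok=False),
]
WED_10 = MON + timedelta(days=2, hours=9)


def weekly_schedule(kind, failed_days=()):
    """Full on Monday 01:00, then one `kind` backup at 01:00 on each of the next five days;
    failed_days lists the day offsets (1 = Tuesday) whose job failed."""
    return [Backup("full", MON)] + [
        Backup(kind, MON + timedelta(days=d), ok=d not in failed_days) for d in range(1, 6)]


if __name__ == "__main__":
    print("question 41 case:", max_data_loss(PAGE_CASE, WED_10))          # Tue 01:00, 33 h
    fri_10 = MON + timedelta(days=4, hours=9)
    for kind in ("differential", "incremental"):                          # Thursday job failed
        chain = restore_chain(weekly_schedule(kind, failed_days=(3,)), fri_10)
        print(kind, [b.time.strftime("%a %H:%M") for b in chain], max_data_loss(weekly_schedule(kind, failed_days=(3,)), fri_10)[1])
```

With the same failed Thursday job and a Friday 10:00 failure, the differential schedule still restores to Friday 01:00 (9 hours of loss) because Friday's differential does not depend on Thursday's, while the incremental schedule can only be restored to Wednesday 01:00 (57 hours) because Friday's incremental is useless without Thursday's. That dependency is the reason question 44 insists on verifying every incremental in the chain before restoring.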

42
MCQeasy

During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?

A.Preserve forensic evidence from the isolated systems.
B.Wipe and rebuild all affected systems.
C.Notify law enforcement immediately.
D.Pay the ransom to restore operations quickly.
AnswerA

Preserving evidence supports investigation and potential legal action.

Why this answer

After isolating affected systems during a ransomware incident, the next best step is to preserve forensic evidence from those systems. This ensures that data such as memory dumps, logs, and encrypted files are captured intact for analysis, which is critical for understanding the attack vector, identifying the ransomware variant, and potentially recovering data without paying the ransom. Forensic preservation must occur before any remediation steps like wiping or rebuilding, as those actions would destroy the evidence needed for investigation and legal proceedings.

Exam trap

ISC2 often tests the misconception that containment (isolation) is the final step, but the trap here is that candidates skip forensic preservation and jump to remediation (wipe/rebuild) or external actions (law enforcement/payment), failing to recognize that evidence must be secured first to support both investigation and potential recovery.

How to eliminate wrong answers

Option B is wrong because wiping and rebuilding all affected systems destroys forensic evidence and prevents analysis of the ransomware's behavior, encryption keys, or entry point, which is essential for preventing future incidents and potentially recovering data. Option C is wrong because notifying law enforcement immediately is not the next operational step; while it may be required later, the immediate priority is preserving evidence to support any law enforcement investigation, and premature notification without evidence could hinder the response. Option D is wrong because paying the ransom does not guarantee data recovery, encourages further attacks, and violates many organizational policies and legal guidelines; the incident response team should never recommend payment as a first step.

43
MCQhard

During a disaster recovery exercise, the team discovers that the backup site does not have the latest security patches applied. Which of the following steps should be taken FIRST?

A.Patch the backup site immediately
B.Shut down the backup site
C.Document the finding and assess risk
D.Continue the exercise and note the issue
AnswerC

Proper incident response documentation and risk assessment are critical first steps.

Why this answer

The first step in any incident or exercise finding is to document the issue and assess the risk it poses. Patching the backup site immediately (Option A) could introduce instability or conflicts with the current exercise, while shutting it down (Option B) would disrupt the DR test. By documenting and assessing risk first, the team can determine the appropriate remediation priority based on the backup site's role and the criticality of the missing patches.

Exam trap

ISC2 often tests the principle that 'document and assess' must precede any corrective action, even in an exercise, to avoid impulsive changes that could invalidate the test results or introduce new risks.

How to eliminate wrong answers

Option A is wrong because applying patches without first assessing the risk could break the backup site's configuration or introduce new vulnerabilities during the exercise, and it may not be the highest priority action. Option B is wrong because shutting down the backup site would halt the disaster recovery exercise and potentially leave the organization without any failover capability, which is counterproductive. Option D is wrong because simply continuing the exercise without documenting or assessing the issue ignores the security gap and could lead to a false sense of readiness, violating standard incident response procedures (NIST SP 800-61).

44
MCQmedium

A healthcare organization experiences a ransomware attack that encrypts all files on file servers and workstations. The incident response team has isolated the infected systems. The backup policy includes daily incremental backups and weekly full backups stored on a separate network segment. The most recent full backup is 5 days old. The incremental backups from the past 4 days are available but are stored on the same backup server that might be compromised. To restore data with minimal loss, what should the team do?

A.Use the most recent incremental backup to restore files directly.
B.Assume all backups are compromised and rebuild systems from scratch.
C.First verify the integrity of the backups by scanning them on an isolated system, then restore the full backup and apply the most recent clean incremental backups.
D.Restore the weekly full backup and then apply all incremental backups from the past 5 days.
AnswerC

Ensures clean backups and minimal data loss.

Why this answer

Option C is correct. First, verify backup integrity on an isolated system to ensure no ransomware remnants remain. Then restore the full backup and apply the most recent clean incremental backups.

Option A is wrong because it uses only an incremental backup, missing the full backup it depends on. Option B is too drastic if the backups turn out to be clean. Option D could restore the ransomware itself if any of the unverified incremental backups are compromised.

45
MCQmedium

During an incident, an organization needs to preserve volatile data. Which of the following should be collected FIRST?

A.Backup tapes
B.Memory contents
C.Hard drive contents
D.Network logs
AnswerB

Memory is volatile and disappears when the system is turned off.

Why this answer

Volatile data is lost when the system loses power. Memory content is the most volatile.

46
MCQmedium

A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?

A.Data loss of up to 3 hours occurred.
B.The failover process was unsuccessful.
C.No data loss occurred because the secondary site was available.
D.The recovery time objective (RTO) was not met.
AnswerA

The RPO is 1 hour but failover took 4 hours, causing up to 3 hours of data loss.

Why this answer

The RPO of 1 hour means the company can tolerate losing up to 1 hour of data. Since the failover took 4 hours, any data written in the 3 hours before the power failure that had not yet been replicated to the secondary site would be lost. This results in a data loss window of up to 3 hours, exceeding the RPO.

Exam trap

ISC2 often tests the distinction between RPO (data loss tolerance) and RTO (downtime tolerance), and candidates mistakenly assume that a successful failover means no data loss, ignoring the replication lag.

How to eliminate wrong answers

Option B is wrong because the failover process completed successfully in 4 hours, as stated; the question does not indicate any failure in the failover itself. Option C is wrong because data loss can occur even if the secondary site is available, if the replication lag exceeds the RPO. Option D is wrong because the RTO is the maximum acceptable downtime, and the failover took 4 hours; without knowing the RTO value, we cannot conclude it was not met — the question only provides the RPO.

47
MCQeasy

After a ransomware attack, which team is primarily responsible for coordinating the response?

A.Executive Management
B.Incident Response Team
C.IT Support
D.Legal Department
AnswerB

The IRT is responsible for coordinating the response to security incidents.

Why this answer

The Incident Response Team (IRT) is primarily responsible for coordinating the response to a ransomware attack because it follows a predefined incident response plan (IRP) that includes containment, eradication, and recovery procedures. The IRT typically includes security analysts, forensic experts, and system administrators who execute technical steps such as isolating affected systems, analyzing the ransomware strain, and restoring from backups. This team operates under the NIST SP 800-61 framework, ensuring a structured and rapid response to minimize damage.

Exam trap

ISC2 often tests the misconception that Executive Management or Legal should lead the response due to their authority or compliance role, but the exam emphasizes that technical coordination belongs to the Incident Response Team as defined in the CC curriculum's incident response process.

How to eliminate wrong answers

Option A is wrong because Executive Management provides strategic oversight and approves budget/resource allocation, but they lack the technical expertise to coordinate hands-on incident response activities like network isolation or forensic analysis. Option C is wrong because IT Support focuses on routine user troubleshooting and system maintenance, not on executing the specialized containment and eradication steps required during a ransomware incident, such as analyzing malware indicators of compromise (IOCs) or applying firewall rules. Option D is wrong because the Legal Department handles regulatory compliance, breach notification, and liability issues, but they do not perform the technical coordination of response actions like system restoration or evidence preservation.

48
MCQeasy

A small manufacturing company's IT infrastructure consists of a single server running ERP and file services, with a nightly backup to an external hard drive. The server fails due to hardware failure. The company's BCP states that the ERP system must be restored within 8 hours. The backup is 12 hours old. The IT administrator has a spare server of similar configuration. What is the BEST course of action?

A.Use cloud-based ERP temporarily.
B.Perform a bare-metal restore using the backup.
C.Install the backup onto the spare server and restore the data from the external hard drive.
D.Order a new server from the vendor (lead time 3 days).
AnswerC

Utilizes spare server and meets RTO.

Why this answer

Option C is correct because the spare server has a similar configuration, allowing the IT administrator to install the backup software and restore the ERP system and file data from the external hard drive. This approach meets the 8-hour RTO by leveraging the existing backup, even though it is 12 hours old, as the restore process is straightforward and does not require ordering new hardware or migrating to a cloud platform.

Exam trap

The trap here is that candidates may confuse 'bare-metal restore' with a simple file restore, assuming the backup contains a full system image, when in fact the backup is to an external hard drive and likely file-level, making a bare-metal restore impossible without a compatible system image.

How to eliminate wrong answers

Option A is wrong because using a cloud-based ERP temporarily would require significant setup time, data migration, and potential licensing changes, which likely exceeds the 8-hour RTO and introduces complexity not aligned with the existing BCP. Option B is wrong because a bare-metal restore requires the backup to be in a specific format (e.g., system image) and the spare server to have identical hardware; the backup is to an external hard drive, likely file-level, not a full system image, making a bare-metal restore impractical. Option D is wrong because ordering a new server with a 3-day lead time far exceeds the 8-hour RTO, and the spare server is already available, making this the slowest and least effective course of action.

49
MCQhard

An organization uses a warm site for disaster recovery. Which of the following is the MOST significant risk of this approach?

A.Data may not be synchronized with the primary site
B.The site may be too far away
C.The site may not have recent data
D.High cost of maintaining duplicate hardware
AnswerA

Lack of real-time replication means data loss up to the last backup.

Why this answer

A warm site has infrastructure and connectivity ready but does not maintain real-time data synchronization with the primary site. The most significant risk is that data may not be synchronized, meaning the Recovery Point Objective (RPO) could be hours or days old, leading to potential data loss during failover. Unlike a hot site with synchronous replication, a warm site typically uses periodic backups or asynchronous replication, creating a gap in data currency.

Exam trap

ISC2 often tests the distinction between hot, warm, and cold sites by focusing on data synchronization versus infrastructure readiness — the trap here is that candidates confuse 'data may not be recent' (Option C) with the more precise technical risk of 'data may not be synchronized,' which is the defining vulnerability of a warm site.

How to eliminate wrong answers

Option B is wrong because distance is a consideration for any DR site (hot, warm, or cold) and is not specific to the warm site model; latency can be mitigated with WAN optimization or replication tuning. Option C is wrong because it is essentially a restatement of the data synchronization issue but less precise — the core risk is lack of synchronization, not merely that data 'may not have recent data,' which is a symptom of the synchronization gap. Option D is wrong because high cost of maintaining duplicate hardware is a characteristic of a hot site, not a warm site; a warm site typically has lower hardware costs as it may not run full production-equivalent systems until activation.

50
MCQmedium

An organization experiences a ransomware attack that encrypts critical file servers. The backups are stored on a separate network segment but are also encrypted. The incident response team suspects the attacker compromised the backup system using stored credentials. Which best practice should have been implemented to prevent this?

A.Implement air-gapped backups stored offline
B.Enable multi-factor authentication (MFA) on backup system access
C.Encrypt backup data at rest and in transit
D.Use a separate VLAN for backup traffic
AnswerB

MFA mitigates the risk of credential theft, as the attacker would need an additional factor to authenticate.

Why this answer

Option B is correct because enabling multi-factor authentication (MFA) on backup system access would have prevented the attacker from using stored credentials to compromise the backup system. MFA requires an additional authentication factor beyond just a password or stored token, making credential theft or reuse insufficient for access. This directly addresses the attack vector described—stolen credentials—rather than relying solely on network segmentation or encryption.

Exam trap

ISC2 often tests the distinction between preventive controls that stop the attack vector (MFA on access) versus controls that mitigate damage after compromise (air gaps, encryption, VLANs), leading candidates to choose network segmentation or encryption instead of addressing the credential theft directly.

How to eliminate wrong answers

Option A is wrong because air-gapped backups stored offline would prevent encryption of the backup data during the attack, but the question specifically states the backups were on a separate network segment and were encrypted using stored credentials; an air gap does not address the root cause of credential compromise and reuse. Option C is wrong because encrypting backup data at rest and in transit protects the confidentiality of the data but does not prevent an attacker from accessing or encrypting the backup system itself using valid credentials. Option D is wrong because using a separate VLAN for backup traffic provides network segmentation but does not prevent an attacker who has compromised credentials from authenticating to the backup system from within that VLAN or from another compromised host.

51
MCQeasy

A company's primary data center is destroyed by a natural disaster. The backup site has been fully synchronized but needs to be activated. Which process addresses the activation of the backup site?

A.Risk Management Plan
B.Incident Response Plan (IRP)
C.Disaster Recovery Plan (DRP)
D.Business Continuity Plan (BCP)
AnswerC

DRP specifically addresses IT infrastructure recovery and activation of backup sites.

Why this answer

The Disaster Recovery Plan (DRP) specifically outlines the procedures for activating a backup site after a primary data center failure. In this scenario, the backup site is fully synchronized but requires activation, which involves steps like DNS changes, storage array failover (e.g., using synchronous replication with a quorum witness), and network reconfiguration. The DRP is the document that contains these technical recovery steps, distinguishing it from broader continuity or incident response plans.

Exam trap

ISC2 often tests the distinction between BCP and DRP by presenting a scenario where the backup site is already synchronized but needs activation, leading candidates to incorrectly choose BCP because they confuse business continuity with technical disaster recovery.

How to eliminate wrong answers

Option A is wrong because a Risk Management Plan identifies, assesses, and mitigates risks before an incident occurs; it does not contain the step-by-step activation procedures for a backup site. Option B is wrong because an Incident Response Plan (IRP) focuses on immediate containment, eradication, and recovery from security incidents (e.g., malware, data breaches), not on activating a backup data center after a natural disaster. Option D is wrong because a Business Continuity Plan (BCP) addresses maintaining critical business functions during a disruption, often through alternative work arrangements or manual processes, but it does not provide the technical failover steps for activating a backup data center.

52
MCQmedium

A security analyst receives an alert of unusual network traffic from an internal host to an external IP known for command-and-control. After isolating the host, what should be the next step?

A.Wipe the host and reinstall OS
B.Preserve forensic evidence and analyze
C.Reimage the host from backup
D.Notify law enforcement
AnswerB

Preserving and analyzing evidence is critical to understand the compromise and prevent future incidents.

Why this answer

Preserving forensic evidence and analyzing the host is the correct next step because incident response methodology (e.g., NIST SP 800-61) requires containment followed by evidence collection and analysis to determine the scope of compromise, identify indicators of compromise (IOCs), and understand the attack vector. Wiping or reimaging destroys volatile data (e.g., memory, running processes, network connections) and artifacts (e.g., registry keys, prefetch files, event logs) that are critical for attribution and remediation. Analysis may involve memory forensics (using tools like Volatility) and disk forensics to extract malware samples, C2 communication logs, and lateral movement traces.

Exam trap

ISC2 often tests the misconception that immediate containment (like wiping or reimaging) is the priority, but the trap here is that the CC exam emphasizes the incident response process order: isolate, then preserve evidence, then analyze, then remediate — skipping evidence preservation violates standard forensic procedures.

How to eliminate wrong answers

Option A is wrong because wiping the host and reinstalling the OS destroys all forensic evidence, preventing root cause analysis and potentially allowing the attacker to persist if the infection vector is not identified. Option C is wrong because reimaging from backup may reintroduce the same vulnerability or malware if the backup is also compromised, and it skips the critical step of evidence preservation and analysis. Option D is wrong because notifying law enforcement is premature before internal investigation confirms the incident's nature and scope; law enforcement involvement typically occurs after evidence is preserved and a decision is made to pursue legal action, not as an immediate next step.

53
MCQeasy

Based on the incident log, at which step did the incident response team contain the threat?

A.14:30 - Scanned system, detected Trojan.Downloader
B.14:45 - Removed malware via AV
C.14:25 - Isolated WKS-045 from network
D.14:35 - Escalated to incident handler
AnswerC

Isolation prevents further spread, containing the threat.

Why this answer

Option C is correct because containment is the immediate step to prevent the threat from spreading, and isolating WKS-045 from the network at 14:25 achieves this by cutting off its network connectivity. This aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized before eradication or recovery. The log shows isolation occurred before scanning or removal, making it the correct containment action.

Exam trap

ISC2 often tests the distinction between containment and eradication, where candidates mistakenly choose removal (Option B) as containment, but containment must stop the spread before any cleanup occurs.

How to eliminate wrong answers

Option A is wrong because scanning the system and detecting Trojan.Downloader at 14:30 is a detection and analysis step, not containment; containment must happen before or concurrently with analysis to stop lateral movement. Option B is wrong because removing malware via AV at 14:45 is an eradication step, which occurs after containment to eliminate the threat from the isolated system. Option D is wrong because escalating to the incident handler at 14:35 is a communication and coordination step, not a technical containment action; it does not directly stop the threat from spreading.

54
Multi-Selectmedium

Which TWO actions are most effective in reducing the mean time to detect (MTTD) a security incident?

Select 2 answers
A.Requiring multi-factor authentication for all remote access
B.Implementing a SIEM with centralized logging from critical systems
C.Conducting annual security awareness training for all employees
D.Deploying endpoint detection and response (EDR) agents on all workstations
E.Standardizing firewall rules across all network segments
AnswersB, D

SIEM correlates events and alerts analysts, reducing detection time.

Why this answer

Option B is correct because a SIEM with centralized logging aggregates and correlates logs from critical systems, enabling real-time analysis and automated alerting. This drastically reduces MTTD by surfacing indicators of compromise (IoCs) within minutes rather than hours or days, as manual log review would require.

Exam trap

The trap here is that candidates confuse preventive controls (MFA, training, firewall rules) with detective controls, failing to recognize that only logging and monitoring tools directly reduce the time to detect an incident.

55
MCQeasy

You are the cybersecurity lead for a mid-sized retail company. One morning, employees report that they cannot access files on the shared drive, and a ransom note appears on several screens demanding $50,000 in Bitcoin. The company has a formal incident response plan that was last updated two years ago and has never been tested. Backups are taken nightly to an on-premises tape library and also replicated to a cloud storage service but have not been verified recently. The CEO is insisting on paying the ransom to avoid business disruption. Which of the following is the MOST appropriate first course of action?

A.Delete all infected files and rebuild the file server from scratch without involving backups.
B.Ignore the incident and continue operations, assuming it will resolve on its own.
C.Pay the ransom immediately to minimize downtime and recover data quickly.
D.Isolate the infected systems from the network, then restore data from the most recent verified backup.
AnswerD

Isolation stops the spread, and restoring from verified backups is the standard incident response procedure.

Why this answer

Option D is correct because the first priority in any ransomware incident is containment: isolating infected systems prevents lateral movement and further encryption. Restoring from the most recent verified backup ensures data integrity and avoids paying the ransom, which does not guarantee decryption and funds criminal activity. The incident response plan should then be activated and updated based on lessons learned.

Exam trap

ISC2 often tests the misconception that paying the ransom is the fastest way to recover data, but the correct answer emphasizes containment and verified backups as the primary incident response steps.

How to eliminate wrong answers

Option A is wrong because deleting infected files and rebuilding from scratch without involving backups discards all data, including potentially unencrypted files, and ignores the need for verified clean backups to restore operations. Option B is wrong because ignoring the incident allows ransomware to spread, encrypt more systems, and cause greater business disruption, violating basic incident response containment principles. Option C is wrong because paying the ransom does not guarantee decryption keys will be provided, encourages further attacks, and bypasses proper forensic investigation and recovery procedures.

56
MCQeasy

A company's primary data center is located in a region prone to hurricanes. The IT team is designing a disaster recovery plan to ensure critical applications resume within 4 hours of a declared disaster. Which of the following is the MOST appropriate recovery strategy?

A.Hot site with synchronous replication (RTO 1 hour, RPO near zero)
B.Colocation with tape backups shipped offsite (RTO 24 hours, RPO 24 hours)
C.Cold site with weekly full backups (RTO 48 hours, RPO 7 days)
D.Warm site with daily incremental backups (RTO 6 hours, RPO 4 hours)
AnswerA

Meets RTO and RPO requirements.

Why this answer

A hot site with synchronous replication is the most appropriate strategy because it provides an RTO of 1 hour (well within the 4-hour requirement) and an RPO near zero, ensuring critical applications resume quickly with minimal data loss. Synchronous replication writes data to both primary and replica storage simultaneously, so in a hurricane scenario, the hot site is fully operational and ready to take over immediately.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates may choose a warm site (Option D) because its RTO of 6 hours seems close to 4 hours, but they overlook that the RTO must be strictly less than or equal to the requirement, and synchronous replication at a hot site is the only option that meets both the 4-hour RTO and near-zero RPO for critical applications.

How to eliminate wrong answers

Option B is wrong because colocation with tape backups shipped offsite has an RTO of 24 hours and RPO of 24 hours, far exceeding the 4-hour RTO requirement, and tape restoration is slow and prone to media errors. Option C is wrong because a cold site with weekly full backups has an RTO of 48 hours and RPO of 7 days, meaning applications would be down for two days and up to a week of data could be lost, completely failing the 4-hour RTO. Option D is wrong because a warm site with daily incremental backups has an RTO of 6 hours, which exceeds the 4-hour requirement, and the RPO of 4 hours still risks losing up to 4 hours of transactions, whereas synchronous replication offers near-zero data loss.

57
MCQmedium

Refer to the exhibit. Based on the backup log, what is the most likely corrective action?

A.Reschedule the backup for a later time
B.Check network connectivity
C.Replace the tape drive
D.Add more storage space to the backup target
AnswerD

The explicit error is 'insufficient storage space', so adding space directly addresses the issue.

Why this answer

The final error indicates insufficient storage space. Adding more storage space to the backup target would resolve the issue. The earlier tape error may be a symptom of full storage.

58
MCQeasy

Which metric defines the maximum acceptable amount of data loss measured in time?

A.Recovery Point Objective (RPO)
B.Mean Time Between Failures (MTBF)
C.Mean Time to Repair (MTTR)
D.Recovery Time Objective (RTO)
AnswerA

RPO defines the maximum data loss in terms of time.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, typically expressed in seconds, minutes, or hours. It represents the age of the most recent backup or replicated data that must be available to resume operations after a disaster, directly determining the frequency of backups or replication intervals.

Exam trap

ISC2 often tests the distinction between RPO and RTO, where candidates confuse 'data loss' (RPO) with 'downtime' (RTO); the trap is that both are time-based metrics, but RPO is about how far back in time you can recover data, while RTO is about how long it takes to restore service.

How to eliminate wrong answers

Option B is wrong because Mean Time Between Failures (MTBF) measures the average time between system failures, not data loss; it is a reliability metric used for hardware or component failure prediction. Option C is wrong because Mean Time to Repair (MTTR) measures the average time required to restore a failed system or component, not the acceptable data loss window. Option D is wrong because Recovery Time Objective (RTO) defines the maximum acceptable downtime after a disaster, not the amount of data loss measured in time; RTO focuses on service restoration speed, while RPO focuses on data currency.

59
Multi-Selecteasy

Which TWO are key outputs of a Business Impact Analysis (BIA)?

Select 2 answers
A.List of critical business processes
B.Password policy
C.Network diagram
D.Risk register
E.Recovery Time Objectives
AnswersA, E

BIA identifies and prioritizes critical processes.

Why this answer

BIA identifies critical business processes and determines their recovery requirements, such as Recovery Time Objectives (RTO).

60
MCQeasy

A company has a disaster recovery plan that includes a hot site. Which of the following is the PRIMARY advantage of a hot site over a cold site?

A.Easier maintenance
B.Faster recovery time
C.Greater security
D.Lower cost
AnswerB

Hot sites are fully configured and ready, enabling rapid failover.

Why this answer

A hot site is a fully operational duplicate of the primary data center, complete with live servers, storage, networking, and synchronized data. This eliminates the need to procure and configure hardware after a disaster, enabling recovery in minutes or hours rather than days or weeks. The primary advantage is therefore a significantly faster recovery time objective (RTO) compared to a cold site, which has no pre-installed equipment.

Exam trap

ISC2 often tests the distinction that a hot site's primary benefit is speed of recovery (RTO), not cost or security, and candidates mistakenly choose 'lower cost' because they confuse hot sites with warm sites or assume all DR sites are expensive.

How to eliminate wrong answers

Option A is wrong because hot sites require more complex maintenance, including continuous data replication and live system updates, whereas cold sites have minimal upkeep. Option C is wrong because a hot site does not inherently provide greater security; security depends on the specific controls implemented at each site, and both hot and cold sites can be equally secure. Option D is wrong because a hot site is far more expensive than a cold site due to the cost of maintaining duplicate hardware, software licenses, and ongoing data synchronization.

61
Drag & Dropmedium

Drag and drop the steps for the proper disposal of a hard drive containing sensitive data into the correct order.

Why this order

Proper disposal includes identification, backup, sanitization, verification, and documentation.

62
MCQhard

During a disaster recovery exercise, the backup systems are not available because the storage array failed. Which of the following should be done FIRST?

A.Activate the disaster recovery plan
B.Contact the vendor
C.Restore from offsite tape
D.Order replacement hardware
AnswerA

The DR plan includes procedures for such failures and guides next steps.

Why this answer

When backup systems are unavailable due to a storage array failure, the first action must be to activate the disaster recovery plan (DRP). The DRP is the predefined, documented set of procedures that guides the organization through the recovery process, including escalation, communication, and alternative recovery methods. Without activating the plan, subsequent steps like contacting vendors or restoring from tape lack coordination and may violate recovery time objectives (RTOs) and recovery point objectives (RPOs).

Exam trap

ISC2 often tests the principle that the disaster recovery plan must be activated before any technical recovery action is taken, trapping candidates who jump to a specific recovery step like restoring from tape or contacting a vendor without first following the documented process.

How to eliminate wrong answers

Option B is wrong because contacting the vendor is a tactical step that should be performed after the DRP is activated, as the plan specifies when and how to engage vendors. Option C is wrong because restoring from offsite tape is a specific recovery action that must be directed by the DRP, which first requires assessing the situation and authorizing the restore process. Option D is wrong because ordering replacement hardware is a procurement action that occurs later in the recovery timeline, after the DRP has been activated and a gap analysis has been performed.

63
MCQhard

A company's business continuity plan requires a maximum tolerable downtime of 2 hours for the ERP system. The current backup process takes 3 hours to restore. Which of the following is the BEST corrective action?

A.Reduce RTO to 1 hour
B.Increase backup frequency
C.Implement synchronous replication
D.Perform restoration testing quarterly
AnswerC

Synchronous replication ensures data is mirrored in real-time, allowing near-instant failover.

Why this answer

The maximum tolerable downtime (MTD) is 2 hours, but the current restore process takes 3 hours, which exceeds the MTD. Synchronous replication writes data to both primary and secondary storage simultaneously, ensuring that the secondary copy is always current and can be failed over to in seconds or minutes, not hours. This reduces the recovery time objective (RTO) to well under the required 2 hours, directly addressing the gap.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates confuse backup frequency (which affects RPO) with restore speed (which affects RTO), leading them to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because reducing the RTO to 1 hour does not fix the underlying problem—the restore process still takes 3 hours, and simply changing a target number without improving the technology does not achieve compliance. Option B is wrong because increasing backup frequency reduces the recovery point objective (RPO), not the recovery time objective (RTO); the restore time remains 3 hours regardless of how often backups are taken. Option D is wrong because quarterly restoration testing validates that backups work but does not reduce the 3-hour restore time; testing alone cannot bring the RTO below the MTD.

64
MCQ · easy

A company's backup strategy involves daily full backups only. What is the primary risk associated with this approach?

A. Recovery Point Objective (RPO) may be too long
B. Recovery Time Objective (RTO) may be exceeded due to long restore
C. High cost of backup storage
D. Data corruption could spread across backups
Answer: B

Restoring a full backup takes significant time, which may violate the RTO.

Why this answer

With daily full backups only, the Recovery Point Objective (RPO) is effectively 24 hours, which may be acceptable depending on business requirements. However, the primary risk is that restoring from a single full backup can take a very long time, especially for large datasets, potentially exceeding the Recovery Time Objective (RTO). This is because full backups contain all data and must be restored entirely, unlike incremental or differential backups that allow faster recovery by restoring only changed blocks.

Exam trap

ISC2 often tests the distinction between RPO and RTO, and the trap here is that candidates assume the primary risk is a long RPO (Option A) because they think daily backups mean losing a day of data, but the question specifically asks about the primary risk of this approach, which is the long restore time impacting RTO.

How to eliminate wrong answers

Option A is wrong because the RPO for daily full backups is fixed at 24 hours, which may be acceptable for many organizations; the question asks for the primary risk, and RPO is not inherently too long—it depends on the business requirement. Option C is wrong because daily full backups do not inherently have high storage cost; in fact, they can be more storage-efficient than combining full and incremental backups if retention is short, and cost is not the primary risk. Option D is wrong because data corruption spreading across backups is a risk associated with any backup strategy, not specific to daily full backups; it is not the primary risk highlighted by this approach.

65
MCQ · hard

According to the NIST 800-61 incident response lifecycle, after containment and eradication have been performed, what is the next phase?

A. Recovery
B. Post-incident activity
C. Detection and analysis
D. Preparation
Answer: A

Recovery follows containment and eradication to bring systems back online.

Why this answer

According to the NIST 800-61 incident response lifecycle, the phases are Preparation, Detection & Analysis, Containment/Eradication, and Recovery. After containment (isolating the threat) and eradication (removing malware, patching vulnerabilities), the next phase is Recovery, where systems are carefully restored to normal operations, often using clean backups and verifying system integrity before reconnecting to the network.

Exam trap

ISC2 often tests the exact NIST 800-61 phase order, and the trap here is that candidates confuse 'Post-incident activity' as the immediate next step after eradication, when in fact Recovery must occur first to restore operations before conducting the final review.

How to eliminate wrong answers

Option B is wrong because Post-incident activity is the final phase that occurs after Recovery, involving lessons learned, documentation, and evidence retention. Option C is wrong because Detection and analysis occurs before containment/eradication, not after. Option D is wrong because Preparation is the initial phase that happens before any incident occurs, establishing policies, tools, and training.

66
MCQ · easy

Which document outlines the procedures for maintaining critical business functions during a disruption?

A. Business Continuity Plan
B. Continuity of Operations Plan
C. Incident Response Plan
D. Disaster Recovery Plan
Answer: A

BCP outlines procedures to sustain essential business operations.

Why this answer

The Business Continuity Plan (BCP) is the correct answer because it specifically outlines the procedures and strategies to maintain critical business functions during a disruption. Unlike other plans that focus on IT recovery or incident response, the BCP ensures that essential business operations continue, often by leveraging alternate work sites, manual workarounds, or scaled-down processes, until normal operations can be restored.

Exam trap

ISC2 often tests the distinction between BCP and DRP, where candidates mistakenly choose Disaster Recovery Plan because they focus only on IT recovery, forgetting that BCP covers the broader business continuity including non-IT functions like manual order processing or alternate facilities.

How to eliminate wrong answers

Option B (Continuity of Operations Plan) is wrong because it is a U.S. government-specific framework (COOP) focused on maintaining essential government functions at an alternate facility, not a general business continuity document. Option C (Incident Response Plan) is wrong because it focuses on detecting, containing, and eradicating security incidents (e.g., malware outbreaks or data breaches), not on maintaining ongoing business functions during a disruption. Option D (Disaster Recovery Plan) is wrong because it is a subset of BCP that specifically addresses the recovery of IT infrastructure and systems after a disaster, not the broader maintenance of critical business functions.

67
MCQ · easy

A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?

A. Hot site
B. Mobile site
C. Cold site
D. Warm site
Answer: A

A hot site is fully operational with all necessary hardware, software, and data.

Why this answer

A hot site is a fully equipped alternate work site with all necessary IT infrastructure—servers, networking, telecommunications, and power—ready to take over operations immediately. The question specifies 'full IT capabilities,' which aligns with the hot site's purpose of enabling rapid failover with minimal downtime, typically within hours.

Exam trap

ISC2 often tests the distinction between hot, warm, and cold sites by emphasizing the 'full IT capabilities' phrase—candidates may confuse a warm site (which has some equipment) with a hot site, but the key differentiator is that a hot site is fully operational and ready for immediate use, while a warm site requires additional setup.

How to eliminate wrong answers

Option B (Mobile site) is wrong because a mobile site is a portable, temporary facility (e.g., a trailer) that may not have full IT capabilities pre-installed and is used for short-term emergencies, not as a permanent alternate work site with full IT readiness. Option C (Cold site) is wrong because a cold site provides only basic physical infrastructure (space, power, cooling) but lacks IT equipment, requiring days or weeks to procure and configure systems, which contradicts 'full IT capabilities.' Option D (Warm site) is wrong because a warm site has some pre-installed hardware and connectivity but not full IT capabilities; it typically requires additional configuration and data restoration before operations can resume, making it slower than a hot site.

68
MCQ · hard

You are the incident response lead for a financial services company. At 09:00, the SOC detects unusual outbound traffic from a server in the DMZ to an external IP known to be a command-and-control (C2) server. The server runs a legacy application that cannot be patched. The server is critical for customer transactions, but an alternate manual process can sustain operations for up to 4 hours. The CTO wants to keep the server online to avoid customer impact. The CEO is concerned about data exfiltration. The compliance officer reminds you of regulatory requirements to report breaches within 72 hours. Which action should you take FIRST?

A. Report the incident to the regulatory authority immediately.
B. Perform a forensic analysis of the server to determine the scope of compromise.
C. Disconnect the server from the network and activate the manual process.
D. Keep the server online under close monitoring to minimize customer disruption.
Answer: C

Immediate containment stops the C2 communication and protects data.

Why this answer

The correct first action is to disconnect the server from the network and activate the manual process. This immediately stops potential data exfiltration to the C2 server and contains the incident, aligning with the NIST incident response lifecycle's containment phase. Since the server runs a legacy application that cannot be patched and the manual process can sustain operations for up to 4 hours, isolation is both feasible and necessary to prevent further compromise while maintaining business continuity.

Exam trap

ISC2 often tests the principle that containment must precede any other action, even when business pressure or regulatory deadlines exist, to prevent candidates from prioritizing reporting or analysis over stopping the active threat.

How to eliminate wrong answers

Option A is wrong because reporting to the regulatory authority immediately (within 72 hours) is a post-containment step; the priority is to stop the active C2 communication and data loss first. Option B is wrong because performing forensic analysis on a live, compromised server connected to a C2 server risks altering evidence and allows continued data exfiltration; containment must precede forensics. Option D is wrong because keeping the server online under close monitoring does not stop the active outbound traffic to the C2 server, allowing ongoing data exfiltration and potential lateral movement, which violates the containment principle.

69
MCQ · medium

An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?

A. High recovery point objective (RPO)
B. Data encryption overhead
C. Insufficient bandwidth between sites
D. Increased latency for write operations
Answer: D

Synchronous replication requires acknowledgment from backup, causing latency proportional to distance.

Why this answer

Synchronous replication requires the primary site to wait for an acknowledgment from the backup site before completing each write operation. The 500-mile distance introduces a minimum round-trip latency of approximately 8-10 ms (based on fiber optic propagation at ~200 km/ms), which directly increases the time taken for write operations. This latency impact is the most likely risk introduced by this configuration.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication, and the trap here is that candidates confuse 'synchronous' with 'high RPO' or assume bandwidth is the main constraint, when in fact synchronous replication introduces latency as the primary risk due to the distance-dependent acknowledgment delay.

How to eliminate wrong answers

Option A is wrong because synchronous replication ensures that data is written to both sites before acknowledging the write, resulting in an RPO of zero (no data loss), not high RPO. Option B is wrong because data encryption overhead is a general security concern unrelated to the replication method or distance; it applies equally to any encrypted data transfer. Option C is wrong because insufficient bandwidth between sites is a capacity planning issue that can affect replication throughput but is not inherently introduced by synchronous replication or distance; latency is the primary risk, not bandwidth.

70
MCQ · easy

Refer to the exhibit. What is the first action the incident responder should take?

A. Disable the web application
B. Block the source IP in firewall
C. Ignore the alert as false positive
D. Investigate the web server at 192.168.1.10
Answer: D

Investigating the target server will confirm whether the attack succeeded and what data may be compromised.

Why this answer

The incident responder must first investigate the web server at 192.168.1.10 to confirm whether the alert is a true positive or a false positive. Jumping to containment actions like disabling the application or blocking the IP without verification could disrupt legitimate services or overlook the root cause. The initial step in any incident response process (as per NIST SP 800-61) is to validate the alert through analysis of logs, processes, and system state.

Exam trap

ISC2 often tests the candidate's understanding that the first step in incident response is always to investigate and validate the alert, not to immediately contain or dismiss it, tempting candidates to jump to a reactive action like blocking the IP or disabling the application.

How to eliminate wrong answers

Option A is wrong because disabling the web application immediately could cause unnecessary business disruption and may destroy volatile evidence (e.g., running processes, memory contents) before the incident is confirmed. Option B is wrong because blocking the source IP in the firewall is a containment action that should only occur after the alert is verified and the scope of the incident is understood; premature blocking could also block legitimate traffic if the IP is spoofed or shared. Option C is wrong because ignoring the alert as a false positive without investigation violates the fundamental incident response principle of 'trust but verify' and could allow an actual breach to go undetected.

71
Multi-Select · easy

Which THREE are phases of the incident response process according to NIST SP 800-61?

Select 3 answers
A. Containment, Eradication, and Recovery
B. Risk Assessment
C. Detection and Analysis
D. Preparation
E. Vendor Management
Answers: A, C, D

Preparation, Detection and Analysis, and Containment/Eradication/Recovery are three of the four NIST SP 800-61 phases.

Why this answer

Option A is correct because NIST SP 800-61 defines the incident response process as four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The 'Containment, Eradication, and Recovery' phase is explicitly grouped together as a single phase in the standard, making A a correct choice.

Exam trap

ISC2 often tests whether candidates recognize that 'Containment, Eradication, and Recovery' is a single phase in NIST SP 800-61, not three separate phases, and that 'Risk Assessment' and 'Vendor Management' are common distractors because they appear in other security frameworks but are not part of the incident response process.

72
MCQ · easy

During an incident, the incident response team discovers that an attacker has exfiltrated sensitive customer data. According to incident response best practices, whose approval is REQUIRED before contacting law enforcement?

A. CISO
B. CEO
C. Legal counsel
D. Public relations
Answer: C

Legal counsel ensures compliance and manages liability.

Why this answer

Legal counsel approval is required before contacting law enforcement because they ensure that the disclosure complies with data privacy laws (e.g., GDPR, CCPA) and does not violate chain-of-custody requirements or expose the organization to liability. The incident response team must coordinate with legal to determine the appropriate timing and scope of law enforcement involvement, as premature contact can compromise ongoing forensic investigations or breach legal agreements.

Exam trap

ISC2 often tests the misconception that the CISO or CEO has the final say on law enforcement contact, but the correct answer is always legal counsel because they are the only ones who can navigate the legal and regulatory implications of involving external authorities.

How to eliminate wrong answers

Option A is wrong because the CISO (Chief Information Security Officer) oversees the technical incident response but does not have the authority to approve external law enforcement contact; that decision requires legal review to avoid legal exposure. Option B is wrong because the CEO (Chief Executive Officer) may be informed but is not the required approver for law enforcement contact; legal counsel must assess the legal implications first. Option D is wrong because Public Relations handles external communications and reputation management but has no authority to approve law enforcement involvement; contacting law enforcement without legal approval could violate privacy regulations and damage the organization's legal standing.

73
MCQ · easy

Which metric is used to define the maximum amount of data loss an organization can tolerate during a disaster?

A. RTO
B. RPO
C. SLA
D. MTBF
Answer: B

RPO defines the maximum acceptable data loss.

Why this answer

RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss measured in time, such as seconds, minutes, or hours. It determines the age of the backup or replication data that must be restored to resume normal operations after a disaster. For example, an RPO of 1 hour means the organization can tolerate losing up to 1 hour's worth of data.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates mistakenly select RTO because they confuse 'time to recover' with 'time of data loss' — remember RTO is about downtime, RPO is about data loss.

How to eliminate wrong answers

Option A (RTO) is wrong because RTO (Recovery Time Objective) defines the maximum acceptable downtime, not data loss; it measures how quickly systems must be restored after a disaster. Option C (SLA) is wrong because SLA (Service Level Agreement) is a contractual commitment between a provider and customer covering performance metrics like uptime, not a specific measure of tolerable data loss. Option D (MTBF) is wrong because MTBF (Mean Time Between Failures) is a reliability metric that predicts the average time between system failures, not a measure of data loss tolerance.

74
MCQ · hard

During a tabletop exercise for a data center outage, the IT manager realizes that the disaster recovery plan does not specify how to failover the database cluster. The primary data center fails completely. The standby site has a replica of the database, but the application team cannot promote it because they lack the necessary privileges. What is the most likely cause of this gap?

A. The standby site's network connectivity was not tested
B. The database replication configuration was incorrect
C. The database failover procedure was not documented
D. The DR plan did not include role-based access for failover operations
Answer: D

Proper DR planning should define who has the authority to perform failover and ensure credentials are available at the standby site.

Why this answer

The correct answer is D because the scenario explicitly states that the application team lacks the necessary privileges to promote the standby database. This indicates that the disaster recovery plan did not define role-based access controls (RBAC) or assign failover permissions to specific personnel or groups. Without documented roles and privileges, even a fully replicated standby database cannot be promoted, causing a failover gap.

Exam trap

ISC2 often tests the distinction between a missing procedure (documentation gap) and missing authorization (access control gap), leading candidates to pick 'procedure not documented' when the real issue is that the team lacks the privileges to execute any procedure.

How to eliminate wrong answers

Option A is wrong because network connectivity, while important for replication and access, is not the root cause here—the standby site has a replica, implying connectivity exists. Option B is wrong because the replication configuration is correct (the standby has a replica), so the issue is not with replication setup but with authorization to promote. Option C is wrong because while the failover procedure may not be documented, the core problem is the lack of privileges to execute any documented procedure—documentation alone does not grant access rights.

75
MCQ · easy

Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?

A. The ACL is applied to the wrong interface or direction.
B. The implicit deny at the end of the ACL blocks HTTPS traffic.
C. The ACL is missing a permit statement for TCP port 443 return traffic.
D. The ACL explicitly denies TCP port 443.
Answer: A

If the ACL is applied inbound on the internal interface, it should work; if applied outbound on the external interface, it may block return traffic. The most likely issue is misapplication.

Why this answer

The exhibit shows an ACL that permits HTTP (TCP 80) but does not explicitly permit HTTPS (TCP 443). However, the question states that HTTP works and HTTPS does not, which suggests the ACL is correctly filtering inbound traffic on the outside interface. The most likely cause is that the ACL is applied to the wrong interface or direction, because if it were applied inbound on the inside interface, it would block outbound HTTPS traffic from the 192.168.1.0/24 network.

The implicit deny at the end of the ACL would block any traffic not explicitly permitted, but since HTTP works, the issue is not the implicit deny itself but rather the placement of the ACL.

Exam trap

ISC2 often tests the concept that an ACL applied to the wrong interface or direction can cause selective service failures, leading candidates to mistakenly focus on missing permit statements or the implicit deny rather than the ACL placement.

How to eliminate wrong answers

Option B is wrong because the implicit deny at the end of the ACL blocks all traffic not explicitly permitted, but that alone would also block HTTP if the ACL were correctly placed; the fact that HTTP works indicates the ACL is not blocking outbound traffic from the inside, so the implicit deny is not the root cause. Option C is wrong because HTTPS uses TCP port 443 for the initial outbound connection, and return traffic is statefully allowed by the Cisco IOS firewall or router if the ACL is applied correctly; the issue is not missing return traffic rules but the ACL's application direction. Option D is wrong because the exhibit does not show an explicit deny for TCP port 443; the ACL only permits HTTP, so HTTPS is implicitly denied, not explicitly denied.
