CCNA Cc Bc Dr Ir Questions

75 of 95 questions · Page 1/2 · Cc Bc Dr Ir topic · Answers revealed

1
Multi-Select · medium

An organization is implementing backup strategies. Which THREE are characteristics of differential backups? (Select THREE)

Select 3 answers
A. Backup time is generally faster than incremental backups
B. Requires all differential backups since the last full backup for a full restore
C. Requires only the last full backup and the latest differential backup for a full restore
D. Backs up all data changed since the last full backup
E. Restore time is generally faster than incremental backups
Answers: C, D, E

Only two sets needed: full and latest differential.

Why this answer

Differential backups copy all changes since the last full backup, making them medium-sized and faster to restore than incremental, but slower to back up than incremental.

2
MCQ · easy

An organization is developing a Business Continuity Plan (BCP). Which analysis is performed first to identify critical business functions and their dependencies?

A. Risk assessment
B. Business Impact Analysis (BIA)
C. Vulnerability assessment
D. Gap analysis
Answer: B

The BIA focuses on identifying critical business functions and their recovery requirements.

Why this answer

A Business Impact Analysis (BIA) identifies critical functions, dependencies, and recovery priorities, forming the foundation for the BCP.

3
MCQ · medium

During a disaster recovery test, the IT team successfully restored systems from backups and achieved the recovery time objective (RTO). However, users could not resume normal work because additional configuration and data validation were needed. Which metric was NOT met?

A. Recovery Point Objective (RPO)
B. Work Recovery Time (WRT)
C. Maximum Tolerable Downtime (MTD)
D. Recovery Time Objective (RTO)
Answer: B

WRT is the time to restore normal operations after systems are back, and it was not met.

Why this answer

Work Recovery Time (WRT) is the time needed to return to normal operations after systems are restored; it is separate from RTO.

4
Multi-Select · medium

During a ransomware incident, the incident response team needs to communicate with stakeholders. According to best practices, which TWO groups should be notified immediately? (Select TWO.)

Select 2 answers
A. Affected customers
B. Legal and public relations
C. All employees
D. Competitors
E. Internal management
Answers: B, E

Legal and PR help manage regulatory and public communication.

Why this answer

Internal management and legal/PR need to be informed early to coordinate response and manage communications.

5
MCQ · medium

A small business wants to minimize backup storage space and backup time, knowing that restoration may be slower. Which backup strategy should they choose?

A. Full backup weekly and incremental daily
B. Full backup daily
C. Differential backup daily
D. Incremental backup daily
Answer: D

Incremental backups are fastest and smallest, but restore is slower.

Why this answer

Incremental backups capture only changes since the last backup (full or incremental), saving time and space, but restoration requires all incrementals since the last full backup.

6
Multi-Select · easy

Which TWO of the following are common indicators of a potential data breach? (Choose two.)

Select 2 answers
A. Unauthorized access to sensitive files
B. Increased employee productivity
C. Regular software updates
D. Multiple failed login attempts from a single account
E. Unusual outbound network traffic
Answers: A, E

Access by unauthorized users is a clear breach indicator.

Why this answer

Unusual outbound network traffic (e.g., data exfiltration) and unauthorized access attempts are typical signs of a breach.

7
MCQ · easy

After an incident is resolved, which phase involves reviewing what happened, documenting lessons learned, and updating procedures?

A. Eradication
B. Containment
C. Lessons learned
D. Recovery
Answer: C

This phase focuses on post-incident review and improvement.

Why this answer

The lessons learned phase captures improvements for future incidents.

8
MCQ · medium

An organization is selecting a recovery site strategy that offers the fastest recovery time, measured in hours, to minimize downtime for critical applications. Which recovery site type best meets this requirement?

A. Cloud-based recovery
B. Cold site
C. Warm site
D. Hot site
Answer: D

Hot site is fully operational and can achieve RTO in hours.

Why this answer

A hot site is fully configured and mirrors the production environment, enabling recovery in hours, unlike warm sites (days) or cold sites (weeks).

9
MCQ · medium

A company experiences a data breach involving personal data of EU residents. Under GDPR, what is the maximum time within which the organization must notify the supervisory authority?

A. 48 hours
B. 72 hours
C. 7 days
D. 24 hours
Answer: B

GDPR mandates notification within 72 hours.

Why this answer

GDPR requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

10
Multi-Select · medium

An organization is re-evaluating its disaster recovery site options. Which TWO of the following describe characteristics of a warm site?

Select 2 answers
A. It typically provides a Recovery Time Objective (RTO) of several days.
B. It is an empty facility with power and cooling, but no IT equipment installed.
C. It is a fully operational duplicate of the primary site, ready to take over within hours.
D. It has partially configured hardware and software, requiring some setup before production use.
E. It uses virtual machines in the cloud that can be spun up on demand.
Answers: A, D

Correct. Warm sites have an RTO of days.

Why this answer

A warm site has partially configured hardware and software, but requires some setup before use. It typically has a longer RTO (days) compared to a hot site (hours). Hot sites mirror production exactly, cold sites are empty, and cloud-based recovery can be quickly spun up.

11
MCQ · medium

During a data breach incident, the incident response team discovers that personally identifiable information (PII) of European Union residents was compromised. According to GDPR, what is the maximum time frame for notifying the supervisory authority?

A. 72 hours
B. 48 hours
C. 7 days
D. 24 hours
Answer: A

GDPR mandates notification within 72 hours.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.

12
MCQ · hard

A company experiences a ransomware attack that encrypts all files on a file server. The IT team decides to restore the server from the most recent full backup taken 24 hours ago, followed by all differential backups taken since then. If the last full backup was on Sunday at midnight, and the attack occurs on Wednesday at 6:00 AM, with differential backups taken daily at noon, how many differential backups must be restored?

A. 3
B. 4
C. 1
D. 2
Answer: D

Two differential backups (Monday and Tuesday) were taken after the full backup and before the attack.

Why this answer

Differential backups contain changes since the last full backup. The last full backup was Sunday midnight. Differential backups were taken Monday noon, Tuesday noon, and Wednesday noon (but the attack was at 6 AM Wednesday, so Wednesday's backup hadn't occurred yet).

So differential backups available: Monday and Tuesday. That's 2 differential backups to restore.

13
MCQ · medium

Which phase of the incident response process involves restoring systems to normal operation and applying patches to prevent recurrence?

A. Containment
B. Eradication
C. Detection
D. Recovery
Answer: D

Recovery involves restoring systems and applying lessons learned.

Why this answer

Eradication removes the cause, and recovery restores systems. The question describes both eradication (patches) and recovery (restore), but 'recovery' is the phase where normal operations resume after eradication.

14
MCQ · easy

An organization wants to ensure that its critical business functions can continue operating during a disruption. Which plan specifically addresses keeping the business running during a disruption?

A. Incident Response Plan (IRP)
B. Disaster Recovery Plan (DRP)
C. Business Continuity Plan (BCP)
D. Business Impact Analysis (BIA)
Answer: C

BCP is designed to keep business running during a disruption.

Why this answer

The Business Continuity Plan (BCP) focuses on maintaining business operations during a disruption, while the Disaster Recovery Plan (DRP) focuses on restoring IT systems after a disruption.

15
MCQ · hard

A security analyst detects unusual outbound traffic from a server that suggests a data breach. According to GDPR, within what timeframe must the organization notify the supervisory authority?

A. 72 hours
B. 48 hours
C. 7 days
D. 24 hours
Answer: A

GDPR Article 33 requires notification within 72 hours.

Why this answer

GDPR mandates notification within 72 hours of awareness of a breach.

16
Multi-Select · medium

A company is creating a backup strategy for its critical database. The database is updated continuously, and the company can tolerate up to 2 hours of data loss. Which TWO backup methods would best help achieve a recovery point objective (RPO) of 2 hours? (Select TWO.)

Select 2 answers
A. Monthly full backups
B. Weekly full backups
C. Daily full backups
D. Hourly full backups
E. Transaction log backups every 30 minutes
Answers: D, E

Hourly backups limit data loss to at most 1 hour, within the 2-hour RPO.

Why this answer

To achieve an RPO of 2 hours, backups must be taken at least every 2 hours. Hourly full backups or transaction log backups (which capture changes frequently) can meet this RPO. Daily full backups alone would cause up to 24 hours of loss.

17
MCQ · medium

An organization's recovery time objective (RTO) for its customer database is 4 hours, and the recovery point objective (RPO) is 1 hour. The database is backed up every hour using full backups. A disaster occurs at 2:00 PM, and the last successful backup was at 1:00 PM. The system is restored and operational at 5:30 PM, but data from 1:00 PM to 2:00 PM is lost. Which statement is correct?

A. Both the RTO and RPO were met.
B. The RTO was met, but the RPO was exceeded.
C. The RTO was exceeded, but the RPO was met.
D. Both the RTO and RPO were exceeded.
Answer: A

RTO: 3.5 hours < 4 hours. RPO: 1 hour loss = 1 hour RPO, so both are met.

Why this answer

The RTO (4 hours) was met because recovery took 3.5 hours (2:00 PM to 5:30 PM). The data loss runs from the last successful backup at 1:00 PM to the disaster at 2:00 PM, exactly 1 hour, which is within the 1-hour RPO, so the RPO was also met.

So both RTO and RPO were met.

18
MCQ · medium

A company uses a reciprocal agreement for disaster recovery. What is a primary risk of this strategy?

A. Data confidentiality issues
B. Both organizations may be impacted by the same disaster
C. Slow recovery due to lack of equipment
D. High cost of maintaining the agreement
Answer: B

If they are in the same geographic area, a disaster could affect both.

Why this answer

In a reciprocal agreement, two organizations agree to host each other's systems. A key risk is that both may be affected by the same disaster (e.g., regional power outage) or that the partner's capacity may be insufficient.

19
MCQ · hard

An organization uses a 3-2-1 backup strategy. They have a primary full backup on a local NAS, a second copy on tape stored offsite, and a third copy in the cloud. During a ransomware attack, the local NAS and the tape library are both encrypted. Which copy should be used for recovery?

A. The tape backup
B. The local NAS backup
C. The cloud backup
D. A new full backup from production data
Answer: C

The cloud copy is offsite and likely unaffected by the local attack.

Why this answer

The 3-2-1 rule ensures one copy is offsite and isolated. The cloud copy is likely immutable or separate, so it can be used for recovery.

20
MCQ · medium

A financial institution's incident response team is handling a denial-of-service (DoS) attack that is affecting customer access. The team has identified the attack source IPs and implemented filtering rules on the perimeter firewall. Which phase of incident response is being performed?

A. Detection
B. Recovery
C. Eradication
D. Containment
Answer: D

Containment involves actions to limit the impact, such as blocking attack sources.

Why this answer

Implementing filtering rules to stop the attack is containment, as it prevents the attack from affecting systems further.

21
MCQ · hard

An organization has an RTO of 4 hours and an RPO of 1 hour for its customer database. After a disaster, the IT team restores the database from backups that are 2 hours old, and the system becomes operational in 3 hours. Which of the following is true?

A. Neither the RTO nor RPO was met.
B. The RPO was met, but the RTO was not.
C. Both the RTO and RPO were met.
D. The RTO was met, but the RPO was not.
Answer: D

RTO met (3h < 4h), but RPO exceeded (2h data loss > 1h allowed).

Why this answer

The system was restored in 3 hours, which is within the 4-hour RTO. However, data loss is 2 hours, exceeding the 1-hour RPO.

22
MCQ · medium

An organization's backup schedule: Full backup every Sunday, incremental backups Monday-Saturday. If a failure occurs on Thursday, how many backup sets are needed to restore the data?

A. 5 (Sunday full and all incrementals through Thursday)
B. 4 (Sunday full and Monday, Tuesday, Wednesday incrementals)
C. 1 (Sunday full only)
D. 2 (Sunday full and Wednesday incremental)
Answer: B

Full backup plus each incremental since then.

Why this answer

For incremental backups, you need the last full backup and all incrementals since then. So Sunday full + Monday, Tuesday, Wednesday incrementals (4 sets).

23
MCQ · medium

During a disaster recovery test, the IT team discovers that restoring all data from full backups takes 48 hours, exceeding the RTO. Which backup strategy would reduce restore time while maintaining a similar backup window?

A. Increasing backup frequency to hourly
B. Implementing the 3-2-1 backup rule
C. Switching from full to incremental backups only
D. Using differential backups instead of incremental
Answer: D

Differential backups capture all changes since the last full, enabling faster restore with only two tapes.

Why this answer

A differential backup backs up all changes since the last full backup, so restore requires only the full backup and the latest differential, reducing restore time compared to incremental.

24
MCQ · easy

Which recovery site strategy provides the shortest recovery time objective (RTO), typically measured in hours, by maintaining a fully mirrored environment that can be activated immediately?

A. Warm site
B. Reciprocal agreement
C. Cold site
D. Hot site
Answer: D

Hot site mirrors production and can be activated quickly, achieving RTO of hours.

Why this answer

A hot site is fully configured with hardware, software, and real-time data replication, enabling recovery within hours.

25
MCQ · easy

Which recovery site strategy provides the fastest Recovery Time Objective (RTO), typically within hours, by maintaining a fully operational mirrored environment?

A. Cold site
B. Warm site
C. Hot site
D. Cloud-based recovery
Answer: C

Hot sites are fully mirrored and can be operational within hours.

Why this answer

A hot site is a fully operational facility that mirrors the production environment, allowing recovery within hours.

26
MCQ · easy

An organization is creating a Business Continuity Plan (BCP). Which analysis should be performed first to identify critical business functions and their dependencies?

A. Risk Assessment
B. Business Impact Analysis
C. Vulnerability Assessment
D. Gap Analysis
Answer: B

BIA identifies critical business functions and their recovery requirements.

Why this answer

A Business Impact Analysis (BIA) is the first step in BCP to identify critical functions, dependencies, and recovery priorities.

27
Multi-Select · hard

An organization is updating its incident response plan. Which THREE elements should be included in the preparation phase? (Select THREE.)

Select 3 answers
A. Restoring data from backups
B. Notifying law enforcement
C. Conducting tabletop exercises
D. Acquiring forensic analysis tools
E. Creating an incident response team
Answers: C, D, E

Exercises test the plan and train staff.

Why this answer

Preparation includes establishing tools, training staff, and developing the plan.

28
MCQ · medium

A security analyst detects unusual outbound network traffic from a server that normally does not communicate externally. After confirming a malware infection, the analyst isolates the server from the network. Which incident response phase is the analyst performing?

A. Recovery
B. Detection
C. Containment
D. Eradication
Answer: C

Isolation is a containment measure.

Why this answer

Isolating the server is a containment action to prevent spread.

29
MCQ · medium

A healthcare organization experiences a data breach involving protected health information (PHI). Under GDPR, within how many hours must the organization notify the relevant supervisory authority?

A. 24 hours
B. 48 hours
C. 72 hours
D. 7 days
Answer: C

GDPR requires notification within 72 hours.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.

30
MCQ · hard

A company has a Recovery Point Objective (RPO) of 1 hour for its financial database. It performs full backups every night at 11 PM and incremental backups every 4 hours. If the system fails at 2:30 PM, what is the maximum data loss in terms of time?

A. 1 hour
B. 15.5 hours
C. 3.5 hours
D. 1.5 hours
Answer: C

Data from the last incremental backup at 11 AM to the failure at 2:30 PM could be lost.

Why this answer

The last backup was the incremental backup at 11 AM (assuming 4-hour intervals from 11 PM). The failure at 2:30 PM means data from 11 AM to 2:30 PM (3.5 hours) could be lost, which exceeds the 1-hour RPO.

31
MCQ · hard

An organization's business continuity plan designates a maximum tolerable downtime (MTD) of 8 hours for its order processing system. The system's recovery time objective (RTO) is set at 4 hours, and work recovery time (WRT) is estimated at 2 hours. If a disaster occurs at 10:00 AM and the system is restored at 2:00 PM, but additional configuration and data validation take until 3:30 PM to complete, what is the total downtime and is the MTD met?

A. 4 hours, MTD exceeded
B. 5.5 hours, MTD met
C. 4 hours, MTD met
D. 5.5 hours, MTD exceeded
Answer: B

Total downtime includes recovery and work recovery time: 5.5 hours, which is less than MTD of 8 hours.

Why this answer

Total downtime is from 10:00 AM to 3:30 PM = 5.5 hours. MTD is 8 hours, so 5.5 hours is within MTD. Note that the RTO (4 hours) was exactly met: system restoration at 2:00 PM is 4 hours after 10:00 AM.

WRT is counted separately from RTO but is included in total downtime. MTD is met.

32
Multi-Select · hard

During a ransomware incident, the incident response team has completed the containment and eradication phases. According to the NIST incident response framework, which THREE of the following activities are part of the post-incident activity phase?

Select 3 answers
A. Conduct a lessons learned meeting to identify improvements.
B. Retain evidence and logs for legal or regulatory purposes.
C. Notify affected customers of the data breach.
D. Update the incident response plan based on findings.
E. Harden system configurations to prevent reinfection.
Answers: A, B, D

Correct. Lessons learned is a key post-incident activity.

Why this answer

The post-incident activity phase includes lessons learned, evidence retention, and updating incident response plans. System hardening is part of eradication, and customer notification may occur during recovery or communication, but not strictly part of the post-incident phase in the NIST framework.

33
MCQ · medium

After a ransomware attack, the IT team restores systems from backups. The CEO asks how quickly data can be recovered. Which metric addresses the acceptable amount of data loss?

A. Work Recovery Time (WRT)
B. Recovery Time Objective (RTO)
C. Maximum Tolerable Downtime (MTD)
D. Recovery Point Objective (RPO)
Answer: D

RPO defines maximum data loss (e.g., last backup).

Why this answer

RPO defines the maximum acceptable data loss measured in time.

34
Multi-Select · hard

A company is planning its backup strategy and wants to minimize storage usage while ensuring fast restores. Which TWO backup types should the company consider as primary and secondary backups? (Select TWO)

Select 1 answer
A. Full backup weekly, incremental daily
B. Full backup daily, no other backups
C. Full backup weekly, differential daily
D. Full backup monthly, incremental weekly
E. Full backup weekly, incremental daily, and differential weekly
Answers: C

Differential restores are fast (full + latest diff), and storage is moderate.

Why this answer

Differential backup requires only full + latest differential for restore, faster than incremental. Incremental uses less storage but slower restore. Full backup uses most storage.

35
MCQ · medium

During an incident, the incident response team identifies that a malware infection is spreading. They isolate affected systems to prevent further damage. Which phase of the incident response process are they performing?

A. Recovery
B. Eradication
C. Detection
D. Containment
Answer: D

Containment stops the spread and limits damage.

Why this answer

Containment aims to limit the scope of the incident.

36
MCQ · easy

Which type of backup copies all data that has changed since the last full backup, regardless of any subsequent incremental or differential backups?

A. Full backup
B. Differential backup
C. Incremental backup
D. Synthetic full backup
Answer: B

Differential backup copies all changes since the last full backup.

Why this answer

Differential backup backs up all changes since the last full backup. Incremental backs up changes since any last backup.

37
MCQ · hard

During an incident, the security team detects unusual outbound traffic from a server that normally does not communicate externally. The traffic appears to be encrypted and is sent to an unknown IP address. Which incident category best describes this scenario?

A. Malware
B. Denial of service
C. Social engineering
D. Data breach
Answer: D

Unusual outbound encrypted traffic to an unknown IP is a strong indicator of data exfiltration, which is a data breach incident.

Why this answer

Unauthorized access or data exfiltration is indicated by unusual outbound traffic to an unknown IP, suggesting a compromised server sending data externally.

38
MCQ · easy

A company is developing a business continuity plan. Which document identifies critical business functions and their dependencies, including the maximum acceptable downtime?

A. Disaster Recovery Plan (DRP)
B. Business Continuity Plan (BCP)
C. Incident Response Plan (IRP)
D. Business Impact Analysis (BIA)
Answer: D

The BIA identifies critical functions, dependencies, and metrics like MTD, RTO, and RPO.

Why this answer

A Business Impact Analysis (BIA) identifies critical business functions, dependencies, and quantifies the impact of disruptions, including maximum tolerable downtime (MTD).

39
MCQ · medium

A company's critical database must be recovered within 4 hours after a disaster, and they can tolerate losing up to 1 hour of data. During a disaster, after the systems are restored, it takes an additional 30 minutes to verify data integrity and resume normal operations. Which metric is represented by the 4-hour requirement?

A. Maximum Tolerable Downtime (MTD)
B. Recovery Time Objective (RTO)
C. Recovery Point Objective (RPO)
D. Work Recovery Time (WRT)
Answer: B

RTO is the maximum time allowed to restore systems and data.

Why this answer

Recovery Time Objective (RTO) is the maximum acceptable time to restore systems and data after a disaster.

40
MCQ · medium

Which backup strategy offers the fastest restore time but requires the most storage space?

A. Incremental backup
B. Differential backup
C. Snapshot backup
D. Full backup
Answer: D

Full backup has fast restore but high storage.

Why this answer

A full backup copies all data, making restore fastest (only one set needed), but it consumes the most storage and time to perform.

41
MCQ · hard

During an incident, a security analyst identifies a SQL injection attack. The team contains the threat by blocking the attacker's IP. Which step should be performed next in the incident response process?

A. Detection
B. Lessons Learned
C. Recovery
D. Eradication
Answer: D

Eradication removes the cause of the incident.

Why this answer

After containment, the next step is eradication to remove the root cause (e.g., fix the vulnerability) before recovery.

42
MCQ · medium

Which incident category involves an attempt to make a system or network resource unavailable to its intended users?

A. Malware
B. Data breach
C. Denial of service
D. Social engineering
Answer: C

Denial of service attacks target availability.

Why this answer

A denial of service (DoS) attack aims to disrupt service availability by overwhelming resources.

43
MCQ · medium

A company performs a full backup every Sunday and incremental backups on other days. On Wednesday, a server failure occurs. Which backups are needed to restore the server to its state at Tuesday's backup?

A. Only Tuesday incremental backup
B. Sunday full backup, Monday incremental, and Tuesday incremental
C. Only the Sunday full backup
D. Sunday full backup and Monday incremental backup
Answer: B

Incremental restores require full plus all incrementals since the full.

Why this answer

With incremental backups, you need the last full backup and all subsequent incremental backups up to the point of failure. Here, Sunday full + Monday incremental + Tuesday incremental.

44
MCQ · medium

Which type of incident involves an attacker attempting to make a system or network resource unavailable to legitimate users?

A. Denial of service
B. Social engineering
C. Malware
D. Data breach
Answer: A

DoS attacks target availability.

Why this answer

A denial of service (DoS) attack aims to disrupt services by overwhelming resources.

45
Multi-Select · medium

During a security incident, a company must notify stakeholders without revealing sensitive details that could worsen the situation. Which TWO groups should typically be notified immediately according to incident response best practices? (Select TWO)

Select 2 answers
A. All affected customers immediately
B. General public via press release
C. Legal department
D. Executive management
E. Local law enforcement automatically
Answers: C, D

Legal needs to assess notification requirements and potential liability.

Why this answer

Legal must be notified for regulatory and liability issues, and management/executives for decision-making and resource allocation. Customers and PR may be notified later, and law enforcement depends on the incident.

46
MCQ · easy

Which incident category involves an attacker tricking an employee into revealing their login credentials through a fraudulent email?

A. Social engineering
B. Malware
C. Unauthorised access
D. Denial of service
Answer: A

Social engineering manipulates people into divulging confidential information.

Why this answer

Social engineering, specifically phishing, uses deception to obtain sensitive information.

47
MCQ · medium

An organization is adopting the 3-2-1 backup rule. They currently have data on a primary server and a daily backup to an external hard drive. To comply with the rule, what is the minimum additional requirement?

A. A second external hard drive stored on-site
B. An incremental backup to a network share
C. A full backup on tape stored in the same room
D. A cloud backup stored offsite
Answer: D

Adds a third copy on different media (cloud) and offsite.

Why this answer

3-2-1 rule: 3 copies, 2 different media, 1 offsite. They have 2 copies on 1 media (hard drive). Need a third copy on different media and offsite.

48
MCQ · medium

An organization adopts the 3-2-1 backup rule. Which combination of backups satisfies this rule?

A. Primary storage and one tape backup stored offsite
B. Primary storage and two tape backups in the same room
C. Primary storage, backup server (disk), and a second backup server (disk) in the same building
D. Primary storage, backup server (disk), and cloud storage
Answer: D

Three copies: primary, backup server, cloud; two media: disk and cloud; one offsite: cloud.

Why this answer

3-2-1 rule: 3 copies of data, on 2 different media types, 1 offsite. Option D meets all three: 3 copies (primary, backup server, cloud), 2 media (disk and cloud), 1 offsite (cloud).

49
MCQ · medium

An organization determines that its critical financial application has a maximum tolerable downtime (MTD) of 8 hours. The recovery time objective (RTO) is set to 6 hours, and the work recovery time (WRT) is 2 hours. If the application is restored from backup in 5 hours, but additional configuration takes 3 hours, what is the total downtime, and is the MTD met?

A. Total downtime 10 hours, MTD exceeded
B. Total downtime 8 hours, MTD met
C. Total downtime 8 hours, MTD exceeded
D. Total downtime 5 hours, MTD met
Answer: B

Total 8 hours equals MTD of 8 hours, so it is met.

Why this answer

Total downtime = restoration (5 hours) + configuration (3 hours) = 8 hours, which equals MTD of 8 hours. So MTD is met (equal to MTD is acceptable).

50
MCQ · medium

A security analyst detects unusual outbound network traffic from a server that typically only handles internal file sharing. The traffic appears to be exfiltrating sensitive data. Which phase of the incident response process should the analyst initiate next?

A. Containment
B. Analysis
C. Lessons learned
D. Eradication
Answer: B

Analysis is the third phase, following detection, to investigate the alert and confirm it is a real incident.

Why this answer

After detection (phase 2), the next step is analysis to confirm the incident and understand its scope before containment.

51
Multi-Select · medium

A security analyst is prioritizing incidents based on severity. Which TWO factors are most important for determining incident severity?

Select 2 answers
A. Sensitivity of the data potentially compromised
B. Type of operating system involved
C. Number of users affected
D. Time of day the incident occurred
E. Color of the server room
Answers: A, C

Data sensitivity impacts severity.

Why this answer

Severity is based on impact (e.g., data sensitivity, criticality) and scope (affected users/systems).

52
MCQ · medium

An organization experiences a ransomware attack that encrypts critical files. The incident response team follows the standard IR phases. After containing the infection and eradicating the malware, what is the next phase?

A. Detection
B. Preparation
C. Recovery
D. Lessons learned
Answer: C

Recovery follows eradication to restore operations.

Why this answer

After eradication, the next phase is recovery, where systems are restored and returned to normal operations.

53
Multi-Select · hard

During a security incident, the crisis communication team must notify stakeholders. According to best practices, which THREE groups should always be included in initial notifications? (Select THREE.)

Select 3 answers
A. Legal department
B. Internal management
C. Affected customers
D. Law enforcement
E. Public relations
Answers: A, B, E

Legal must be involved to ensure compliance and protect the organization.

Why this answer

Initial notifications should include internal management (for decision-making), legal (to address liability and regulatory requirements), and public relations (to manage external messaging). Affected customers may be notified later, and law enforcement is notified if required, but not always initially.

54
MCQ · medium

A company’s backup strategy: Full backup every Sunday, differential backups Monday through Saturday. On Thursday, the system fails. How many backups are needed to restore the data?

A.Two: Sunday full and Thursday differential
B.One: Thursday differential only
C.Four: Monday through Thursday differentials
D.Five: Monday through Thursday differentials plus full
AnswerA

Correct: full + differential.

Why this answer

A differential backup contains all changes since the last full backup. So you only need the full backup from Sunday and the differential from Thursday.

55
MCQ · easy

Which phase of the incident response process involves actions to stop the incident from causing further damage, such as isolating affected systems?

A. Eradication
B. Analysis
C. Containment
D. Detection
Answer: C

Containment prevents further damage.

Why this answer

Containment is the phase where actions are taken to limit the scope and impact of the incident.

56
MCQ · hard

During a data breach investigation, the incident response team discovers that personally identifiable information (PII) of EU residents was exfiltrated. Under GDPR, what is the maximum time frame for notifying the supervisory authority?

A. 72 hours
B. 7 days
C. 48 hours
D. 24 hours
Answer: A

GDPR Article 33 requires notification within 72 hours.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.

57
MCQ · medium

A hospital's electronic health record (EHR) system must be available 24/7. The disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour. Which combination of backup and site strategy best meets these objectives?

A. Cloud-based recovery with daily snapshots
B. Warm site with weekly full backups
C. Hot site with continuous data replication
D. Cold site with daily full backups
Answer: C

A hot site can achieve an RTO of hours, and continuous replication meets an RPO of minutes.

Why this answer

A hot site with continuous data replication keeps a standby environment running with near-current data, so failover can complete within the 4-hour RTO and data loss stays well inside the 1-hour RPO. A warm site typically takes days to bring online, and the cold-site and daily-snapshot options could lose up to a day of data, so none of the other choices meets both objectives.

58
MCQ · easy

Which of the following best describes a Disaster Recovery Plan (DRP)?

A. A plan to restore IT systems after a disruption
B. A plan to evacuate personnel during an emergency
C. A plan to identify critical business functions
D. A plan to keep the business running during a disruption
Answer: A

Correct definition of DRP.

Why this answer

A DRP focuses specifically on restoring IT systems and infrastructure after a disruption.

59
MCQ · easy

Which of the following is a key component of the 3-2-1 backup rule?

A. Two copies on different media, one off-site
B. One copy on two different media, two off-site
C. Three copies on different media, two off-site
D. Three copies, two different media types, one off-site
Answer: D

This is the exact description of the 3-2-1 rule.

Why this answer

The 3-2-1 rule states: have 3 copies of data, on 2 different media types, with 1 copy off-site.

60
MCQ · hard

A company has a reciprocal agreement with another organization for disaster recovery. During a major outage, the company attempts to activate the agreement but finds that the partner's facility is also impacted by the same disaster. This scenario highlights a primary disadvantage of which recovery strategy?

A. Cold site
B. Warm site
C. Reciprocal agreement
D. Hot site
Answer: C

Reciprocal agreements rely on the partner's availability, which may be compromised in a widespread disaster.

Why this answer

Reciprocal agreements depend on the partner not being affected by the same disaster. If both are impacted, the agreement fails.

61
MCQ · easy

A company is creating a business continuity plan. Which analysis should be performed first to identify critical business functions and their dependencies?

A. Vulnerability assessment
B. Business Impact Analysis (BIA)
C. Risk assessment
D. Gap analysis
Answer: B

BIA identifies critical business functions, dependencies, and recovery priorities.

Why this answer

A Business Impact Analysis (BIA) is the first step in BCP to identify critical functions, dependencies, and recovery requirements.

62
MCQ · medium

An organization needs to prioritize recovery of systems after a disaster. Which metric directly indicates the maximum acceptable outage time for a business function?

A. Recovery Time Objective (RTO)
B. Maximum Tolerable Downtime (MTD)
C. Recovery Point Objective (RPO)
D. Work Recovery Time (WRT)
Answer: B

MTD is the maximum acceptable outage time.

Why this answer

Maximum Tolerable Downtime (MTD) is the maximum time a business function can be unavailable before causing unacceptable harm.

63
MCQ · medium

During a BIA, the maximum tolerable downtime for a critical application is determined to be 4 hours. The IT team estimates system recovery will take 2 hours, but additional manual work to reconcile data will take 1 hour. What is the Recovery Time Objective (RTO)?

A. 1 hour
B. 2 hours
C. 4 hours
D. 3 hours
Answer: B

The RTO is the time to restore the system, which is 2 hours.

Why this answer

RTO is the target time within which systems must be restored to a functional state. Here system restoration is estimated at 2 hours, so the RTO is 2 hours. The additional hour of manual data reconciliation is work recovery time (WRT), not part of the RTO; RTO plus WRT (3 hours) must still fit within the 4-hour MTD.

64
MCQ · medium

An organization stores backup data on a tape drive (onsite) and also replicates critical data to a cloud storage service. This practice best exemplifies which backup rule?

A. Incremental backup strategy
B. Differential backup strategy
C. Full backup strategy
D. 3-2-1 backup rule
Answer: D

The scenario describes two backup copies (tape and cloud) which, together with the original data, make three copies, on 2 media types (tape and cloud storage), with 1 copy offsite (cloud), meeting the 3-2-1 rule.

Why this answer

The 3-2-1 rule states: have at least 3 copies of data, on 2 different media types, with 1 copy offsite. Here, tape (onsite) and cloud (offsite) provide two media types and an offsite copy.

65
Multi-Select · easy

A company is evaluating backup strategies for its critical database. Which TWO of the following are correct statements about backup types?

Select 3 answers
A. A full backup copies all data regardless of change status.
B. Restoring from a full backup is faster than restoring from a differential backup.
C. A differential backup copies data that has changed since the last full backup.
D. An incremental backup only copies data that has changed since the last full backup.
E. Incremental backups require less storage space than differential backups.
Answers: A, C, E

Correct. A full backup copies all selected data.

Why this answer

An incremental backup copies only the changes since the last backup of any type, while a differential backup copies all changes since the last full backup, which is why incremental sets are the smallest. A full backup does not depend on any previous backup, but it is slower to perform than an incremental backup, not faster. Restoring from differentials is faster than from incrementals because only the last full backup plus the latest differential are needed.

66
MCQ · easy

An organization is preparing its Business Continuity Plan (BCP). Which process identifies critical business functions and the impact of disruptions?

A. Incident Response Plan (IRP)
B. Disaster Recovery Plan (DRP)
C. Risk Assessment
D. Business Impact Analysis (BIA)
Answer: D

The BIA identifies critical business functions and the impact of disruptions.

Why this answer

A Business Impact Analysis (BIA) identifies critical business functions, dependencies, and the impact of disruptions, providing metrics like MTD, RTO, and RPO.

67
MCQ · hard

A company follows the 3-2-1 backup rule. It has two full backups: one on an external hard drive in the server room and one on tape in a safe on-site. Which step should be taken to fully comply with the rule?

A. No action needed; the rule is satisfied
B. Store the tape copy in a secure offsite location
C. Use cloud storage as an additional copy
D. Add a third copy to the external hard drive
Answer: B

This ensures one copy is offsite.

Why this answer

The 3-2-1 rule requires three copies of data (including the original), stored on at least two different media types, with at least one copy stored offsite. Currently, the company has the original data plus two backups (external HDD and tape) — three copies total — but both backups are on-site. To fully comply, one of the backup copies must be moved to an offsite location.

Option B, storing the tape copy offsite, satisfies the '1 offsite' requirement.

68
MCQ · hard

A financial institution requires near-instantaneous recovery of its trading platform after a disaster. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which recovery site strategy best meets these requirements?

A. Reciprocal agreement
B. Warm site
C. Cold site
D. Hot site
Answer: D

Hot sites have real-time replication and can achieve RTO of hours and RPO of minutes.

Why this answer

A hot site mirrors the production environment continuously, allowing recovery within hours and minimal data loss.

69
MCQ · hard

A company’s disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. The database is backed up every hour using incremental backups. After a catastrophic failure, restoration takes 3 hours, but the database must be rolled forward using transaction logs. The total time to make the database fully operational is 5 hours. Which statement is correct?

A. Both RTO and RPO are exceeded
B. RPO is exceeded but RTO is met
C. Both RTO and RPO are met
D. RTO is exceeded but RPO is likely met
Answer: D

Total recovery took 5 hours > RTO 4 hours; RPO is likely met because the backup was within 1 hour.

Why this answer

The RTO was exceeded (5 hours > 4 hours), but the RPO may still be met if the last backup was within 1 hour; the scenario does not indicate data loss beyond 1 hour.

70
Multi-Select · medium

An organization is choosing a backup strategy to minimize restore time. Which TWO backup types require only the most recent full backup and the latest differential backup to restore?

Select 1 answer
A. Full backup
B. Synthetic full backup
C. Incremental backup
D. Reverse incremental backup
E. Differential backup
Answers: E

Latest differential contains all changes since full.

Why this answer

Restoring from the last full backup plus the latest differential is the fastest option because the latest differential already contains every change since that full backup, whereas an incremental restore needs the full backup plus every incremental taken since it. Only the differential backup matches the description.

71
Multi-Select · medium

A company is implementing a backup strategy. Which TWO of the following are characteristics of incremental backups? (Choose two.)

Select 2 answers
A. Backs up data changed since the last full backup
B. Fast restore process
C. Requires the least storage space of all backup types
D. Fast backup process
E. Backs up data changed since the last backup (any type)
Answers: D, E

Because only small changes are backed up.

Why this answer

Incremental backups back up data changed since the last backup (of any type), making them fast to perform but slow to restore because multiple backup sets may be needed.

72
MCQ · easy

Which incident category involves an attacker tricking an employee into revealing credentials?

A. Data breach
B. Social engineering
C. Malware
D. Denial of service
Answer: B

Social engineering exploits human psychology to gain access.

Why this answer

Social engineering includes phishing, pretexting, etc., to manipulate people.

73
MCQ · hard

During a disaster recovery test, an organization uses a warm site. The site has partially configured servers and network infrastructure but lacks recent data. The recovery team expects to have the system operational within 2 days. Which recovery metric is most directly addressed by the warm site's capabilities?

A. Recovery Point Objective (RPO)
B. Recovery Time Objective (RTO)
C. Maximum Tolerable Downtime (MTD)
D. Work Recovery Time (WRT)
Answer: B

RTO is the targeted time to restore operations; a warm site with 2-day recovery aligns with an RTO of days.

Why this answer

A warm site typically has hardware and partial configuration, allowing recovery in days. This directly impacts the recovery time objective (RTO), which is the target time for restoring systems and data.

74
Multi-Select · hard

An organization experiences a data breach involving personally identifiable information (PII) of European Union residents. According to GDPR, which THREE of the following are required actions?

Select 3 answers
A. Document the breach, its effects, and the remedial actions taken.
B. Restore all affected systems from the latest full backup.
C. Communicate the breach to affected data subjects without undue delay if it poses a risk to their rights and freedoms.
D. Conduct a Business Impact Analysis (BIA) to determine the financial impact.
E. Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
Answers: A, C, E

Correct. GDPR requires documentation of all breaches.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours, communication to affected data subjects without undue delay, and documentation of the breach. Conducting a BIA is not a GDPR breach notification requirement, and restoring systems is part of recovery but not a specific GDPR requirement.

75
Multi-Select · medium

An organization is developing an incident response plan. Which TWO phases are part of the incident response lifecycle according to the NIST framework? (Select two.)

Select 2 answers
A. Preparation
B. Business impact analysis
C. Recovery
D. Risk assessment
E. Vulnerability scanning
Answers: A, C

Preparation is the first phase.

Why this answer

The NIST incident response lifecycle includes: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity (lessons learned). The correct two from options are Preparation and Recovery.
