Which risk management strategy involves implementing security controls to reduce the likelihood or impact of a risk?
Mitigation reduces risk through controls.
Why this answer
Risk mitigation applies controls to reduce risk.
75 of 130 questions · Page 1/2 · CC Security Principles topic · Answers revealed
A security policy requires that data classified as 'Confidential' must be encrypted both at rest and in transit. Which TWO of the following are likely data handling requirements for 'Confidential' data? (Select TWO)
Correct. Encryption at rest and in transit, plus strict access controls, are the expected handling requirements.
Why this answer
Confidential data typically requires encryption and strict access controls. Public posting would be inappropriate.
An organization implements a redundant server infrastructure to ensure that services remain operational even if one server fails. This is an example of protecting which principle?
Correct. Redundancy and failover are key availability mechanisms.
Why this answer
Redundancy ensures that systems remain available despite failures, directly supporting availability.
A security analyst recommends implementing digital signatures to ensure that a software update has not been altered during distribution. Which aspect of the CIA triad is primarily being addressed?
Correct. Digital signatures ensure data integrity and authenticity.
Why this answer
Digital signatures provide integrity by allowing verification that data has not been modified and confirming the source.
What is the primary purpose of a digital signature?
Digital signatures verify authenticity and integrity.
Why this answer
Digital signatures provide integrity (detect tampering) and non-repudiation (proof of origin).
A security team identifies that a server has a known vulnerability. A threat actor could exploit it to gain unauthorized access. The combination of these factors represents:
Risk is the potential for loss when a threat exploits a vulnerability.
Why this answer
Risk is the probability that a threat exploits a vulnerability, causing harm.
Which of the following best describes a vulnerability in the context of risk management?
This is the definition of vulnerability.
Why this answer
A vulnerability is a weakness that can be exploited by a threat to cause harm.
Which security principle ensures that data cannot be accessed by unauthorized individuals?
Confidentiality prevents unauthorized disclosure of information.
Why this answer
Confidentiality ensures that data is not disclosed to unauthorized individuals, systems, or processes.
Which authentication type is a smart card an example of?
Possession factors include smart cards, tokens, and authenticator apps.
Why this answer
Smart cards are physical devices that a user possesses, making them Type 2 (possession) authentication.
Which data classification level typically requires the highest level of protection and is reserved for information that could cause catastrophic harm if disclosed?
Correct. Restricted (or top secret) is the highest classification.
Why this answer
Restricted or top secret classification is used for information that could cause exceptionally grave damage to the organization or nation if disclosed.
Which TWO of the following are examples of integrity controls? (Select TWO)
Digital signatures ensure integrity and authenticity.
Why this answer
Hashing and digital signatures are integrity controls that verify data has not been altered.
A user logs into a system using a password and a one-time passcode from a mobile authenticator app. This is an example of:
Password (Type 1) and OTP (Type 2) are used.
Why this answer
Combining two different authentication types (knowledge and possession) is multi-factor authentication.
An organization decides to accept the risk of using a legacy system that cannot be patched due to critical business operations. This is an example of:
The organization is aware of the risk and accepts it without additional action.
Why this answer
Risk acceptance means acknowledging the risk and choosing not to mitigate, transfer, or avoid it.
A data breach exposed customers' names, addresses, and Social Security numbers. Which type of data was compromised?
SSN is sensitive PII requiring high protection.
Why this answer
Social Security numbers combined with names and addresses are considered sensitive PII that can cause significant harm if disclosed.
An organization is implementing a risk management strategy for a new system. Which THREE actions are examples of risk mitigation?
Patching reduces the risk of exploitation.
Why this answer
Risk mitigation involves implementing controls to reduce risk. Installing firewalls, patching vulnerabilities, and training users all reduce risk.
A security team is conducting a risk assessment for a new cloud application. They have identified a vulnerability in the application that could allow unauthorized access to sensitive data. Which three risk management strategies should they consider? (Choose three.)
Eliminating the activity that introduces the risk, such as removing the vulnerable component.
Why this answer
Risk avoidance is correct because it eliminates the vulnerability entirely, either by not deploying the cloud application or by removing the vulnerable component, so unauthorized access to the sensitive data is no longer possible. Avoidance is appropriate when the risk exceeds the organization's risk appetite and cannot be reduced effectively by other means.
Exam trap
The exam often tests the difference between risk acceptance and risk ignorance. 'Doing nothing' is not a valid strategy: acceptance requires the risk to be formally documented and approved by management, not simply left unaddressed.
An organization implements full-disk encryption on all laptops. Which element of the CIA triad is primarily being addressed?
Encryption prevents unauthorized viewing of data, ensuring confidentiality.
Why this answer
Encryption protects data from unauthorized disclosure, which is the goal of confidentiality.
An organization labels its financial reports as "Confidential" and requires encryption at rest and in transit. This is an example of:
Correct. The label and controls are part of data classification.
Why this answer
Data classification determines handling requirements (e.g., encryption for confidential data).
A company is deploying a multi-factor authentication (MFA) solution. Which combination represents two different authentication factors?
Smart card is Type 2 (possession) and PIN is Type 1 (knowledge), providing two different factors.
Why this answer
MFA requires two or more different factor types: something you know (password or PIN), something you have (smart card or OTP token), and something you are (fingerprint). A smart card plus its PIN combines possession and knowledge, so it qualifies.
A security team decides to implement multi-factor authentication for all remote access. Which combination of factors would constitute multi-factor authentication?
Correct. Smart card is Type 2 and fingerprint is Type 3, combining two different factors.
Why this answer
Multi-factor authentication requires two or more different types of factors (knowledge, possession, inherence). A smart card (possession) combined with a fingerprint (inherence) qualifies; two factors of the same type, such as a password and a PIN, do not.
According to the (ISC)² Code of Ethics, which canon has the highest priority?
Correct. This is the first and highest priority canon.
Why this answer
The Code of Ethics prioritizes protecting society first, then acting honorably, providing diligent service, and advancing the profession.
A security team implements a load balancer to distribute traffic across multiple web servers. This control primarily supports which principle?
Correct. Load balancing improves uptime and availability.
Why this answer
Load balancing helps ensure availability by preventing server overload.
An employee uses a password and a one-time code from a mobile authenticator app to log in. Which authentication type is being used?
Two different factors (knowledge and possession) are used.
Why this answer
Combining password (Type 1) and OTP (Type 2) is multi-factor authentication.
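The 'one-time code from a mobile authenticator app' in this question and in the earlier password-plus-OTP question is a possession factor because the phone holds a shared secret that only the enrolled device has. The Go program below is an added example, not code from the original page: it implements the time-based one-time password algorithm (RFC 6238, built on RFC 4226 HOTP) that authenticator apps compute, and verifies a submitted code with a one-step tolerance for clock drift. The secret, timestamps and expected codes are the test vectors published in RFC 4226 and RFC 6238; the verification window and the constant-time compare are design choices of this example rather than anything the page prescribes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	digits = 6  // code length shown by the authenticator app
	step   = 30 // seconds per time step (RFC 6238 default)
)

// hotp computes the RFC 4226 one-time code for a single counter value:
// HMAC-SHA1 over the big-endian counter, dynamic truncation, then mod 10^digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%1000000)
}

// TOTP returns the code valid at the given Unix time: the counter is the
// number of whole 30-second steps since the epoch (RFC 6238).
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/step))
}

// Verify accepts the code for the current step or one step either side, so
// a phone whose clock drifts by a few seconds still works. The comparison is
// constant time so a response-timing difference does not leak digit matches.
func Verify(secret []byte, code string, unix int64) bool {
	ok := false
	base := unix / step
	for _, skew := range []int64{-1, 0, 1} {
		c := base + skew
		if c < 0 {
			continue
		}
		expected := hotp(secret, uint64(c))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			ok = true // keep looping so timing does not depend on which step matched
		}
	}
	return ok
}

func main() {
	// Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	fmt.Println("code at t=59  :", TOTP(secret, 59)) // RFC 6238 vector: 287082
	fmt.Println("code now      :", TOTP(secret, time.Now().Unix()))
	fmt.Println("verify 287082 at t=89  :", Verify(secret, "287082", 89))  // within window
	fmt.Println("verify 287082 at t=120 :", Verify(secret, "287082", 120)) // expired
}
```

A real deployment also records the last counter each user successfully authenticated with and rejects replays of that step, which this example omits; the secret must be generated per user from a CSPRNG and delivered to the device once, typically as an `otpauth://` QR code.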
According to the (ISC)² Code of Ethics, which canon has the highest priority?
This is the first canon.
Why this answer
The first canon is to protect society, the common good, and the public trust.
Which of the following is an example of a Type 2 authentication factor?
A security token is a physical device the user possesses, making it Type 2.
Why this answer
Type 2 (possession) factors are items a user has, such as a smart card or OTP token.
What is the primary purpose of a digital signature?
Digital signatures bind the signer to the document and detect tampering.
Why this answer
Digital signatures provide integrity by ensuring data has not been altered, and non-repudiation by proving the signer's identity and intent.
Which of the following is an example of a vulnerability?
An unlocked door is a physical weakness that can be exploited.
Why this answer
A vulnerability is a weakness that can be exploited. An unlocked door is a physical example; an unpatched software flaw is the classic technical one.
A security analyst is implementing controls to protect the integrity of a database. Which TWO of the following controls would best achieve this goal?
Digital signatures provide integrity and non-repudiation.
Why this answer
Hashing and digital signatures both ensure data has not been altered.
A security manager is advised to implement 'due care' in their organization. Which action best exemplifies due care?
Regular updates demonstrate a minimum standard of care to protect systems.
Why this answer
Due care means taking reasonable steps to protect assets, such as implementing basic security controls like patch management.
Which TWO of the following are examples of Type 3 (inherence) authentication factors?
Retina scan is a biometric (inherence) factor.
Why this answer
Type 3 factors are biometric characteristics unique to an individual.
After a major DDoS attack, a company deploys redundant internet connections and load balancers to ensure continued access to its web services. Which principle of the CIA triad is being strengthened?
Correct. Redundancy and load balancing ensure services remain available.
Why this answer
Redundancy and load balancing help maintain access for authorized users, supporting availability.
An organization requires employees to enter a password and then approve a push notification on their mobile device to access the corporate network. What type of authentication is this?
Correct. It uses two different factors: knowledge and possession.
Why this answer
Combining a password (Type 1) and a mobile device approval (Type 2) constitutes multi-factor authentication.
A security professional is asked to choose an authentication method for a high-security facility. The requirement is to use something the user 'is'. Which authentication type should be selected?
Biometrics are inherent traits; they are something you are.
Why this answer
Biometrics (fingerprint, retina, iris) fall under Type 3 (inherence) authentication, which checks 'something you are'.
Which data classification level typically requires the highest level of protection?
Top secret is the most sensitive.
Why this answer
Top secret is the highest classification and requires strict controls.
An organization is developing a data classification policy. Which THREE of the following should be classified as Confidential or higher? (Select THREE)
PII is typically classified as Confidential or higher due to privacy laws.
Why this answer
Confidential data typically includes trade secrets, customer PII, and financial records. Public information and marketing brochures are public data.
After a security breach, the organization conducts a background check on a new vendor before signing a contract. This practice is known as:
Correct. Background checks are part of due diligence.
Why this answer
Due diligence involves investigating and verifying before acting.
A company conducts a background check on a new vendor before signing a contract. This activity is an example of:
Background checks are part of due diligence to assess risks before commitment.
Why this answer
Due diligence involves investigating and verifying a vendor's security posture and trustworthiness before engagement.
A company uses redundant servers and automated failover to ensure that its website remains accessible during a server outage. Which principle of the CIA triad is being addressed?
Redundancy and failover increase system uptime, ensuring availability.
Why this answer
Redundancy and failover ensure that authorized users can access systems when needed, which is availability.
Which type of authentication factor involves something the user knows?
Correct. Knowledge factors are things the user knows.
Why this answer
Type 1 (knowledge) factors include passwords, PINs, and passphrases.
A company performs background checks on potential employees before hiring. This action demonstrates which concept?
Background checks are an investigative process.
Why this answer
Due diligence involves investigating before acting, such as background checks.
Which THREE of the following are considered risk management strategies? (Select THREE)
Acceptance is a valid risk management strategy.
Why this answer
Risk management strategies include acceptance, mitigation, transfer, and avoidance. Acceptance, mitigation, and transfer are correct.
Which TWO of the following are examples of sensitive PII? (Select TWO.)
Correct. Medical records are sensitive PII.
Why this answer
Sensitive PII includes medical records and biometrics. Name and email address are general PII, and an IP address on its own is generally not treated as sensitive PII.
When implementing multi-factor authentication, which combination of factors is considered strongest?
Smart card is Type 2 (possession) and biometric is Type 3 (inherence), combining two different types.
Why this answer
MFA is strongest when the factors come from different categories; a smart card (Type 2, possession) plus a biometric (Type 3, inherence) uses two distinct types, whereas a password and a PIN are both knowledge and do not qualify.
What is the difference between due care and due diligence in security governance?
Due care is about doing what a reasonable person would do; due diligence is about assessing and verifying.
Why this answer
Due care is the minimum standard of care (implementing basic security), while due diligence is investigating before acting (e.g., vendor assessments).
A company is evaluating a new cloud service provider. As part of due diligence, they review the provider's security certifications, conduct a site visit, and check references. This process is an example of which risk management strategy?
Due diligence is investigating before making decisions.
Why this answer
Due diligence involves investigating before taking action in order to identify and assess risks. It informs the choice among the four treatment strategies (accept, mitigate, transfer, avoid) rather than being one of them.
Which THREE of the following are examples of risk mitigation? (Select THREE)
Access controls reduce risk of unauthorized access.
Why this answer
Risk mitigation involves implementing controls to reduce risk. Installing antivirus, implementing access controls, and using encryption all reduce risk. Transferring risk to insurer is risk transfer, and accepting risk is risk acceptance.
An organization uses a digital signature to verify the authenticity of a software update. This supports which part of the CIA triad?
Correct. Digital signatures ensure data has not been altered.
Why this answer
Digital signatures verify integrity and authenticity.
A company classifies its data into four categories: Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?
Correct. Restricted data is the most sensitive and requires the highest protection.
Why this answer
Restricted is the highest classification, often equated with top secret, requiring stringent controls.
Which of the following is an example of Type 2 authentication?
Correct. Smart card is a possession factor.
Why this answer
Type 2 authentication relies on something the user possesses, such as a smart card or token.
A company is implementing a data classification policy. According to best practices, which THREE of the following should be classified as 'restricted' or 'top secret'? (Select THREE).
Government classified data is restricted.
Why this answer
Restricted data includes trade secrets, classified government info, and biometric data.
A security administrator is configuring a system to detect unauthorized changes to critical files by calculating and storing a hash value for each file. Which security goal is primarily supported?
Correct. Hashing verifies that data has not been altered.
Why this answer
Hashing ensures that any modification to the file can be detected, supporting integrity.
A security consultant is evaluating a vendor's security practices before signing a contract. The consultant reviews the vendor's security policies, incident response plans, and conducts background checks on key personnel. This activity is an example of:
Correct. This is a thorough investigation to ensure security.
Why this answer
Due diligence involves investigating and verifying security practices before making a decision, such as vendor risk assessment.
An organization decides to accept the risk of using an older software version known to have vulnerabilities because the cost of upgrading outweighs the potential impact. This is an example of:
Correct. The organization accepts the risk without further action.
Why this answer
Risk acceptance means acknowledging the risk and choosing not to mitigate it, often due to cost-benefit analysis.
Which TWO of the following are examples of Type 3 authentication? (Select TWO).
Retina scan is a biometric (inherence).
Why this answer
Type 3 authentication relies on biometric characteristics.
A security analyst is evaluating a new vendor for cloud services. The analyst reviews the vendor's security certifications, conducts background checks, and visits the data center. This process is an example of:
Due diligence is the investigation and verification before an action, as described.
Why this answer
Due diligence involves investigating and verifying before making a decision, such as vendor risk assessment.
A security professional is implementing a file integrity monitoring (FIM) system on critical servers. Which element of the CIA triad does this primarily address?
FIM detects unauthorized modifications, directly supporting integrity.
Why this answer
File integrity monitoring detects unauthorized changes to files, ensuring data accuracy and completeness, which is the integrity element.
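The previous hash-baseline question and this FIM question describe the same mechanism: hash every protected file once, store the digests, and later re-hash and compare. The Go program below is an added example, not code from the page or any FIM product: it takes a baseline of a directory, then detects a modified file, a newly dropped file, and a removed file. The directory contents (an sshd_config and a cron entry) are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path (relative to the monitored root) to the hex
// SHA-256 of its contents when the baseline was taken.
type Baseline map[string]string

// Change is one deviation from the baseline: Kind is "modified", "added" or "removed".
type Change struct {
	Path string
	Kind string
}

func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

// Snapshot hashes every regular file under root.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		h, err := hashFile(path)
		if err != nil {
			return err
		}
		b[rel] = h
		return nil
	})
	return b, err
}

// Compare reports every file that changed, appeared or disappeared since the
// baseline. A hash mismatch proves the bytes changed; it cannot tell whether
// the change was authorized, so the baseline itself must be stored where an
// attacker who can edit the monitored files cannot also rewrite it.
func Compare(baseline, current Baseline) []Change {
	var out []Change
	for p, h := range baseline {
		cur, ok := current[p]
		switch {
		case !ok:
			out = append(out, Change{p, "removed"})
		case cur != h:
			out = append(out, Change{p, "modified"})
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			out = append(out, Change{p, "added"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// Demo builds a constructed config directory, baselines it, simulates an
// attacker weakening sshd_config, dropping a cron job and deleting a file,
// and returns what the comparison detects.
func Demo() ([]Change, error) {
	dir, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	write := func(name, body string) error {
		return os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644)
	}
	if err := write("sshd_config", "PermitRootLogin no\n"); err != nil {
		return nil, err
	}
	if err := write("motd", "authorized use only\n"); err != nil {
		return nil, err
	}
	base, err := Snapshot(dir)
	if err != nil {
		return nil, err
	}
	// Unauthorized changes after the baseline (constructed).
	write("sshd_config", "PermitRootLogin yes\n")
	write("cron.d", "* * * * * root /tmp/x\n")
	os.Remove(filepath.Join(dir, "motd"))
	cur, err := Snapshot(dir)
	if err != nil {
		return nil, err
	}
	return Compare(base, cur), nil
}

func main() {
	changes, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, c := range changes {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```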
An organization is developing a security policy. Which TWO of the following are core components of the CIA triad?
Correct. Confidentiality is a core CIA principle.
Why this answer
The CIA triad consists of Confidentiality, Integrity, and Availability. Authentication and Non-repudiation are related but not part of the core triad.
An organization is implementing a new access control system. Which TWO of the following are examples of Type 3 authentication factors?
Correct. Fingerprint is a biometric factor.
Why this answer
Type 3 (inherence) factors are biometric characteristics. Fingerprint and retina scan are biometrics; a password or PIN is knowledge and a smart card is possession, so neither is Type 3.
A security analyst is implementing controls to prevent unauthorized disclosure of sensitive information. Which element of the CIA triad is being addressed?
Confidentiality ensures information is not disclosed to unauthorized parties.
Why this answer
Preventing unauthorized disclosure directly relates to confidentiality.
A company stores customer PII including social security numbers and medical records. Under privacy principles, these data elements are best described as:
SSN and medical records are considered sensitive PII.
Why this answer
Medical records and SSNs are examples of sensitive PII that require additional protection.
An organization wants to ensure the integrity of a software update before deployment. Which two methods can be used to verify integrity? (Choose two.)
Digital signatures provide both authenticity and integrity verification.
Why this answer
Integrity ensures data has not been altered. Hashing produces a digest that can be compared to verify the file has not changed. Digital signatures use asymmetric cryptography to verify authenticity and integrity.
Encryption provides confidentiality, not integrity. Access controls limit who can modify data but do not verify integrity after the fact. Redundancy supports availability.
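The distinction this explanation draws, and that the earlier digital-signature questions rely on, is that a bare hash detects accidental or in-transit corruption but an attacker who can swap the download can also publish a matching digest, whereas a signature cannot be regenerated without the vendor's private key. The Go program below is an added example, not code from the page or any vendor's release tooling: it publishes a constructed update with a SHA-256 digest and an Ed25519 signature over that digest, then shows that a tampered payload with a republished digest passes the hash check and fails the signature check. The key pair is generated on the fly for the demonstration; in practice the verifier holds a pinned copy of the vendor's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a publisher ships: the artifact bytes, the SHA-256 digest
// as printed on the download page, and an Ed25519 signature over that digest.
type Release struct {
	Artifact  []byte
	Digest    string
	Signature []byte
}

// Publish hashes the artifact and signs the digest with the vendor's private key.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Artifact:  artifact,
		Digest:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// VerifyDigest checks integrity only: the received bytes hash to the published
// digest. Whoever controls the download page controls the digest too, so this
// proves nothing about origin.
func VerifyDigest(r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.Digest
}

// VerifySignature checks integrity and origin: the signature over the
// recomputed digest must validate under the vendor's pinned public key.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return ed25519.Verify(pub, sum[:], r.Signature)
}

// Demo runs the scenario with a freshly generated vendor key and returns
// (genuine release verifies, tampered release passes the digest check,
// tampered release passes the signature check).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	rel := Publish(priv, []byte("update-1.2.3: constructed payload"))
	genuineOK := VerifyDigest(rel) && VerifySignature(pub, rel)

	// Attacker replaces the payload in transit and republishes a matching digest,
	// but cannot produce a signature without the vendor's private key.
	tampered := rel
	tampered.Artifact = []byte("update-1.2.3: backdoored payload")
	sum := sha256.Sum256(tampered.Artifact)
	tampered.Digest = hex.EncodeToString(sum[:])

	return genuineOK, VerifyDigest(tampered), VerifySignature(pub, tampered), nil
}

func main() {
	genuine, tamperedDigest, tamperedSig, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine release verifies      :", genuine)
	fmt.Println("tampered: digest check passes  :", tamperedDigest)
	fmt.Println("tampered: signature check passes:", tamperedSig)
}
```

Signing the digest rather than the whole artifact matches the hash-then-sign description in the explanation; Ed25519 would also accept the raw artifact directly. Either way, the security of the check rests on how the verifier obtained the public key, which is why update clients ship with it embedded rather than fetching it from the same server as the update.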
An organization is developing a data classification policy. Which THREE of the following are common classification levels?
Confidential is one of the standard classification levels and requires protection.
Why this answer
Public, confidential, and restricted are typical classification levels.
A system administrator implements version control for all configuration files. Which principle is being strengthened?
Version control tracks changes and maintains data integrity.
Why this answer
Version control helps ensure data accuracy and prevents unauthorized changes, supporting integrity.
An organization classifies data as 'confidential' and requires encryption at rest and in transit. Which data classification level is likely being used?
Confidential data typically requires encryption to prevent unauthorized disclosure.
Why this answer
Confidential data is sensitive and requires protection; it is a common classification level.
A security analyst is reviewing a log that shows an unauthorized user attempted to modify a payroll database. Which security principle is most directly threatened?
Integrity ensures data is not altered by unauthorized parties.
Why this answer
Unauthorized modification threatens integrity.
During a vendor risk assessment, a company discovers that a potential vendor has poor security practices. The company decides not to hire the vendor. This is an example of:
Avoiding the vendor altogether eliminates the risk.
Why this answer
Risk avoidance involves eliminating the risk by not engaging in the activity.
A security administrator is selecting controls to protect the confidentiality of a database containing customer PII. Which TWO controls are most appropriate?
Access controls prevent unauthorized access.
Why this answer
Encryption protects data confidentiality; access controls restrict who can view data.
A multinational corporation deploys redundant servers in geographically diverse data centers and uses a load balancer to distribute traffic. This setup primarily addresses which security concern?
Redundant systems and load balancing prevent single points of failure.
Why this answer
Redundancy and load balancing ensure that systems remain accessible, supporting availability.
An organization decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment strategy?
Correct. Insurance transfers the financial risk to the insurer.
Why this answer
Risk transfer involves shifting the financial impact of a risk to another party, such as through insurance.
Which of the following ensures that data has not been tampered with during transmission?
Correct. Hashing verifies integrity.
Why this answer
Integrity ensures data accuracy and completeness; hashing detects changes.
According to the (ISC)² Code of Ethics, which of the following obligations takes the highest priority?
Protect society is the highest priority.
Why this answer
The Code of Ethics prioritizes protecting society, the common good, and the public trust.
Which of the following is considered Sensitive PII?
Correct. SSN is sensitive because it can lead to identity theft.
Why this answer
Sensitive PII includes information that could cause harm if disclosed, such as medical records, financial account numbers, and biometric data.
A security analyst is implementing a solution to ensure that data transmitted between two servers cannot be read by unauthorized parties. Which security principle is the analyst primarily addressing?
Correct. Encryption protects confidentiality by preventing unauthorized disclosure.
Why this answer
Confidentiality ensures that data is not disclosed to unauthorized individuals or systems. Encryption is a key mechanism to protect confidentiality of data in transit.
Which of the following is an example of a physical control that supports the availability principle of the CIA triad?
Correct. Redundancy ensures availability if one server fails.
Why this answer
Availability ensures systems are accessible when needed. Redundant servers provide failover capability, minimizing downtime.
An organization classifies data as 'Confidential' and requires encryption both at rest and in transit. Which data classification level best fits this requirement?
Confidential data typically requires encryption to protect against unauthorized disclosure.
Why this answer
Confidential data typically requires strong protection like encryption; restricted/top secret may require even higher controls.