CCNA Cc Security Principles Questions

55 of 130 questions · Page 2/2 · Cc Security Principles topic · Answers revealed

76 · MCQ · hard

A company implements a new firewall and intrusion detection system to reduce the risk of network breaches. This is an example of:

A. Risk avoidance
B. Risk acceptance
C. Risk transfer
D. Risk mitigation

Answer: D

Correct. Controls are put in place to mitigate risk.

Why this answer

Risk mitigation involves implementing controls to reduce the likelihood or impact of a risk.

77 · MCQ · hard

A security analyst discovers that a vendor's software contains a known vulnerability that could lead to data exposure. The analyst reports this to management. According to risk management principles, which action represents risk transfer?

A. Discontinuing use of the vendor's software
B. Purchasing cyber insurance to cover potential losses
C. Installing a patch to fix the vulnerability
D. Accepting the risk and documenting the decision

Answer: B

Correct. Insurance transfers the financial risk to the insurer.

Why this answer

Risk transfer shifts the financial impact to another party, such as through cyber insurance. Note that insurance transfers the cost of a loss, not the organization's legal or regulatory accountability for protecting the data.

78 · MCQ · hard

In risk management, which term describes the probability that a threat will exploit a vulnerability and cause harm to an asset?

A. Vulnerability
B. Control
C. Risk
D. Threat

Answer: C

Correct. Risk combines a threat, a vulnerability that threat can exploit, and the resulting impact.

Why this answer

Risk is defined as the likelihood of a threat exploiting a vulnerability, resulting in harm to an asset; it is commonly expressed as likelihood multiplied by impact.

79 · MCQ · medium

An organization implements a policy requiring employees to use a smart card and a PIN to access the data center. This is an example of which type of authentication?

A. Multi-factor authentication
B. Type 3 authentication
C. Single-factor authentication
D. Type 2 authentication only

Answer: A

Correct. Combines Type 2 (possession) and Type 1 (knowledge).

Why this answer

Multi-factor authentication combines two or more types: smart card (possession) and PIN (knowledge).

80 · MCQ · hard

According to the (ISC)² Code of Ethics, if a conflict arises between protecting society and providing diligent service to your employer, which should take precedence?

A. Advance the profession
B. Act honorably
C. Protect society
D. Provide diligent service

Answer: C

The first canon is to protect society, the common good, and the infrastructure.

Why this answer

The (ISC)² Code of Ethics has a priority order: protect society first, then act honorably, provide diligent service, and advance the profession.

81 · MCQ · medium

According to the (ISC)² Code of Ethics, which obligation has the highest priority?

A. Provide diligent and competent service to principals
B. Advance and protect the profession
C. Act honorably, honestly, justly, responsibly, and legally
D. Protect society, the common good, and the public trust

Answer: D

This is the first and highest priority.

Why this answer

The Code of Ethics states the highest priority is to protect society, the common good, and the public trust.

82 · MCQ · easy

Which of the following is a control that can reduce the risk of a DDoS attack?

A. Access control lists
B. Load balancing
C. Encryption
D. Digital signatures

Answer: B

Load balancing helps distribute traffic and can mitigate the impact of DDoS attacks.

Why this answer

Load balancers can distribute traffic and absorb some DDoS attacks; DDoS protection services are also common controls. Encryption and digital signatures protect confidentiality and integrity and do nothing against volumetric traffic.

83 · Multi-Select · medium

A security analyst is evaluating controls to protect the confidentiality of customer data. Which TWO of the following are effective controls? (Select TWO).

Select 2 answers
A. Hashing of passwords
B. Redundant network links
C. Encryption of data at rest
D. Regular data backups
E. Role-based access controls

Answers: C, E

Encryption prevents unauthorized disclosure.

Why this answer

Encryption protects data at rest and in transit; access controls restrict unauthorized access. Password hashing protects the credentials themselves rather than the customer records, and redundant links and backups are availability controls.

84 · MCQ · hard

An organization is evaluating a new vendor that will process customer data. The security team performs a thorough assessment of the vendor's security controls and background checks. This process best demonstrates:

A. Risk acceptance
B. Risk transfer
C. Due care
D. Due diligence

Answer: D

Due diligence is the investigation and assessment before engagement.

Why this answer

Due diligence involves investigating and verifying before making a decision, such as vendor risk assessments and background checks.

85 · MCQ · easy

An organization uses hashing to ensure that data has not been altered during transmission. Which security principle is being implemented?

A. Availability
B. Authentication
C. Integrity
D. Confidentiality

Answer: C

Hashing ensures data integrity by producing a fixed-length digest that changes if the data is modified.

Why this answer

Hashing verifies data integrity by detecting changes to the original data. The check is only as trustworthy as the source of the expected digest: an attacker who can alter data in transit can usually recompute an unprotected hash as well, so in practice the digest is delivered out of band, keyed (HMAC) or signed.

86 · MCQ · easy

Which principle of the CIA triad ensures that data is not disclosed to unauthorized individuals?

A. Authentication
B. Confidentiality
C. Integrity
D. Availability

Answer: B

Confidentiality protects data from unauthorized access and disclosure.

Why this answer

Confidentiality is the principle that prevents unauthorized disclosure of information.

87 · MCQ · medium

Which of the following controls is primarily designed to ensure availability?

A. Redundant servers
B. Encryption
C. Digital signatures
D. Access control lists

Answer: A

Redundant servers provide failover capability, maintaining availability.

Why this answer

Redundancy (e.g., backup servers, failover) ensures systems remain available even if one component fails.

88 · Multi-Select · hard

An organization is conducting a risk assessment. Which THREE of the following are considered assets? (Select THREE)

Select 3 answers
A. Probability of a data breach
B. Customer database
C. Vulnerability in software
E. Employee expertise

Answers: B, D, E

Correct. Data is an asset.

Why this answer

Assets are items of value to the organization, including data, hardware, and personnel. A breach probability is a risk measure and a software vulnerability is a weakness, not something of value to protect.

89 · Multi-Select · medium

A security analyst is designing a multi-factor authentication system for remote access. Which TWO of the following combinations represent true multi-factor authentication? (Select TWO)

Select 2 answers
A. Smart card and OTP token
B. Fingerprint and password
C. Password and smart card
D. Fingerprint and retina scan
E. Password and PIN

Answers: B, C

Correct. Fingerprint (Type 3) and password (Type 1) are different factors.

Why this answer

Multi-factor requires at least two different types. A password (Type 1) and smart card (Type 2) are different factors. A fingerprint (Type 3) and password (Type 1) are also different factors. Smart card and OTP token (A) are both possession, fingerprint and retina scan (D) are both inherence, and password and PIN (E) are both knowledge, so each of those pairs is single-factor.

90 · MCQ · medium

Which of the following is classified as sensitive PII?

A. Medical records
B. Email address
C. Telephone number
D. Date of birth

Answer: A

Medical records are sensitive PII due to privacy laws.

Why this answer

Sensitive PII includes medical records, financial data, and biometrics.

91 · MCQ · hard

Which of the following best describes the difference between due care and due diligence in security governance?

A. Due care is proactive, due diligence is reactive
B. They are synonymous
C. Due care applies to vendors; due diligence applies to employees
D. Due care is the minimum standard of care; due diligence is the investigation and assessment

Answer: D

Due care involves implementing controls; due diligence involves verifying.

Why this answer

Due care is implementing basic security; due diligence is investigating and assessing risks.

92 · MCQ · easy

Which of the following is an example of a Type 2 authentication factor?

A. PIN
B. Password
C. Smart card
D. Fingerprint

Answer: C

Smart card is a possession factor (Type 2).

Why this answer

Type 2 authentication is based on possession, such as a smart card.

93 · MCQ · medium

Which of the following is an example of a Type 1 authentication factor?

A. One-time password (OTP) token
B. PIN code
C. Smart card
D. Fingerprint scan

Answer: B

Correct. A PIN is something you know.

Why this answer

Type 1 is knowledge-based, such as a password or PIN.

94 · MCQ · medium

A security analyst implements a hashing algorithm to verify that a downloaded file has not been altered. Which security goal is being achieved?

A. Authentication
B. Availability
C. Integrity
D. Confidentiality

Answer: C

Hashing verifies that data has not been modified.

Why this answer

Hashing ensures data integrity by detecting changes.

95 · MCQ · medium

An organization requires both a password and a fingerprint scan to access a secure system. This is an example of:

A. Biometric authentication
B. Single-factor authentication
C. Multi-factor authentication
D. Two-step authentication

Answer: C

Two different authentication types are used.

Why this answer

Combining a knowledge factor (password) and an inherence factor (fingerprint) constitutes multi-factor authentication.

96 · Multi-Select · medium

An organization wants to implement multi-factor authentication for remote access. Which TWO of the following would provide multi-factor authentication? (Select TWO)

Select 2 answers
A. Fingerprint and iris scan
B. Password and security questions
C. Password and SMS one-time code
D. Smart card and PIN
E. Two different passwords

Answers: C, D

Password (knowledge) + SMS code (possession) provides multi-factor.

Why this answer

Multi-factor authentication requires combining two different types. Option C (password + SMS code) combines knowledge with possession, and option D (smart card + PIN) combines possession with knowledge. Option A is a single type (inherence), and options B and E are each a single type (knowledge).

An SMS code counts as a possession factor, but because codes sent over the phone network can be intercepted (SIM swapping, SS7 attacks), NIST SP 800-63B classifies SMS out-of-band authentication as restricted; an authenticator app or hardware token is the stronger choice.

97 · MCQ · medium

A company stores customer records that include names, addresses, and Social Security numbers. According to ISC2 Code of Ethics, which canon has the highest priority when handling this sensitive data?

A. Act honorably, honestly, justly, and responsibly
B. Protect society, the common good, and the public trust
C. Advance and protect the profession
D. Provide diligent and competent service to principals

Answer: B

Correct. This is the first and highest priority canon.

Why this answer

The Code of Ethics prioritizes: Protect society, the common good, and the public trust first.

98 · MCQ · easy

An organization implements encryption for data at rest and in transit. Which principle of the CIA triad is primarily being addressed?

A. Non-repudiation
B. Availability
C. Integrity
D. Confidentiality

Answer: D

Correct. Encryption protects data from unauthorized disclosure.

Why this answer

Encryption ensures data is not readable by unauthorized parties, thereby protecting confidentiality.

99 · MCQ · hard

An organization labels data as 'Confidential' and requires encryption both at rest and in transit. This classification is an example of:

A. Risk transfer
B. Due care
C. Data classification
D. Data retention

Answer: C

Data classification assigns labels and dictates protection requirements.

Why this answer

Data classification labels (e.g., Confidential) define handling requirements, such as encryption, to protect the data.

100 · MCQ · medium

According to the (ISC)² Code of Ethics, which principle has the highest priority?

A. Act honorably
B. Protect society
C. Advance the profession
D. Provide diligent service

Answer: B

Protect society is the first and highest priority.

Why this answer

The (ISC)² Code of Ethics prioritizes protecting society, the common good, and public safety above all.

101 · MCQ · medium

An organization wants to ensure that an email message has not been altered during transmission. Which security control should be used?

A. Access control
B. Digital signature
C. Encryption

Answer: B

A digital signature hashes the message and signs the digest with the sender's private key; the recipient verifies it with the sender's public key, which proves both integrity and origin.

Why this answer

Digital signatures provide integrity and non-repudiation by detecting any changes to the message. Encryption alone protects confidentiality; an attacker can still alter ciphertext without being detected unless an authenticated mode or a signature is used.

102 · MCQ · easy

What is the primary purpose of hashing in information security?

A. To provide availability
B. To encrypt data for confidentiality
C. To ensure data integrity
D. To authenticate users

Answer: C

Hashing produces a digest that changes if the data is modified, ensuring integrity.

Why this answer

Hashing is used to verify data integrity by detecting changes to the data.
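The hashing questions above (85, 94 and 102) all turn on the same point: a digest detects modification only when the expected value comes from somewhere the attacker cannot also change. The following Go program is an added example written for this page, not code from the original quiz or from any vendor; the key, the file contents and the "mirror" layout are constructed for illustration. It shows the same SHA-256 check passing on a tampered file when the digest sits beside it, failing when the digest came from a trusted source, and a keyed HMAC tag failing regardless.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the hex digest a vendor would publish beside a download.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the digest and compares it, in constant time, with
// the expected value. That value must come from a trusted source (vendor page
// over TLS, signed release notes), not from the same place as the file.
func VerifyDigest(data []byte, expectedHex string) bool {
	return subtle.ConstantTimeCompare([]byte(Sha256Hex(data)), []byte(expectedHex)) == 1
}

// Tag computes HMAC-SHA256: only a holder of key can produce a valid tag.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag uses hmac.Equal, which compares in constant time.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

// Mirror models a download location holding the file, an unkeyed digest and a
// keyed tag side by side (constructed scenario).
type Mirror struct {
	File   []byte
	Digest string
	Tag    []byte
}

// Publish is what the legitimate publisher, who holds key, writes to the mirror.
func Publish(key, file []byte) Mirror {
	return Mirror{File: file, Digest: Sha256Hex(file), Tag: Tag(key, file)}
}

// Tamper models an attacker who controls the mirror: they swap the file and
// recompute the unkeyed digest, but cannot recompute the tag without key.
func Tamper(m Mirror, evil []byte) Mirror {
	return Mirror{File: evil, Digest: Sha256Hex(evil), Tag: m.Tag}
}

// DigestCheckPasses is the naive check: hash the file and compare it with the
// digest stored next to it on the same mirror.
func DigestCheckPasses(m Mirror) bool { return VerifyDigest(m.File, m.Digest) }

// TagCheckPasses verifies the keyed tag with the shared key.
func TagCheckPasses(key []byte, m Mirror) bool { return VerifyTag(key, m.File, m.Tag) }

func main() {
	key := []byte("shared-secret-key") // constructed example key
	good := Publish(key, []byte("installer v1.0"))
	trusted := good.Digest // digest obtained out of band, before any tampering
	bad := Tamper(good, []byte("installer v1.0 + backdoor"))

	fmt.Println("tampered, digest beside file:", DigestCheckPasses(bad)) // true: proves nothing
	fmt.Println("tampered, trusted digest:    ", VerifyDigest(bad.File, trusted))
	fmt.Println("tampered, keyed tag:         ", TagCheckPasses(key, bad))
}
```

The keyed tag closes the gap only for parties who share the key; for public downloads the equivalent is a digital signature, where verification needs no secret at all.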

103 · MCQ · hard

A company decides to accept the risk of using a legacy system because the cost of replacing it exceeds potential losses. This is an example of:

A. Risk avoidance
B. Risk acceptance
C. Risk transfer
D. Risk mitigation

Answer: B

The company accepts the risk as is.

Why this answer

Risk acceptance means acknowledging the risk and not taking further action.

104 · Multi-Select · medium

A company is classifying data and wants to ensure that personally identifiable information (PII) receives appropriate protection. Which two of the following are considered PII? (Choose two.)

Select 2 answers
A. Social Security Number
B. Email address
C. Employee ID number
D. Job title
E. Department name

Answers: A, B

SSN is a classic example of PII.

Why this answer

PII includes any data that can identify an individual. Social Security Number (SSN) and email address are both considered PII because they can be used to identify a person.

105 · MCQ · easy

Which of the following is an example of a Type 2 authentication factor?

A. Smart card
B. PIN
C. Password
D. Fingerprint

Answer: A

Smart card is a possession factor (Type 2).

Why this answer

Type 2 factors are something you have, such as a physical token.

106 · Multi-Select · medium

Which TWO of the following are examples of multi-factor authentication? (Select TWO.)

Select 2 answers
A. Smart card and RSA token
B. Password and SMS one-time code
C. Biometric and PIN
D. Fingerprint and retina scan
E. Password and security question

Answers: B, C

Correct. Option B combines knowledge and possession; option C combines inherence and knowledge.

Why this answer

MFA requires two or more different factor types. Password (knowledge) + SMS code (possession) and biometric (inherence) + PIN (knowledge) qualify. Smart card + RSA token (A) are both possession, fingerprint + retina (D) are both inherence, and password + security question (E) are both knowledge.

107 · Multi-Select · hard

A company is implementing risk management for a new project. Which THREE of the following are valid risk treatment options? (Select THREE.)

Select 3 answers
A. Risk acceptance
B. Risk transfer
C. Risk communication
D. Risk mitigation
E. Risk analysis

Answers: A, B, D

Correct. Acceptance (tolerating the risk), transfer, and mitigation are treatments.

Why this answer

The four risk treatment options are mitigation, transfer, avoidance, and acceptance. Avoidance is not offered here, so the three listed treatments are acceptance, transfer, and mitigation. Risk analysis and risk communication belong to the assessment and reporting stages of risk management; they are not ways of treating a risk.

108 · MCQ · medium

Which of the following is considered sensitive personally identifiable information (PII)?

A. Date of birth
B. Telephone number
C. Medical records
D. Email address

Answer: C

Medical records are sensitive PII due to privacy laws and potential harm if disclosed.

Why this answer

Sensitive PII includes medical records, financial information, and biometrics, which require extra protection.

109 · MCQ · easy

Which of the following best describes the purpose of due care in information security?

A. Implementing reasonable security measures to protect data
B. Prioritizing security incidents based on impact
C. Transferring risk to a third party
D. Investigating a vendor's background before contracting

Answer: A

Correct. Due care is about taking prudent steps to protect assets.

Why this answer

Due care means exercising a minimum standard of care to protect information assets, such as implementing basic security controls.

110 · Multi-Select · hard

A security analyst is reviewing data handling procedures. Which THREE of the following are considered sensitive PII?

Select 3 answers
A. Financial account numbers
B. Phone number
C. Name and email address
D. Biometric data
E. Medical records

Answers: A, D, E

Correct. Financial data is sensitive PII.

Why this answer

Sensitive PII includes medical records, financial account numbers, and biometric data. Name, email address and phone number are general PII.

111 · MCQ · hard

A security professional is asked to ensure that a document has not been altered since it was signed. Which technology best supports this requirement?

A. Symmetric encryption
B. Digital signature
D. Hashing

Answer: B

Digital signatures provide integrity and authentication.

Why this answer

Digital signatures provide integrity and non-repudiation. A hash alone shows that content matches a digest but not who produced the digest or whether it was replaced; a signature binds the digest to the signer's private key, so any later change to the document, or a forged signature, fails verification.
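Questions 101 and 111 ask for a digital signature rather than a bare hash. The Go program below is an added example for this page, not the quiz's own material; the key derivation from a passphrase, the signer names and the contract text are constructed so that it runs offline. It signs the SHA-256 digest of a document with Ed25519 and shows verification failing both for an altered document and for a different signer's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// KeyFromSeed derives a deterministic Ed25519 key pair from a passphrase so the
// example is reproducible. Real keys come from ed25519.GenerateKey(rand.Reader)
// and the private half lives in an HSM, smart card or OS keystore.
func KeyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // 32 bytes, which is ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignDocument hashes the document and signs the digest with the private key.
// Ed25519 hashes internally as well; pre-hashing keeps the signed message small
// and mirrors how formats such as CMS/S/MIME and JWS structure a signature.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(priv, digest[:])
}

// VerifyDocument succeeds only if the document is byte-for-byte what was signed
// and the signature was made by the private key matching pub. Anyone holding
// the public key can check this; nobody without the private key can forge it,
// which is the property behind non-repudiation that a hash or HMAC lacks.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // reject malformed input rather than let Verify panic on it
	}
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	alicePub, alicePriv := KeyFromSeed("alice demo key") // constructed example signer
	malloryPub, _ := KeyFromSeed("mallory demo key")     // a different, unrelated key

	doc := []byte("Contract: pay 1000 on delivery")
	sig := SignDocument(alicePriv, doc)

	fmt.Println("original, Alice's key:  ", VerifyDocument(alicePub, doc, sig))
	fmt.Println("altered document:       ", VerifyDocument(alicePub, []byte("Contract: pay 9000 on delivery"), sig))
	fmt.Println("verified with wrong key:", VerifyDocument(malloryPub, doc, sig))
}
```

For email the same primitive is wrapped by S/MIME or OpenPGP; the signature verifies the message body and headers the sender chose to sign, so the recipient also needs a trustworthy way to obtain the sender's public key (a certificate chain or a previously verified key).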

112 · Multi-Select · easy

An organization wants to implement multi-factor authentication (MFA) for remote access. Which two types of authentication factors would meet the definition of MFA? (Choose two.)

Select 2 answers
A. Password
B. Smart card
C. Retina scan
D. Fingerprint scan
E. OTP token

Answers: A, B

A password is Type 1 (knowledge) and a smart card is Type 2 (possession); combined, they create MFA.

Why this answer

Multi-factor authentication requires at least two different types of factors. A password is Type 1 (knowledge) and a smart card is Type 2 (possession), so combining them qualifies as MFA. A smart card and an OTP token (B and E) are both possession factors, and a retina scan and a fingerprint scan (C and D) are both inherence factors, so neither of those pairs meets the definition on its own.

113 · Multi-Select · medium

A security professional is reviewing authentication methods. Which TWO are examples of Type 2 (possession) factors? (Select TWO)

Select 2 answers
A. A PIN
B. A hardware OTP token
C. A fingerprint
D. A password
E. A smart card

Answers: B, E

A hardware token is a possession.

Why this answer

Type 2 factors are something you have; a smart card and a hardware token are physical devices.
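Questions 96, 106, 112 and 113 all test whether a pair of credentials spans two factor types. The Go program below, an added example not taken from the quiz, implements that rule and backs it with real checks: a salted password comparison (knowledge) and an RFC 6238 TOTP code (possession), using the test secret published in RFC 6238 so the output is checkable. The salt, password and user are constructed; HMAC-SHA256 as the password hash is a stand-in for a proper password KDF, as the comments note.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// FactorType is the category a credential proves (the page's Type 1/2/3).
type FactorType string

const (
	Knowledge  FactorType = "knowledge"  // Type 1: something you know
	Possession FactorType = "possession" // Type 2: something you have
	Inherence  FactorType = "inherence"  // Type 3: something you are
)

// VerifiedFactor is the outcome of checking one credential.
type VerifiedFactor struct {
	Name string
	Type FactorType
	OK   bool
}

// IsMultiFactor is true only when the successfully verified credentials span
// at least two different types. Two passwords, or a smart card plus an OTP
// token, cover one type and are not MFA however many of them succeed.
func IsMultiFactor(checks []VerifiedFactor) bool {
	seen := map[FactorType]bool{}
	for _, c := range checks {
		if c.OK {
			seen[c.Type] = true
		}
	}
	return len(seen) >= 2
}

// HashPassword derives a salted digest. HMAC-SHA256 is a stand-in that keeps the
// example in the standard library; a real password store uses a slow,
// memory-hard KDF such as argon2id or bcrypt.
func HashPassword(salt, password []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(password)
	return m.Sum(nil)
}

// CheckPassword compares in constant time so timing does not leak the digest.
func CheckPassword(salt, stored, candidate []byte) bool {
	return subtle.ConstantTimeCompare(stored, HashPassword(salt, candidate)) == 1
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(msg[:])
	h := m.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to the 30-second time step.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix())/30, digits)
}

// CheckTOTP accepts the current step and one step either side for clock drift,
// and always examines all three so timing does not reveal which one matched.
func CheckTOTP(secret []byte, now time.Time, code string) bool {
	ok := false
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		want := TOTP(secret, now.Add(skew), 6)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

// Login checks a password (knowledge) and a TOTP code from an authenticator app
// or hardware token (possession); access is granted only if both pass, because
// only then do the verified factors span two types.
func Login(salt, storedHash, totpSecret []byte, now time.Time, password, code string) bool {
	return IsMultiFactor([]VerifiedFactor{
		{"password", Knowledge, CheckPassword(salt, storedHash, []byte(password))},
		{"totp", Possession, CheckTOTP(totpSecret, now, code)},
	})
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	salt := []byte("example-salt")            // constructed; use a random per-user salt
	stored := HashPassword(salt, []byte("correct horse"))
	now := time.Unix(59, 0) // RFC 6238 vector time; the 8-digit code here is 94287082

	fmt.Println("password + valid TOTP: ", Login(salt, stored, secret, now, "correct horse", TOTP(secret, now, 6)))
	fmt.Println("password + wrong TOTP: ", Login(salt, stored, secret, now, "correct horse", "000000"))
	fmt.Println("smart card + OTP token:", IsMultiFactor([]VerifiedFactor{{"card", Possession, true}, {"otp", Possession, true}}))
}
```

The drift window in CheckTOTP is the usual trade-off: one step either side tolerates clock skew but also triples the number of codes an attacker may guess per attempt, so a real deployment pairs it with rate limiting and, for stronger possession proof, a hardware or FIDO authenticator.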

114 · MCQ · hard

According to the (ISC)² Code of Ethics, which of the following has the highest priority?

A. Provide diligent and competent service to principals
B. Act honorably, honestly, justly, responsibly, and legally
C. Protect society, the common good, necessary public trust and confidence, and the infrastructure
D. Advance and protect the profession

Answer: C

Correct. This is the first and highest priority canon.

Why this answer

The (ISC)² Code of Ethics has four canons in order of priority: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession.

115 · MCQ · easy

Which of the following is considered sensitive Personally Identifiable Information (PII)?

A. Email address
B. Date of birth
C. Medical records
D. Phone number

Answer: C

Medical records are sensitive PII.

Why this answer

Medical records are sensitive PII because they can cause significant harm if disclosed.

116 · MCQ · medium

A vulnerability assessment reveals that a legacy system has unpatched software. The organization decides to accept the risk because the system is isolated and has compensating controls. This decision is an example of:

A. Risk avoidance
B. Risk acceptance
C. Risk mitigation
D. Risk transfer

Answer: B

The organization accepts the residual risk.

Why this answer

Risk acceptance is acknowledging the risk that remains after existing controls (the residual risk) and deciding not to reduce it further. The decision should be documented, with an owner and a review date, so that it is revisited if the isolation or compensating controls change.

117 · MCQ · medium

Which of the following best describes a vulnerability in the context of risk management?

A. A potential cause of an unwanted incident
B. The likelihood of a threat exploiting a weakness
C. A measure that reduces risk
D. A weakness that can be exploited

Answer: D

Correct. A vulnerability is a weakness.

Why this answer

A vulnerability is a weakness that can be exploited by a threat to cause harm.

118 · MCQ · medium

A company implements redundant servers to ensure that if one server fails, another can take over immediately. Which security principle is primarily being addressed?

A. Authentication
B. Integrity
C. Availability
D. Confidentiality

Answer: C

Redundancy ensures systems remain accessible despite failures.

Why this answer

Redundancy supports availability by minimizing downtime.

119 · Multi-Select · hard

A financial institution is implementing data classification to protect customer information. They have identified data that includes medical records and financial account numbers. Which three labels are most appropriate for this data? (Choose three.)

Select 3 answers
A. Restricted
B. Sensitive
C. Confidential
D. Internal
E. Public

Answers: A, B, C

Restricted is often the highest classification, appropriate for extremely sensitive data like medical records.

Why this answer

Medical records and financial account numbers are sensitive PII and belong in an organization's highest classification tiers. Label names vary by framework, but 'Confidential', 'Restricted' and 'Sensitive' all denote data whose disclosure causes harm and that requires controls such as encryption and need-to-know access. 'Internal' and 'Public' are reserved for data whose disclosure causes little or no harm, so neither fits this data.

120 · Multi-Select · medium

A security professional is advising a company on adherence to the (ISC)² Code of Ethics. Which two of the following actions align with the Code's canons? (Choose two.)

Select 2 answers
A. Using a vendor's software without a license to test its security
B. Sharing a colleague's password with a manager without the colleague's consent to improve efficiency
C. Reporting a discovered vulnerability to the software vendor promptly
D. Refusing to share a confidential client password with an unauthorized third party
E. Concealing a security breach to avoid negative publicity

Answers: C, D

Reporting the vulnerability protects society and the infrastructure by allowing fixes to be developed.

Why this answer

The (ISC)² Code of Ethics includes four canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; and Advance and protect the profession. Reporting vulnerabilities to the vendor protects society. Refusing to share confidential credentials demonstrates honorable behavior.

121 · MCQ · medium

A security team identifies a vulnerability in a web application that could allow attackers to steal customer data. The team decides to accept the risk because the cost to fix exceeds the potential loss. This is an example of:

A. Risk transfer
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation

Answer: C

The team consciously accepted the risk after evaluating costs.

Why this answer

Risk acceptance means acknowledging the risk and choosing not to mitigate it, often due to cost-benefit analysis.

122 · MCQ · medium

A company is evaluating a new cloud service provider and performs a thorough investigation of the provider's security practices and compliance with industry standards. This activity is best described as:

A. Due diligence
B. Risk transfer
C. Risk avoidance
D. Due care

Answer: A

Correct. Due diligence is the investigation and assessment of risks.

Why this answer

Due diligence involves investigating and assessing risks before making decisions, such as vendor selection.

123 · MCQ · easy

Which of the following is an example of Type 2 (possession) authentication?

A. PIN
B. Smart card
C. Password
D. Fingerprint scan

Answer: B

Smart card is something you have.

Why this answer

A smart card is a physical item you possess, making it Type 2.

124 · MCQ · easy

What is the primary goal of data classification?

A. To improve data access speed
B. To comply with marketing requirements
C. To determine the appropriate level of security controls
D. To reduce storage costs

Answer: C

Correct. Classification drives handling requirements.

Why this answer

Data classification assigns sensitivity labels to enable appropriate protection.

125 · MCQ · medium

Which of the following is an example of sensitive PII?

A. Phone number
B. Medical records
C. Social Security number
D. Name and email address

Answer: B

Correct. Medical records are classified as sensitive PII.

Why this answer

Sensitive PII includes information that, if disclosed, could cause significant harm, such as medical records, financial information, and biometric data. Note that many frameworks also treat Social Security numbers as sensitive PII because of their use in identity theft; the intended answer here is medical records, which every classification scheme places in the sensitive category.

126 · MCQ · medium

Which of the following is an example of a Type 2 authentication factor?

A. Fingerprint scan
B. Password
C. One-time passcode from a hardware token
D. PIN

Answer: C

Correct. A hardware token is a possession factor.

Why this answer

Type 2 (possession) factors include something the user has, such as a smart card, OTP token, or mobile authenticator app.

127 · MCQ · easy

Which of the following best describes the principle of confidentiality in the CIA triad?

A. Ensuring data is accurate and complete
B. Verifying the identity of users
C. Preventing unauthorized disclosure of information
D. Ensuring systems and data are accessible when needed

Answer: C

Correct. Confidentiality is about preventing unauthorized access or disclosure.

Why this answer

Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes. Encryption and access controls are primary mechanisms to enforce confidentiality.

128 · MCQ · easy

An organization encrypts all sensitive data at rest and in transit. Which principle of the CIA triad is primarily being addressed?

A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality

Answer: D

Encryption prevents unauthorized access to data.

Why this answer

Encryption protects data from unauthorized disclosure, directly supporting confidentiality.
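Questions 98 and 128 describe encrypting data at rest for confidentiality. The Go program below is an added example for this page, not part of the quiz; the key derivation and the customer record are constructed. It uses AES-256-GCM, an authenticated mode, so the stored record protects confidentiality and also fails to decrypt if it is altered or copied onto a different customer's row, rather than silently returning wrong data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey derives a fixed 32-byte AES-256 key so the example runs offline.
// A real data-at-rest key comes from a KMS or HSM, never from a string.
func DemoKey() []byte {
	k := sha256.Sum256([]byte("constructed demo key, not for production"))
	return k[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. A fresh random nonce per call is
// mandatory for GCM (nonce reuse breaks both confidentiality and integrity),
// and the record ID is bound as additional authenticated data so a ciphertext
// copied onto a different record will not decrypt.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or record ID
// makes gcm.Open return an error, so corrupted or swapped records are rejected
// instead of being decrypted to garbage.
func Open(key []byte, recordID string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored record too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := DemoKey()
	record := []byte("name=A. Customer; ssn=123-45-6789") // constructed sample record
	ct, _ := Seal(key, "customer/42", record)
	fmt.Printf("stored bytes: %x\n", ct)

	pt, err := Open(key, "customer/42", ct)
	fmt.Println("same record id:", string(pt), err)
	_, err = Open(key, "customer/43", ct)
	fmt.Println("swapped onto another record:", err)
	ct[len(ct)-1] ^= 1
	_, err = Open(key, "customer/42", ct)
	fmt.Println("one bit flipped:", err)
}
```

Binding the record ID as AAD is what turns a confidentiality control into one that also preserves integrity at rest; with a plain, unauthenticated cipher mode an attacker with write access to the database could swap or bit-flip ciphertexts undetected.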

129 · MCQ · hard

After a data breach, an organization discovers that an attacker exploited a known vulnerability in an outdated web server. The organization had previously identified the vulnerability but decided not to patch it due to potential downtime. Which risk management strategy did the organization employ?

A. Risk transfer
B. Risk acceptance
C. Risk avoidance
D. Risk mitigation

Answer: B

By not patching despite knowing the vulnerability, the organization accepted the risk.

Why this answer

Risk acceptance means acknowledging the risk and its potential impact without taking action to reduce it.

130 · MCQ · medium

An organization implements redundant servers and failover mechanisms to ensure continuous operation during a power outage. Which goal of the CIA triad is primarily being addressed?

A. Confidentiality
B. Integrity
C. Authentication
D. Availability

Answer: D

Redundancy and failover enhance availability.

Why this answer

Redundancy and failover ensure systems remain accessible, which supports availability.
