CCNA Security Principles Questions

9 of 159 questions · Page 3/3 · Security Principles topic · Answers revealed

151
Multi-Select · hard

Which THREE of the following are acceptable risk treatment options according to NIST risk management framework?

Select 3 answers
A. Risk mitigation
B. Risk duplication
C. Risk transfer
D. Risk identification
E. Risk acceptance
Answers: A, C, E

Risk mitigation involves implementing controls to reduce risk.

Why this answer

Risk avoidance, mitigation, transfer, and acceptance are standard. Risk identification is a step, not treatment. Risk duplication is not a term.

152
Multi-Select · easy

Which TWO of the following are core components of the CIA triad?

Select 2 answers
A. Authentication
B. Non-repudiation
C. Confidentiality
D. Authorization
E. Availability
Answers: C, E

Confidentiality is one of the three CIA triad components.

Why this answer

Confidentiality, Integrity, and Availability are the three core principles. Authentication and Non-repudiation are additional security goals.

153
MCQ · hard

An organization is implementing a new identity management system. They want to ensure that users can only access resources necessary for their job roles. Which principle should guide the access control design?

A. Separation of duties
B. Least privilege
C. Need to know
D. Defense in depth
Answer: B

Least privilege grants only necessary access for job roles.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions and nothing more. In an identity management system, this is implemented by assigning minimal access rights to resources, reducing the attack surface and limiting potential damage from compromised accounts. This directly aligns with the scenario of ensuring users can only access resources essential for their roles.

Exam trap

ISC2 often tests least privilege versus need to know, where candidates mistakenly choose need to know because it sounds more specific, but least privilege is the broader, correct principle for general access control design in identity management.

How to eliminate wrong answers

Option A is wrong because separation of duties is a principle that prevents fraud by requiring multiple users to complete a sensitive task (e.g., one user creates a purchase order, another approves it), not a principle for limiting individual access to job-necessary resources. Option C is wrong because need to know is a subset of least privilege focused specifically on access to classified or sensitive information on a per-case basis, not the broader principle of limiting all resource access to job-role requirements. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption) to protect assets, not a principle for designing user access rights.

154
MCQ · medium

You are the IT security officer for a hospital that handles protected health information (PHI). The hospital uses an electronic health record (EHR) system. You receive a report that a nurse accessed the medical records of a celebrity patient without a legitimate medical reason. The access was logged. The hospital policy requires all employees to access only the minimum necessary information for their job duties. The nurse claims they were just curious. This is a violation of which security principle, and what is the best course of action?

A. Confidentiality; encrypt all patient records
B. Accountability; disable access for all nurses to the EHR
C. Least privilege; revoke the nurse's access to the EHR system and initiate disciplinary proceedings
D. Least privilege; send a warning to the nurse
Answer: C

This enforces the principle and addresses the violation appropriately.

Why this answer

Correct: this is a violation of least privilege; the nurse should have been granted access only to the records necessary for their job. The best course is to revoke access and follow disciplinary procedures (C). Option A is wrong because encryption doesn't prevent an authorized user from misusing the access they already hold; Option B is wrong because disabling access for all nurses is excessive; Option D is wrong because a warning alone doesn't address the root cause.

155
Multi-Select · easy

Which TWO of the following are examples of administrative security controls?

Select 2 answers
A. Firewall rule sets
B. Data encryption
C. Biometric access controls
D. Security policies and procedures
E. Security awareness training
Answers: D, E

Policies are administrative controls that govern behavior.

Why this answer

Options D and E are correct because security policies and security awareness training are administrative controls. Firewall rule sets (A) are technical controls. Encryption (B) is a technical control. Biometric access controls (C) are physical/technical.

156
Multi-Select · medium

Which THREE of the following are recognized security principles according to NIST and ISC2?

Select 3 answers
A. Separation of duties
B. Security through obscurity
C. Least privilege
D. Defense in depth
E. Single point of failure
Answers: A, C, D

Separation of duties prevents fraud and error.

Why this answer

Least privilege, separation of duties, and defense in depth are fundamental. Security through obscurity is not a recognized principle.

157
MCQ · medium

Refer to the exhibit.

```
-rw-r-x--- 1 user1 developers 1024 Apr 12 10:00 config.cfg
```

The security policy states that only the file owner (user1) and members of the developers group should be able to read the file. Which change is necessary to align with the principle of least privilege?

A. Add world read permission.
B. Change group permissions to rw-r--.
C. Change the file mode to 640.
D. Change the owner to user2.
Answer: C

640 (rw-r-----) removes the execute permission that is not required for read-only access, adhering to least privilege.

158
MCQ · easy

An organization requires that two different administrators approve changes to firewall rules. This is an example of which security principle?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Need-to-know
Answer: C

Requiring two approvals divides the task, preventing a single person from making unauthorized changes.

Why this answer

Separation of duties requires multiple people to complete a sensitive task to reduce fraud and errors, so Option C is correct. Option A (least privilege) limits permissions. Option B (defense in depth) uses layers of controls. Option D (need-to-know) restricts data access.

159
MCQ · easy

A security team implements a policy that requires all access to sensitive data to be logged and audited. Which principle is being enforced?

A. Accountability
B. Non-repudiation
C. Integrity
D. Least privilege
Answer: A

Correct. Logging creates accountability.

Why this answer

Accountability is enforced because logging and auditing create a traceable record of who accessed sensitive data and what actions they performed. This allows security teams to hold individuals responsible for their actions by correlating log entries with specific user identities, typically via authentication systems like LDAP or SAML. The policy directly supports the principle that users must be answerable for their access to protected resources.

Exam trap

ISC2 often tests the distinction between accountability (tracking and attributing actions) and non-repudiation (cryptographic proof of origin), leading candidates to confuse logging with the stronger assurance provided by digital signatures.

How to eliminate wrong answers

Option B is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or cryptographic proof (e.g., HMAC, RSA signatures), not through logging and auditing alone. Option C is wrong because integrity focuses on protecting data from unauthorized modification (e.g., via checksums, hashing like SHA-256, or access controls), not on tracking who accessed it. Option D is wrong because least privilege restricts access rights to the minimum necessary for a role, whereas logging and auditing are about monitoring and reviewing access after it has occurred, not about limiting permissions upfront.
