CCNA CISSP Security Ops Questions

60 questions · CISSP Security Ops topic · All types, answers revealed

1
MCQ · medium

A business continuity plan (BCP) differs from a disaster recovery plan (DRP) in that the BCP primarily focuses on:

A. Securing physical facilities
B. Restoring IT systems and infrastructure
C. Maintaining critical business processes during a disruption
D. Replacing hardware and software
Answer: C

BCP ensures continuity of business operations.

Why this answer

BCP aims to maintain business functions during and after a disruption, while DRP focuses on IT restoration.

2
MCQ · hard

An organization's data loss prevention (DLP) solution is configured to block emails containing credit card numbers. This is an example of which type of DLP control?

A. Classification-based DLP
B. Network DLP
C. Cloud DLP
D. Endpoint DLP
Answer: B

Network DLP inspects network traffic, including email.

Why this answer

Network DLP monitors and controls data in motion, such as email traffic.

3
MCQ · medium

During a digital forensics investigation, a security analyst must preserve evidence in order of volatility. Which of the following represents the correct sequence from most volatile to least volatile?

A. CPU registers → Cache → RAM → Swap → Disk → Remote logging → Physical media
B. Physical media → Remote logging → Disk → Swap → RAM → Cache → CPU registers
C. Cache → CPU registers → RAM → Swap → Remote logging → Disk → Physical media
D. RAM → CPU registers → Cache → Swap → Disk → Remote logging → Physical media
Answer: A

This sequence correctly orders from most volatile (CPU registers) to least volatile (physical media).

Why this answer

The order of volatility prioritizes capturing data that changes most quickly first.

4
Multi-Select · hard

A security analyst is configuring a SIEM to improve threat detection. Which THREE of the following are essential capabilities of a SIEM system?

Select 3 answers
A. Vulnerability scanning
B. Automated patch deployment
C. Reporting and dashboarding
D. Real-time correlation and alerting
E. Log aggregation and normalization
Answers: C, D, E

SIEM provides reports and dashboards for analysis.

Why this answer

Reporting and dashboarding (C) is a core SIEM capability because it transforms raw security event data into actionable intelligence through visualizations, summaries, and compliance reports. This allows security analysts to quickly identify trends, measure security posture, and demonstrate regulatory compliance (e.g., PCI DSS, HIPAA) without manually sifting through logs.

Exam trap

The trap here is confusing SIEM's passive analysis and reporting role with active remediation tools (vulnerability scanners and patch managers), leading candidates to select options that describe functions SIEMs do not perform themselves.

5
MCQ · medium

An organization wants to ensure that its critical database can be restored to a point within the last 15 minutes in case of failure. Which metric defines this requirement?

A. MTD
B. MTTR
C. RPO
D. RTO
Answer: C

RPO specifies how much data loss is acceptable (15 minutes).

Why this answer

RPO (Recovery Point Objective) defines the acceptable data loss in terms of time.

6
MCQ · medium

A SOC analyst (Tier 1) receives an alert from the SIEM indicating a potential malware infection on a critical server. According to SOC tier responsibilities, what is the analyst's primary action?

A. Perform in-depth forensic analysis of the server
B. Implement a permanent firewall rule to block the malware
C. Isolate the server and then escalate to Tier 2
D. Delete the malware sample without preserving evidence
Answer: C

Tier 1 performs initial triage, containment (isolation), and escalation.

Why this answer

Tier 1 analysts triage alerts and escalate confirmed incidents to Tier 2 for deeper analysis.

7
MCQ · medium

A security team is implementing data loss prevention (DLP) to protect sensitive information. Which DLP type is best suited to monitor and block sensitive data leaving the corporate network via email or web traffic?

A. Network DLP
B. Cloud DLP
C. Endpoint DLP
D. Classification-based controls
Answer: A

Network DLP analyzes outbound traffic, such as email and web, to prevent data leakage.

Why this answer

Network DLP inspects traffic at egress points to prevent unauthorized data transmission.

8
MCQ · hard

A SOC analyst receives an alert from the SIEM indicating a large volume of outbound data from a sensitive database server to an external IP address. The analyst queries the SIEM and finds the server communicated with the external IP during non-business hours. Which type of incident is most likely occurring?

A. Unauthorized access
B. Denial of Service (DoS)
C. Malware infection
D. Data breach
Answer: D

Unauthorized data transfer out of the network is a classic indicator of a data breach.

Why this answer

Large outbound data transfer to an external IP outside business hours suggests a data breach, possibly exfiltration.

9
Multi-Select · medium

A security analyst is selecting forensic tools for an investigation. Which TWO tools are best suited for memory forensics? (Select TWO.)

Select 2 answers
A. Wireshark
B. Volatility
C. Autopsy
D. EnCase
E. FTK
Answers: B, E

Volatility is the leading memory forensics tool.

Why this answer

Volatility is a dedicated memory forensics framework; FTK can also capture and analyze memory, though it is a more general-purpose suite. EnCase and Autopsy are disk forensics tools, and Wireshark is a network protocol analyzer.

10
MCQ · medium

During a security incident, an organization's SOC team identifies a series of unauthorized access attempts from an external IP address. The incident manager needs to escalate this to the appropriate team. According to the incident response plan, which role is primarily responsible for coordinating the response and communicating with stakeholders?

A. Forensic investigator
B. Communications lead
C. SOC Tier 1 analyst
D. Incident manager
Answer: D

The incident manager oversees the response and communication.

Why this answer

The incident manager leads the response, coordinates resources, and communicates with stakeholders.

11
MCQ · medium

During a vulnerability management lifecycle, after vulnerabilities are identified and prioritized, what is the NEXT step?

A. Verification
B. Reporting
C. Remediation
D. Risk acceptance
Answer: C

Vulnerabilities must be remediated after prioritization.

Why this answer

Remediation (patching or mitigating) follows prioritization.

12
MCQ · hard

An organization has a maximum tolerable downtime (MTD) of 8 hours for its critical e-commerce platform. The recovery time objective (RTO) is set to 4 hours, and the recovery point objective (RPO) is 30 minutes. Which disaster recovery strategy is most cost-effective while meeting these requirements?

A. Cloud DR with continuous replication
B. Hot site with real-time replication
C. Cold site with daily backups
D. Warm site with hourly backups
Answer: D

Meets RTO of 4 hours and RPO of 30 min.

Why this answer

A warm site can be operational within hours and meets the 4-hour RTO, while a hot site is more expensive and a cold site is too slow.

13
MCQ · medium

A security team implements a Data Loss Prevention (DLP) solution to monitor email attachments for sensitive data. Which type of DLP is being used?

A. Classification-based controls
B. Cloud DLP
C. Network DLP
D. Endpoint DLP
Answer: C

Network DLP inspects traffic at network egress points, including email.

Why this answer

Network DLP monitors data in motion by inspecting network traffic, such as email attachments, as they traverse the network perimeter. This is the correct type because the scenario explicitly describes monitoring email attachments, which are transmitted over the network, and Network DLP is designed to inspect SMTP, HTTP, FTP, and other protocols for sensitive content at the network layer.

Exam trap

The trap here is that candidates confuse 'monitoring email attachments' with endpoint-based controls, but the key distinction is that Network DLP inspects data in motion across the network, whereas Endpoint DLP focuses on local device actions like saving to USB or printing.

How to eliminate wrong answers

Option A is wrong because classification-based controls are not a type of DLP; they are a data governance mechanism that labels data based on sensitivity, but they do not actively monitor or block data in transit. Option B is wrong because Cloud DLP is a service provided by cloud providers (e.g., AWS Macie, Google Cloud DLP) that inspects data stored in cloud repositories, not email attachments traversing an on-premises or hybrid network. Option D is wrong because Endpoint DLP monitors data at rest or in use on endpoints (e.g., USB copy, clipboard operations), not data in motion over the network like email attachments.

14
MCQ · easy

Which of the following best describes the primary purpose of an incident response plan?

A. To replace the need for a disaster recovery plan
B. To assign blame after an incident occurs
C. To document all security controls in place
D. To provide a structured approach for managing and resolving security incidents
Answer: D

This is the core purpose of an IR plan.

Why this answer

An incident response plan provides a structured approach to manage and resolve security incidents, minimizing impact.

15
Multi-Select · hard

During a forensic investigation, which THREE of the following are essential to maintain chain of custody? (Select THREE)

Select 3 answers
A. Storing evidence in a publicly accessible location
B. Documenting every person who handled the evidence
C. Using write-blockers when acquiring disk images
D. Encrypting the evidence at all times
E. Recording the date and time of each transfer
Answers: B, C, E

This tracks accountability.

Why this answer

Chain of custody requires documenting who handled evidence, when, and ensuring integrity.

16
Multi-Select · hard

A company is evaluating disaster recovery strategies and wants to minimize both RTO and RPO. Which THREE options provide the best combination of low RTO and low RPO? (Select THREE)

Select 3 answers
A. Reciprocal agreement
B. Cloud DR with replication
C. Synchronous replication to a secondary site
D. Hot site
E. Cold site
Answers: B, C, D

Cloud DR can spin up quickly with frequent replication.

Why this answer

Hot sites, cloud DR, and replication provide rapid recovery with minimal data loss.

17
MCQ · easy

Which role in an incident response team is primarily responsible for coordinating communication with external parties, such as the media and regulators?

A. Legal counsel
B. Incident manager
C. Forensic investigator
D. Communications lead
Answer: D

The communications lead handles all external and internal communications.

Why this answer

The communications lead manages external messaging during an incident.

18
MCQ · medium

A security analyst is reviewing SIEM logs and notices multiple failed login attempts from a single IP address followed by a successful login. The account belongs to a user in finance. Which incident category is most appropriate?

A. DoS
B. Insider threat
C. Social engineering
D. Unauthorized access
Answer: D

The pattern indicates a brute-force attack resulting in unauthorized access.

Why this answer

The sequence of multiple failed login attempts followed by a successful login from the same external IP address indicates a brute-force or password-spraying attack that succeeded. This constitutes unauthorized access because the attacker gained entry to an account without legitimate authorization, violating the confidentiality and integrity of the finance user's account.

Exam trap

The trap here is that candidates may confuse 'insider threat' with any unauthorized access, but the external IP address clearly indicates the attacker is not an insider, making unauthorized access the correct category.

How to eliminate wrong answers

Option A is wrong because a DoS (Denial of Service) attack aims to disrupt service availability by overwhelming resources, not to gain authenticated access through repeated login attempts. Option B is wrong because an insider threat involves a trusted user misusing their legitimate access, whereas this scenario shows an external IP address performing the login attempts, not an internal user. Option C is wrong because social engineering relies on manipulating human psychology (e.g., phishing calls or emails) to trick users into revealing credentials, not on automated brute-force attempts against a login interface.

19
MCQ · easy

Which metric defines the maximum amount of data loss an organization can tolerate during a disaster?

A. RPO
B. MTD
C. MTTR
D. RTO
Answer: A

RPO defines the maximum data loss (e.g., last backup) that is acceptable.

Why this answer

Recovery Point Objective (RPO) determines the acceptable data loss measured in time.

20
MCQ · easy

An organization is developing an incident response plan. Which component is responsible for defining the specific conditions that constitute an incident?

A. Communication plan
B. Recovery procedures
C. Legal notification requirements
D. Incident categories
Answer: D

Incident categories define specific conditions that qualify as incidents, such as malware or data breach.

Why this answer

Incident categories define what events are considered incidents, enabling consistent classification and response.

21
MCQ · medium

An organization is implementing a change management process. Which group is responsible for reviewing and approving major changes?

A. Project management office
B. Incident response team
C. Change Advisory Board (CAB)
D. Security operations center
Answer: C

CAB is responsible for change approval.

Why this answer

The Change Advisory Board (CAB) is the formal group within ITIL-based change management responsible for reviewing, assessing, and approving major or high-risk changes. Major changes typically require a CAB meeting to evaluate impact, resource requirements, and rollback plans before authorization. This ensures changes do not introduce security vulnerabilities or disrupt critical operations.

Exam trap

Cisco often tests the distinction between operational roles (SOC, Incident Response) and governance/approval bodies (CAB), leading candidates to confuse real-time monitoring functions with change authorization responsibilities.

How to eliminate wrong answers

Option A is wrong because the Project Management Office (PMO) oversees project portfolios and ensures alignment with business goals, but it does not have the authority or technical mandate to approve operational changes to production systems. Option B is wrong because the Incident Response Team handles active security incidents and post-incident remediation, not the proactive review and approval of planned changes. Option D is wrong because the Security Operations Center (SOC) monitors real-time security events and alerts, but it is not chartered to approve changes; its role is to detect and respond to anomalies that may result from changes, not to authorize them.

22
Multi-Select · easy

A company is implementing a Data Loss Prevention (DLP) program. Which THREE of the following are common types of DLP controls?

Select 3 answers
A. Application DLP
B. Network DLP
C. Cloud DLP
D. Endpoint DLP
E. Physical DLP
Answers: B, C, D

Network DLP monitors data in motion.

Why this answer

Common DLP types are network, endpoint, and cloud DLP.

23
Multi-Select · medium

An organization is designing a security operations center (SOC) with three tiers. Which TWO of the following are typical responsibilities of Tier 1 analysts? (Select TWO)

Select 2 answers
A. Performing threat hunting
B. Monitoring SIEM alerts and performing initial triage
C. Escalating incidents to Tier 2 when necessary
D. Conducting in-depth forensic analysis
E. Developing new detection rules for the SIEM
Answers: B, C

Tier 1 is responsible for monitoring and triage.

Why this answer

Tier 1 analysts monitor alerts, perform initial triage, and escalate as needed.

24
MCQ · medium

A SOC team is using a SIEM to correlate events from multiple sources. They want to automate responses to common threats. Which technology should they integrate to achieve security orchestration and automation?

A. Vulnerability scanner
B. SOAR
C. Endpoint detection and response (EDR)
D. Network-based IDS
Answer: B

SOAR provides security orchestration, automation, and response.

Why this answer

SOAR tools automate and orchestrate security responses, integrating with SIEM.

25
Multi-Select · hard

A security manager is reviewing incident categories for inclusion in the incident response plan. Which THREE of the following are common incident categories? (Select THREE.)

Select 3 answers
A. Data breach
B. Malware
C. Social engineering
D. Unauthorized access
E. Denial of Service (DoS)
Answers: A, B, E

Data breaches are a key incident type.

Why this answer

A data breach is a common incident category because it involves the unauthorized access and exfiltration of sensitive information, such as personally identifiable information (PII) or protected health information (PHI). In incident response, data breaches require specific containment and notification procedures under regulations like GDPR or HIPAA, making them a distinct category for legal and forensic reasons.

Exam trap

The trap here is that candidates often confuse attack vectors (like social engineering) or general states (like unauthorized access) with formal incident categories, which are defined by the type of impact (e.g., data loss, service disruption) rather than the method of intrusion.

26
MCQ · medium

Which of the following is the primary purpose of a Change Advisory Board (CAB)?

A. To provide oversight and approval for significant changes
B. To implement changes as requested by management
C. To review security incidents after they occur
D. To approve all changes to the production environment
Answer: A

The CAB focuses on assessing risk and approving major changes.

Why this answer

The CAB reviews and approves changes to ensure they are properly assessed and minimize risk.

27
MCQ · medium

An organization is developing an incident response plan. Which component is primarily responsible for defining the criteria for escalating an incident to senior management and legal counsel?

A. Escalation paths
B. Communication plan
C. Recovery procedures
D. Incident categories
Answer: A

Escalation paths outline the triggers and notification hierarchy for senior management and legal counsel.

Why this answer

Escalation paths specify the conditions and hierarchy for notifying higher-level management and legal teams based on incident severity and impact.

28
Multi-Select · medium

A SOC manager is designing a tiered incident response team. Which THREE of the following are standard roles in an incident response team according to industry best practices?

Select 3 answers
A. Forensic Investigator
B. Human Resources Representative
C. Incident Response Manager
D. Chief Financial Officer
E. Communications Lead
Answers: A, C, E

Forensic investigators handle evidence collection and analysis.

Why this answer

Standard IR team roles include IR manager, security analyst, forensic investigator, communications lead, and legal counsel.

29
MCQ · hard

An organization is recovering from a ransomware attack that encrypted critical servers. The backup strategy must ensure that the Recovery Point Objective (RPO) of 1 hour is met. Which backup method is MOST appropriate?

A. Continuous data protection (CDP)
B. Daily full backups
C. Weekly full backups with daily differentials
D. Snapshot every 4 hours
Answer: A

CDP captures every change, allowing recovery to any point in time.

Why this answer

Continuous data protection (CDP) captures changes in real time, meeting a 1-hour RPO.

30
MCQ · easy

An organization has a maximum tolerable downtime (MTD) of 8 hours for a critical application. The recovery time objective (RTO) is set to 4 hours. Which of the following best describes the purpose of the RTO?

A. The total downtime the organization can tolerate
B. The time within which IT systems must be restored
C. The maximum amount of data loss acceptable
D. The time required to repair a failed component
Answer: B

RTO is the targeted time for restoring IT services after an outage.

Why this answer

RTO defines the maximum time allowed to restore IT services after a disaster, ensuring the MTD is not exceeded.

31
MCQ · easy

Which of the following metrics is used to determine the maximum amount of data loss an organization can tolerate in a disaster?

A. MTTR
B. RPO
C. RTO
D. MTD
Answer: B

RPO defines acceptable data loss (e.g., last backup).

Why this answer

RPO defines the acceptable data loss in terms of time.

32
MCQ · easy

Which of the following is an example of a social engineering attack?

A. A brute-force attack on a password
B. SQL injection on a web application
C. A DDoS attack on a server
D. A phishing email requesting credentials
Answer: D

Phishing is a common social engineering technique.

Why this answer

Social engineering exploits human psychology to gain information or access.

33
MCQ · hard

Which of the following is the most important factor when prioritizing vulnerability remediation in a vulnerability management program?

A. CVSS base score
B. Exploitability and business impact
C. Number of systems affected
D. Time since discovery
Answer: B

Risk-based prioritization accounts for actual exploit likelihood and asset criticality.

Why this answer

Risk-based prioritization considers exploitability and potential impact, not just CVSS score.

34
MCQ · medium

An organization's disaster recovery plan specifies a Recovery Time Objective (RTO) of 4 hours for its critical financial application. Which disaster recovery site would be MOST appropriate to meet this RTO?

A. Reciprocal agreement
B. Warm site
C. Cold site
D. Hot site
Answer: D

A hot site is immediately available and meets the RTO.

Why this answer

A hot site is fully configured with hardware, software, and real-time data replication, enabling the critical financial application to be operational within minutes to a few hours. With an RTO of 4 hours, a hot site provides the necessary infrastructure and up-to-date data to meet this stringent recovery timeline, as cold and warm sites require significant setup and data restoration time.

Exam trap

The trap here is that candidates often confuse a warm site with a hot site, assuming pre-installed hardware is sufficient, but they overlook the critical need for current data replication to meet a tight RTO like 4 hours.

How to eliminate wrong answers

Option A is wrong because a reciprocal agreement relies on another organization's spare capacity, which is not guaranteed to be available or compatible within 4 hours, and typically involves manual setup and data restoration. Option B is wrong because a warm site has pre-installed hardware and software but lacks current data, requiring time to restore from backups, which often exceeds a 4-hour RTO for critical applications. Option C is wrong because a cold site provides only physical space and basic utilities, requiring days or weeks to procure, install, and configure hardware and software, making it impossible to meet a 4-hour RTO.

35
MCQ · easy

What type of DLP system monitors data in motion across the network?

A. Network DLP
B. Storage DLP
C. Endpoint DLP
D. Cloud DLP
Answer: A

Network DLP scans traffic for sensitive content.

Why this answer

Network DLP inspects network traffic for sensitive data leaving the organization.

36
MCQ · hard

During a forensic investigation, an analyst must collect volatile data in the correct order. Which of the following sequences correctly follows the order of volatility?

A. CPU registers → cache → RAM → swap → disk
B. Disk → RAM → CPU registers → cache → swap
C. RAM → CPU registers → swap → disk → remote logging
D. Swap → RAM → cache → CPU registers → disk
Answer: A

This sequence correctly follows the order of volatility from most volatile (CPU registers) to least (disk).

Why this answer

The order of volatility prioritizes collecting data from most volatile to least volatile to avoid loss.

37
MCQ · medium

During a forensic investigation, the investigator must ensure that evidence is properly handled and documented. What is the primary purpose of maintaining a chain of custody?

A. To speed up the investigation process
B. To document who accessed the evidence and when
C. To encrypt the evidence at rest
D. To store evidence in a fireproof safe
Answer: B

This ensures accountability and prevents tampering.

Why this answer

Chain of custody ensures evidence integrity and admissibility in legal proceedings.

38
MCQ · easy

Which digital forensics tool is specifically designed for memory forensics?

A. Volatility
B. Wireshark
C. EnCase
D. FTK
Answer: A

Volatility specializes in memory forensics.

Why this answer

Volatility is an open-source framework for extracting artifacts from RAM dumps.

39
MCQ · hard

A Change Advisory Board (CAB) is evaluating a request to implement a critical security patch. Which RACI element is typically assigned to the CAB for the 'Approve' activity?

A. Responsible
B. Informed
C. Consulted
D. Accountable
Answer: D

The CAB is accountable for the approval decision.

Why this answer

In RACI, 'Accountable' means the person ultimately answerable for the decision. The CAB is accountable for approving changes.

40
Multi-Select · medium

During a forensic investigation, which TWO of the following are essential steps to maintain chain of custody?

Select 2 answers
A. Storing evidence on a shared network drive
B. Encrypting the evidence file to prevent viewing
C. Labeling evidence with date, time, and collector's name
D. Performing a hash of the evidence immediately
E. Documenting each person who handled the evidence
Answers: C, E

Labeling is a key step in establishing chain of custody.

Why this answer

Chain of custody requires documenting every transfer of evidence and ensuring it is signed and secured.

41
Multi-Select · hard

A company is designing a disaster recovery strategy for its e-commerce platform. The platform requires an RTO of 2 hours and an RPO of 15 minutes. Which TWO strategies would BEST meet these requirements?

Select 2 answers
A. Tape backup restoration
B. Cloud DR with continuous data replication
C. Cold site
D. Hot site with real-time replication
E. Warm site
Answers: B, D

Cloud DR can spin up quickly and continuous replication meets RPO.

Why this answer

Hot site and cloud DR with continuous replication can meet aggressive RTO/RPO.

42
MCQ · medium

What is the primary purpose of a Change Advisory Board (CAB) in change management?

A. To conduct vulnerability assessments
B. To approve and oversee changes to IT systems
C. To implement changes in the IT environment
D. To respond to security incidents
Answer: B

The CAB evaluates change requests and authorizes them.

Why this answer

The CAB reviews and approves changes to ensure they are properly assessed and minimize risk.

43
MCQ · medium

An organization's security operations center (SOC) uses a SIEM to correlate logs. The SOC manager wants to automate response actions for low-severity alerts. Which technology would best support this goal?

A. Network firewall
B. Threat intelligence platform
C. SOAR platform
D. Vulnerability scanner
Answer: C

SOAR automates response actions based on playbooks.

Why this answer

SOAR (Security Orchestration, Automation and Response) enables automated playbooks for incident response.

44
MCQ · medium

A SOC has three tiers: Tier 1 triages alerts, Tier 2 investigates, and Tier 3 performs advanced analysis. An alert about a potential data exfiltration using DNS tunneling is escalated from Tier 1. Which tier is BEST suited to perform deep packet inspection and memory forensics to confirm the exfiltration?

A. Incident manager
B. Tier 2
C. Tier 1
D. Tier 3
Answer: D

Tier 3 has advanced forensic capabilities.

Why this answer

Tier 3 handles advanced analysis including memory forensics.

45
MCQ · easy

Which of the following BEST describes the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

A. BCP deals with natural disasters, DRP deals with cyberattacks
B. BCP is for IT systems, DRP is for business processes
C. BCP is a subset of DRP
D. BCP ensures business functions continue, DRP restores IT operations
Answer: D

This is the correct distinction.

Why this answer

D is correct because the Business Continuity Plan (BCP) focuses on maintaining critical business functions during and after a disruption, ensuring minimal impact on operations, while the Disaster Recovery Plan (DRP) is a subset of BCP that specifically addresses the restoration of IT infrastructure, systems, and data after a disaster. The BCP encompasses broader organizational resilience, including manual workarounds and alternate sites, whereas the DRP targets technical recovery procedures such as system rebuilds, data restoration from backups, and failover to redundant systems.

Exam trap

The trap here is that candidates often confuse the scope of BCP and DRP, mistakenly thinking BCP is only for business processes and DRP only for IT, when in fact BCP is the overarching plan that includes DRP as a component for IT recovery.

How to eliminate wrong answers

Option A is wrong because BCP and DRP are not distinguished by the type of disaster; both plans address a wide range of incidents including natural disasters, cyberattacks, and human errors. Option B is wrong because it reverses the roles: BCP covers business processes and continuity strategies, while DRP is specifically for IT systems and technical recovery. Option C is wrong because it incorrectly states that BCP is a subset of DRP; in reality, the DRP is a subset of the BCP, as the BCP includes the DRP along with other continuity elements like crisis communication and alternate site activation.

46
MCQ · hard

An organization is designing its incident response team roles. Which role is primarily responsible for collecting and preserving evidence for legal proceedings?

A. Forensic investigator
B. Communications lead
C. Incident manager
D. Security analyst
Answer: A

This role is dedicated to forensic collection and preservation.

Why this answer

The forensic investigator is trained to handle evidence collection and preservation.

47
MCQ · medium

A company is selecting a disaster recovery site for critical applications that must be restored within 4 hours with minimal data loss. Which site type best meets these requirements?

A. Hot site
B. Cold site
C. Reciprocal agreement
D. Warm site
Answer: A

Hot sites are fully configured and can be operational within minutes to hours, meeting a 4-hour RTO.

Why this answer

A hot site is fully configured with hardware, software, network connectivity, and real-time data replication, enabling recovery within minutes to hours and minimal data loss. This matches the requirement of restoring critical applications within 4 hours with minimal data loss, as hot sites maintain near-synchronous or synchronous replication (e.g., using synchronous replication over Fibre Channel or iSCSI with RPOs in seconds).

Exam trap

The trap here is that candidates confuse 'warm site' with 'hot site' because both have pre-installed hardware, but warm sites lack real-time data replication and automated failover, making them unsuitable for RTOs under 4 hours with minimal data loss.

How to eliminate wrong answers

Option B is wrong because a cold site provides only physical infrastructure (power, cooling, space) with no pre-installed hardware or data, requiring days or weeks to restore, far exceeding the 4-hour RTO. Option C is wrong because a reciprocal agreement relies on another organization's spare capacity, which is not guaranteed, lacks dedicated hardware, and typically has no real-time data replication, leading to RTOs of days and significant data loss. Option D is wrong because a warm site has partially configured hardware and software but lacks real-time data replication, often using periodic backups (e.g., daily tape or disk snapshots), resulting in RTOs of 12-24 hours and RPOs of hours to a day, failing the 4-hour RTO and minimal data loss requirement.

48
Multi-Select · medium

An organization is planning its disaster recovery strategy. Which THREE options are considered recovery site types? (Select THREE.)

Select 3 answers
A.Cloud DR
B.Hot site
C.Cold site
D.Warm site
E.Reciprocal agreement
AnswersB, C, D

Hot, warm, and cold sites are the standard tiers of recovery site.

Why this answer

Hot, warm, and cold sites are the standard DR site types, distinguished by how much hardware, software, and current data is in place before a disaster. A reciprocal agreement is a contractual arrangement to use another organization's capacity, and cloud DR is a delivery model for one of those tiers; neither is a site type in the exam's classification.

49
MCQhard

A forensic investigator arrives at a crime scene involving a compromised server. The server is still running. According to the order of volatility, which of the following should the investigator capture FIRST?

A.RAM contents
B.CPU registers
C.Hard disk contents
D.Network connections
AnswerB

CPU registers are the most volatile and should be captured first.

Why this answer

CPU registers are the most volatile of the listed sources, so the textbook order of volatility puts them first, ahead of RAM, active network connections, and the hard disk. In practice a live-response tool acquires RAM as the first step (which also captures the process table and open network connections); the exam answer tests knowledge of the ordering, not of a separate register-capture step.

50
MCQhard

An organization is implementing a patch management process. Which of the following is the most critical step to ensure that patches do not disrupt critical business operations?

A.Integrating patch deployment with change management
B.Applying patches as soon as they are released
C.Scanning for vulnerabilities weekly
D.Using automated patch tools
AnswerA

Change management includes testing, scheduling, and approval to avoid conflicts.

Why this answer

Change management ensures patches are tested and approved before deployment, minimizing operational impact.

51
MCQeasy

Which of the following is a key difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

A.BCP ensures continuity of business operations; DRP restores IT infrastructure
B.BCP only addresses natural disasters; DRP addresses all disasters
C.BCP is tested annually; DRP is tested monthly
D.BCP focuses on IT restoration; DRP focuses on business processes
AnswerA

This correctly distinguishes the two plans.

Why this answer

BCP focuses on maintaining business functions during/after a disaster, while DRP focuses on restoring IT systems.

52
MCQmedium

During a digital forensics investigation, which of the following data sources has the highest order of volatility?

A.CPU registers
B.Remote logging server
C.Network packets in transit
D.Hard disk drive
AnswerA

Registers are the most volatile.

Why this answer

CPU registers hold the most volatile data, followed by cache, RAM, swap, disk, remote logging, and physical media.

53
MCQeasy

Which type of digital forensics involves capturing and analyzing network traffic to investigate a security incident?

A.Media analysis
B.Log analysis
C.Network forensics
D.Memory forensics
AnswerC

Network forensics examines network traffic, logs, and packets.

Why this answer

Network forensics focuses on monitoring and analyzing network traffic for evidence.

54
Multi-Selectmedium

An organization is updating its incident response plan. According to best practices, which THREE components should be included in the plan?

Select 3 answers
A.Roles and responsibilities
B.Vendor product list
C.Employee performance reviews
D.Communication plan
E.Recovery procedures
AnswersA, D, E

Clearly defined roles are essential for coordination.

Why this answer

An IR plan should include roles, communication plan, and recovery procedures.

55
MCQhard

A company plans to implement a disaster recovery site that can be operational within 2 hours of a failure. Which type of DR site best meets this requirement?

A.Hot site
B.Warm site
C.Cold site
D.Reciprocal agreement
AnswerA

A hot site is a fully replicated environment that can be activated quickly, often within 1-2 hours.

Why this answer

Hot sites are fully operational and can be activated within minutes to a few hours.

56
Multi-Selecthard

A company is selecting a disaster recovery strategy for a mission-critical application. Which TWO of the following strategies provide the shortest recovery time objective (RTO)?

Select 2 answers
A.Hot site
B.Reciprocal agreement
C.Warm site
D.Cloud DR with pre-configured instances
E.Cold site
AnswersA, D

Hot sites are fully operational and can be activated quickly.

Why this answer

A hot site is a fully configured, operational data center with all hardware, software, and live data replication, enabling near-instantaneous failover. This provides the shortest RTO, often measured in minutes, because no setup or configuration is required after a disaster is declared. Cloud DR with pre-configured instances (D) is comparably fast because the machine images and data are already staged and only need to be started. A warm site (C) still has to restore current data, while a cold site (E) and a reciprocal agreement (B) depend on provisioning hardware or on another party's spare capacity, so all three have longer RTOs.

Exam trap

The trap here is that candidates may confuse 'warm site' with 'hot site' because both have pre-installed hardware, but warm sites lack current data and require manual restoration, leading to a longer RTO than a hot site.

57
Multi-Selectmedium

A security analyst is examining a memory dump from a compromised workstation. Which TWO tools are commonly used for memory forensics?

Select 2 answers
A.Wireshark
B.EnCase
C.Volatility
D.Rekall
E.FTK Imager
AnswersC, D

Volatility is a leading memory forensics tool.

Why this answer

Volatility (C) is a leading open-source memory forensics framework that analyzes RAM dumps to extract running processes, network connections, loaded modules, and kernel objects. It supports multiple operating systems and profiles, making it essential for incident response and malware analysis. Rekall (D) is a memory forensics framework that began as a fork of Volatility and offers comparable analysis of memory images.

Exam trap

The trap here is that candidates confuse a network forensics tool (Wireshark) or disk imaging and disk analysis tools (FTK Imager, EnCase) with memory-specific analysis tools. FTK Imager can capture a RAM image, but it does not analyze one; parsing the contents of a memory dump requires a framework such as Volatility or Rekall.

58
MCQeasy

What is the PRIMARY purpose of a chain of custody in digital forensics?

A.To document the tools used during investigation
B.To identify the perpetrator of a cybercrime
C.To speed up the forensic analysis process
D.To maintain evidence integrity and admissibility in court
AnswerD

Chain of custody proves evidence has not been tampered with.

Why this answer

Chain of custody ensures evidence integrity through documentation of handling.
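As an added illustration of what "documentation of handling" means in practice (this is example code, not part of the question set), the ledger below records a SHA-256 hash of the evidence at acquisition, logs every custody transfer, and hash-chains the log entries so that editing or deleting an earlier entry breaks every later link. The evidence bytes, item ID, and custodian names are constructed for the example.

```python
"""Chain-of-custody ledger with hash-based integrity checks (added example).

Two integrity properties are enforced:
  1. The evidence itself: its SHA-256 is fixed at acquisition and every later
     verification is compared against that value.
  2. The custody log: each entry carries the hash of the previous entry, so the
     log can be re-validated end to end and tampering is detectable.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def _utcnow() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class CustodyEntry:
    """One handling event. prev_hash links this entry to the one before it."""
    seq: int
    timestamp: str
    action: str        # acquired | transferred | verified
    custodian: str     # who holds the item after this event
    note: str
    prev_hash: str
    entry_hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, with a canonical encoding.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id, description, data: bytes, custodian: str):
        """Create the item and record its acquisition hash as the first entry."""
        item = cls(item_id, description, sha256_hex(data))
        item._append("acquired", custodian, f"sha256={item.acquisition_hash}")
        return item

    def _append(self, action, custodian, note):
        prev = self.entries[-1].entry_hash if self.entries else "0" * 64
        entry = CustodyEntry(len(self.entries), _utcnow(), action, custodian, note, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def current_custodian(self) -> str:
        return self.entries[-1].custodian

    def transfer(self, from_custodian: str, to_custodian: str, note: str = ""):
        """Hand the item over; the releasing party must be the current holder."""
        if from_custodian != self.current_custodian():
            raise ValueError(f"{from_custodian} does not hold {self.item_id}")
        return self._append("transferred", to_custodian, f"from={from_custodian}; {note}")

    def verify_content(self, data: bytes, verifier: str) -> bool:
        """Re-hash the evidence and log whether it still matches acquisition."""
        ok = sha256_hex(data) == self.acquisition_hash
        self._append("verified", self.current_custodian(),
                     f"by={verifier}; " + ("match" if ok else "HASH MISMATCH"))
        return ok

    def ledger_intact(self) -> bool:
        """Walk the chain: sequence numbers, back-links, and entry hashes must agree."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return False
            prev = e.entry_hash
        return True


def demo():
    """Constructed scenario: acquire, transfer twice, verify original and altered copies."""
    image = b"constructed evidence image: placeholder boot sector " * 4  # not a real image
    item = EvidenceItem.acquire("EV-0001", "Workstation WS-17 disk image", image, "A. Analyst")
    item.transfer("A. Analyst", "Evidence Locker", note="sealed bag #12")
    item.transfer("Evidence Locker", "B. Examiner", note="checked out for analysis")
    ok_original = item.verify_content(image, verifier="B. Examiner")
    ok_modified = item.verify_content(image[:-1] + b"X", verifier="B. Examiner")
    return item, ok_original, ok_modified


if __name__ == "__main__":
    item, ok1, ok2 = demo()
    print("original matches:", ok1, "| altered matches:", ok2,
          "| ledger intact:", item.ledger_intact())
```

The hash chain does not by itself prove who wrote the entries; in a real case the ledger is signed by each custodian or kept in an append-only evidence management system, and the acquisition hash is also recorded on the physical evidence form.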

59
MCQmedium

A SOC analyst at Tier 1 identifies a potential malware infection on a user workstation. What is the next step in the standard incident response process?

A.Update the SIEM correlation rule to ignore similar alerts
B.Escalate the incident to Tier 2 analyst for further investigation
C.Disconnect the workstation from the network immediately
D.Perform a deep forensic analysis of the workstation
AnswerB

Tier 1 triages and escalates unresolved incidents.

Why this answer

Tier 1 analysts typically triage alerts and escalate if they cannot resolve them.

60
Multi-Selectmedium

A security analyst is identifying incident categories for a new incident response plan. Which TWO of the following are valid incident categories according to standard IR frameworks?

Select 2 answers
A.Change request
B.Denial of Service (DoS)
C.Patch management failure
D.Insider threat
E.Business continuity exercise
AnswersB, D

DoS is a standard incident category.

Why this answer

Common incident categories include Denial of Service, malware, data breach, insider threat, unauthorized access, and social engineering.
