CCNA CISSP Security Risk Questions

74 questions · CISSP Security Risk topic · All types, answers revealed

1. MCQ · medium

A financial institution is required to comply with SOX. Which of the following is a key focus area for IT under SOX?

A. IT general controls for financial systems
B. Encryption of data at rest
C. Breach notification procedures
D. Privacy of customer data

Answer: A

Correct - ITGC are essential for SOX compliance.

Why this answer

SOX requires publicly traded companies to establish and maintain internal controls over financial reporting. IT general controls (ITGC) are critical for ensuring the integrity of financial systems.

2. MCQ · medium

A company is implementing PCI DSS compliance. Which requirement is related to protecting cardholder data at rest?

A. Restrict physical access to cardholder data
B. Encrypt transmission of cardholder data over open networks
C. Install and maintain a firewall configuration
D. Protect stored cardholder data

Answer: D

Requirement 3 specifically addresses protecting data at rest.

Why this answer

PCI DSS Requirement 3 is to protect stored cardholder data, often through encryption or tokenization.

3. MCQ · easy

Which component of the CIA triad ensures that information is not disclosed to unauthorized individuals, entities, or processes?

A. Non-repudiation
B. Integrity
C. Availability
D. Confidentiality

Answer: D

Correct - Confidentiality is about preventing unauthorized disclosure.

Why this answer

Confidentiality ensures that information is accessible only to those authorized. Integrity ensures accuracy and completeness, and availability ensures timely access.

4. MCQ · medium

During a business impact analysis (BIA), which metric represents the maximum amount of time a business process can be disrupted before causing significant harm to the organization?

A. Work Recovery Time (WRT)
B. Recovery Point Objective (RPO)
C. Maximum Tolerable Period of Disruption (MTPD)
D. Recovery Time Objective (RTO)

Answer: C

Correct - MTPD/MTD is the maximum acceptable downtime.

Why this answer

Maximum Tolerable Period of Disruption (MTPD) or Maximum Tolerable Downtime (MTD) is the longest time a process can be unavailable before causing severe damage. RTO is the recovery time objective, RPO is the recovery point objective, and WRT is the work recovery time.

5. MCQ · hard

A healthcare organization covered by HIPAA wants to share protected health information (PHI) with a third-party billing service. What must be in place to comply with HIPAA?

A. A memorandum of understanding (MOU)
B. A data processing agreement under GDPR
C. A consent form from each patient
D. A business associate agreement (BAA)

Answer: D

HIPAA mandates a BAA for PHI sharing with business associates.

Why this answer

HIPAA requires covered entities to have a business associate agreement (BAA) with any third party that will handle PHI on their behalf. The BAA ensures the business associate will safeguard the PHI.

6. MCQ · easy

Which document is mandatory, high-level, and sets the direction for security within an organization?

A. Policy
B. Standard
C. Procedure
D. Baseline

Answer: A

Correct - Policy is high-level and mandatory.

Why this answer

A security policy is a high-level, mandatory document that establishes the overall security direction and principles. Standards, baselines, guidelines, and procedures are more detailed.

7. Multi-Select · medium

Which THREE of the following are data subject rights under the GDPR? (Select THREE)

Select 4 answers
A. Right to object to processing
B. Right to data portability
C. Right to erasure
D. Right to rectification
E. Right to remuneration

Answers: A, B, C, D

Data subjects can object to processing for direct marketing.

Why this answer

GDPR grants rights including the right to erasure, the right to data portability, and the right to rectification. The right to remuneration is not a data subject right.

8. MCQ · hard

In a quantitative risk analysis, if the single loss expectancy (SLE) is $15,000 and the annual rate of occurrence (ARO) is 0.5, what is the annualized loss expectancy (ALE)?

A. $7,500
B. $30,000
C. $15,000
D. $75,000

Answer: A

Correct computation.

Why this answer

ALE = SLE * ARO = $15,000 * 0.5 = $7,500.

9. Multi-Select · medium

Which TWO of the following are lawful bases for processing personal data under the GDPR? (Select two)

Select 2 answers
A. Data subject's employment status
B. Data subject's nationality
C. Consent of the data subject
D. Legitimate interests of the controller
E. Profit maximization

Answers: C, D

Consent is a valid lawful basis.

Why this answer

Consent and legitimate interests are two of the lawful bases under Article 6 of the GDPR.

10. Multi-Select · medium

In the context of business continuity planning, which THREE of the following are typically identified during a business impact analysis (BIA)? (Select THREE.)

Select 3 answers
A. Critical business processes
B. Maximum tolerable downtime (MTD)
C. Preferred vendor contracts
D. Recovery point objective (RPO)
E. Employee performance metrics

Answers: A, B, D

BIA identifies which processes are critical.

Why this answer

During the BIA, critical processes are identified, and metrics such as MTD (maximum tolerable downtime) and RPO (recovery point objective) are determined. Vendor contracts are not part of the BIA; they are part of procurement or vendor management.

11. MCQ · hard

A company's disaster recovery plan includes an agreement with another company to provide backup computing facilities in case of a disaster. The agreement allows the second company to use the facilities for its own operations if needed. This arrangement is best described as:

A. Hot site
B. Warm site
C. Cold site
D. Reciprocal agreement

Answer: D

This is a mutual arrangement between two organizations.

Why this answer

A reciprocal agreement is an arrangement between two organizations to provide backup facilities to each other, but it may be unreliable if both need the resources simultaneously.

12. MCQ · easy

Which of the following is the correct order of the ISC2 Code of Ethics canons from highest to lowest priority?

A. Protect society, act honorably, provide diligent service, advance the profession
B. Act honorably, protect society, provide diligent service, advance the profession
C. Advance the profession, protect society, act honorably, provide diligent service
D. Provide diligent service, advance the profession, protect society, act honorably

Answer: A

Correct order as per ISC2.

Why this answer

The ISC2 Code of Ethics canons are, in priority order: Protect society, the common good, and the public trust; Act honorably, honestly, and justly; Provide diligent and competent service to principals; and Advance and protect the profession.

13. Multi-Select · hard

Under GDPR, which TWO of the following are valid lawful bases for processing personal data?

Select 2 answers
A. Data subject's employment
B. Data processor's request
C. Consent
D. Legitimate interest
E. Data controller's profit

Answers: C, D

The data subject has given consent.

Why this answer

GDPR Article 6 lists lawful bases including consent, contract, legal obligation, vital interests, public task, and legitimate interests.

14. MCQ · medium

Under the ISC2 Code of Ethics, which canon takes precedence over all others?

A. Provide diligent and competent service to principals
B. Act honorably, honestly, justly, responsibly, and legally
C. Protect society, the common good, and the infrastructure
D. Advance and protect the profession

Answer: C

Correct; this is the first and highest priority canon.

Why this answer

The first canon is to protect society, the common good, and the public trust. It is the highest priority.

15. MCQ · medium

A security manager is calculating the annual loss expectancy (ALE) for a server valued at $50,000. The exposure factor (EF) is 40%, and the annual rate of occurrence (ARO) is 0.5. What is the ALE?

A. $10,000
B. $100,000
C. $25,000
D. $20,000

Answer: A

Correct calculation: $50,000 x 0.4 x 0.5 = $10,000.

Why this answer

SLE = AV x EF = $50,000 x 0.4 = $20,000. ALE = SLE x ARO = $20,000 x 0.5 = $10,000.

16. MCQ · medium

An organization is implementing a new access control system. The security team wants to ensure that users cannot deny having performed an action. Which security principle is being addressed?

A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation

Answer: D

Non-repudiation provides proof of actions, preventing denial.

Why this answer

Non-repudiation ensures that a party cannot deny the authenticity of their signature or the sending of a message. In access control, this is often achieved through audit logs and digital signatures.

17. MCQ · easy

A security analyst is evaluating the risk of a data breach. The asset value of the database is $100,000, and the exposure factor is 0.5. If the annual rate of occurrence is 0.2, what is the annualized loss expectancy (ALE)?

A. $10,000
B. $100,000
C. $50,000
D. $20,000

Answer: A

Correct calculation.

Why this answer

SLE = AV * EF = $100,000 * 0.5 = $50,000. ALE = SLE * ARO = $50,000 * 0.2 = $10,000.

18. MCQ · easy

Which of the following is an example of a security policy?

A. Step 1: Log in, Step 2: Enter code, Step 3: Access system
B. It is recommended to change passwords every 90 days
C. All employees must use multi-factor authentication
D. Use passwords of at least 12 characters with mixed case and numbers

Answer: C

This is a policy directive.

Why this answer

A policy is a high-level mandatory statement that reflects management's intent. 'All employees must use multi-factor authentication' is a mandatory directive.

19. MCQ · medium

Under GDPR, which of the following is a valid lawful basis for processing personal data?

A. Corporate policy
B. Profit motive
C. Marketing preference
D. Vital interests

Answer: D

Correct; vital interests is a lawful basis.

Why this answer

GDPR Article 6 lists lawful bases including consent, contract, legal obligation, vital interests, public task, and legitimate interests. 'Vital interests' is a valid basis.

20. MCQ · medium

In a qualitative risk assessment, a risk with a likelihood rating of 'High' and an impact rating of 'Critical' would typically fall into which category?

A. High risk
B. Medium risk
C. Low risk
D. De minimis risk

Answer: A

Correct; high likelihood and critical impact yield high risk.

Why this answer

In a typical 5x5 risk matrix, high likelihood and critical impact place the risk in the 'High' or 'Extreme' risk category, requiring immediate action.

21. MCQ · easy

Which component of the AAA framework is responsible for determining what resources a user can access and what actions they can perform?

A. Auditing
B. Authentication
C. Accounting
D. Authorization

Answer: D

Authorization defines permissions.

Why this answer

AAA stands for Authentication, Authorization, and Accounting. Authorization is the process of granting or denying access to resources based on policies.

22. MCQ · medium

A company is migrating its critical application to a cloud provider. Which disaster recovery strategy provides the shortest recovery time objective (RTO) and recovery point objective (RPO)?

A. Warm site
B. Cold site
C. Hot site
D. Reciprocal agreement

Answer: C

Hot site provides the fastest recovery.

Why this answer

A hot site is fully configured with hardware, software, and real-time data synchronization, minimizing RTO and RPO.

23. MCQ · hard

A security manager is evaluating risk responses for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk response strategy is most appropriate?

A. Avoid
B. Mitigate
C. Transfer
D. Accept

Answer: D

Accepting the risk is appropriate when mitigation cost outweighs the potential loss.

Why this answer

When the cost of mitigation exceeds the potential loss, accepting the risk is the most cost-effective response.

24. MCQ · medium

An organization is implementing a BCP. After completing the BIA, which of the following is the next logical step in the planning process?

A. Develop recovery strategies
B. Test the plan
C. Conduct a risk assessment
D. Train personnel

Answer: A

Strategies are developed based on BIA findings.

Why this answer

After the BIA identifies critical processes and recovery requirements, the next step is to develop strategies to meet those requirements, such as selecting recovery sites and technologies.

25. MCQ · medium

During a Business Impact Analysis (BIA), the maximum amount of time a business process can be unavailable before causing significant harm is determined. Which metric represents this?

A. Work Recovery Time (WRT)
B. Maximum Tolerable Period of Disruption (MTPD)
C. Recovery Point Objective (RPO)
D. Recovery Time Objective (RTO)

Answer: B

MTPD is the maximum time a process can be unavailable.

Why this answer

Maximum Tolerable Period of Disruption (MTPD) is the longest time a process can be disrupted before recovery is required.

26. MCQ · medium

A company is implementing a risk management program. They have identified a critical server with an asset value of $50,000. The exposure factor due to a potential threat is 40%, and the annual rate of occurrence is 2. What is the Annualized Loss Expectancy (ALE)?

A. $50,000
B. $40,000
C. $20,000
D. $100,000

Answer: B

Correct calculation: ALE = 2 × ($50,000 × 0.4) = $40,000.

Why this answer

ALE = ARO × SLE; SLE = AV × EF = $50,000 × 0.4 = $20,000; ALE = 2 × $20,000 = $40,000.

27. MCQ · medium

Which of the following is the correct order of priority for the ISC2 Code of Ethics Canons?

A. Advance the profession, protect society, act honorably, provide diligent service
B. Protect society, act honorably, provide diligent service, advance the profession
C. Provide diligent service, protect society, act honorably, advance the profession
D. Act honorably, provide diligent service, protect society, advance the profession

Answer: B

This is the correct order as per the ISC2 Code of Ethics.

Why this answer

The canons in order: 1. Protect society, the common good, and the public trust. 2. Act honorably, honestly, justly, responsibly, and legally. 3. Provide diligent and competent service to principals. 4. Advance and protect the profession.

28. MCQ · hard

A company uses a qualitative risk analysis matrix where likelihood ranges from 1 to 5 and impact ranges from 1 to 5. A risk with a likelihood of 4 and an impact of 5 would fall into which risk level if the matrix defines high risk as scores above 15, medium as 10-15, and low as below 10?

A. Medium
B. Critical
C. High
D. Low

Answer: C

20 > 15, so high risk.

Why this answer

In qualitative risk analysis using a 5x5 matrix, the score is typically the product of likelihood and impact. 4 x 5 = 20, which is above 15, indicating high risk.

29. MCQ · easy

An organization is implementing a new access control system. Which of the following represents the correct order of the AAA framework components?

A. Authentication, Authorization, Accounting
B. Authorization, Authentication, Accounting
C. Authentication, Accounting, Authorization
D. Accounting, Authentication, Authorization

Answer: A

Correct sequence as per AAA framework.

Why this answer

The AAA framework stands for Authentication, Authorization, and Accounting, in that order. First, a user's identity is verified, then permissions are checked, and finally activities are logged.

30. MCQ · easy

Which document provides detailed step-by-step instructions for performing a specific security task?

A. Policy
B. Procedure
C. Standard
D. Guideline

Answer: B

Procedures provide detailed step-by-step instructions.

Why this answer

A procedure is a detailed, step-by-step document that describes how to perform a task.

31. MCQ · hard

Under HIPAA, what is the primary purpose of a Business Associate Agreement (BAA)?

A. To transfer ownership of PHI to the business associate
B. To authorize the use of PHI for marketing purposes
C. To require the business associate to comply with HIPAA Privacy and Security Rules
D. To allow the business associate to disclose PHI to any third party

Answer: C

The BAA is a contract that requires the business associate to safeguard PHI.

Why this answer

A BAA ensures that business associates handling PHI will appropriately safeguard the information.

32. Multi-Select · easy

Which TWO of the following are elements of the AAA framework in security?

Select 2 answers
A. Accounting
B. Authentication
C. Authorization
D. Auditing
E. Availability

Answers: B, C

Authentication verifies identity.

Why this answer

AAA stands for Authentication, Authorization, and Accounting.

33. MCQ · hard

A hospital is subject to HIPAA. Which of the following is required when sharing protected health information (PHI) with a third-party billing company?

A. Annual audit report
B. Business Associate Agreement
C. Patient consent
D. Data Protection Impact Assessment

Answer: B

Correct; a BAA is required.

Why this answer

Under HIPAA, covered entities must have a Business Associate Agreement (BAA) with business associates that handle PHI.

34. Multi-Select · medium

A security manager is choosing a risk response for a high-impact, high-likelihood risk. Which TWO responses are most appropriate? (Select TWO)

Select 2 answers
A. Risk mitigation
B. Risk research
C. Risk avoidance
D. Risk acceptance
E. Risk deferral

Answers: A, C

Mitigation means implementing controls to reduce the risk level.

Why this answer

For high-impact, high-likelihood risks, avoidance (eliminating the activity) or mitigation (reducing impact/likelihood) are common. Transfer (insurance) may also be used but is less comprehensive. Acceptance is for low risks.

35. MCQ · easy

Under the ISC2 Code of Ethics, which canon has the highest priority?

A. Advance the profession
B. Provide diligent service
C. Act honorably
D. Protect society

Answer: D

Protect society is the first and highest priority canon.

Why this answer

The ISC2 Code of Ethics lists the canons in order: Protect society, Act honorably, Provide diligent service, Advance the profession.

36. MCQ · easy

Which type of risk remains after management has implemented controls to mitigate the identified risks?

A. Acceptable risk
B. Control risk
C. Residual risk
D. Inherent risk

Answer: C

Correct - risk that remains after controls.

Why this answer

Residual risk is the risk that remains after controls are applied. Inherent risk is the risk before controls.

37. MCQ · medium

In qualitative risk analysis, a risk is assessed with a likelihood of 4 (on a scale of 1-5) and an impact of 5. The risk matrix defines scores of 15-25 as high. What is the risk rating?

A. Low
B. Medium
C. High
D. Critical

Answer: C

Correct - 4×5=20, which is high.

Why this answer

Likelihood × Impact = 4 × 5 = 20, which falls in the high range (15-25).

38. MCQ · hard

Under the GDPR, a data controller experiences a personal data breach that is likely to result in a risk to the rights and freedoms of individuals. What is the maximum time frame within which the controller must notify the supervisory authority?

A. 72 hours
B. 24 hours
C. 48 hours
D. 7 days

Answer: A

Correct - 72 hours is the GDPR requirement.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to rights and freedoms.

39. MCQ · easy

According to the ISC2 Code of Ethics, which of the following canons has the highest priority when resolving an ethical dilemma?

A. Act honorably and lawfully
B. Provide diligent and competent service
C. Advance and protect the profession
D. Protect society, the common good, and the infrastructure

Answer: D

This is the first and highest priority canon.

Why this answer

The ISC2 Code of Ethics canons are in order of priority: 1. Protect society, the common good, and the infrastructure; 2. Act honorably and lawfully; 3. Provide diligent and competent service; 4. Advance and protect the profession.

40. MCQ · medium

An organization wants to avoid a particular risk entirely by not engaging in the activity that creates the risk. Which risk response strategy is being used?

A. Avoid
B. Transfer
C. Mitigate
D. Accept

Answer: A

Correct - Avoidance means not engaging in the risky activity.

Why this answer

Risk avoidance involves eliminating the risk by not performing the activity that causes it. Transfer shifts risk to a third party, mitigate reduces impact/likelihood, and accept acknowledges the risk.

41. MCQ · easy

An organization's security policy requires that all data at rest must be encrypted. Which security principle is primarily being addressed?

A. Integrity
B. Confidentiality
C. Availability
D. Non-repudiation

Answer: B

Encryption protects data from unauthorized disclosure, fulfilling confidentiality.

Why this answer

Encryption of data at rest protects against unauthorized access, thus ensuring confidentiality.

42. MCQ · hard

An organization has identified a risk with a high likelihood and high impact. Management decides to implement controls to reduce the likelihood. After controls, the risk is reassessed as medium likelihood and medium impact. What is the residual risk?

A. Low likelihood, low impact
B. Medium likelihood, medium impact
C. High likelihood, high impact
D. Control risk is not a defined term

Answer: B

Residual risk is what remains after controls.

Why this answer

Residual risk is the remaining risk after controls are applied. In this case, it is the medium likelihood and medium impact risk.

43. MCQ · medium

Which governance framework provides guidance specifically for aligning IT services with business needs and includes a service lifecycle?

A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT 2019
D. ITIL

Answer: D

ITIL is a service management framework with a lifecycle approach.

Why this answer

ITIL (Information Technology Infrastructure Library) is a set of practices for IT service management that focuses on aligning IT services with business needs.

44. MCQ · medium

Which of the following is a key requirement under the GDPR regarding personal data breaches?

A. Notify the supervisory authority within 72 hours
B. Conduct a privacy impact assessment within 30 days
C. Report the breach to law enforcement immediately
D. Notify affected individuals within 24 hours

Answer: A

This is a specific requirement under GDPR Article 33.

Why this answer

GDPR Article 33 requires data controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to rights and freedoms.

45. Multi-Select · easy

Which TWO of the following are examples of risk response strategies?

Select 2 answers
A. Risk acceptance
B. Risk analysis
C. Risk identification
D. Risk avoidance
E. Risk communication

Answers: A, D

Accepting the risk after evaluation.

Why this answer

Risk acceptance means retaining the risk after evaluating it. Risk avoidance involves eliminating the risk by not performing the activity. Risk transfer shifts the risk to another party, such as through insurance.

46. Multi-Select · hard

A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)

Select 3 answers
A. Use only approved encryption algorithms for stored data
B. Implement multi-factor authentication for all employees
C. Encrypt transmission of cardholder data across open, public networks
D. Restrict physical access to cardholder data
E. Install and maintain a firewall configuration to protect cardholder data

Answers: C, D, E

This is Requirement 4.

Why this answer

PCI DSS has 12 requirements including installing firewalls, encrypting cardholder data, and restricting physical access. Implementing MFA for all users is not a specific requirement (though it may be part of access control).

47. Multi-Select · hard

Under the GDPR, which THREE of the following are rights of data subjects? (Select THREE.)

Select 3 answers
A. Right to erasure (right to be forgotten)
B. Right to ignore processing
C. Right to sell data
D. Right to data portability
E. Right to access

Answers: A, D, E

Data subjects can request deletion of their data under certain conditions.

Why this answer

GDPR grants data subjects rights including the right to access, right to erasure ('right to be forgotten'), and right to data portability. The right to sell data is not a GDPR right, and the right to ignore processing is not a formal right.

48. Multi-Select · medium

According to the ISC2 Code of Ethics, which TWO canons are listed in the correct order of priority (highest to lowest)?

Select 2 answers
A. Protect society
B. Act honorably
C. Provide diligent service
D. Act honestly
E. Advance the profession

Answers: A, B

First canon.

Why this answer

The order is: Protect society, Act honorably, Provide diligent service, Advance the profession.

49. Multi-Select · medium

Which TWO of the following are examples of non-repudiation controls? (Select two)

Select 2 answers
A. Firewall rules
B. Encryption of data at rest
C. Audit logs with timestamps
D. Digital signatures
E. Biometric authentication

Answers: C, D

Audit logs create a record of events that can be used to prove actions.

Why this answer

Non-repudiation ensures that a party cannot deny an action. Digital signatures and audit logs with timestamps provide evidence of actions.

50. MCQ · hard

A company is designing a disaster recovery plan. They need to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?

A. RTO = 15 minutes, RPO = 4 hours
B. RTO = 4 hours, RPO = 4 hours
C. RTO = 4 hours, RPO = 15 minutes
D. RTO = 15 minutes, RPO = 15 minutes

Answer: C

Correct - RTO for downtime, RPO for data loss.

Why this answer

RTO (Recovery Time Objective) is the maximum acceptable downtime, here 4 hours. RPO (Recovery Point Objective) is the maximum acceptable data loss, here 15 minutes.

51. Multi-Select · medium

A security officer is developing a risk management plan. Which TWO of the following are valid risk response strategies? (Select TWO.)

Select 2 answers
A. Transfer
B. Avoid
C. Accept
D. Ignore
E. Eliminate

Answers: A, B

Transfer is a valid risk response (e.g., insurance).

Why this answer

Common risk response strategies include: avoid, transfer, mitigate, and accept. 'Ignore' is not a valid strategy, and 'eliminate' is similar to avoid but not standard terminology.

52. MCQ · hard

A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?

A. Medium
B. High
C. Critical
D. Low

Answer: B

Commonly, high likelihood combined with medium impact yields a high risk level.

Why this answer

In a 3x3 matrix with ratings of low, medium, and high, high likelihood and medium impact often results in a high risk level.

53. MCQ · medium

Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA) in business continuity planning?

A. To determine the maximum acceptable outage for each process
B. To test the disaster recovery plan
C. To assign roles and responsibilities during a disaster
D. To select a hot site vendor

Answer: A

BIA identifies MTD and other recovery time objectives.

Why this answer

The BIA identifies critical business processes and their recovery requirements, such as RTO and RPO.

54. MCQ · medium

Which of the following is a key difference between a policy and a guideline in information security governance?

A. Policies are created by IT, while guidelines are created by executives
B. Policies are technical, while guidelines are managerial
C. Policies are mandatory, while guidelines are recommended
D. Policies are static, while guidelines are updated frequently

Answer: C

Policies must be followed; guidelines are advisory.

Why this answer

Policies are high-level, mandatory statements that define the organization's security posture. Guidelines are recommendations that suggest best practices but are not mandatory.

55. MCQ · easy

Which of the following is the PRIMARY purpose of the confidentiality principle in the CIA triad?

A. Preventing unauthorized access to information
B. Ensuring data is accurate and complete
C. Ensuring that users are who they claim to be
D. Guaranteeing that systems are available when needed

Answer: A

Confidentiality is about protecting information from unauthorized disclosure.

Why this answer

Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes.

56. MCQ · hard

Under the PCI DSS, which of the following best describes a 'cardholder data environment' (CDE)?

A. A physical room where payment cards are stored
B. Any system that connects to the internet
C. Systems that store, process, or transmit cardholder data
D. A network segment that contains only point-of-sale devices

Answer: C

This is the PCI DSS definition of CDE.

Why this answer

The CDE includes people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. Segmentation is used to isolate the CDE from other networks.

57. Multi-Select · medium

A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?

Select 2 answers
A. ISO/IEC 27001
B. PMBOK
C. TOGAF
D. COBIT 2019
E. Six Sigma

Answers: A, D

ISO/IEC 27001 is an information security management standard.

Why this answer

COBIT 2019 is a framework for IT governance and management. ISO/IEC 27001 is an international standard for information security management systems.

58. Multi-Select · hard

A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?

Select 3 answers
A. Ensure encryption keys for backups are available
B. Isolate the restored data from the production network until verified
C. Perform a test restoration to a separate environment
D. Validate the integrity of the backup data before restoration
E. Restore data directly to production servers to save time

Answers: B, C, D

Prevents spread of malware.

Why this answer

Isolating the restored data from production prevents reinfection. Validating backup integrity ensures clean data. Testing the restoration process ensures the backups work. Encrypted backups require decryption keys.

59. MCQ · medium

Which of the following is a key objective of a business impact analysis (BIA)?

A. Implement security controls
B. Identify vulnerabilities in the network
C. Test the disaster recovery plan
D. Determine the maximum tolerable downtime for critical processes

Answer: D

BIA focuses on determining recovery objectives.

Why this answer

BIA identifies critical business processes and their recovery requirements such as RTO, RPO, and maximum tolerable downtime.

60. MCQ · easy

An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?

A. ISO/IEC 27001
B. COBIT 2019
C. ITIL
D. NIST Cybersecurity Framework

Answer: C

ITIL provides a set of detailed practices for IT service management.

Why this answer

ITIL (Information Technology Infrastructure Library) provides best practices for IT service management.

61. MCQ · hard

Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?

A. Change management process for the financial system
B. Data encryption for customer PII
C. Firewall rule to block unauthorized traffic
D. Automated calculation of interest on loans

Answer: A

Change management is an IT general control.

Why this answer

IT general controls (ITGC) include access controls, change management, backup and recovery, and computer operations. Change management ensures that changes to financial systems are authorized and tested.

62. MCQ · medium

During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?

A. Data can be recovered from any point within the past 2 hours
B. The maximum tolerable downtime is 2 hours
C. Data backups must be taken at least every 2 hours
D. The database must be fully recovered within 2 hours of a disaster

Answer: C

To meet a 2-hour RPO, backups must be at least as frequent as 2 hours.

Why this answer

RPO defines the maximum acceptable data loss measured in time. An RPO of 2 hours means that data can be lost up to the last 2 hours before the disruption.

63
MCQ · medium

Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?

A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT 2019
D. ITIL
Answer: A

Correct - ISO 27001 is the standard for ISMS.

Why this answer

ISO/IEC 27001 is an international standard for information security management systems (ISMS) that provides a risk-based approach to managing information security.

64
MCQ · medium

A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?

A. $10,000
B. $5,000
C. $50,000
D. $100,000
Answer: A

Correct - ALE = SLE × ARO = $100,000 × 0.1 = $10,000.

Why this answer

ALE = ARO × SLE, and SLE = AV × EF = $500,000 × 0.2 = $100,000. Then ALE = 0.1 × $100,000 = $10,000.

65
MCQ · medium

A company decides to purchase cyber insurance to cover potential losses from data breaches. Which risk response strategy does this represent?

A. Transfer
B. Accept
C. Avoid
D. Mitigate
Answer: A

Insurance transfers the financial impact to the insurer.

Why this answer

Transfer involves shifting the risk to a third party, such as through insurance.

66
MCQ · hard

Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with which of the following?

A. A cloud service provider hosting ePHI
B. A janitorial service that cleans the office
C. A government regulator conducting an audit
D. A patient requesting their medical records
Answer: A

Correct - A cloud provider that processes or stores PHI is a business associate.

Why this answer

A BAA is required with a business associate, which is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of a covered entity. A cloud service provider that stores ePHI is a business associate.

67
Multi-Select · hard

Which THREE of the following are key components of a disaster recovery plan for a hot site? (Select three)

Select 3 answers
A. Pre-installed servers and workstations
B. Empty space with power and cooling only
C. Real-time data replication from primary site
D. Network connectivity with bandwidth to support operations
E. Long lead time to activate (e.g., weeks)
Answers: A, C, D

Hardware must be ready and configured.

Why this answer

A hot site is fully equipped and ready to take over operations quickly, requiring real-time data synchronization, pre-installed hardware, and network connectivity.

68
MCQ · medium

Under the GDPR, what is the maximum time frame for notifying the supervisory authority of a personal data breach?

A. 72 hours
B. 7 days
C. 24 hours
D. 48 hours
Answer: A

Correct. The GDPR mandates notification within 72 hours.

Why this answer

Article 33 of the GDPR requires notification within 72 hours of becoming aware of the breach.

69
MCQ · medium

A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?

A. $40,000
B. $200,000
C. $160,000
D. $80,000
Answer: D

Correct calculation: ALE = SLE × ARO = ($100,000 × 0.4) × 2 = $80,000.

Why this answer

SLE = AV × EF = $100,000 × 0.4 = $40,000. ALE = SLE × ARO = $40,000 × 2 = $80,000.

70
MCQ · medium

An organization is required to report a personal data breach to the supervisory authority within 72 hours. Which regulation imposes this requirement?

A. GDPR
B. PCI DSS
C. SOX
D. HIPAA
Answer: A

GDPR requires notification within 72 hours.

Why this answer

GDPR Article 33 requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

71
Multi-Select · medium

Which THREE of the following are valid risk response strategies?

Select 3 answers
A. Transfer
B. Eliminate
C. Avoid
D. Mitigate
E. Ignore
Answers: A, C, D

Transfer shifts the risk to another party, e.g., via insurance; Avoid and Mitigate are the other two recognized responses listed.

Why this answer

Common risk responses include Avoid, Transfer, Mitigate, and Accept.

72
MCQ · medium

A company is implementing a hot site as a disaster recovery option. Which of the following best describes a hot site?

A. A facility with basic infrastructure but no equipment
B. A reciprocal agreement with another company to share space
C. A facility with some equipment but not fully operational
D. A facility that is fully configured and ready to operate within hours
Answer: D

Correct - A hot site is ready for immediate activation.

Why this answer

A hot site is a fully equipped backup facility that is ready to take over operations immediately, including hardware, software, and data synchronization.

73
MCQ · medium

An organization is implementing a new access control system. They want to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?

A. COBIT 2019
B. AAA framework
C. CIA triad
D. ISO/IEC 27001
Answer: B

Correct - Authentication, Authorization, and Accounting.

Why this answer

The AAA framework (Authentication, Authorization, and Accounting) covers identification/authentication, authorization (access rights), and accounting (audit trails for non-repudiation).

74
MCQ · easy

Which of the following is the primary purpose of the CIA triad in information security?

A. To establish a framework for risk management
B. To ensure compliance with regulatory requirements
C. To balance security controls with usability
D. To define the core objectives of information security
Answer: D

The CIA triad directly defines the three fundamental security objectives.

Why this answer

The CIA triad (Confidentiality, Integrity, and Availability) provides a foundational model for developing security policies and ensuring that data is protected from unauthorized access, tampering, and downtime.
