CCNA Security Risk Mgmt Questions

75 questions · Security Risk Mgmt topic · All types, answers revealed

1
Matching · medium

Match each security control to its category (preventive, detective, corrective).


Categories: Preventive · Detective · Corrective

Why these pairings

Controls are classified by the function they serve: preventive controls stop an incident before it occurs (e.g. access controls, input validation), detective controls identify an incident in progress or after the fact (e.g. audit logs, intrusion detection), and corrective controls limit damage and restore normal operation afterward (e.g. restoring from backup, patching after an incident).

2
MCQ · medium

A multinational corporation is evaluating risk treatment options for an identified high-impact, low-probability risk. The risk is below the organization's risk appetite threshold. Which is the most appropriate action?

A.Mitigate the risk
B.Transfer the risk via insurance
C.Avoid the risk by discontinuing the activity
D.Accept the risk
Answer: D

Risk that falls below the risk appetite can be accepted without further action.

Why this answer

Since the risk is within the risk appetite, acceptance is the most efficient and appropriate response. Transferring, mitigating, or avoiding would consume resources unnecessarily for a risk that is already tolerated.

3
MCQ · hard

A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?

A.None
B.Mask
C.Encrypt
D.Block
Answer: B

Correct - The rule for employee_id pattern specifies mask.

Why this answer

The SSN field matches the pattern for 'employee_id', indicating it contains sensitive personally identifiable information (PII). Masking is the appropriate action because it preserves the data format for operational use (e.g., testing, analytics) while irreversibly obscuring the actual values, reducing exposure risk without breaking referential integrity. Encryption would still allow authorized decryption, which is unnecessary for fields that only need pattern matching, and blocking would prevent legitimate access to the field entirely.

Exam trap

The trap here is that candidates often confuse 'encrypt' with 'mask', assuming encryption is always the best protection for sensitive data, but masking is specifically designed for fields that need to retain their format for operational use while preventing actual value disclosure.

How to eliminate wrong answers

Option A is wrong because 'None' would leave the SSN field exposed as plaintext, violating the data classification policy that requires protection for sensitive PII. Option C is wrong because encryption is reversible and adds unnecessary complexity for a field that only needs to be obfuscated for non-production use; masking is a one-way transformation that better suits the requirement to hide the actual value while maintaining format. Option D is wrong because blocking the field would prevent any access, including legitimate business needs like pattern matching or reporting, which is too restrictive for a field that still requires some level of usability.
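The masking-versus-encryption distinction above is easier to see in code. The following is an added example, not part of the original question set: a small policy engine applies a rule table to a field, and the mask is a keyed one-way transformation that keeps the field's format and is deterministic, so the same input always masks to the same output and joins between masked tables still work. The rule table, field names, masking key and sample values are constructed for illustration; only the mask, block and none actions are implemented, because a real encrypt action needs a reversible primitive backed by key management, which is outside this snippet.

```python
import hashlib
import hmac
import re
from typing import Optional

# Constructed classification rules (hypothetical): a field whose NAME matches the
# first pattern and whose VALUE matches the second gets the listed action.
# First match wins; the last rule is a catch-all.
RULES = [
    # (name_pattern, value_pattern, action)
    (r"(?i)^ssn$|employee_id", r"^\d{3}-\d{2}-\d{4}$", "mask"),
    (r"(?i)card", r"^\d{16}$", "block"),
    (r".*", r".*", "none"),
]

# Constructed, non-production masking key. Because the mask is an HMAC of the
# original value, it cannot be reversed, but it is deterministic.
MASK_KEY = b"constructed-non-production-mask-key"

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_digits(value: str, keep_last: int = 4, key: bytes = MASK_KEY) -> str:
    """Replace every digit except the last `keep_last` with digits derived from
    HMAC-SHA256(key, value). Non-digit characters (dashes, spaces) are kept, so
    the output still matches the original field format."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    to_replace = digit_positions[:-keep_last] if keep_last else digit_positions
    out = list(value)
    for n, pos in enumerate(to_replace):
        # two hex characters -> integer 0..255 -> one decimal digit
        # (slightly biased, which is fine for a mask; this is not a token)
        out[pos] = str(int(digest[2 * n:2 * n + 2], 16) % 10)
    return "".join(out)


def apply_policy(field_name: str, value: str) -> Optional[str]:
    """Return the value as it may be exposed to a non-production consumer:
    unchanged ("none"), masked ("mask"), or None ("block")."""
    for name_pat, value_pat, action in RULES:
        if re.search(name_pat, field_name) and re.match(value_pat, value):
            if action == "mask":
                return mask_digits(value)
            if action == "block":
                return None
            return value
    return value  # not reached while the catch-all rule is present


def looks_like_ssn(value: Optional[str]) -> bool:
    """True when the value still has the NNN-NN-NNNN shape (format preserved)."""
    return value is not None and SSN_FORMAT.match(value) is not None


if __name__ == "__main__":
    original = "123-45-6789"   # constructed sample value
    masked = apply_policy("SSN", original)
    print(original, "->", masked, "| format preserved:", looks_like_ssn(masked))
    print("card_number ->", apply_policy("card_number", "4111111111111111"))
    print("city ->", apply_policy("city", "Paris"))
```

Note the trade-off the exam trap alludes to: because the mask is deterministic, two tables masked with the same key can still be joined on the masked SSN, but anyone who obtains the key can build a dictionary of masked values for all 10^9 candidate SSNs, so the key is itself a secret to protect.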

4
MCQ · medium

A multinational corporation must comply with GDPR and CCPA. Which data protection strategy should they prioritize?

A.Data masking
B.Data retention
C.Data encryption
D.Data minimization
Answer: D

Core principle under GDPR and CCPA, reducing data collection and storage.

Why this answer

Data minimization reduces the amount of personal data collected and stored, thereby limiting exposure and compliance burden. Encryption protects data but does not reduce collection. Data retention policies are secondary.

Data masking is useful for specific use cases but not a primary strategy.

5
MCQ · easy

Refer to the exhibit. A security analyst reviews this syslog entry from a firewall. The firewall's ACL is configured to deny all traffic by default except what is explicitly permitted. This is an example of which security principle?

A.Least privilege
B.Separation of duties
C.Need to know
D.Defense in depth
Answer: A

Least privilege ensures only necessary access is granted; default-deny enforces this.

Why this answer

The principle of least privilege grants only necessary access; default-deny (deny all by default) is an implementation of this principle.

6
MCQ · hard

A security analyst discovers that an employee shared confidential customer data with an unauthorized third party. The analyst reports this to the CISO, who decides to terminate the employee. Which ethical principle from the (ISC)² Code of Ethics is most directly violated by the employee?

A.Provide diligent and competent service to principals
B.Protect society, the common good, necessary public trust and confidence, and the infrastructure
C.Advance and protect the profession
D.Act honorably, honestly, justly, responsibly, and legally
Answer: B

Sharing confidential data violates trust and public confidence.

Why this answer

The (ISC)² Code of Ethics Canon 1: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Disclosing confidential data undermines trust and harms society.

7
MCQ · medium

An organization is implementing a security awareness program. Which topic should be emphasized most?

A.Social media usage
B.Phishing recognition
C.Password policy
D.Clean desk policy
Answer: B

Directly addresses a leading cause of breaches.

Why this answer

Phishing is one of the most common attack vectors and requires user vigilance. Password policies are important but phishing directly exploits human error. Clean desk and social media are relevant but less critical.

8
Multi-Select · easy

Which TWO of the following are examples of administrative controls? (Select exactly 2)

Select 2 answers
A.Firewall rules
B.Security awareness training
C.Security guards at entrances
D.Encryption of data at rest
E.Background checks for employees
Answers: B, E

Correct - Administrative control addressing people.

Why this answer

Security awareness training (B) is an administrative control because it involves policies, procedures, and human behavior management to reduce risk. Background checks (E) are also administrative controls, as they are part of personnel security policies that vet employees before granting access. Both are documented in the organization's security policy framework and are not technical or physical mechanisms.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse security guards (physical) or firewall rules (technical) with administrative controls because they involve 'security' or 'rules,' but they are not policy-based or procedural in nature.

9
MCQ · easy

During a risk communication session, the security team needs to present risk analysis results to executive management. Which approach is most effective for this audience?

A.A high-level summary highlighting top risks and recommended actions
B.Raw data from the risk assessment without interpretation
C.A comprehensive report with all risk register entries
D.Detailed technical explanations of each vulnerability
Answer: A

Executives need a concise overview to make strategic decisions.

Why this answer

Option A is correct because executive management needs a high-level summary focused on business impact, strategic risk, and resource needs. Option B is incorrect because raw data without interpretation pushes the analytical work onto the audience. Option C is incorrect because a full risk register is too detailed for a high-level audience. Option D is incorrect because detailed technical explanations of each vulnerability will overwhelm executives and obscure the decisions they are being asked to make.

10
MCQ · easy

A business continuity coordinator is planning a test of the disaster recovery plan. Which type of test involves a walk-through of the plan with key stakeholders without actually invoking the technical recovery?

A.Tabletop exercise
B.Full interruption test
C.Checklist review
D.Parallel test
Answer: A

Tabletop exercises are verbal walk-throughs without technical execution.

Why this answer

A tabletop exercise is a discussion-based session where team members review their roles and actions in a simulated scenario.

11
MCQ · medium

Refer to the exhibit. A security analyst finds the above in a configuration file stored in a public GitHub repository. What is the most immediate risk?

A.Man-in-the-middle attacks
B.Loss of confidentiality
C.Unauthorized authentication
D.Integrity violation
Answer: C

The private key allows anyone to impersonate the legitimate owner.

Why this answer

The private key can be used to authenticate as the key owner, enabling unauthorized access to systems or data. Man-in-the-middle attacks are a risk if keys are compromised but less immediate. Loss of confidentiality is a broad category.

Integrity violation is not the primary concern.
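As an added example (not part of the original question), here is the kind of check that finds the exhibit's problem before a commit reaches a public repository: a scanner that flags PEM private-key headers and obvious hard-coded credentials in configuration text. The patterns and the sample configuration are constructed for this example; the key body is placeholder text, not real key material, and the scanner is not taken from any particular tool.

```python
import re
from typing import List, Tuple

# Constructed patterns. The first matches the header of RSA, EC, DSA, OpenSSH
# and PKCS#8 ("BEGIN PRIVATE KEY") PEM blocks; the second catches
# key = value style credentials with a value of at least 8 non-blank characters.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("hardcoded_credential",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
                r"\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, stripped_line) for each suspicious
    line. One finding per line: the first matching pattern wins."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
                break
    return findings


# Constructed sample deployment config. The key material is a placeholder.
SAMPLE_CONFIG = """\
[deploy]
host = build.example.internal
user = deploy
# do not commit
password = "Wint3r-Rel3ase-2024!"
ssh_key = |
  -----BEGIN OPENSSH PRIVATE KEY-----
  AAAAplaceholderKeyMaterialNotARealKeyAAAA
  -----END OPENSSH PRIVATE KEY-----
timeout = 30
"""


def scan_sample() -> List[Tuple[int, str, str]]:
    """Scan the constructed sample above."""
    return scan_text(SAMPLE_CONFIG)


if __name__ == "__main__":
    for lineno, kind, line in scan_sample():
        print(f"line {lineno}: {kind}: {line}")
```

A hit on a repository that is already public means the secret is compromised: the correct response is to revoke or rotate the key and the password, not merely to delete the file, because the repository history (and any clones or mirrors) still contains it.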

12
MCQ · easy

During a business impact analysis (BIA), the team identifies that the customer service application must be restored within 4 hours of a disruption. What is the term for this metric?

A.Maximum Tolerable Downtime (MTD)
B.Recovery Point Objective (RPO)
C.Service Level Agreement (SLA)
D.Recovery Time Objective (RTO)
Answer: D

RTO is the targeted time to restore a function.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time that a business process or application can be unavailable after a disruption. In this scenario, the 4-hour restoration requirement for the customer service application directly matches the RTO metric, which drives the design of recovery strategies and resource allocation.

Exam trap

The trap here is confusing RTO with MTD, as candidates often think MTD is the same as the recovery time target, but MTD is the total tolerable outage including business impact, while RTO is the specific IT recovery goal set to meet that MTD.

How to eliminate wrong answers

Option A is wrong because Maximum Tolerable Downtime (MTD) represents the total duration a business process can be non-functional before causing irreparable harm, which is typically longer than the RTO and includes the time to recover plus any additional buffer. Option B is wrong because Recovery Point Objective (RPO) measures the maximum acceptable data loss in terms of time (e.g., minutes or hours of lost transactions), not the time to restore service. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment between a provider and customer that may include RTOs, but it is not the metric itself; the question asks for the term describing the restoration time requirement.

13
MCQ · hard

Refer to the exhibit. The risk manager is reviewing this risk register entry. According to the organization's risk appetite, which states that residual risks must be low or below, what is the most appropriate recommendation?

A.Implement additional controls to reduce the likelihood or impact.
B.Accept the residual risk because existing controls are in place.
C.Transfer the risk to a third party via cyber insurance.
D.Avoid the risk by decommissioning the database server.
Answer: A

This aligns with risk appetite by reducing residual risk to low.

Why this answer

Option A is correct because the residual risk is medium, which exceeds a risk appetite that requires residual risk to be low or below, so additional controls should be implemented to reduce likelihood or impact. Option B (accept) is inappropriate because the residual risk is not low. Option C (transfer) may be considered, but insurance does not reduce the likelihood or impact of the event itself and is not the primary recommendation. Option D (avoid) is too drastic without first exploring additional controls.

14
MCQ · medium

During a business impact analysis (BIA), a department manager states that a critical process cannot be interrupted for more than 2 hours. However, the current backup system requires 8 hours to restore. What is the most appropriate risk management action?

A.Mitigate the risk by implementing faster backup and restoration procedures.
B.Avoid the risk by discontinuing the process.
C.Accept the risk and document the decision.
D.Transfer the risk to a third-party service provider.
Answer: A

Improving recovery capabilities to meet the 2-hour RTO is the appropriate mitigation.

Why this answer

The BIA identifies a maximum tolerable downtime (MTD) of 2 hours for the process, so the recovery time objective (RTO) must be 2 hours or less, but the current backup system can only restore in 8 hours, leaving a gap between the target and the actual recovery capability. Mitigating the risk by implementing faster backup and restoration procedures directly closes that gap, aligning recovery capability with the business requirement. This is the most appropriate action because it addresses the root cause, insufficient recovery speed, without unnecessarily discarding or transferring the process.

Exam trap

The trap here is that candidates may choose 'accept the risk' (Option C) thinking it is a valid risk management strategy, but the BIA has already defined an unacceptable downtime threshold, making acceptance inappropriate without a formal risk treatment plan that justifies the gap.

How to eliminate wrong answers

Option B is wrong because discontinuing the process (risk avoidance) is an extreme measure that would likely cause significant business disruption or loss of revenue, and it is not warranted when a feasible technical solution exists to close the RTO gap. Option C is wrong because accepting the risk without action would leave the organization exposed to a known, unacceptable downtime exceeding the MTD, which violates basic risk management principles unless the cost of mitigation exceeds the potential loss. Option D is wrong because transferring the risk to a third-party service provider does not inherently solve the RTO mismatch; the provider would still need to meet the 2-hour RTO, and the organization retains residual liability for the process's criticality.

15
MCQ · medium

Based on the exhibit, what security control is being demonstrated?

A.Session timeout
B.CAPTCHA implementation
C.Input validation
D.Account lockout threshold
Answer: D

Correct - The system locked the account after multiple failed attempts.

Why this answer

The exhibit shows a login attempt counter that increments with each failed authentication, and after a specific number of failures (e.g., 5), the account is locked for a defined period. This is the classic behavior of an account lockout threshold, which is a preventive security control that mitigates brute-force password guessing attacks by temporarily disabling the account after exceeding the allowed number of failed attempts.

Exam trap

ISC2 often tests the distinction between account lockout (which counts failed authentication attempts) and session timeout (which ends an idle session), causing candidates to confuse the two when the exhibit shows a counter of failed logins rather than a timer.

How to eliminate wrong answers

Option A is wrong because a session timeout terminates an active session after a period of inactivity, not after repeated failed login attempts. Option B is wrong because CAPTCHA implementation presents a challenge-response test to distinguish humans from bots, but does not count or lock accounts based on failed authentication attempts. Option C is wrong because input validation checks data format and content (e.g., SQL injection prevention) at the application layer, not the number of failed logins.
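The behaviour the exhibit describes can be implemented in a few dozen lines. The following is an added example, not code from the original page: a lockout tracker that counts failed attempts per account within a sliding window, locks the account once the threshold is reached, and refuses to evaluate passwords at all while the lock is active, so guessing cannot continue during the lockout period. The policy values, account names and the `check_password` callback are constructed for illustration; the current time is passed in explicitly so the logic can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5            # failed attempts that trigger a lock
    window_seconds: int = 900     # failures older than this are forgotten
    lockout_seconds: int = 1800   # how long the account stays locked


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None


class LockoutTracker:
    """Per-account failed-login counter enforcing an account lockout threshold.
    `now` is injected (defaulting to the wall clock) so tests need not sleep."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._state: Dict[str, _AccountState] = {}

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        st = self._state.get(user)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:
            # lock expired: clear the lock and the failure counter
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        st = self._state.setdefault(user, _AccountState())
        # keep only failures inside the sliding window, then add this one
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login (only possible while unlocked) resets the counter."""
        self._state.pop(user, None)


def authenticate(tracker: LockoutTracker, user: str, password: str, now: float,
                 check_password: Callable[[str, str], bool]) -> str:
    """Return "locked", "ok" or "failed". The password is not even checked while
    the account is locked, so the attacker gains no oracle during the lockout."""
    if tracker.is_locked(user, now):
        return "locked"
    if check_password(user, password):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user, now)
    return "failed"


if __name__ == "__main__":
    # Constructed demo: three guesses lock the account for two minutes.
    tracker = LockoutTracker(LockoutPolicy(threshold=3, window_seconds=60, lockout_seconds=120))
    checker = lambda u, pw: pw == "correct horse"   # constructed credential store
    for t, guess in [(0, "a"), (1, "b"), (2, "c"), (3, "correct horse"), (130, "correct horse")]:
        print(t, guess, "->", authenticate(tracker, "alice", guess, t, checker))
```

Two design points worth noticing: the counter is a sliding window, so slow guessing below the rate still accumulates within the window, and the lock expiry is a timer, which is exactly the piece candidates confuse with a session timeout; here it governs how long failed-login history keeps the account unusable, not how long an idle session survives.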

16
MCQ · easy

An organization has implemented a password policy requiring a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Despite annual security awareness training, a recent audit revealed that 60% of employees are using passwords that can be cracked within hours. The organization is also experiencing a high number of account compromises due to credential stuffing attacks. The security team is considering various controls to reduce the risk. Which of the following would be the MOST effective in addressing the identified issues?

A.Increase the minimum password length to 15 characters
B.Conduct quarterly password cracking attempts and notify users with weak passwords
C.Implement multifactor authentication for all user accounts
D.Require password changes every 30 days
Answer: C

MFA provides defense in depth, reducing the impact of password compromise.

Why this answer

Multifactor authentication (MFA) adds an additional layer of security that significantly reduces the risk of credential compromise, even if passwords are weak. Increasing password length may help but is still vulnerable to cracking if users choose predictable patterns. Password cracking tests are reactive and may not prevent attacks.

Frequent password changes often lead to weaker passwords.

17
MCQ · easy

An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?

A.Recovery Time Objective (RTO)
B.Recovery Point Objective (RPO)
C.Mean Time to Repair (MTTR)
D.Mean Time Between Failures (MTBF)
E.Service Level Agreement (SLA)
Answer: A

RTO defines the maximum acceptable downtime for a system.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable downtime for a critical application after a disruption. In this scenario, the IT department has specified that the application must be restored within 4 hours, which directly aligns with the RTO metric. RTO is a key BCP parameter that drives resource allocation and recovery strategy design.

Exam trap

The trap here is confusing RTO with RPO: candidates often pick RPO because they think 'recovery' refers to time, but RPO is about data loss tolerance, not downtime duration.

How to eliminate wrong answers

Option B (Recovery Point Objective) is wrong because RPO defines the maximum acceptable data loss measured in time (e.g., how far back in time data may be lost), not the allowable downtime duration. Option C (Mean Time to Repair) is wrong because MTTR is a reliability metric that measures the average time to repair a failed component, not a predefined target for acceptable downtime. Option D (Mean Time Between Failures) is wrong because MTBF measures the average operational time between failures, used for availability calculations, not for defining recovery time limits.

Option E (Service Level Agreement) is wrong because an SLA is a contractual commitment that may include RTOs, but the RTO itself is the specific metric defining maximum acceptable unavailability.

18
MCQ · easy

A company has implemented data classification labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. Which control is most appropriate for protecting 'Confidential' data?

A.Data masking for all users
B.Encryption at rest and in transit
C.Removing all access controls to streamline sharing
D.Public posting on the company website
Answer: B

Encryption protects data from unauthorized access during storage and transmission.

Why this answer

Confidential data requires encryption both at rest and in transit to prevent unauthorized disclosure.

19
Multi-Select · hard

Which THREE are key components of a business continuity plan (BCP)?

Select 3 answers
A.Vendor risk assessments
B.Backup strategies
C.Recovery time objectives (RTOs)
D.System hardening standards
E.Emergency response procedures
Answers: B, C, E

Backups are essential for recovery.

Why this answer

Backup strategies (B) are a core component of a BCP because they ensure that critical data and systems can be restored after a disruption; without defined backup procedures (frequency, media rotation, off-site storage), the organization cannot recover its operational state. Recovery time objectives (C) set the recovery targets those backup and restoration strategies must meet, and emergency response procedures (E) define the immediate actions that protect people and stabilize operations when a disruption begins.

Exam trap

ISC2 often tests the distinction between BCP components (recovery-focused) and security controls (prevention-focused), so candidates mistakenly select vendor assessments or hardening standards because they sound like 'planning' activities.

20
MCQ · hard

A security manager is evaluating risk treatment options for a high-impact, low-probability risk. Which approach is most appropriate?

A.Transfer
B.Accept
C.Avoid
D.Mitigate
Answer: A

Shifts financial burden to a third party, suitable for catastrophic but rare events.

Why this answer

For high-impact, low-probability risks, transferring (e.g., insurance) is often most cost-effective. Accepting may be too risky. Mitigating may not be justified due to low probability.

Avoidance may be too disruptive.

21
MCQ · medium

An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

A.Identify recovery strategies for critical systems.
B.Conduct a business impact analysis (BIA) to prioritize critical business functions.
C.Develop a testing schedule for the BCP.
D.Perform a risk assessment to identify potential threats.
Answer: B

Correct - BIA determines criticality and recovery time objectives.

Why this answer

The first step in the BCP process is to conduct a Business Impact Analysis (BIA) to identify and prioritize critical business functions and their dependencies. Without the BIA, you cannot determine which systems require recovery strategies or what recovery time objectives (RTOs) and recovery point objectives (RPOs) are needed. The BIA provides the quantitative and qualitative basis for all subsequent BCP decisions.

Exam trap

The trap here is that candidates often confuse the risk assessment (which identifies threats) with the BIA (which identifies business impact), but the BCP process explicitly begins with the BIA to prioritize business functions before addressing threats or recovery strategies.

How to eliminate wrong answers

Option A is wrong because identifying recovery strategies comes after the BIA has established which systems are critical and their specific recovery requirements. Option C is wrong because developing a testing schedule is a later phase, performed after the BCP has been written and approved. Option D is wrong because the risk assessment is a separate process within the wider risk management program: its threat information feeds the BCP, but the BCP itself starts with the BIA to understand business impact, not just threats.

22
MCQ · hard

A multinational company must comply with the EU General Data Protection Regulation (GDPR) for processing personal data of EU citizens. The company's data protection officer (DPO) has been appointed but reports to the Chief Marketing Officer (CMO). Which compliance issue is most critical?

A.The DPO should not hold any other role within the organization
B.The DPO must be a lawyer certified in data protection
C.The DPO must be located in the EU
D.The DPO must report directly to the board of directors or CEO
Answer: D

GDPR requires the DPO to report to the highest management level to ensure independence.

Why this answer

Under the GDPR, the Data Protection Officer (DPO) must report directly to the highest level of management, typically the board of directors or CEO, to ensure independence and authority. Reporting to the Chief Marketing Officer (CMO) creates a conflict of interest because the CMO oversees marketing activities that often involve extensive personal data processing, compromising the DPO's ability to provide unbiased oversight. This structural subordination is the most critical compliance issue as it directly undermines the DPO's statutory role under Article 38(3) of the GDPR.

Exam trap

The trap here is that candidates often focus on the DPO's qualifications or location (options B and C) because those are commonly discussed in GDPR training, but the most critical issue is the DPO's independence and reporting line, which directly impacts their ability to enforce compliance without conflict of interest.

How to eliminate wrong answers

Option A is wrong because the GDPR does not prohibit the DPO from holding other roles; it only requires that those roles do not create a conflict of interest (Article 38(6)). Option B is wrong because the GDPR does not mandate that the DPO be a lawyer or hold any specific certification; it requires expertise in data protection law and practices (Article 37(5)). Option C is wrong because the GDPR does not require the DPO to be physically located in the EU; the DPO can be outside the EU as long as they are accessible and can effectively perform their duties (Article 37(2) and EDPB guidelines).

23
MCQ · hard

You are the chief information security officer (CISO) of a large healthcare organization that handles protected health information (PHI). The organization has recently been acquired by a larger conglomerate, and the new parent company mandates that all subsidiaries adopt a single, unified risk management framework based on NIST SP 800-39. Your current framework is ISO 27005-based and has been effective for years. During the transition, you discover that the parent company's framework requires quantitative risk analysis for all critical assets, while your team has been primarily using qualitative analysis due to lack of accurate financial data. Moreover, the parent company expects all risk assessments to be completed within 30 days, a timeframe your team considers unrealistic given the number of assets. Several key stakeholders are concerned about the additional resource burden and potential disruption to operations. You need to propose a course of action that balances compliance with the parent company's mandate while maintaining operational effectiveness and minimizing risk to patient data.

A.Conduct a gap analysis between ISO 27005 and NIST SP 800-39, then develop a phased transition plan with a longer timeline, presenting it to the parent company's board for approval.
B.Continue using ISO 27005 and argue that it is equally valid, citing the principle of risk management flexibility and the disruption that a transition would cause.
C.Hire external consultants to perform the quantitative assessments, allowing the internal team to focus on existing operations, and accept the cost as a business necessity.
D.Immediately adopt the NIST framework and begin quantitative assessments, using industry-standard cost estimates to expedite the process within 30 days.
Answer: A

Strategic approach that balances compliance with practicality and earns stakeholder buy-in.

Why this answer

A gap analysis between ISO 27005 and NIST SP 800-39 identifies the differences and allows a phased transition plan with a realistic timeline, which is then presented to the parent company for approval. This approach respects both frameworks and addresses stakeholder concerns. Option B is non-compliant with the parent company's mandate and may lead to conflict. Option C neglects the need for a structured transition and may cause operational disruption while outsourcing a core risk function. Option D is too aggressive and unrealistic: quantitative assessments cannot be completed credibly within 30 days when the team lacks the financial data they require.

24
MCQ · medium

A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?

A.It provides monetary values for risks, facilitating cost-benefit analysis.
B.It relies on expert opinions and does not require historical data.
C.It is easier to communicate to non-technical stakeholders.
D.It requires less data and is faster to perform.
Answer: A

Quantitative analysis assigns numeric values, enabling direct comparison with mitigation costs.

Why this answer

Quantitative risk analysis assigns monetary values to assets, threats, and vulnerabilities, enabling precise cost-benefit calculations for risk mitigation options. This allows organizations to compare the cost of controls directly against the expected loss, a key advantage over qualitative methods that rely on subjective rankings.

Exam trap

The trap here is that candidates often confuse the ease of communication (qualitative) with the numerical rigor (quantitative), or mistakenly think quantitative analysis is faster because it uses numbers, when in fact it demands more data and time.

How to eliminate wrong answers

Option B is wrong because quantitative analysis relies on numerical data and historical loss records, not expert opinions; qualitative analysis is the approach that depends on expert judgment. Option C is wrong because quantitative results (e.g., ALE, SLE) are often harder for non-technical stakeholders to grasp than the simple high/medium/low ratings of qualitative analysis. Option D is wrong because quantitative analysis requires extensive data collection and computation, making it slower and more resource-intensive than qualitative analysis.

25
MCQ · medium

An organization is developing a security governance framework to align with business objectives. Which group should have ultimate authority and responsibility for the cybersecurity program?

A.IT steering committee
B.Board of directors
C.Chief Information Security Officer (CISO)
D.Chief Executive Officer (CEO)
Answer: B

The board holds ultimate fiduciary duty for risk management, including cybersecurity.

Why this answer

Security governance is a board-level responsibility. The board of directors ensures that cybersecurity aligns with business strategy and risk appetite.

26
Multi-Select · medium

Which TWO of the following are considered mandatory elements of an organization's security policy framework?

Select 2 answers
A.Procedures
B.Standards
C.Guidelines
D.Baselines
E.Metrics
Answers: A, B

Procedures detail mandatory step-by-step actions.

Why this answer

Standards and procedures are mandatory because they specify required configurations and step-by-step instructions. Guidelines are recommended but not required; baselines are a type of standard; metrics are measurements, not policy documents.

27
MCQ · hard

During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

A.$300,000
B.$250,000
C.$450,000
D.$200,000
Answer: B

Correct - reduction in ALE ($450,000) minus cost ($200,000) = $250,000.

Why this answer

The net benefit is calculated as the reduction in ALE minus the cost of the control. The original ALE is $500,000, and after implementing flood barriers the ALE drops to $50,000, a reduction of $450,000. Subtracting the $200,000 cost of the barriers yields a net benefit of $250,000.

This aligns with the CISSP risk management formula: Net Benefit = (ALE_old - ALE_new) - Cost_of_control.

Exam trap

The trap here is that candidates often forget to subtract the cost of the control from the reduction in ALE, leading them to select the $450,000 reduction as the net benefit instead of the correct $250,000.

How to eliminate wrong answers

Option A is wrong because $300,000 mistakenly subtracts the cost of the barriers from the original ALE ($500,000 - $200,000) without accounting for the residual ALE of $50,000. Option C is wrong because $450,000 represents only the reduction in ALE ($500,000 - $50,000) but ignores the $200,000 cost of implementing the flood barriers. Option D is wrong because $200,000 is simply the cost of the flood barriers and does not reflect any calculation of net benefit from risk reduction.
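The cost-benefit comparison that question 24 describes and question 27 works through by hand generalizes to any set of candidate controls. The following is an added example, not code from the original page: it derives ALE from asset value, exposure factor and annualized rate of occurrence, computes the net benefit of each control with the formula above, and picks the option with the greatest positive net benefit, returning none when accepting the risk beats every control. The flood barrier figures are those of question 27; the asset value, exposure factor, ARO and the two alternative controls are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of the control (amortized if a one-off)
    residual_ale: float  # ALE that remains once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of events per year
    (a once-in-five-years event has ARO 0.2)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net benefit = (ALE_old - ALE_new) - cost of control."""
    return (ale_before - ale_after) - annual_cost


def choose_control(ale_before: float, options: List[Control]) -> Optional[Control]:
    """Return the control with the greatest positive net benefit, or None when no
    option is worth more than accepting the risk unchanged."""
    best: Optional[Control] = None
    best_value = 0.0
    for control in options:
        value = net_benefit(ale_before, control.residual_ale, control.annual_cost)
        if value > best_value:
            best, best_value = control, value
    return best


# Constructed inputs that reproduce the $500,000 flood ALE of question 27:
# a $5M data center, half of it lost per flood, one flood expected every 5 years.
FLOOD_SLE = single_loss_expectancy(5_000_000, 0.5)
FLOOD_ALE = annual_loss_expectancy(FLOOD_SLE, 0.2)

FLOOD_OPTIONS = [
    Control("flood barriers", annual_cost=200_000, residual_ale=50_000),          # from question 27
    Control("relocate to second site", annual_cost=480_000, residual_ale=0),       # constructed
    Control("flood insurance", annual_cost=120_000, residual_ale=300_000),         # constructed
]


if __name__ == "__main__":
    print(f"SLE = {FLOOD_SLE:,.0f}  ALE = {FLOOD_ALE:,.0f}")
    for c in FLOOD_OPTIONS:
        print(f"{c.name:25s} net benefit = {net_benefit(FLOOD_ALE, c.residual_ale, c.annual_cost):>10,.0f}")
    chosen = choose_control(FLOOD_ALE, FLOOD_OPTIONS)
    print("recommended:", chosen.name if chosen else "accept the risk")
```

Note that the question treats the $200,000 barrier cost as directly comparable to an annual figure; in practice a one-off capital cost is amortized over the control's service life before it is subtracted from the yearly ALE reduction, otherwise a durable control looks far more expensive than it is.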

28
MCQ · easy

An organization is developing an information security policy. Which of the following should be included?

A.Incident response playbooks
B.Detailed technical controls
C.Roles and responsibilities
D.Vendor contracts
Answer: C

Essential for defining accountability and governance.

Why this answer

Security policies establish high-level roles and responsibilities, mandatory requirements, and scope. Detailed technical controls are more appropriate for standards or procedures. Vendor contracts and incident response playbooks are separate documents.

29
MCQ · hard

A company is outsourcing its customer support operations to a third-party vendor. The vendor will have access to sensitive customer data. Which of the following should be the primary security requirement in the contract with the vendor?

A.The vendor must perform annual penetration testing.
B.The vendor must conduct background checks on all employees.
C.The vendor must provide a list of all subcontractors.
D.The vendor must comply with the company's security policies and standards.
AnswerD

Policy compliance ensures the vendor protects data as the company would.

Why this answer

Option D is correct because the contract must mandate that the vendor adheres to the company's security policies and standards to ensure consistent protection. Option B is incorrect because, while background checks are important, they are not the primary contractual requirement. Option C is incorrect because the company should not rely solely on vendor self-assessment.

Option A is incorrect because penetration testing is a specific activity, but the overarching requirement is compliance with policies.

30
MCQeasy

A small business wants to ensure compliance with GDPR for its customer data. What is the initial action required to comply with GDPR?

A.Obtain consent from all data subjects
B.Implement pseudonymization techniques
C.Conduct a Data Protection Impact Assessment (DPIA)
D.Map data flows and identify personal data
AnswerD

Identifying what data is held and how it moves is the first step in any compliance program.

Why this answer

Before implementing controls or appointing a DPO, the organization must first understand what data it processes and where it flows. Mapping data flows and identifying personal data is the foundational step for all subsequent compliance activities.

31
MCQeasy

A company wants to ensure that its security policy is effectively enforced across all departments. Currently, the policy is published on the intranet and included in the employee handbook. However, the security team notices that many employees are not following the policy, leading to security incidents. Which of the following would be the most effective way to improve policy enforcement?

A.Include the policy in the employee handbook
B.Require annual signed acknowledgment of the policy
C.Conduct random audits and penalize non-compliance
D.Publish the policy on the intranet only
AnswerB

Active acknowledgment ensures awareness and creates accountability.

Why this answer

Requiring annual signed acknowledgment ensures that employees are aware of and agree to comply with the policy. This creates a record of acceptance that can be used in disciplinary actions. Publishing the policy on the intranet or in the handbook alone does not guarantee that it is read or accepted.

Random audits with penalties may enforce compliance, but without awareness employees may not know what is expected of them.

32
MCQmedium

You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?

A.Encrypt all cardholder data at rest so that even if accessed, it is protected.
B.Accept the risk because the corporate network is already protected by other controls.
C.Remove the firewall rule immediately to ensure compliance, then work with IT to find alternative solutions.
D.Implement a jump server that requires multi-factor authentication and logging for all access to the CDE, and restrict the rule to only allow traffic from the jump server.
AnswerD

Correct - This enforces segmentation while allowing necessary access.

Why this answer

Option D is correct because it enforces the principle of least privilege and secure access to the CDE without disrupting business operations. By implementing a jump server with multi-factor authentication and logging, you create a controlled, auditable gateway that restricts all corporate-to-CDE traffic to a single, hardened host. This satisfies PCI DSS requirement 1.3 (network segmentation) by reducing the attack surface while still allowing necessary reporting access.

Exam trap

The trap here is that candidates often choose immediate removal (Option C) thinking compliance requires zero tolerance, but CISSP emphasizes balancing security with business continuity and implementing compensating controls before removing critical access.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest does not prevent unauthorized access or exfiltration; it only protects confidentiality if the data is stolen, but the firewall rule still exposes the CDE to active attacks (e.g., SQL injection, lateral movement). Option B is wrong because accepting the risk violates PCI DSS compliance requirements for network segmentation and could lead to fines, loss of merchant status, or data breach liability; the corporate network is not a substitute for CDE-specific controls. Option C is wrong because immediately removing the firewall rule without an alternative solution would cause business disruption, breaking critical reporting applications and potentially leading to operational failure or shadow IT workarounds.

33
MCQhard

Based on the SIEM correlation rule, what behavior is this rule designed to detect?

A.Account lockout due to excessive failures
B.Successful login after multiple retries
C.Brute force attack from a single source IP
D.Password spraying attack against multiple accounts
AnswerC

The condition detects >5 failed logins within 120 seconds from a single source, indicating a brute force attempt.

Why this answer

The SIEM correlation rule counts failed login attempts from a single source IP within a defined time window (e.g., 10 failures in 5 minutes). When the threshold is exceeded, it triggers an alert. This pattern is characteristic of a brute force attack, where an attacker tries many passwords against one account or a few accounts from the same IP address.

Exam trap

The trap here is that candidates confuse the high-volume, single-source pattern of a brute force attack with the low-volume, multi-account pattern of a password spray, leading them to select option D.

How to eliminate wrong answers

Option A is wrong because account lockout due to excessive failures is a system response (e.g., Active Directory lockout policy), not the behavior the SIEM rule detects; the rule detects the failed attempts themselves, not the lockout event. Option B is wrong because a successful login after multiple retries is a single event that could be legitimate (e.g., user forgetting password), not a pattern of many failures from one IP; the rule focuses on the volume of failures, not the eventual success. Option D is wrong because password spraying attacks target many accounts with a few common passwords from a single IP, which would generate fewer failures per account and might not trigger a per-IP threshold; the rule is designed for high failure rates from one IP, which is typical of brute force, not spraying.
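The single-source brute-force pattern versus the many-account spray pattern described above, as an added Python example that is not part of the question bank: a per-source sliding-window rule using the question's threshold (more than 5 failures within 120 seconds) beside a complementary spray rule, run over a constructed auth log. The log line format, the sample events and the spray thresholds are assumptions made for this example.

```python
"""Sliding-window login-failure correlation, added as an illustration; it is
not the page's SIEM product rule. The log line format and sample events below
are constructed for this example."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: 198.51.100.7 hammers one account (brute force),
# 203.0.113.9 tries one guess against many accounts (spray), 192.0.2.44 is benign.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:10 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:20 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:30 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:40 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:50 FAIL user=alice src=198.51.100.7
2024-05-01T10:05:00 FAIL user=bob src=203.0.113.9
2024-05-01T10:05:30 FAIL user=carol src=203.0.113.9
2024-05-01T10:06:00 FAIL user=dave src=203.0.113.9
2024-05-01T10:06:30 FAIL user=erin src=203.0.113.9
2024-05-01T10:07:00 FAIL user=frank src=203.0.113.9
2024-05-01T10:07:30 FAIL user=grace src=203.0.113.9
2024-05-01T10:10:00 FAIL user=ivan src=192.0.2.44
2024-05-01T10:10:05 OK user=ivan src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    outcome: str
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    failures: int            # failures in the window that fired the rule
    accounts: tuple[str, ...]  # distinct accounts targeted in that window


def parse_log(text: str) -> list[Event]:
    """Parse log lines into Events (malformed lines skipped), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append(Event(datetime.fromisoformat(ts), outcome, user, src))
    return sorted(events, key=lambda e: e.ts)


def _trim(q: deque, now: datetime, window_s: int) -> None:
    # Drop failures that have fallen out of the sliding window ending at `now`.
    cutoff = now - timedelta(seconds=window_s)
    while q and q[0].ts < cutoff:
        q.popleft()


def detect_brute_force(events, threshold=5, window_s=120) -> list[Alert]:
    """Per-source rule from the question: more than `threshold` failures from
    one source IP within `window_s` seconds. Fires once per burst."""
    alerts, recent = [], defaultdict(deque)
    for ev in events:
        if ev.outcome != "FAIL":
            continue
        q = recent[ev.src]
        q.append(ev)
        _trim(q, ev.ts, window_s)
        if len(q) > threshold:
            accounts = tuple(sorted({e.user for e in q}))
            alerts.append(Alert("brute_force", ev.src, len(q), accounts))
            q.clear()  # one burst yields one alert, not one per extra failure
    return alerts


def detect_password_spray(events, min_accounts=5, max_per_account=2,
                          window_s=600) -> list[Alert]:
    """Complementary rule: one source, many distinct accounts, few tries each.
    Uses a longer window because spraying is low-and-slow per account."""
    alerts, recent, alerted = [], defaultdict(deque), set()
    for ev in events:
        if ev.outcome != "FAIL":
            continue
        q = recent[ev.src]
        q.append(ev)
        _trim(q, ev.ts, window_s)
        per_account = Counter(e.user for e in q)
        if (ev.src not in alerted and len(per_account) >= min_accounts
                and max(per_account.values()) <= max_per_account):
            alerts.append(Alert("password_spray", ev.src, len(q),
                                tuple(sorted(per_account))))
            alerted.add(ev.src)
    return alerts


def run_rules(log_text: str) -> dict[str, list[Alert]]:
    """Run both rules over a log and group the alerts by rule name."""
    events = parse_log(log_text)
    return {"brute_force": detect_brute_force(events),
            "password_spray": detect_password_spray(events)}
```

Running `run_rules(SAMPLE_LOG)` flags only 198.51.100.7 under the per-source rule: the spraying source never exceeds five failures in any 120-second window, which is exactly why option D is the wrong reading of the rule and why a spray needs its own per-account logic.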

34
MCQeasy

A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

A.Adopting a template from a similar organization to save time.
B.Aligning the policy with business objectives and risk appetite.
C.Ensuring the policy is enforceable with technical controls.
D.Basing the policy solely on regulatory compliance requirements.
AnswerB

Correct - Policy must support business needs and address real risks.

Why this answer

Option B is correct because a security policy must be aligned with the organization's business objectives and risk appetite to ensure it supports operations without imposing unnecessary restrictions. For a small business, this balance is critical—overly strict controls can hinder productivity, while weak controls increase risk. The policy should reflect the specific threats and tolerances of the business, not generic templates or compliance-only checklists.

Exam trap

The trap here is that candidates often confuse 'enforceability' (Option C) with policy effectiveness, but the CISSP emphasizes that policy must first be business-aligned; technical enforcement is a later step in the governance hierarchy.

How to eliminate wrong answers

Option A is wrong because adopting a template from a similar organization ignores the unique risk profile, business processes, and regulatory environment of the small business, leading to misaligned controls and potential gaps. Option C is wrong because enforceability with technical controls is a secondary consideration—the policy must first define what is acceptable; technical controls are implementation details that can be adjusted later. Option D is wrong because basing the policy solely on regulatory compliance requirements creates a minimum-security baseline that may not address the business's actual risk exposure or operational needs, leaving it vulnerable to non-compliance-related threats.

35
MCQmedium

A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

A.Accept the risk of non-compliance as a cost of doing business and set aside a contingency fund for fines.
B.Assign legal counsel to review local laws and implement a one-time compliance checklist.
C.Create a uniform global privacy policy that satisfies all jurisdictions with minimal adjustments.
D.Adopt a privacy-by-design framework and conduct a Data Protection Impact Assessment (DPIA) before launching operations.
AnswerD

Correct - Privacy-by-design and DPIA ensure compliance is built into processes.

Why this answer

Option D is correct because a privacy-by-design framework ensures data protection is embedded into systems and processes from the outset, while a Data Protection Impact Assessment (DPIA) systematically identifies and mitigates privacy risks specific to the new jurisdiction. This proactive, risk-based approach aligns with regulatory requirements like the GDPR and demonstrates due diligence, reducing the likelihood of non-compliance and operational disruption.

Exam trap

The trap here is that candidates often choose Option B (one-time compliance checklist) because it seems practical and legally focused, but they overlook that privacy compliance is an ongoing process requiring continuous risk assessment and adaptation, not a single review event.

How to eliminate wrong answers

Option A is wrong because accepting non-compliance risk as a cost of doing business ignores legal obligations and can lead to severe penalties, reputational damage, and operational bans, which is not a viable risk management strategy under strict data protection laws. Option B is wrong because a one-time compliance checklist is static and fails to address ongoing regulatory changes, data lifecycle management, and the need for continuous monitoring and adaptation required by modern privacy frameworks. Option C is wrong because a uniform global privacy policy cannot satisfy all jurisdictions due to conflicting requirements (e.g., GDPR’s strict consent vs. other laws’ legitimate interest provisions), and minimal adjustments often result in gaps that violate local laws.

36
Multi-Selectmedium

A security manager is selecting controls to protect sensitive data. Which TWO are examples of administrative controls?

Select 2 answers
A.Security awareness training
B.Firewalls
C.Access control lists
D.Background checks
E.Encryption
AnswersA, D

Administrative control.

Why this answer

Administrative controls are policies, procedures, and training. Security awareness training (A) and background checks (D) are administrative. Firewalls (B) and encryption (E) are technical.

Access control lists (C) are technical.

37
MCQmedium

An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?

A.Distribute a security policy document and require a signature.
B.Conduct a one-time annual security briefing.
C.Display security posters in common areas.
D.Implement a security awareness program with regular training and assessments.
AnswerD

Correct - ongoing training reinforces knowledge and measures effectiveness.

Why this answer

A security awareness program with regular training and assessments is the most effective way to ensure employees understand their responsibilities because it establishes a continuous learning cycle. Unlike one-time events, it reinforces secure behaviors through repetition, real-world scenarios, and measurable assessments, aligning with the NIST SP 800-50 framework for building a security-conscious culture.

Exam trap

The trap here is that candidates often mistake a one-time annual briefing (Option B) as sufficient due to its common use in compliance checklists, but the CISSP emphasizes continuous, behavior-changing programs over periodic, passive activities.

How to eliminate wrong answers

Option A is wrong because simply distributing a policy document and requiring a signature does not guarantee comprehension or retention; it relies on passive acknowledgment and lacks verification of understanding, which is a common failure point in compliance-driven approaches. Option B is wrong because a one-time annual briefing is insufficient to address evolving threats and employee turnover; it provides only a snapshot of knowledge without ongoing reinforcement, leading to decay of awareness over time. Option C is wrong because security posters in common areas are passive communication tools that lack interactivity and assessment; they may raise superficial awareness but fail to change behavior or ensure employees grasp their specific responsibilities.

38
MCQeasy

A large financial institution is finalizing its annual risk treatment plan based on a recent enterprise risk assessment. The risk appetite statement approved by the board specifies that the organization will accept only low residual risks for financial loss, but is willing to accept moderate risks for reputational damage if cost-benefit justifies. The risk register includes the following findings: 1) A critical SQL injection vulnerability in the online banking portal with high likelihood and critical impact; current controls include a web application firewall (WAF) that is not fully tuned. 2) Use of outdated TLS 1.0 encryption on internal communications between data centers; likelihood is medium, impact is low. 3) Lack of background checks for third-party vendors with access to sensitive data; likelihood is low, impact is moderate. 4) A single point of failure in the primary data center's power supply; likelihood is low, impact is critical. 5) An incident response plan that has not been tested in two years; likelihood is medium, impact is moderate. The CISO must prioritize actions for the upcoming quarter. What is the most appropriate first step?

A.Transfer the single point of failure risk by purchasing business interruption insurance.
B.Immediately remediate the SQL injection vulnerability by tuning the WAF and applying vendor patches.
C.Outsource incident response to a managed security service provider (MSSP) to compensate for the untested plan.
D.Accept the risk of outdated TLS 1.0 encryption because impact is low.
AnswerB

This addresses the highest risk with critical impact and likelihood, aligning with risk appetite.

Why this answer

Option B is correct. The SQL injection vulnerability has high likelihood and critical impact, resulting in a high risk that exceeds the risk appetite for financial loss. Immediate patching or other remediation is necessary to bring the risk to an acceptable level.

Option D (accept outdated encryption) is possible but not the highest priority. Option A (transfer the single point of failure) is valid, but the power supply risk has low likelihood; insurance may not be the first step. Option C (outsource incident response) is not the most urgent; testing the plan is less critical than addressing a high-risk vulnerability.

39
Multi-Selecteasy

Which TWO are essential components of a security policy framework?

Select 2 answers
A.Specific encryption key lengths
B.Incident response flowcharts
C.Network topology diagrams
D.Roles and responsibilities
E.Statement of scope
AnswersD, E

Policies must assign responsibility for security.

Why this answer

A security policy framework includes high-level policies that define scope, responsibilities, and governance. Standards and procedures operationalize policies, but the core policy document includes scope and roles.

40
MCQhard

A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?

A.IT security team
B.Internal audit team
C.Senior management
D.Data owner
AnswerC

Senior management sets strategic direction and ensures security aligns with business objectives.

Why this answer

Senior management (C) is primarily responsible for integrating security into strategic decision-making because they hold the authority to allocate resources, define risk appetite, and ensure that security initiatives directly support business objectives. In a governance framework, only senior management can bridge the gap between operational security and enterprise strategy, as they are accountable for the organization's overall risk posture and compliance mandates.

Exam trap

The trap here is that candidates often confuse operational responsibility (IT security team) with strategic accountability (senior management), leading them to select the IT security team because they are the ones executing security tasks, but the CISSP emphasizes that governance and strategic alignment are board-level duties.

How to eliminate wrong answers

Option A is wrong because the IT security team is responsible for implementing and operationalizing security controls, not for setting strategic direction or aligning security with business goals. Option B is wrong because the internal audit team provides independent assurance and evaluates control effectiveness, but they do not own or drive strategic integration of security. Option D is wrong because the data owner is accountable for classifying and protecting specific data assets, not for enterprise-wide strategic alignment of security with business objectives.

41
MCQeasy

A small business wants to implement a risk management framework. Which approach is best for identifying risks?

A.Quantitative analysis
B.Penetration testing
C.Threat modeling
D.Qualitative analysis
AnswerD

Uses relative rankings and is practical for organizations with limited data.

Why this answer

Qualitative analysis is cost-effective and does not require precise data, making it suitable for small businesses. Quantitative analysis is resource-intensive. Threat modeling is specific to certain scenarios.

Penetration testing is a validation technique, not a broad risk identification method.

42
Multi-Selectmedium

Which THREE of the following are control families defined in NIST SP 800-53? (Choose three.)

Select 3 answers
A.Access Control (AC)
B.System and Communications Protection (SC)
C.Data Encryption (DE)
D.Business Continuity (BC)
E.Identification and Authentication (IA)
AnswersA, B, E

Access Control is a NIST control family.

Why this answer

Options A, B, and E are correct: Access Control (AC), System and Communications Protection (SC), and Identification and Authentication (IA) are NIST SP 800-53 families. Option D (Business Continuity) is not a family; continuity is under Contingency Planning (CP). Option C (Data Encryption) is not a family; encryption is covered under SC.

43
MCQmedium

An organization is implementing a security program and wants to ensure it meets legal and regulatory requirements. The security manager is reviewing the concept of due care. Which best describes due care in the context of information security?

A.The process of responding to security incidents after they occur
B.The selection of security controls based on cost-benefit analysis
C.Compliance with all applicable laws and regulations
D.The level of prudence expected from a reasonable organization in the same industry
AnswerD

Due care requires an organization to do what any prudent entity would do under similar circumstances.

Why this answer

Option D is correct because due care refers to the legal concept of taking reasonable precautions to protect assets, and it is often established by adhering to industry standards. Option C is incorrect because compliance is just one aspect of due care. Option A is incorrect because due care is proactive, not reactive.

Option B is incorrect because cost-benefit analysis is separate from the legal standard of due care.

44
Multi-Selecthard

A risk assessment identifies several threats. Which THREE are considered external threats?

Select 3 answers
A.Insider error
B.Hacktivist
C.Disgruntled employee
D.Natural disaster
E.Competitor
AnswersB, D, E

External threat actor.

Why this answer

External threats originate outside the organization. Hacktivist (B), natural disaster (D), and competitor (E) are external. Insider error (A) and disgruntled employee (C) are internal.

45
MCQhard

A financial institution is required to retain customer transaction records for seven years under regulatory mandates. The institution is facing a lawsuit and must preserve all relevant data. What legal concept applies?

A.E-discovery
B.Data retention policy
C.Chain of custody
D.Legal hold
AnswerD

Legal hold suspends normal disposal to preserve evidence.

Why this answer

A legal hold (or litigation hold) requires organizations to preserve potentially relevant evidence when litigation is anticipated or ongoing.

46
Multi-Selecteasy

Which TWO of the following are key indicators that a security awareness training program is effective? (Choose two.)

Select 2 answers
A.More instances of employees bypassing security controls to improve productivity.
B.An increase in help desk calls for password resets.
C.An increase in employees reporting suspicious emails to the security team.
D.Fewer security policies are being issued.
E.A reduction in the number of successful phishing attacks.
AnswersC, E

Reporting suspicious emails shows that employees are applying their training.

Why this answer

Option C is correct because a measurable increase in employees reporting suspicious emails directly indicates that the training has improved their ability to recognize phishing indicators (e.g., mismatched URLs, spoofed sender domains, urgent language) and has instilled the desired reporting behavior. This is a leading indicator of security awareness effectiveness, as it demonstrates proactive threat identification before a compromise occurs.

Exam trap

The trap here is that candidates may confuse activity metrics (e.g., more help desk calls) with effectiveness metrics, or mistakenly think that fewer policies indicate simpler, more effective training, when in fact the CISSP emphasizes behavioral outcomes like reporting and reduced incident success rates.

47
Drag & Dropmedium

Drag and drop the steps for conducting a risk assessment in the correct order.


Why this order

Risk assessment begins with asset identification, then threat/vulnerability identification, likelihood/impact determination, risk calculation, and treatment recommendations.

48
MCQmedium

Based on the firewall log entry, what is the most likely cause of the denied traffic?

A.No firewall rule explicitly permits traffic from 10.0.0.25 to 203.0.113.50 on port 443.
B.The source IP is attempting a port scan on the destination.
C.The destination port should be 80 instead of 443.
D.The destination server's SSL certificate has expired.
AnswerA

The reason 'No matching rule' indicates no permit rule exists for this flow.

Why this answer

The firewall log entry shows a packet from source IP 10.0.0.25 to destination IP 203.0.113.50 on destination port 443 (HTTPS) being denied. The most likely cause is that no firewall rule explicitly permits this traffic. Firewalls operate on a default-deny or explicit-permit model; if no rule matches the source, destination, and port, the packet is dropped.

This is a fundamental principle of access control lists (ACLs) and stateful inspection.

Exam trap

The trap here is that candidates may confuse network-layer denial with application-layer issues (like SSL certificates) or misinterpret a single denied packet as evidence of a port scan, when the core concept is that firewalls enforce explicit permit rules and deny all other traffic by default.

How to eliminate wrong answers

Option B is wrong because a single denied packet on port 443 does not indicate a port scan; port scans typically involve multiple packets to different ports in rapid succession, and the log entry shows only one denied packet. Option C is wrong because the destination port being 80 (HTTP) instead of 443 (HTTPS) is irrelevant to the cause of denial; the firewall denies traffic based on its rules, not on whether the port is 'correct' for the service. Option D is wrong because SSL certificate expiration is an application-layer issue that occurs after a TCP connection is established; the firewall denies the packet at the network or transport layer before any TLS handshake can occur.

49
MCQeasy

An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?

A.To track the physical location of all assets
B.To apply appropriate security controls based on asset sensitivity
C.To determine the monetary value of each asset
D.To identify the legal owner of each asset
AnswerB

Classification drives the level of protection needed for each asset.

Why this answer

The primary purpose of classifying information assets is to assign a level of sensitivity (e.g., confidential, internal, public) so that appropriate security controls—such as encryption, access control lists, and data loss prevention rules—can be applied proportionally. This ensures that resources are focused on protecting the most critical data, aligning with the principle of cost-effective risk management.

Exam trap

The trap here is that candidates confuse the purpose of classification with asset inventory or valuation, but the CISSP emphasizes that classification is fundamentally about applying the right security controls based on sensitivity, not about tracking, pricing, or ownership.

How to eliminate wrong answers

Option A is wrong because tracking physical location is a function of asset inventory and management, not classification; classification focuses on the data's sensitivity, not its physical whereabouts. Option C is wrong because while classification may inform valuation, its primary purpose is not to determine monetary value—that is a separate financial or risk assessment activity. Option D is wrong because identifying the legal owner is a matter of asset ownership and accountability, which is related but secondary; classification is about the data's sensitivity level, not who owns it.

50
Multi-Selectmedium

Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

Select 2 answers
A.Incident response team structure
B.Risk management processes
C.Strategic alignment of security with business objectives
D.Penetration testing schedule
E.Vendor contract negotiation
AnswersB, C

Correct - Risk management is a governance responsibility.

Why this answer

Risk management processes are a core component of an Information Security Governance framework because they provide the structured methodology for identifying, assessing, and mitigating risks to the organization's information assets. This aligns with the ISO/IEC 27001 standard, which mandates a risk-based approach to establishing, implementing, and maintaining an information security management system (ISMS). Without formal risk management, governance lacks the data-driven foundation to prioritize security investments and controls.

Exam trap

The trap here is that candidates confuse operational security activities (like incident response teams or penetration testing) with governance-level components, which are strategic, policy-driven, and focused on oversight and alignment rather than execution.

51
Multi-Selectmedium

Which TWO are examples of administrative controls in an information security program?

Select 2 answers
A.Background checks
B.Encryption algorithms
C.Security awareness training
D.Firewall rules
E.Access control lists (ACLs)
AnswersA, C

Background checks are administrative, part of personnel security.

Why this answer

Administrative controls involve policies, procedures, and people. Security awareness training and background checks are administrative. Firewalls, ACLs, and encryption are technical controls.

52
MCQmedium

An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?

A.Transfer the risk through cyber insurance
B.Avoid the risk by decommissioning the system
C.Accept the risk
D.Mitigate by implementing compensating controls
AnswerD

Compensating controls reduce risk to an acceptable level while allowing business operations to continue.

Why this answer

Since the system cannot be replaced immediately, implementing compensating controls (e.g., network segmentation, strict access controls, monitoring) reduces the risk to an acceptable level. Accepting a high risk is not advisable when it exceeds appetite. Cyber insurance does not protect against data breach consequences adequately.

Decommissioning would disrupt critical operations.

53
MCQhard

A company is merging with another and must integrate security policies. What is the first step?

A.Conduct a gap analysis
B.Train all employees
C.Create a new policy
D.Adopt the stricter policy
AnswerA

Essential first step to understand current state.

Why this answer

A gap analysis identifies differences and overlaps between the two companies' policies, informing the integration plan. Adopting the stricter policy may cause disruption. Creating a new policy without understanding existing ones is premature.

Training comes after integration.

54
MCQhard

During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?

A.Maintain separate classification systems for each company
B.Create a new classification system for the merged entity
C.Apply the lower classification level to all data to simplify integration
D.Apply the higher of the two classification levels to all data
AnswerB

While a new classification system may be ideal in the long term, immediate integration requires using the higher classification to avoid data leaks. However, the question asks what 'best ensures secure data handling during integration'; a new system takes time to build and may not be immediately effective. The correct answer should be applying the higher classification.

Why this answer

Applying the higher classification to all data prevents inadvertent disclosure by ensuring the most restrictive controls are used. Maintaining separate systems or using the lower classification creates risk of data leakage.

55
Multi-Selecthard

Which THREE of the following are primary objectives of a risk management program?

Select 3 answers
A.Eliminate all risks
B.Identify assets
C.Protect critical assets
D.Ensure compliance
E.Achieve risk appetite
AnswersB, C, E

Asset identification is foundational to risk management.

Why this answer

The primary objectives include identifying assets, protecting critical assets, and keeping residual risk within the organization's risk appetite. Eliminating all risks is impossible, and compliance is a by-product of a well-run program rather than its primary objective.

56
MCQhard

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

A.File a claim under your cyber insurance policy and pay the deductible to cover the costs.
B.Negotiate with the vendor to split the costs and update the contract to remove the liability cap.
C.Accept the loss and implement additional vendor oversight to prevent future incidents.
D.Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.
AnswerD

Correct - Legal action may force the vendor to pay, and the limitation of liability may be deemed invalid.

Why this answer

Option D is the best course of action because the vendor's negligence caused the breach, and the contract explicitly holds the vendor liable for such incidents. Initiating legal proceedings to enforce the liability clause is the most direct way to recover the full $500,000 in costs, as the vendor's limitation of liability clause ($100,000 cap) may be challenged in court, especially given HIPAA's requirement for covered entities to ensure business associates safeguard PHI. This approach aligns with risk management principles by transferring the financial risk back to the responsible party, rather than accepting the loss or relying on insurance that explicitly excludes vendor negligence.

Exam trap

The trap here is that candidates may assume insurance is the primary risk transfer tool, but the exclusion for vendor negligence and the existence of a contractual liability clause make legal enforcement the superior option, as insurance cannot cover risks explicitly excluded in the policy.

How to eliminate wrong answers

Option A is wrong because the cyber insurance policy excludes losses due to vendor negligence, so the claim would likely be denied and the organization would bear the full $500,000 out of pocket; even if the loss were covered, the $250,000 deductible would leave half of it uncovered. Option B is wrong because negotiating a split without legal leverage would likely result in the vendor paying only up to the $100,000 cap, leaving the organization with $400,000 in uncovered costs, and contract updates cannot retroactively apply to the current breach. Option C is wrong because accepting the loss ignores the contractual liability clause and the vendor's negligence, failing to enforce legal rights and setting a precedent that could encourage future vendor non-compliance.

57
MCQmedium

Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

A.Discretionary Access Control (DAC)
B.Mandatory Access Control (MAC)
C.Rule-Based Access Control
D.Role-Based Access Control (RBAC)
AnswerC

The ACL is a set of rules that match on packet characteristics and are enforced by a system.

Why this answer

The access control list (ACL) applied to the inbound interface of a router connecting to the internet enforces traffic filtering based on a set of predefined rules (e.g., permit or deny statements based on source IP, destination IP, protocol and port numbers), evaluated top-down with the first match winning and an implicit deny at the end. This is the essence of Rule-Based Access Control, where access decisions are governed by a global set of rules applied uniformly to all subjects, independent of user identity or roles (the abbreviation RBAC is normally reserved for Role-Based Access Control). The ACL does not allow individual users to change permissions (eliminating DAC), does not use security labels or clearances (eliminating MAC), and does not map permissions to job roles (eliminating Role-Based Access Control).

Exam trap

ISC2 often tests the distinction between Rule-Based and Role-Based access control by presenting an ACL scenario and hoping candidates confuse the term 'rule' with 'role', but ACLs are purely rule-based and do not incorporate user roles or identity.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the resource owner to set permissions at their discretion (e.g., file permissions in Windows or Linux), whereas an ACL on a router is centrally managed by the network administrator and cannot be modified by end users. Option B is wrong because Mandatory Access Control (MAC) requires security labels (e.g., classification levels like Top Secret) and a central authority to enforce access based on those labels; a standard ACL does not use labels or a lattice-based model. Option D is wrong because Role-Based Access Control (RBAC) grants permissions based on job functions or roles (e.g., 'admin' or 'guest'), but a router ACL matches on packet attributes like IP addresses and ports, not on user roles or group memberships.
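The exhibit is not reproduced on this page, so the following is an added example (not the question's ACL and not vendor code) that models how a rule-based ACL is evaluated: an ordered list of entries matched on packet attributes only, first match wins, implicit deny at the end. The addresses, the entries and the `Ace`/`Packet` types are assumptions made for the example; the `find_shadowed` check is the ordering sanity test a practitioner would run on such a list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a Cisco-style extended ACL: an ordered list of access
# control entries (ACEs) matched top-down on packet attributes only. The ACL
# below is an assumed example, not the exhibit from the question.

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{ip}/32")

# Inbound ACL on the internet-facing interface (assumed addresses taken from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24):
INTERNET_IN: List[Ace] = [
    Ace("deny",   "ip",  ipaddress.IPv4Network("10.0.0.0/8"), ANY),      # anti-spoofing: private source from the internet
    Ace("deny",   "ip",  ipaddress.IPv4Network("192.168.0.0/16"), ANY),
    Ace("permit", "tcp", ANY, host("203.0.113.10"), 443),                # public web server, HTTPS only
    Ace("permit", "tcp", ANY, host("203.0.113.20"), 25),                 # mail relay, SMTP only
    # everything else falls through to the implicit deny
]

def proto_covers(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "ip" or rule_proto == pkt_proto

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, index). An index of None means
    the packet reached the implicit deny at the end of the list."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for i, ace in enumerate(acl):
        if not proto_covers(ace.proto, pkt.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, i
    return "deny", None

def find_shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs. An ACE entirely covered by
    an earlier ACE can never match, which usually signals an ordering mistake
    such as a specific deny placed after a broad permit."""
    hits = []
    for j, later in enumerate(acl):
        for i in range(j):
            earlier = acl[i]
            if (proto_covers(earlier.proto, later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                hits.append((j, i))
                break
    return hits

if __name__ == "__main__":
    for p in (Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
              Packet("tcp", "10.1.2.3", "203.0.113.10", 443),
              Packet("tcp", "198.51.100.7", "203.0.113.10", 22)):
        print(p, "->", evaluate(INTERNET_IN, p))
    print("shadowed entries:", find_shadowed(INTERNET_IN))
```

Note what the evaluator never looks at: who sent the packet, what role they hold, or any label on the data. Only the ordered rules and the packet fields decide, which is the distinction the question is testing.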

58
MCQeasy

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

A.To ensure appropriate protection measures are applied to data based on its value and sensitivity.
B.To satisfy regulatory requirements for data retention.
C.To facilitate data sharing across departments without restrictions.
D.To simplify the process of granting access to users.
AnswerA

Correct - classification drives the level of protection needed.

Why this answer

Data classification is the foundational process of assigning a sensitivity label (e.g., Public, Internal, Confidential, Restricted) to information assets. The primary reason is to ensure that appropriate security controls—such as encryption, access control lists (ACLs), and data loss prevention (DLP) policies—are applied proportionally to the data's value and sensitivity, aligning with the principle of defense in depth and risk management.

Exam trap

The trap here is that candidates often confuse the primary purpose of classification (protection) with secondary outcomes like compliance or access management, leading them to select options B or D instead of the correct risk-based reasoning in A.

How to eliminate wrong answers

Option B is wrong because satisfying regulatory requirements for data retention is a separate process governed by legal and compliance policies (e.g., GDPR, HIPAA), not the primary driver for classification; classification informs retention but retention is a downstream action. Option C is wrong because unrestricted data sharing across departments would violate the principle of least privilege and confidentiality; classification actually restricts sharing based on sensitivity levels. Option D is wrong because simplifying access granting is a secondary benefit of classification (via role-based access control), but the primary reason is to apply appropriate protection measures, not to simplify administration.

59
MCQhard

Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?

A.Discretionary Access Control (DAC)
B.Role-Based Access Control (RBAC)
C.Mandatory Access Control (MAC)
D.Attribute-Based Access Control (ABAC)
AnswerD

ABAC evaluates attributes (tags) to grant access.

Why this answer

The policy uses an attribute (PrincipalTag/department) in the Condition to grant access. This is attribute-based access control (ABAC). It is not purely RBAC because the Role is not the only factor; the tag attribute is evaluated.

60
MCQeasy

A company experiences a data breach. Which step should be taken first according to best practices?

A.Inform affected parties
B.Contain the breach
C.Notify law enforcement
D.Assess the damage
AnswerB

Stops the incident from spreading and limits impact.

Why this answer

Containing the breach is the immediate priority to prevent further damage. Notifying authorities and affected parties comes after containment. Assessing damage can happen concurrently but containment is first.

61
MCQhard

During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?

A.Transfer
B.Acceptance
C.Avoidance
D.Mitigation
AnswerA

Transfers financial impact to a third party, such as cyber insurance.

Why this answer

Transferring the risk (e.g., via insurance) is appropriate when mitigation cost exceeds asset value. Acceptance would leave the organization exposed to high risk. Avoidance would mean eliminating the asset or activity, which may not be feasible.

Mitigation is too costly.

62
MCQmedium

A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?

A.Risk transfer by purchasing insurance
B.Risk acceptance with documented decision
C.Risk mitigation by implementing additional controls
D.Risk avoidance by discontinuing the activity
AnswerB

Accepting the risk is justified when cost exceeds benefit.

Why this answer

Risk acceptance is appropriate when the cost of mitigation exceeds the potential loss and the risk is within the organization's risk appetite.

63
MCQeasy

Which security control is most effective for preventing unauthorized access to a data center?

A.Biometric authentication
B.Mantrap
C.Access logs
D.Video surveillance
AnswerB

Prevents unauthorized physical access through a controlled entry.

Why this answer

A mantrap provides a physical barrier that prevents tailgating and ensures one person enters at a time. Biometric authentication is also preventive, but on its own it does not stop a second person following an authorized one through the door. Video surveillance is a detective and deterrent control, and access logs are purely detective.

64
MCQhard

A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?

A.Risk acceptance
B.Risk avoidance
C.Risk enhancement
D.Risk transfer
E.Risk mitigation
AnswerE

Upgrading encryption reduces the likelihood of a breach, which is risk mitigation.

Why this answer

The risk manager is applying risk mitigation by implementing the encryption upgrade to reduce the likelihood or impact of a data breach. This directly addresses the identified risk by deploying a stronger cryptographic control, such as replacing deprecated protocols (SSL, TLS 1.0/1.1) with TLS 1.2 or 1.3 and retiring weak algorithms such as RC4 or 3DES, thereby lowering the residual risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance, as candidates may think avoiding outdated encryption means avoiding the risk entirely, but risk avoidance requires ceasing the risky activity, not upgrading the control.

How to eliminate wrong answers

Option A is wrong because risk acceptance would involve acknowledging the risk and taking no action to reduce it, which contradicts the decision to spend $50,000 on an upgrade. Option B is wrong because risk avoidance would mean eliminating the activity that creates the risk (e.g., ceasing all data transmission), not upgrading the control. Option C is wrong because 'risk enhancement' is a strategy for opportunities (positive risk) in project risk management, not a treatment for a threat; applied here it would mean deliberately increasing exposure, the opposite of the manager's action.

Option D is wrong because risk transfer would involve shifting the financial burden of a breach to a third party (e.g., purchasing cyber insurance), not investing in internal controls.

65
Multi-Selecthard

Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)

Select 2 answers
A.Annual Rate of Occurrence (ARO)
B.Exposure Factor (EF)
C.Residual Risk
D.Single Loss Expectancy (SLE)
E.Control Frequency (CF)
AnswersA, D

ARO is the estimated frequency of the risk occurring per year.

Why this answer

Options A and D are correct: Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO) are the direct inputs to Annualized Loss Expectancy (ALE) = SLE × ARO. Option B (Exposure Factor) is a component of SLE (SLE = AV × EF) rather than of the ALE formula itself. Option C (Residual Risk) is the risk remaining after controls, and option E (Control Frequency) is not a term in the basic quantitative formula.

66
MCQmedium

Refer to the exhibit. Which security risk does this policy primarily introduce?

A.Privilege escalation
B.Unauthorized read access
C.Denial of service
D.Unauthorized write access
AnswerD

Any user can upload objects to the bucket.

Why this answer

The policy allows any principal (anyone) to perform the s3:PutObject action on the bucket, meaning anyone can upload objects. This introduces unauthorized write access risk. Read access is not allowed.

Privilege escalation and DoS are not directly introduced.
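Neither exhibit for questions 59 and 66 is reproduced on this page, so the following is an added example (not the questions' policies and not AWS code) that models the two policy shapes their explanations describe and evaluates them with simplified IAM semantics: explicit Deny wins, any matching Allow allows, otherwise implicit deny. The policy documents, the role ARN, the bucket name and the `StringEquals`-only condition support are assumptions made for the example; the `public_write_statements` check is the kind of detection a practitioner would run over bucket policies to catch the question 66 pattern.

```python
import fnmatch
from typing import Any, Dict, List

# Two constructed policy documents standing in for the missing exhibits. They
# follow the wording of the explanations above, not any real account.

ROLE_ARN = "arn:aws:iam::123456789012:role/analytics-role"   # assumed
BUCKET = "arn:aws:s3:::example-bucket"                        # assumed

# Question 59: identity policy attached to the role. Access also depends on the
# caller's department tag, which is what makes this ABAC rather than plain RBAC.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
        "Condition": {"StringEquals": {"aws:PrincipalTag/department": "finance"}},
    }],
}

# Question 66: bucket (resource) policy with a wildcard principal on a write action.
PUBLIC_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": BUCKET + "/*",
    }],
}

def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]

def _is_wildcard_principal(p: Any) -> bool:
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def _principal_matches(stmt: Dict[str, Any], principal: str) -> bool:
    if "Principal" not in stmt:      # identity-based policy: applies to whatever it is attached to
        return True
    p = stmt["Principal"]
    return _is_wildcard_principal(p) or (isinstance(p, dict) and principal in _as_list(p.get("AWS", [])))

def _condition_holds(stmt: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Only StringEquals is modelled. A missing context key fails the test, as it
    does in IAM for non-negated operators."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True

def evaluate(policy: Dict[str, Any], principal: str, action: str, resource: str,
             ctx: Dict[str, str] = None) -> str:
    """Simplified IAM decision: explicit Deny wins, any Allow allows, else implicit deny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject")

def public_write_statements(policy: Dict[str, Any]) -> List[int]:
    """Indexes of unconditional Allow statements that let anyone write: the
    unauthorized-write exposure from question 66."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if any(fnmatch.fnmatchcase(w, a) for a in _as_list(stmt.get("Action", [])) for w in WRITE_ACTIONS):
            hits.append(i)
    return hits

if __name__ == "__main__":
    obj = BUCKET + "/q1/report.csv"
    print(evaluate(ABAC_POLICY, ROLE_ARN, "s3:GetObject", obj, {"aws:PrincipalTag/department": "finance"}))
    print(evaluate(ABAC_POLICY, ROLE_ARN, "s3:GetObject", obj, {"aws:PrincipalTag/department": "marketing"}))
    print(evaluate(PUBLIC_WRITE_POLICY, "anonymous", "s3:PutObject", obj))
    print("public write statements:", public_write_statements(PUBLIC_WRITE_POLICY))
```

The same role gets different answers depending on a tag carried by the caller, which is the ABAC point of question 59; and the bucket policy allows an anonymous `s3:PutObject` while still returning an implicit deny for `s3:GetObject`, which is the write-only exposure of question 66.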

67
Multi-Selecteasy

Which TWO documents are considered foundational for an information security program?

Select 2 answers
A.Security policy
B.Baseline
C.Guideline
D.Incident response plan
E.Standard operating procedure
AnswersA, D

Foundation of the security program.

Why this answer

The security policy (A) defines overall governance and direction. The incident response plan (D) is the critical operational plan the policy mandates. Baselines (B) are technical minimums, guidelines (C) are recommendations, and standard operating procedures (E) are step-by-step instructions; all three are supporting documents derived from the policy.

68
MCQhard

A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?

A.Retain data for the longer of the two regulatory requirements (HIPAA 6 years)
B.Implement a tiered retention policy based on data classification
C.Retain all data indefinitely
D.Retain data for the shorter requirement (GDPR-defined necessity period)
AnswerB

Allows different retention periods for different data types, ensuring compliance with both regulations while minimizing costs.

Why this answer

A tiered retention policy based on data classification allows the organization to apply different retention periods to different types of data, balancing regulatory requirements and cost. Retaining for the longer of the two requirements may over-retain data that is not subject to both laws. Retaining for the shorter may violate HIPAA.

Retaining all data indefinitely is costly and may violate GDPR's storage limitation principle.

69
MCQmedium

A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?

A.Scenario-based risk analysis with ordinal scales
B.Qualitative risk analysis using high/medium/low ratings
C.Benchmarking against industry standards
D.Quantitative risk analysis using annualized loss expectancy (ALE)
AnswerD

Quantitative analysis calculates ALE from SLE and ARO, providing monetary estimates.

Why this answer

Quantitative risk analysis assigns monetary values to assets, threats, and impacts, allowing calculation of SLE, ARO, and ALE. Qualitative analysis uses subjective scales and is not monetary.
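The formulas in questions 65 and 69, and the cost-benefit reasoning behind questions 62 and 64, carried through in code as an added example (not from the page). SLE = AV × EF and ALE = SLE × ARO are the standard quantitative formulas; the safeguard-value rule (ALE before minus ALE after minus the annualized control cost) is the standard way to decide whether a control is worth buying. The scenario figures other than the question 64 numbers ($50,000 upgrade, $2,000,000 loss) are assumptions, including the ARO values and the five-year life used to annualize the upgrade.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single event, 0.0 to 1.0
    aro: float              # ARO: expected number of events per year

def sle(s: Scenario) -> float:
    """Single Loss Expectancy = AV x EF."""
    return s.asset_value * s.exposure_factor

def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro

def safeguard_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annualized control cost.
    Positive means the control pays for itself."""
    return ale(before) - ale(after) - annual_control_cost

def recommend(before: Scenario, after: Scenario, annual_control_cost: float,
              appetite_ale: float) -> str:
    """Decision rule implied by questions 61, 62 and 64: mitigate when the control
    has positive value; otherwise accept if the ALE is within the appetite
    (expressed here as a money figure); otherwise transfer or avoid."""
    if safeguard_value(before, after, annual_control_cost) > 0:
        return "mitigate"
    if ale(before) <= appetite_ale:
        return "accept"
    return "transfer or avoid"

# Question 64 figures with assumed ARO values: the $2,000,000 breach loss is the
# SLE, and the $50,000 upgrade is spread over an assumed 5-year life.
OUTDATED_CRYPTO = Scenario(asset_value=2_000_000, exposure_factor=1.0, aro=0.25)
UPGRADED_CRYPTO = Scenario(asset_value=2_000_000, exposure_factor=1.0, aro=0.0625)
CRYPTO_UPGRADE_ANNUAL_COST = 50_000 / 5

# Question 62 shape: high likelihood, low impact, and a control that costs more
# than it saves (all numbers assumed).
MINOR_BEFORE = Scenario(asset_value=20_000, exposure_factor=0.5, aro=2.0)
MINOR_AFTER = Scenario(asset_value=20_000, exposure_factor=0.5, aro=0.25)
MINOR_CONTROL_ANNUAL_COST = 30_000

if __name__ == "__main__":
    print("crypto ALE before/after:", ale(OUTDATED_CRYPTO), ale(UPGRADED_CRYPTO))
    print("crypto upgrade value:", safeguard_value(OUTDATED_CRYPTO, UPGRADED_CRYPTO, CRYPTO_UPGRADE_ANNUAL_COST))
    print("crypto recommendation:", recommend(OUTDATED_CRYPTO, UPGRADED_CRYPTO, CRYPTO_UPGRADE_ANNUAL_COST, 100_000))
    print("minor risk recommendation:", recommend(MINOR_BEFORE, MINOR_AFTER, MINOR_CONTROL_ANNUAL_COST, 25_000))
```

With these inputs the encryption upgrade returns a safeguard value of $365,000 per year and a "mitigate" recommendation, while the minor scenario's control has negative value and the risk is accepted as long as its $20,000 ALE sits inside the stated appetite.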

70
MCQhard

A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

A.Conduct a thorough vendor risk assessment including security audits.
B.Negotiate a lower price to offset potential security investments.
C.Purchase cyber liability insurance to cover potential breaches.
D.Require the vendor to sign a non-disclosure agreement (NDA).
AnswerA

Correct - due diligence identifies risks before commitment.

Why this answer

Before outsourcing critical operations, the primary risk management activity is to conduct a thorough vendor risk assessment, including security audits. This evaluates the vendor's security posture, compliance with standards (e.g., ISO 27001), and ability to protect sensitive customer data, directly addressing risks like data breaches or service disruptions before contractual obligations are locked in.

Exam trap

ISC2 often tests the misconception that risk transfer (insurance) or legal agreements (NDAs) are primary risk management activities, when in fact proactive assessment and due diligence must occur first to identify and treat risks before any contractual commitment.

How to eliminate wrong answers

Option B is wrong because negotiating a lower price does not mitigate security risks; it may even incentivize the vendor to cut corners on security controls, increasing exposure. Option C is wrong because purchasing cyber liability insurance transfers financial risk after a breach but does not prevent or reduce the likelihood of a security incident, making it a secondary, not primary, activity. Option D is wrong because requiring an NDA only addresses confidentiality of shared information but fails to assess the vendor's actual security capabilities, processes, or vulnerabilities, leaving critical risks unexamined.

71
Multi-Selecthard

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

Select 3 answers
A.Risk retention
B.Risk review
C.Risk reduction
D.Risk transfer
E.Risk avoidance
AnswersC, D, E

Correct - Implementing controls to reduce likelihood or impact.

Why this answer

ISO 31000 lists risk treatment options that include avoiding the risk, changing its likelihood or consequences (reduction), sharing the risk with another party (transfer, e.g. insurance or contracts) and retaining the risk by informed decision. Risk reduction (option C) is a valid treatment that involves implementing controls to lower the likelihood or impact of a risk, such as deploying firewalls or encryption to mitigate a security threat.

Exam trap

The trap is that 'risk review' (option B) is a monitoring activity, not a treatment option. Be aware that risk retention (option A) is also a valid ISO 31000 treatment; the answer key excludes it only because the question demands exactly three selections, so four of the five options are defensible and only B can be eliminated with certainty.

72
MCQeasy

Based on the exhibit, which security objective is this policy primarily designed to protect?

A.Non-repudiation
B.Confidentiality
C.Integrity
D.Availability
AnswerB

Encrypting data at rest prevents unauthorized access to the plaintext.

Why this answer

The policy explicitly states that data must be encrypted both at rest (using AES-256) and in transit (using TLS 1.2+). Encryption is a primary mechanism for ensuring confidentiality by preventing unauthorized access to data. The requirement to protect data from disclosure directly aligns with the confidentiality objective of the CIA triad.

Exam trap

The trap here is that candidates often confuse encryption with integrity or non-repudiation, but encryption alone does not provide integrity checks (which require MACs or digital signatures) nor does it prove the origin of data.

How to eliminate wrong answers

Option A is wrong because non-repudiation is about ensuring that an action cannot be denied, typically achieved through digital signatures and audit logs, not encryption. Option C is wrong because integrity focuses on preventing unauthorized modification of data, which is protected by hashing or checksums, not encryption alone. Option D is wrong because availability ensures that data and systems are accessible when needed, which is addressed by redundancy and disaster recovery, not encryption.

73
MCQmedium

A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?

A.Implement client-side encryption with keys stored on-premises
B.Use tokenization instead of encryption
C.Use the cloud provider's default encryption with their key management service
D.Accept the provider's encryption without additional controls
AnswerA

Client-side encryption ensures the provider cannot access plaintext data, and keys remain under the organization's control.

Why this answer

Client-side encryption with keys stored on-premises ensures the organization retains exclusive control over encryption keys, so the provider never sees plaintext or key material. Relying on the cloud provider's default encryption with its key management service leaves key custody with the provider, which may not satisfy the compliance requirement. Accepting the provider's encryption without additional controls surrenders control entirely.

Tokenization can shrink the footprint of sensitive data by replacing values with surrogate tokens, but it is not a substitute for customer-controlled encryption: the token vault and any fields that cannot be tokenized still need protection, and it does not address the key-control requirement itself.

74
MCQhard

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

A.Block all access to public cloud storage services from corporate devices.
B.Implement mandatory security awareness training focusing on data handling procedures.
C.Deploy a Data Loss Prevention (DLP) solution that monitors and controls sharing of sensitive data.
D.Encrypt all sensitive data at rest and in transit to render shared data useless.
AnswerC

Correct - DLP provides automated controls to prevent data leakage.

Why this answer

Option C is correct because a Data Loss Prevention (DLP) solution provides automated, policy-based monitoring and control of sensitive data being shared via public cloud storage links. Unlike awareness training (which relies on human behavior) or blanket blocking (which hinders productivity), DLP can inspect content in real time using pattern matching, fingerprinting, or exact data matching to prevent unauthorized sharing before it occurs, directly addressing the root cause of inadvertent exposure.

Exam trap

The trap here is that candidates often choose awareness training (Option B) because it seems like a logical first step, but the question asks for the BEST strategy to PREVENT recurrence, and DLP provides a technical control that actively blocks the action rather than relying on human behavior change.

How to eliminate wrong answers

Option A is wrong because blocking all access to public cloud storage services is an overly restrictive technical control that can severely impact business operations and collaboration; it does not address the underlying issue of improper data handling and may drive users to unapproved shadow IT solutions. Option B is wrong because while security awareness training is important, it is a preventive administrative control that relies on human memory and compliance; it cannot prevent recurrence of inadvertent sharing in real time, as human error can still occur despite training. Option D is wrong because encryption protects data confidentiality if the data is intercepted, but it does not prevent the authorized user from inadvertently sharing the encrypted data via a public link; if the recipient has the decryption key (or the key is shared with the link), the data remains exposed, so encryption alone is not a preventive control against the act of sharing.
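The content-inspection step the explanation describes, shown as an added example (not from the page and not any vendor's DLP engine): pattern matching for US SSNs and payment card numbers, with a Luhn check so that a 16-digit order number does not trigger a false block, and a policy decision that stops the share before it leaves. The sample share text, the thresholds and the masking format are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of an outbound share (email body or file contents). The
# card number is the well-known test PAN 4111 1111 1111 1111; the SSN is made up.
SAMPLE_SHARE = """Hi team, attaching the export for the vendor.
Customer: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111 exp 09/27.
Order ref 1234 5678 9012 3456 (internal order id, not a card).
"""

# US SSN: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single spaces or dashes between them.
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; removes most false positives a digit-count regex alone produces."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)

def mask(digits: str) -> str:
    """Keep only the last four digits so the incident record does not itself leak data."""
    return "*" * (len(digits) - 4) + digits[-4:]

def inspect_share(text: str, ssn_threshold: int = 1) -> Dict[str, object]:
    """Policy decision for an outbound share: any PAN, or at least ssn_threshold
    SSNs, blocks the share. The report carries masked values only."""
    pans = find_pans(text)
    ssns = find_ssns(text)
    blocked = bool(pans) or len(ssns) >= ssn_threshold
    return {
        "decision": "block" if blocked else "allow",
        "pan": [mask(p) for p in pans],
        "ssn": [mask(s.replace("-", "")) for s in ssns],
    }

if __name__ == "__main__":
    print(inspect_share(SAMPLE_SHARE))
    print(inspect_share("Order ref 1234 5678 9012 3456 ships Monday"))
```

Real products add fingerprinting and exact data matching on top of this, but the control point is the same: the decision is taken on the content at the moment of sharing, not on the user's recollection of the handling rules.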

75
Multi-Selectmedium

An organization is conducting a Business Impact Analysis (BIA) as part of its business continuity planning. Which THREE of the following are essential components of a BIA? (Choose three.)

Select 3 answers
A.Criticality prioritization
B.Recovery Time Objective (RTO)
C.Mean Time Between Failures (MTBF)
D.Single point of failure identification
E.Maximum Tolerable Downtime (MTD)
AnswersA, B, E

Ranking processes by criticality is fundamental to BIA to focus resources.

Why this answer

The correct options are A, B, and E. Recovery Time Objective (RTO) defines the target time to resume operations; Maximum Tolerable Downtime (MTD) defines the total allowable downtime, which the RTO must not exceed; criticality prioritization ranks processes by importance. Option C (Mean Time Between Failures) is a reliability metric not used in BIA.

Option D (Single point of failure identification) belongs to vulnerability and resilience assessment, not a direct component of BIA.
