ISC2 Certified in Cybersecurity (CC) Practice Test

CCTV is classified as a monitoring control because its cameras continuously watch and electronically record activity within a protected area. Live feeds let security staff detect suspicious behavior as it happens, and stored footage supplies visual evidence for later investigation or prosecution. By itself, CCTV does not grant or deny entry (that is done by locks or authentication devices), enforce network policies, or verify biometric traits; instead, it provides real-time observation and historical documentation of physical events.

Hashing algorithms transform data into a fixed-length value (hash or message digest). Any change to the original data produces a different hash, allowing recipients or systems to detect unauthorized modification and thus preserve integrity. Encryption focuses on keeping data confidential, redundancy supports availability by providing alternate resources, and multi-factor authentication confirms identity rather than data accuracy.

Risk is not simply any vulnerability, incident count, or insurance cost. Rather, it represents the chance that a threat actor will successfully exploit a specific vulnerability and, as a result, harm the organization's assets, operations, or individuals. This definition highlights two key dimensions-likelihood (probability of exploitation) and impact (negative consequence). Security incidents, unpatched systems, or insurance premiums may relate to cybersecurity but do not, by themselves, represent the complete concept of risk as used in a formal risk assessment.

Redundancy involves duplicating critical components so that the failure of one does not interrupt operations. Using two independent uninterruptible power supplies (UPS) that can each support the same set of servers means power will continue even if one UPS fails. Merely labeling cables, configuring HVAC airflow, or installing a single next-generation firewall do not duplicate a critical function; they improve organization, cooling efficiency, or security but leave no backup component ready to take over immediately if the primary one stops working.

Multi-factor authentication (MFA) requires credentials from at least two distinct factor categories: something you know, something you have, or something you are. A smart card represents something you have, while a fingerprint is something you are. Using both meets the MFA definition. The other choices pair factors from the same category-either two knowledge factors (password and PIN, password and security question) or two biometric factors (retina scan and fingerprint)-so they do not constitute MFA.

A worm is a self-contained piece of malware that can copy itself from one system to another without any need to piggy-back on another file or wait for a user to run it. This autonomous replication distinguishes worms from viruses, which must infect host files to spread. Trojans, in contrast, masquerade as legitimate software and rely on users to install or run them; they do not self-replicate. Ransomware is malware that encrypts or blocks access to data until a ransom is paid, but it also lacks the automatic self-propagating property that defines a worm. Therefore, the worm is the only option that fulfills the description of independent, self-replicating network propagation.

Regular vulnerability scanning uses automated tools to probe systems and network devices for known weaknesses such as outdated software, unpatched flaws, or improper configurations. Finding these issues early allows defenders to correct them before attackers can exploit them, making vulnerability scanning a key preventive control. Penetration testing is a deeper, often manual, simulation of real attacks and is usually performed less frequently. Log monitoring focuses on detecting events that have already occurred rather than uncovering latent weaknesses. Packet filtering refers to enforcing firewall rules to block or permit traffic; it does not actively look for host vulnerabilities.

Placing essential network devices in a secured closet limits who can physically reach them. By restricting physical access, the organization greatly lowers the likelihood that an unauthorized person can steal, damage, or manipulate the hardware-actions that could disrupt operations or compromise data. While the control may indirectly help with issues such as power or electromagnetic interference, its main purpose is to prevent intentional or accidental physical tampering or theft. Software vulnerabilities and power fluctuations are addressed through different technical and electrical safeguards, not by locking the equipment location.

Closed-circuit television (CCTV) equipment is a tangible mechanism that helps deter and record unauthorized entry, so it is classified as a physical security control. Security awareness training and password complexity rules are written directives that guide behavior, making them administrative controls. Firewall rule sets are hardware or software mechanisms that limit network traffic, placing them in the technical control category. Because only the CCTV system involves a concrete, physical barrier or detection device, it is the correct choice.

A memorandum of understanding (MOU) records the intentions and shared responsibilities of the parties, such as how they will handle physical and environmental security in a jointly used data center. Because an MOU usually expresses cooperation goals without imposing strict legal obligations, it is considered non-binding. A memorandum of agreement (MOA) tends to be more formal and can carry legal force, a service-level agreement (SLA) specifies performance metrics for provided services, and a statement of work (SOW) details project tasks and deliverables.

A badge-activated card reader that releases an electric door strike is an example of an electronic lock. It physically keeps the door closed until proper authentication occurs, thereby preventing unauthorized entry. A CCTV camera only records activity and serves as a detective control. A motion-activated alarm detects and alerts but does not stop entry. Reflective window film obstructs viewing and acts chiefly as a deterrent, not as a lock.

A security baseline is a documented set of approved configuration settings that represent the minimum acceptable security posture for a system. Administrators use this baseline as a reference point: any future modification can be compared against it to verify that the system remains within the organization's approved, secure configuration. It does not automate patch installation, generate encryption keys, or perform event logging-those tasks are handled by other tools and processes.

The lessons-learned retrospective occurs during the post-incident activity phase. After systems are restored, the team reviews what happened, documents findings, and recommends improvements to policies, controls, and the incident response plan. Preparation, detection and analysis, and containment focus on readiness, identifying the incident, and limiting its spread; none of them center on formalizing lessons learned.

During containment, responders act immediately to stop an incident from spreading or worsening. Physically or logically isolating infected hosts halts further malware propagation, buying time for eradication and recovery steps. Investigating the entry point is part of analysis, patching and re-imaging fall under eradication and recovery, and the debrief occurs during post-incident activities-none of which are objectives of the containment phase.

Malware that masquerades as harmless or useful software to trick users into installing it is known as a Trojan. Once launched, a Trojan does not attempt to replicate or spread by itself; instead, it carries out the hidden payload such as opening a backdoor that allows an attacker remote access. A computer worm, by contrast, is self-replicating and travels across networks without user assistance. A logic bomb is dormant code that activates only when specific conditions are met, and a side-channel attack gathers information from hardware leakages like timing or power use rather than installing software. Therefore, only a Trojan fits the scenario described.

The delivery courier arrives without a badge, clearance, or an approved escort and therefore lacks any form of authorization. By contrast, the other individuals all have explicit permission-whether through role-based rights, a temporary access badge, or written authorization plus an approved escort-and may enter under policy.

Natural surveillance seeks to maximize visibility so legitimate users can easily observe suspicious activity. Trimming overgrown shrubs near entrances removes visual obstructions, extending lines of sight from windows and walkways. Biometric readers, smart card badges, and electronic cipher locks are access-control or authentication tools; they do not significantly affect visibility of surrounding areas, so they relate to other security control categories rather than environmental design for natural surveillance.

A Disaster Recovery Plan should break down recovery guidance by business unit so that each department has procedures that reflect its own systems, priorities, and dependencies. These department-specific recovery plans ensure that finance, human resources, manufacturing, and other units can restore their critical functions quickly and in the correct order. An executive summary only gives high-level context, a call tree focuses on notification, and an inventory of off-site backup media merely lists storage resources-none of these offers unit-level operational instructions.

A default-deny (or implicit deny) policy means the firewall blocks all traffic unless an explicit rule permits it. This minimizes attack surfaces because unsolicited or misconfigured traffic is discarded automatically. Simply denying only UDP, allowing all internal traffic, or trusting certain external IP ranges by default still leaves unnecessary openings that attackers can exploit. Starting with deny-all and then adding narrowly scoped permit rules best enforces least privilege.

No preventive security program can block every possible threat, so incidents will still occur. A formal incident response capability enables an organization to detect events quickly, limit damage through rapid containment, and coordinate recovery and communication efforts that protect data, operations, and reputation. Relying on prevention alone is insufficient, and incident response does not eliminate the need for user training or broader continuity and recovery planning. While incident response supports regulatory compliance, it does not automatically satisfy all obligations. Instead, its primary value is reducing impact and downtime after an unavoidable security event.