ISC2 Certified in Cybersecurity (CC) Practice Test

The principle of least privilege requires that users receive only the minimum permissions necessary to perform their job duties. Granting a financial analyst read-only access to the report server limits the analyst to viewing data, preventing unintended or malicious changes while still allowing the analyst to do their work. Each incorrect choice provides broader permissions than needed: giving developers full administrator rights, equating temporary staff privileges with permanent employees, or granting a project manager unrestricted access to all file shares all violate least-privilege by exceeding the minimum required access.

An IPv4 address consists of 32 bits broken into four 8-bit segments (octets). Each octet is converted to decimal and the four values are written in dotted-decimal notation (for example, 192.168.1.1). The other choices are incorrect because 48-bit addresses describe MAC addresses, 64-bit binary strings are not used for IP addressing, and 128-bit hexadecimal groups separated by colons describe IPv6, not IPv4.

A security guard physically restricts or permits entry to a facility, making the control tangible and location-based; therefore it is categorized as a physical control. Encryption of laptops is a technical control because it relies on software and algorithms. Reviewing user privileges is an administrative control involving policy and oversight. Multi-factor authentication with one-time passcodes is also a technical control that uses electronic mechanisms to verify identity.

Non-repudiation demands proof that a specific sender created an unchanged message. A digital signature accomplishes this by combining the sender's private key with a hash of the email; successful verification with the corresponding public key shows the content is intact and that only the sender could have produced the signature. A checksum or hash alone proves integrity but not authorship, symmetric encryption relies on a shared secret so either party could have created the ciphertext, and a time stamp merely records when the message was handled without linking it to a unique signer or protecting the content.

Privacy is concerned with safeguarding information that can identify an individual (sometimes called personally identifiable information, or PII) so that it is not used or disclosed without proper authorization. While confidentiality, integrity, availability, and authentication are also core security concepts, they address different goals: confidentiality protects any sensitive data from unauthorized access; integrity focuses on preventing unauthorized alteration of information; availability ensures timely, reliable access for authorized users; and authentication verifies identity. Therefore, the statement describing protection of personal or sensitive information from unauthorized use or disclosure correctly captures the essence of the privacy principle.

A standard is a mandatory, technology-specific requirement that supports a higher-level policy. Stating that all laptops must use full-disk encryption with a particular algorithm specifies an exact configuration, so it belongs in a standard. A policy would only express management's intent to protect mobile devices without detailing encryption choices. A procedure would describe the step-by-step process technicians follow to enable encryption. A regulation is an external legal mandate, not an internal governance document.

The strategy described is mitigation. When an organization mitigates a risk, it implements controls-such as technical safeguards, administrative policies, or physical protections-to reduce the probability that the threat will be realized, the damage it can cause, or both. Mitigation keeps the activity in place but attempts to make it safer.

Avoidance takes the opposite approach by stopping or never starting the risky activity, thereby removing the exposure altogether. Transference shifts the financial responsibility for loss to another party (for example, through insurance or outsourcing). Acceptance means the organization consciously decides to tolerate the risk without further action, usually because the cost of additional controls would exceed the expected loss. Because only mitigation focuses on reducing likelihood or impact while allowing the activity to continue, it is the correct answer.

Purchasing insurance shifts the potential financial consequences of a security incident to a third party. This action exemplifies the risk transference (or sharing) strategy, where the organization pays another entity to assume part or all of the impact. Mitigation focuses on reducing likelihood or impact through controls, acceptance involves doing nothing beyond acknowledging the risk, and avoidance eliminates the risky activity altogether.

The first canon obligates professionals to place the welfare of society and the resilience of vital systems above all other considerations. By implementing redundant firewalls and backup network links for a city's emergency dispatch service, the professional is actively safeguarding critical infrastructure and helping to ensure that life-safety services remain available to the public. Disabling employee internet access may reduce risk but does not directly advance public trust or protect essential services. Negotiating a higher salary addresses personal interest, not societal welfare. Publishing exploit code for an unpatched vulnerability can endanger the public by facilitating attacks rather than protecting them.

The Application layer (Layer 7) is the top layer of the OSI model. It provides network-related services directly to user applications, enabling functions such as web browsing (HTTP), email transmission (SMTP), and file transfers (FTP). It supplies the protocols and interfaces that allow software to access network resources. The Presentation layer focuses on data formatting and encryption, the Session layer manages dialog control between hosts, and the Transport layer is concerned with reliable data delivery and flow control, not end-user application services.

Disaster recovery planning is not only about technology-it is often mandated by laws and industry regulations that require organizations to protect data and ensure service continuity. Meeting these legal or regulatory obligations is therefore a primary driver for establishing a formal disaster recovery capability. Cost-saving measures, employee engagement programs, or avoiding routine hardware upgrades may provide ancillary benefits, but they are not central reasons why most organizations invest in disaster recovery planning.

The strategy described is mitigation, also known as risk modification. Mitigation involves adding or enhancing safeguards-such as encryption, access controls, or redundancy-to lower either the likelihood that a threat succeeds or the magnitude of its impact. Transference shifts the risk to a third party (for example, through insurance), acceptance means consciously deciding to take no further action, and avoidance eliminates the risky activity altogether. Only mitigation focuses on reducing likelihood or impact through controls.

The canon that stresses the need to perform professional duties skillfully and attentively in service to employers or clients is "Provide diligent and competent service to principals." The other canons focus on broader societal protection, personal integrity, or advancing the profession, rather than directly requiring competent service to those who employ or retain the professional.

The "something you are" factor relies on inherent physical characteristics of the user. An iris scan pattern is a biometric measurement that uniquely identifies an individual, therefore satisfying the inherence factor. A smart card represents "something you have" because it is a physical object in the user's possession. A six-digit PIN is "something you know" because it is memorized information, and an SMS one-time password is also "something you have" because it depends on possession of the registered mobile device. Only the biometric iris scan directly reflects the user's own physical trait.

Regulations and laws originate from governmental bodies (e.g., legislatures or regulatory agencies) and carry the force of law, making compliance mandatory. Policies, procedures, and industry standards are developed internally or by non-government groups; although they may be required by management or contracts, they do not have the same legal authority or enforcement mechanisms as a government regulation or law.

Administrative controls are policy-driven or managerial measures that direct how people must act. Security awareness training is created and mandated by management to educate workers and shape acceptable behavior, so it is an administrative control. Firewall rule sets and RAID disk arrays are technical safeguards, while biometric door locks are physical controls; none of these are categorized as administrative.

Electronic badge systems authenticate a person by reading data stored on a card's magnetic stripe or RFID chip and then record the time and location of the successful (or failed) entry attempt. This audit trail supports accountability and investigations. Cameras, motion detectors, and fire-suppression equipment are separate controls, while logical file permissions are handled by software-based access control, not physical badge readers.

ISC2 makes adherence to its Code of Ethics a continuing, mandatory obligation for all members and associates. Certification holders must explicitly commit to follow the four canons and conduct themselves accordingly; failure to do so can lead to disciplinary action or loss of certification. Neither recurring seminars, employer attestations, nor public postings are stipulated by ISC2 as standing requirements.

Technical controls are safeguards implemented through hardware, software, or firmware. A network firewall that inspects and filters packets is a classic technical control because it is a software or hardware device that directly enforces security on data in transit. Security awareness training and acceptable use policies are administrative controls, while closed-circuit video cameras are physical controls. Although each plays an important role, only the firewall fits the definition of a technical control designed to protect systems electronically.

An incident response (IR) plan exists to guide coordinated actions that immediately address a security event. Its chief aim is to minimize the damage an incident causes-such as data loss, service disruption, and reputational harm-and to speed restoration of normal operations. While vulnerability management, regulatory compliance, and alternate facility planning are important security or continuity activities, they are handled by separate processes (secure development, governance/risk/compliance, and disaster recovery/business continuity respectively).