ISC2 Systems Security Certified Practitioner (SSCP) Practice Test

The requirement describes a control that is applied after the endpoint has already been admitted to the network; it must continue to monitor the device's health and, if the posture changes, dynamically enforce a different policy (for example by moving the host to a remediation or quarantine VLAN). This is a classic post-admission control implemented through periodic or continuous posture assessment combined with dynamic VLAN assignment. One-time pre-admission checks, port-based MAC limits, or link-layer encryption all occur either before admission or focus on different security objectives, and they do not provide ongoing health verification or automated quarantine.

TACACS+ encrypts the entire payload of the authentication packet, supports per-command authorization decisions, and records detailed accounting information, meeting the engineer's encryption, authorization, and logging needs. RADIUS only encrypts the user's password, cannot perform command-by-command authorization, and provides less granular accounting, so it falls short of the stated requirements.

Encapsulating an IP packet with IPsec ESP adds 20-70 bytes of header and trailer information. If the original packet is already near the path MTU (often 1500 bytes on Ethernet), the extra overhead pushes the frame size above the MTU. Because the original packet usually carries the Don't Fragment (DF) bit, intermediate routers cannot fragment the now-larger packet. They instead send ICMP Type 3 Code 4 ("fragmentation needed") messages, which many firewalls or hosts ignore. The result is that large packets are repeatedly dropped, while smaller ones pass. Lowering the MSS or enabling proper Path-MTU discovery on the VPN devices addresses the problem. Phase-1 mode selection, PFS settings, and tunnel-versus-transport mode choices do not cause size-related drops; they affect security strength or header exposure but not fragmentation behavior.

The company remains the data controller under GDPR and must keep the personal data inside the European Economic Area unless additional transfer safeguards are in place. Using only EU Regions such as eu-central-1 or eu-west-1 meets data-residency expectations. Encrypting the data with customer-managed AWS KMS keys that are also restricted to those Regions safeguards confidentiality and allows the controller to delete the keys later, which renders the data permanently unreadable and can fulfil the GDPR right to erasure. AWS acts as the data processor, and its GDPR Data Processing Addendum is automatically part of the AWS Service Terms, so no separate signature is required (although the customer can request a signed copy). The other options either move data outside the EU, rely on an invalid transfer mechanism, prevent deletion with Object Lock Compliance mode, or incorrectly shift the controller role to AWS, so they fail to meet GDPR obligations.

Unlike natural disasters that threaten facilities or infrastructure, a pandemic principally affects the availability of people. Best-practice guidance from NIST and DHS recommends identifying minimum staffing levels and ensuring that multiple, qualified individuals can perform each mission-critical task. Cross-training staff (and documenting procedures) mitigates the risk that illness will remove all individuals who know how to run or restore key systems. Arranging a hot site, installing generators, or changing backup cycles help with physical or data loss scenarios but do little to address the primary pandemic risk-human resource shortages.

Creating separate VPCs for development and production gives each environment an independent, non-overlapping IP space and its own routing and security boundaries, delivering the strongest form of logical segmentation at Layer 3. A VPC itself is free, and VPC peering has no hourly cost; you only pay for data that crosses the link. By attaching restrictive route-table entries and security-group rules to the peering connection, you can allow just the necessary CI/CD ports while denying all other traffic.

Placing dev and prod in different subnets with distinct network ACLs still leaves them in the same VPC, so misconfigurations (for example, overly permissive route tables) could expose prod resources, and stateless ACLs require duplicate in/out rules, increasing operational effort. Simply changing security groups keeps everything in one subnet, providing the weakest separation and a larger blast radius. Deploying AWS Network Firewall would achieve segmentation but adds additional service cost and management overhead that the scenario seeks to avoid.

Amazon S3 Glacier Flexible Retrieval delivers the lowest $/GB cost of the Glacier classes other than Deep Archive, and it supports Expedited retrievals that return individual objects in 1-5 minutes-well under the 15-minute service-level goal. S3 Glacier Deep Archive is cheaper per-GB but only offers bulk and standard retrievals that take hours, so it fails the time requirement. S3 Standard-IA and S3 Glacier Instant Retrieval provide much faster access, but both cost significantly more per-GB than Glacier Flexible Retrieval. Therefore, storing the data directly in S3 Glacier Flexible Retrieval and using Expedited retrievals when audits occur is the most cost-effective solution that satisfies the retrieval-time constraint without requiring on-premises tape management.

Forensic reporting standards such as NIST SP 800-86 and ISO/IEC 27037 stress that conclusions must be based solely on verifiable facts. The analyst should reference specific evidence (log entries, timestamps, hash values) and clearly separate these factual observations from any interpretations. Attributing intent without corroborating proof, front-loading opinions, or oversimplifying by stripping necessary technical detail may introduce bias or reduce accuracy, undermining the report's objectivity and legal defensibility.

Mutual TLS at Amazon API Gateway authenticates each calling device and encrypts the session, providing strong protection for PHI in transit. Decrypting the payload only inside a private Lambda function and immediately re-encrypting it with a customer-managed AWS KMS key (SSE-KMS) limits plaintext exposure to trusted code while giving the organization control over the key, detailed CloudTrail logging, and the ability to enable automatic annual key rotation. The other options fail to meet one or more requirements: relying on SSE-S3 does not give customer key control, hard-coding client-side keys impedes secure rotation, and using an IPsec VPN without TLS or encryption at rest would violate HIPAA safeguards.

SMTP uses TCP port 25 for transferring email between mail transfer agents on the Internet. Opening this port in the outbound firewall rule allows the organization's application servers to establish SMTP sessions with external mail servers. POP3 (port 110) and IMAP (port 143) are used by clients retrieving mail, not by servers sending it. DNS typically uses port 53 and is unrelated to SMTP message delivery.

Once management declares a disaster, the business-continuity plan moves from preparation into the activation and relocation phase. The highest priority is to restore availability of critical services by transferring processing to the predefined alternate site that is already equipped and ready-typically a hot site in another geographic region. Beginning restorations at the damaged facility delays recovery and may be impossible while utilities are offline. Halting network connectivity or waiting for structural clearance does nothing to maintain service availability and therefore are not appropriate first steps under the BCP.

A compensating control must deliver security that is equivalent to, or stronger than, the original requirement when the prescribed control cannot be implemented. Because the legacy operating system cannot perform native filesystem or transparent database encryption, the most effective alternative is to modify the application so it encrypts sensitive payroll fields before they are written to disk. This ensures the data is actually stored in ciphertext, satisfying the policy's encryption-at-rest mandate. Simply restricting network access, enforcing stronger passwords, or backing up to encrypted media may reduce other risks, but none of those options guarantee that the data residing on the legacy server itself is encrypted, so they do not fully meet the stated requirement.

EAP-TLS uses X.509 certificates on both the supplicant and the authentication server, creating a mutually authenticated TLS tunnel before any user credentials are exchanged. Because authentication relies on asymmetric keys stored in the certificates, no password-based challenge is exposed, eliminating the possibility of offline password-cracking attacks. PEAP and EAP-FAST rely on tunneled password methods and only require a server certificate, providing less assurance. EAP-MD5 offers only one-way authentication and transmits a hash that is vulnerable to dictionary attacks, making it unsuitable for secure wireless deployments.

An Access Control List (ACL) applied through the native host-based firewall (such as iptables or nftables on Linux) allows restriction of inbound traffic at the network layer. By explicitly permitting TCP 8443 only from 192.168.10.0/24, permitting TCP 80 from all internal networks, and dropping all other unsolicited traffic, the server enforces the required segmentation while honoring least privilege. VLAN re-architecture or hardware firewalls add components the constraint disallows. Client certificates or file permissions control authentication or data access after the connection but do not block unwanted network connections, so they do not satisfy the policy.

AWS Artifact is the AWS self-service portal for on-demand access to AWS compliance documentation, including SOC 1/SOC 2 reports, ISO 27001 certifications, and other third-party audit attestations. By downloading the reports directly from AWS Artifact, the company's auditors can verify that the cloud provider's controls meet regulatory standards without relying on the SaaS vendor.

• AWS CloudTrail supplies account-level API activity logs, not independent compliance attestations.
• AWS Config records and evaluates resource configurations but does not provide external audit reports.
• AWS Security Hub aggregates security findings from multiple sources but does not distribute AWS's formal compliance certifications. Therefore, AWS Artifact is the appropriate choice for obtaining third-party audit documentation.

A compensating control provides an alternative safeguard when the preferred control (upgrading the application to support TLS 1.2) is not immediately feasible. Terminating incoming sessions on an Application Load Balancer that is configured with a TLS 1.2-only security policy ensures every client negotiates the required protocol. The load balancer can then re-encrypt traffic to the backend with TLS 1.0, allowing the legacy application to operate unchanged while satisfying the policy for external connections.

AWS Network Firewall cannot reliably drop traffic based on the negotiated TLS version because the TLS handshake is encrypted after the ClientHello, and version filtering is not a supported feature. Encrypting EBS volumes protects data at rest and does nothing for in-transit requirements. Restricting the instance's outbound access addresses egress control, not the mandated minimum TLS version for inbound client sessions. Therefore, using an Application Load Balancer for TLS 1.2 termination is the appropriate compensating control.

A mantrap is a small vestibule with two interlocking doors. Each door is controlled by an access mechanism (such as a badge reader or biometric scanner), and only one door can be unlocked at any moment. An individual must authenticate to open the first door, step inside, let it close, then authenticate again to open the second door. Because the space holds only one person at a time and the second door will not open until the first is secured, mantraps are specifically designed to prevent piggybacking or tailgating into sensitive areas.

Closed-circuit television (CCTV) provides monitoring but does not physically stop unauthorized entry. A biometric time clock records attendance but does not control access or prevent multiple people from entering together. Visitor logbooks and badges establish accountability but rely on human enforcement and do not enforce single-person entry. Therefore, the mantrap is the only option that directly meets the stated requirement.

Mandatory Access Control (MAC) enforces system-wide policies defined and maintained centrally by a security authority, not by resource owners or local administrators. Objects receive fixed classification labels and subjects receive matching clearance labels; the operating system evaluates every request against these labels, so the rules remain intact even when data is moved.

Discretionary Access Control allows owners or administrators to change ACLs, violating the "no exceptions" requirement.

Role-Based Access Control ties permissions to job roles, but administrators can still alter role memberships or object permissions.

Attribute-Based Access Control is flexible but, like RBAC, relies on modifiable policies and is not designed specifically to enforce unchangeable classification labels.

Network-based DLP appliances identify sensitive data by examining packet payloads. When traffic is protected by TLS, those payloads are encrypted and unreadable to the DLP unless decryption occurs before inspection. Forwarding clear-text streams from an inline SSL/TLS-terminating device (such as a proxy or firewall performing SSL inspection) lets the DLP apply its content-matching policies and, if necessary, actively block the session. Merely mirroring encrypted traffic to a passive sensor, relying on flow records, or integrating with directory services does not provide the content visibility required to discover payment data in motion or to prevent its egress.

A browser-based virtual desktop infrastructure (VDI) session renders the desktop inside the data center and transmits only display information to the contractor. Because files never leave the controlled environment, source code cannot be stored on personal devices, and malware on those devices is isolated from the production network. VDI pools can be rapidly provisioned and de-provisioned, meeting the short engagement timeline. In contrast, any form of VPN (client-based, clientless, or site-to-site) extends the corporate network to unmanaged endpoints or allows file downloads, increasing data-loss risk and complicating onboarding and off-boarding.