Free ISC2 Certified in Cybersecurity CC Practice Exam: ISC2 Certified in Cybersecurity

Try 100 free ISC2 Certified in Cybersecurity (ISC2 Certified in Cybersecurity CC) questions across the exam domains, with explanations, then continue with IT Mastery practice.

This free full-length ISC2 Certified in Cybersecurity CC practice exam includes 100 original IT Mastery questions across the exam domains.

These are original IT Mastery practice questions. They are not official ISC2 questions, copied live-exam content, or exam dumps. Use them to preview question style and explanation depth before continuing with mixed sets, topic drills, and timed mocks in IT Mastery.

Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.

Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.


Exam snapshot

  • Practice target: ISC2 Certified in Cybersecurity CC
  • Practice-set question count: 100
  • Time limit: 120 minutes
  • Practice style: mixed-domain diagnostic run with answer explanations

Full-length exam mix

Domain weights:

  • Security Principles: 24%
  • Security Governance: 17.3%
  • Identity and Access Management Concepts: 20%
  • Networking and Cloud Security Concepts: 21.3%
  • Security Operations and Incident Response: 17.3%

Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and interactive practice.

Practice questions

Questions 1-25

Question 1

Topic: Security Principles

A junior security analyst discovers that a coworker copied customer data to a personal cloud account to finish work from home. The coworker asks the analyst not to report it because the data was not shared publicly. Which action best reflects professional and ethical conduct?

Options:

  • A. Report the issue through approved internal channels

  • B. Ignore it because no public disclosure occurred

  • C. Post a warning about the coworker on social media

  • D. Ask the coworker to delete it without documenting anything

Best answer: A

Explanation: Professional and ethical security conduct requires honesty, lawful behavior, and responsible handling of potential data exposure. Customer data copied to an unauthorized personal account is a security and privacy concern even if it was not posted publicly. The analyst should follow the organization’s approved reporting or escalation process so the issue can be assessed, contained, documented, and handled fairly. Acting alone, hiding the issue, or making a public accusation can increase risk and damage trust.

The key takeaway is to protect the public and the organization through responsible, authorized action.

  • No public disclosure is not enough to dismiss the event because unauthorized storage can still violate policy or law.
  • Undocumented deletion may hide evidence and prevent proper assessment, notification, or corrective action.
  • Social media exposure is unprofessional and may create additional privacy, legal, and reputational harm.

Question 2

Topic: Identity and Access Management Concepts

A contractor’s engagement ended on Friday, and the company’s procedure requires removing the contractor’s application access the same day. During an access review, which evidence best confirms the access was removed after the lifecycle event?

Options:

  • A. HR notice showing the contractor’s end date

  • B. Manager email approving future access removal

  • C. Security awareness record for the contractor

  • D. IAM audit log showing the account disabled after termination

Best answer: D

Explanation: For deprovisioning, the strongest evidence confirms that access actually changed after the lifecycle event, not merely that removal was requested or that the event occurred. An IAM audit log showing the account was disabled provides direct evidence that the identity’s access was removed. Even stronger evidence could include removal from groups or applications, but the key point is that the record must show the completed access-removal action. HR records and approvals may trigger the process, but they do not prove access was removed.

  • HR notice proves the lifecycle event occurred, but not that any account or entitlement was changed.
  • Manager approval supports authorization for removal, but it does not confirm completion.
  • Awareness training is unrelated to whether application access was deprovisioned.
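The evidence distinction in this explanation can be checked mechanically. The following is an added example, not code from the page or from ISC2: it parses a constructed IAM audit log, finds the contractor's lifecycle end event, and reports whether an account-disable action is recorded after it and within the same-day deadline. The log format, account names, action names and timestamps are all constructed for illustration.

```python
"""Added example (not from the page or ISC2): confirming deprovisioning
from an IAM audit log.

The HR end date proves the lifecycle event happened; only an IAM entry
showing the account disabled after that event proves access was removed.
All identifiers, log lines and timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed CSV-style IAM audit log: timestamp, actor, action, target.
SAMPLE_IAM_LOG = """\
2024-05-10T09:02:11Z,iam-admin,PASSWORD_RESET,contractor.jdoe
2024-05-10T17:45:03Z,hr-system,TERMINATION_RECORDED,contractor.jdoe
2024-05-10T18:10:27Z,iam-admin,ACCOUNT_DISABLED,contractor.jdoe
2024-05-11T08:00:00Z,iam-admin,GROUP_REMOVED,contractor.asmith
"""


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    action: str
    target: str


def parse_iam_log(text: str) -> list[AuditEvent]:
    """Parse the constructed log into AuditEvent records (UTC timestamps)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(when, actor, action, target))
    return events


def lifecycle_end(events: list[AuditEvent], account: str) -> datetime:
    """Return when the lifecycle event (termination) was recorded for the account."""
    for e in events:
        if e.target == account and e.action == "TERMINATION_RECORDED":
            return e.when
    raise ValueError(f"no lifecycle end event for {account}")


def deprovisioning_evidence(events: list[AuditEvent], account: str,
                            end_date: datetime, deadline_hours: int = 24) -> dict:
    """Return the evidence an access reviewer needs: was the account disabled
    after the lifecycle event, and was it done within the policy deadline?"""
    disables = sorted(
        (e for e in events if e.target == account and e.action == "ACCOUNT_DISABLED"),
        key=lambda e: e.when,
    )
    # Only a disable recorded at or after the lifecycle event counts as evidence
    # that access was removed in response to it.
    after_end = [e for e in disables if e.when >= end_date]
    if not after_end:
        return {"removed": False, "evidence": None,
                "within_deadline": False, "hours_after_end": None}
    first = after_end[0]
    hours = (first.when - end_date).total_seconds() / 3600
    return {"removed": True, "evidence": first,
            "within_deadline": hours <= deadline_hours,
            "hours_after_end": round(hours, 2)}


if __name__ == "__main__":
    evs = parse_iam_log(SAMPLE_IAM_LOG)
    end = lifecycle_end(evs, "contractor.jdoe")
    print(deprovisioning_evidence(evs, "contractor.jdoe", end))
    print(deprovisioning_evidence(evs, "contractor.asmith", end))
```

A group removal or password reset is not counted as removal evidence; the check looks only for the completed disable action, which is the point the explanation makes about HR notices and approvals.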

Question 3

Topic: Security Governance

An organization runs a customer portal on two active servers behind a load balancer. If one server fails, the other server continues processing customer requests without waiting for data to be restored from backup. Which business continuity concept does this describe?

Options:

  • A. Redundancy

  • B. Restoration

  • C. Archiving

  • D. Backup

Best answer: A

Explanation: Redundancy supports availability by providing duplicate or alternate components that can keep a service running during a failure. In the scenario, the second active server is already available to handle traffic if the first server fails, so the goal is continued operation, not later recovery. Backups and restoration are still important business continuity and disaster recovery practices, but they usually address recovering data or systems after disruption rather than preventing service interruption at the moment of failure. The key distinction is whether the control keeps operations going now or helps bring them back later.

  • Restoration fails because it is the process of returning data or systems to operation after an outage or loss.
  • Backup fails because it creates recoverable copies, but it does not by itself keep the portal running during a server failure.
  • Archiving fails because it is mainly for long-term retention and retrieval, not immediate service continuity.

Question 4

Topic: Identity and Access Management Concepts

A small organization has only one on-call administrator overnight. During outages, that administrator may need to approve and perform an emergency privileged change. Management accepts this limitation but requires an independent manager to examine the change record and activity logs the next business day. Which concept does this requirement best illustrate?

Options:

  • A. Account deprovisioning

  • B. Mandatory access control

  • C. Compensating review

  • D. Role-based provisioning

Best answer: C

Explanation: Separation of Duties (SoD) reduces the risk that one person can complete a sensitive action without oversight. In small teams or emergency situations, perfect SoD may not be practical because the same person may need to approve or perform a privileged action. A compensating review adds detective oversight, such as checking logs, tickets, or change records after the action, to reduce the risk of misuse or error. It does not replace SoD in every situation, but it is a reasonable compensating measure when strict separation cannot be achieved.

  • Mandatory access control fails because it is about centrally enforced access rules, not post-action oversight.
  • Role-based provisioning fails because it grants access based on job role, but it does not address the emergency approval gap.
  • Account deprovisioning fails because it removes access when it is no longer needed, not when privileged work needs later review.

Question 5

Topic: Networking and Cloud Security Concepts

A company keeps point-of-sale systems, employee laptops, and guest Wi-Fi on the same flat network. During a malware incident on one guest device, security staff are concerned that unauthorized access could easily reach payment systems. Which control best limits the spread or reach of that unauthorized access?

Options:

  • A. Require annual security awareness training for employees

  • B. Increase password length for guest Wi-Fi users

  • C. Install privacy screens on point-of-sale terminals

  • D. Place payment systems in a separate VLAN with firewall rules

Best answer: D

Explanation: Segmentation limits how far unauthorized access can move by separating systems into zones, VLANs, or smaller network segments and controlling traffic between them. In this scenario, guest Wi-Fi is a less trusted area, while payment systems are sensitive assets. Placing payment systems in a separate VLAN and enforcing firewall rules reduces the chance that a compromised guest device can directly reach them. Training, physical privacy controls, and stronger guest Wi-Fi passwords may help other risks, but they do not create a network boundary around the payment systems.

  • Awareness training helps reduce risky behavior but does not technically restrict network reach.
  • Privacy screens protect visual confidentiality, not lateral movement across a network.
  • Longer Wi-Fi passwords may reduce unauthorized Wi-Fi use but do not isolate payment systems from guest devices already connected.

Question 6

Topic: Security Principles

A small clinic stores patient records on a file server in a locked office. Management wants to reduce the chance of unauthorized access after a recent lost-key incident. The clinic has a limited budget and wants a practical approach that does not rely on one safeguard alone. Which action is the BEST fit?

Options:

  • A. Require a longer password for all staff accounts

  • B. Post a warning sign near the file server room

  • C. Replace the office lock with a stronger lock

  • D. Use door locks, unique user accounts, and access reviews

Best answer: D

Explanation: Layered controls, often called defense in depth, reduce risk by using multiple safeguards that support each other. In this scenario, a stronger door lock helps protect the room, but it does not address inappropriate account access or ongoing permission changes. Unique user accounts add accountability and access control, while access reviews help confirm that only authorized staff retain access. Combining control types is stronger because one control can fail or be bypassed without leaving the asset completely unprotected.

A single physical, technical, or administrative safeguard may help, but it is weaker than a coordinated set of controls matched to the risk.

  • A stronger lock alone improves physical security but still relies on one safeguard after a lost-key issue.
  • Longer passwords alone improve account security but do not address physical access to the server room.
  • A warning sign alone is a weak administrative deterrent and does not prevent unauthorized access.

Question 7

Topic: Networking and Cloud Security Concepts

A company hosts an internal payroll application on a private network. Any device connected to the office LAN can reach the application, and managers assume the LAN is trusted. A recent malware alert came from an employee laptop on the same LAN. What is the best action to reduce unnecessary risk?

Options:

  • A. Trust only devices connected through the corporate VPN

  • B. Require verified user and device access with segmentation

  • C. Add a stronger firewall only at the Internet edge

  • D. Allow access because the application is not Internet-facing

Best answer: B

Explanation: Zero Trust addresses the unsafe assumption that an internal network is automatically trustworthy. In this scenario, malware on one employee laptop could move toward the payroll application because network location alone grants reachability. A better approach is to verify the user and device, enforce least privilege, and segment the payroll application so only approved roles and healthy devices can access it. This is defense in depth because it adds internal controls rather than relying only on the outer network boundary.

The key takeaway is that private or internal does not mean safe; access should be continuously controlled based on identity, device state, and business need.

  • Internal-only access fails because private network placement does not protect against compromised internal devices.
  • Internet-edge firewall helps at the perimeter but does not limit movement from a compromised device already on the LAN.
  • VPN trust repeats the same mistake by treating network location as sufficient proof of trust.

Question 8

Topic: Networking and Cloud Security Concepts

A small company is comparing cloud options for a customer portal. The security team must assign patching and configuration responsibilities before migration. The current design uses IaaS virtual machines, but the business is also considering a PaaS application platform or a SaaS portal. Which responsibility model is the BEST fit?

Options:

  • A. IaaS: customer manages hardware; PaaS: customer manages hypervisor; SaaS: customer manages middleware

  • B. IaaS: provider manages data; PaaS: provider manages users; SaaS: customer manages OS

  • C. IaaS: customer manages OS; PaaS: provider manages OS; SaaS: provider manages application

  • D. IaaS: provider manages all security; PaaS: customer manages all security; SaaS: shared equally

Best answer: C

Explanation: The cloud shared responsibility model changes with the service model. In IaaS, the provider manages the physical data center, network, and underlying virtualization, while the customer commonly manages the guest operating system, applications, identities, and data. In PaaS, the provider takes on more responsibility, including the operating system and platform runtime, while the customer still manages its application code, access, configuration, and data. In SaaS, the provider manages the application and most underlying technology, while the customer focuses on users, data, permissions, and secure use. The key takeaway is that responsibility does not disappear in cloud; it shifts depending on how much of the stack the provider delivers.

  • “Provider manages data” is misleading because customers remain responsible for appropriate data use, classification, and access in cloud services.
  • “Customer manages hardware” is incorrect because cloud providers manage physical infrastructure across IaaS, PaaS, and SaaS.
  • All-or-nothing security fails because cloud security is shared, but the split changes by service model.

Question 9

Topic: Identity and Access Management Concepts

A small company already uses multifactor authentication for employee sign-ins. Auditors now ask for evidence that application access is approved by data owners, reviewed quarterly, and removed when employees change roles. Which action is the best fit for this need?

Options:

  • A. Implement identity governance workflows for access reviews and approvals

  • B. Require longer passwords for all applications

  • C. Block sign-ins after three failed attempts

  • D. Add a second authentication factor to every login

Best answer: A

Explanation: Identity governance focuses on managing and proving who should have access, who approved it, and whether access remains appropriate over time. In this scenario, sign-in protection already exists through multifactor authentication. The audit need is governance evidence: owner approval, periodic review, and access removal after role changes. Those are supported by identity governance processes or tools such as access requests, approvals, access certification, and deprovisioning workflows.

Authentication controls verify that a user is who they claim to be at login. They do not, by themselves, prove that the user’s access was approved, reviewed, or still appropriate.

  • Password strength improves authentication but does not provide access-owner approval or quarterly review evidence.
  • More MFA strengthens login verification, but the scenario already has MFA and needs governance support.
  • Failed-login lockout helps resist guessing attacks, but it does not manage access approvals or lifecycle changes.

Question 10

Topic: Security Governance

A company’s help desk reports that several employees approved unexpected MFA push notifications after receiving urgent-looking text messages claiming their accounts would be disabled. The security team wants to reduce this behavior quickly without disrupting normal work. Which awareness approach is the BEST fit?

Options:

  • A. Advanced malware analysis training for help desk staff

  • B. Targeted microtraining on MFA fatigue and suspicious texts

  • C. A technical firewall rule blocking all text messages

  • D. Annual policy acknowledgment for all employees

Best answer: B

Explanation: Security awareness should match the audience, risky behavior, and urgency. Here, employees are approving unexpected MFA prompts after social engineering by text message, so the best fit is targeted microtraining that explains MFA fatigue, smishing clues, and the expected response, such as denying unknown prompts and reporting the message. This approach is quick, behavior-focused, and directly tied to the observed risk. Broad annual acknowledgments may support compliance, but they are too general to change an active risky behavior quickly. Deep technical training or unrelated technical controls would not address the employee decision that enabled the issue.

  • Annual acknowledgment may document policy awareness, but it is too broad and passive for an active MFA-prompt behavior problem.
  • Malware analysis training is too technical and aimed at a different skill set than everyday user awareness.
  • Blocking text messages is not a realistic awareness approach and would not teach users how to handle unexpected MFA prompts.

Question 11

Topic: Identity and Access Management Concepts

A company is deprovisioning a departing administrator. The team discovers that a shared maintenance account is used by several admins, and multiple service accounts run scheduled jobs but have no documented owners. The goal is to remove the person’s access without disrupting approved business processes. Which action is BEST?

Options:

  • A. Inventory dependencies, assign account owners, then revoke or rotate access

  • B. Disable all shared and service accounts immediately

  • C. Wait until the next scheduled access review

  • D. Change only the departing administrator’s named account password

Best answer: A

Explanation: Shared accounts make deprovisioning difficult because activity and credential possession cannot be tied to one person. If a departing user knew a shared password, disabling only that user’s named account does not remove their effective access. Orphaned service accounts add another problem: without an owner, the organization may not know which business process depends on the account or who can approve changes. The best fit is to identify dependencies, assign accountable owners, and then revoke, rotate, or replace access in a controlled way. Immediate disabling may remove risk quickly, but it can also break valid jobs or services without confirming impact.

  • Immediately disabling all shared and service accounts may interrupt approved scheduled jobs because dependencies and owners are unknown.
  • Changing only the named account’s password misses any shared password the departing administrator may still know.
  • Waiting for the next scheduled review leaves a known deprovisioning gap active longer than necessary.

Question 12

Topic: Identity and Access Management Concepts

A department is reorganized, and several employees now perform different duties. Managers disagree about which access each new position should have. Which IAM action best addresses the unclear responsibilities before changing user permissions?

Options:

  • A. Update documented role definitions with owner approval

  • B. Postpone changes until the next password reset

  • C. Copy permissions from the previous team structure

  • D. Let each employee request needed access individually

Best answer: A

Explanation: When responsibilities change or are unclear, IAM should start by clarifying and documenting roles, ownership, and approval authority. Role definitions connect job duties to appropriate access, supporting least privilege and consistent provisioning. Owner approval is important because business or system owners are accountable for deciding what access is appropriate for a role. After roles are clarified, permissions can be provisioned, modified, or removed based on the updated role expectations.

Copying old permissions or relying only on individual requests can preserve excessive or mismatched access. The key takeaway is to define the role first, then adjust access to match it.

  • Old permissions may no longer match the reorganized duties and can carry forward unnecessary access.
  • Individual requests can be useful later, but they do not resolve unclear role responsibilities or ownership.
  • Password reset timing is unrelated to defining job roles or authorizing permissions.

Question 13

Topic: Security Governance

A small retailer has budget for one security improvement this quarter. The network team prefers replacing older but supported switches. A risk review shows the online payment database stores customer payment data, supports most revenue, and has overdue user access reviews. Which control should the security manager recommend first?

Options:

  • A. Add badge readers to the server room

  • B. Replace the older supported switches first

  • C. Complete a risk-based access review for the payment database

  • D. Send a general password awareness email

Best answer: C

Explanation: Security governance links control decisions to business risk, not to isolated technical preference. The payment database has clear business impact because it stores sensitive payment data and supports revenue. Overdue access reviews create a specific governance risk: users may retain access they no longer need. A risk-based access review, with remediation of inappropriate access, is the best first control because it targets the asset and weakness that matter most to the business.

Older supported switches, physical access improvements, and general awareness may be useful, but they are not the best response to the stated risk.

  • Replacing the supported switches fails because their age is not shown to create the highest business risk.
  • Badge readers fail because the stated weakness is user access governance, not server room entry.
  • A general awareness email is weaker because it does not specifically reduce excessive access to the payment database.

Question 14

Topic: Security Governance

A small company is preparing for a compliance review. The security lead must show each identified risk, the control intended to reduce it, any approved exception, and the evidence collected for the reviewer. Which GRC tool or artifact best supports this requirement?

Options:

  • A. Risk and control register

  • B. Firewall rule set

  • C. Security awareness calendar

  • D. Incident response playbook

Best answer: A

Explanation: A risk and control register, often managed in a GRC tool, is designed to connect governance information that must be tracked over time. It can record identified risks, the controls that address them, control owners, exception approvals, due dates, status, and evidence collected for audits or compliance reviews. This supports traceability: a reviewer can see what risk exists, what control is expected, whether an exception was approved, and what proof supports the control. Operational artifacts such as firewall rules or incident playbooks may support security work, but they do not provide the governance-level tracking requested in the scenario.

  • Firewall rules are technical controls, but they do not track risk ownership, exceptions, and review evidence across the program.
  • Awareness calendars help schedule training, but they do not map risks to controls or store compliance evidence.
  • Incident playbooks guide response actions, but they are not the primary artifact for tracking GRC risk and control status.

Question 15

Topic: Networking and Cloud Security Concepts

A company uses a SaaS email platform. Its policy requires cloud security responsibilities to be clearly assigned and reviewed. During an internal audit, the team must provide evidence that responsibility for user access to the SaaS platform is assigned and managed appropriately. Which evidence is the BEST fit?

Options:

  • A. A list of all employees who use cloud services

  • B. A responsibility matrix with access owner, review dates, and completed review results

  • C. A network diagram showing the company’s internet connection

  • D. A vendor brochure describing the SaaS provider’s security features

Best answer: B

Explanation: Shared security responsibility means the cloud provider and customer each have defined duties. In a SaaS model, the provider manages much of the platform, but the customer commonly remains responsible for user access decisions, approvals, and reviews. Strong audit evidence should show both assignment and management: a named owner or role, what responsibility they own, and records that the control was performed, such as access review dates and results.

A document that only describes technology or users may be useful context, but it does not prove the responsibility was assigned or managed. The key takeaway is that evidence should connect the responsibility to an owner and show follow-through.

  • Provider brochure describes available features, but it does not prove the company assigned or reviewed its own access responsibilities.
  • Network diagram may support connectivity understanding, but it does not address SaaS user access ownership.
  • Employee list identifies users, but it does not show access approval, review, or responsibility ownership.

Question 16

Topic: Security Operations and Incident Response

A small company updated its Incident Response Plan after a recent phishing report. The security manager wants to practice who declares an incident, who contacts leadership, and how key containment decisions are made, without disrupting production systems. Which activity is the best fit?

Options:

  • A. Perform a full system restore

  • B. Conduct a tabletop exercise

  • C. Run a vulnerability scan

  • D. Launch a red team engagement

Best answer: B

Explanation: A tabletop exercise is a discussion-based incident response exercise. Participants use a realistic scenario to practice responsibilities, decision points, escalation paths, and communication before a real incident occurs. It is especially useful when the goal is to validate that people understand their roles in the Incident Response Plan without causing operational disruption.

More technical tests, such as scans, restores, or adversary simulations, may be useful for other objectives, but they do not primarily exercise response roles and decision-making in a low-risk setting.

  • Vulnerability scanning identifies weaknesses, but it does not practice incident declaration, escalation, or leadership communication.
  • System restore testing validates recovery capability, but the stem focuses on response roles and decisions.
  • Red team engagement simulates adversary behavior, but it is more intrusive and advanced than needed for a role-based discussion exercise.

Question 17

Topic: Security Principles

A security manager approves a policy requiring quarterly access reviews and ensures system owners complete and document those reviews. Which concept is best demonstrated by the manager’s actions?

Options:

  • A. Separation of Duties (SoD)

  • B. Non-repudiation

  • C. Due diligence

  • D. Due care

Best answer: C

Explanation: Due diligence means actively checking, verifying, and documenting that reasonable security measures are implemented and working. In this scenario, the manager is not just stating that access should be reviewed; the manager ensures reviews are completed and documented. Due care is the broader responsibility to act reasonably and responsibly, such as creating appropriate policies or applying expected safeguards. Due diligence is the follow-through that shows those responsibilities were actually performed.

  • Due care is tempting because the access-review policy is responsible behavior, but the emphasis is on verifying and documenting follow-through.
  • Non-repudiation concerns proof that an action or transaction cannot later be denied.
  • Separation of Duties reduces conflict of interest by splitting sensitive tasks among different people.

Question 18

Topic: Security Principles

During a privacy review, a manager needs evidence that a signed-in employee actually opened a customer record. The evidence must show the user action, not just who the employee is or whether access was permitted. Which concept best matches this requirement?

Options:

  • A. Authentication

  • B. Identification

  • C. Authorization

  • D. Accounting

Best answer: D

Explanation: In access control, the common AAA concepts separate different kinds of evidence. Authentication provides evidence that a user is who they claim to be, such as a password or multi-factor check. Authorization determines what that authenticated user is allowed to do, such as read a customer record. Accounting captures what the user actually did, usually through logs or audit trails.

Here, the manager needs proof of an action: opening a customer record. That points to accounting or audit logging, not identity proof or permission assignment.

  • Authentication proves identity, but it does not prove that the user opened the record.
  • Authorization defines permission, but it does not show that the permitted action occurred.
  • Identification is a claimed identity, such as a username, before that identity is verified.

Question 19

Topic: Security Operations and Incident Response

A small healthcare clinic sees repeated login attempts against its patient portal from new IP addresses. The security team has limited time and wants to decide which activity to investigate and block first. Which control best uses threat intelligence to support this decision?

Options:

  • A. Encrypt all stored patient records

  • B. Compare the source IPs with current threat intelligence indicators

  • C. Schedule a physical security walkthrough

  • D. Update the employee password policy next quarter

Best answer: B

Explanation: Cyber threat intelligence helps security teams interpret suspicious activity by adding context from known attacker behavior, indicators of compromise, affected sectors, and active campaigns. In this case, the team already has suspicious login attempts and limited time. Comparing the source IPs against current intelligence can help prioritize which events are more likely malicious and guide defensive actions such as blocking, monitoring, or escalation.

Encryption, physical inspections, and future policy updates may be useful controls in other situations, but they do not directly interpret the observed login activity or help prioritize immediate investigation.

  • Encrypting stored records does not help decide whether the current login sources are tied to known malicious activity.
  • A physical walkthrough addresses facility risks, not suspicious portal authentication behavior.
  • A delayed policy change may improve password practices later, but it is too indirect for immediate event prioritization.
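The prioritization step described above, as an added example that is not part of the page or of ISC2's material: constructed portal login records are grouped by source IP and ranked by whether the IP matches a constructed threat intelligence list (single IPs and CIDR ranges, each with a confidence level) and by how many failures it produced. The indicator feed, the addresses (RFC 5737 documentation ranges) and the log lines are all constructed and are not real indicators of compromise.

```python
"""Added example (not from the page or ISC2): triaging portal login
attempts against a threat intelligence indicator list.

Matching source IPs against known-bad indicators gives the team a
defensible order for investigation and blocking. All indicators, IPs
and log lines below are constructed, not real IoCs."""
import ipaddress
from collections import Counter

# Constructed threat-intel feed: indicator, confidence, campaign label.
SAMPLE_INDICATORS = [
    ("203.0.113.45", "high", "credential-stuffing-wave-A"),
    ("198.51.100.0/24", "medium", "scanner-botnet"),
]

# Constructed portal auth log: timestamp, source IP, username, result.
SAMPLE_AUTH_LOG = """\
2024-06-01T02:14:05Z 203.0.113.45 jsmith FAIL
2024-06-01T02:14:09Z 203.0.113.45 mjones FAIL
2024-06-01T02:15:40Z 198.51.100.77 jsmith FAIL
2024-06-01T02:16:02Z 192.0.2.10 jsmith OK
2024-06-01T02:20:11Z 192.0.2.88 rlee FAIL
"""

CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}


def load_indicators(rows):
    """Normalise indicators into ip_network objects (single IPs become /32)."""
    return [(ipaddress.ip_network(ind, strict=False), conf, label)
            for ind, conf, label in rows]


def match_indicator(ip_str, indicators):
    """Return (confidence, label) for the first indicator containing the IP, else None."""
    ip = ipaddress.ip_address(ip_str)
    for net, conf, label in indicators:
        if ip in net:
            return conf, label
    return None


def triage_logins(log_text, indicators):
    """Group attempts by source IP and rank them for investigation.

    Priority = 10 * intel confidence rank + number of failed attempts, so a
    known-bad source always outranks an unknown one, and within each tier
    the noisier source comes first."""
    failures, totals = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, _user, result = line.split()
        totals[ip] += 1
        if result == "FAIL":
            failures[ip] += 1
    rows = []
    for ip in totals:
        hit = match_indicator(ip, indicators)
        score = (CONFIDENCE_RANK[hit[0]] if hit else 0) * 10 + failures[ip]
        rows.append({"ip": ip, "failures": failures[ip],
                     "confidence": hit[0] if hit else None,
                     "intel": hit[1] if hit else None,
                     "priority": score})
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage_logins(SAMPLE_AUTH_LOG, load_indicators(SAMPLE_INDICATORS)):
        print(row)
```

The unknown sources are not dropped; they stay at the bottom of the list so the team can still review them once the intelligence-matched activity has been handled.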

Question 20

Topic: Networking and Cloud Security Concepts

A facilities team uses several IoT door controllers that run embedded software. The vendor no longer provides frequent patches, and the devices cannot run the organization’s standard endpoint management agent. The security team wants to reduce the chance that a compromised controller can reach other internal systems. What is the BEST action?

Options:

  • A. Rely on annual manual patch checks as the primary safeguard

  • B. Connect the controllers to the main user LAN for easier monitoring

  • C. Place the controllers on a segmented network with restricted firewall rules

  • D. Disable authentication to avoid lockout during outages

Best answer: C

Explanation: Embedded, ICS, and IoT devices are often difficult to patch, replace, or manage with standard endpoint tools. A foundational safeguard is to isolate them from general-purpose networks and allow only required traffic. Network segmentation, such as a dedicated VLAN or subnet with firewall rules, reduces lateral movement if a device is compromised. It does not fix the device, but it limits what the device can communicate with and makes monitoring more focused.

The key takeaway is to compensate for weak manageability with containment and only the connectivity the devices actually need.

  • Connecting the controllers to the user LAN increases exposure and makes lateral movement easier.
  • Disabling authentication weakens access control and does not address the patching limitation.
  • Annual manual patch checks may help with maintenance, but they are not enough as the primary protection for unpatchable or hard-to-manage devices.

Question 21

Topic: Identity and Access Management Concepts

A help desk analyst requests temporary administrator access to the HR database to troubleshoot a payroll issue. The database contains sensitive employee data, and company policy says privileged access requires approval from the system owner before it is granted. What is the BEST action?

Options:

  • A. Obtain system owner approval before granting access

  • B. Copy access from another HR administrator

  • C. Share an existing administrator account

  • D. Grant access because the request is temporary

Best answer: A

Explanation: Privileged or sensitive access should follow least privilege and an approval workflow. In this scenario, the analyst is requesting administrator access to a database containing sensitive employee data, and the policy explicitly requires system owner approval. The best action is to pause provisioning until the appropriate owner approves the request, then grant only the access needed for the task and time period. Temporary need does not remove the approval requirement. Shared accounts and copied access also weaken accountability and may grant more access than needed.

  • Temporary access still needs approval when the access is privileged and the policy requires it.
  • Copying access may over-provision privileges and bypass the access owner’s decision.
  • Shared admin accounts reduce accountability and conflict with proper identity management.

Question 22

Topic: Security Operations and Incident Response

A development team is planning a new customer portal that will handle personal information. Before coding begins, security wants to identify likely attack paths, trust boundaries, and design weaknesses so developers can change the architecture early. Which application testing activity best fits this need?

Options:

  • A. Vulnerability scanning

  • B. Dynamic analysis

  • C. Static analysis

  • D. Threat modeling

Best answer: D

Explanation: Threat modeling is best when the need is to reason about an application’s design before or early in development. It helps teams identify assets, trust boundaries, threat actors, misuse cases, and design weaknesses while changes are still cheaper to make. Vulnerability scanning is better for finding known weaknesses in deployed systems or components. Static analysis reviews source code or binaries without running the program. Dynamic analysis tests a running application for behavior and runtime issues. The key clue is that the portal is not coded yet and the concern is architecture and attack paths.

  • Vulnerability scanning is weaker here because it usually checks existing systems or components for known weaknesses.
  • Static analysis does not fit because there is no source code to review yet.
  • Dynamic analysis does not fit because it requires a running application to test behavior.

Question 23

Topic: Security Principles

A security analyst discovers that a new SaaS application is being used to store customer contact lists. The application is not in the asset inventory or risk register, and company policy requires systems that handle customer data to follow the risk management lifecycle before permanent approval. What is the best next activity?

Options:

  • A. Disable the application immediately

  • B. Wait for the next annual access review

  • C. Assess the likelihood and impact of the exposure

  • D. Accept the risk for the business owner

Best answer: C

Explanation: In the risk management lifecycle, discovery of a new asset, threat, vulnerability, or control gap should be followed by risk assessment or analysis. The team needs to determine what could go wrong, how likely it is, and what the impact would be, especially because customer data is involved. That assessment supports later decisions such as mitigation, transfer, avoidance, or acceptance by the proper risk owner. Immediate technical action may be needed for urgent danger, but the stem does not describe an active incident or confirmed compromise.

  • Business acceptance fails because risk acceptance should follow analysis and be made by an authorized risk owner.
  • Immediate shutdown may be too disruptive when no active incident or emergency condition is stated.
  • Annual review delay fails because customer-data systems require lifecycle handling before permanent approval.

Question 24

Topic: Networking and Cloud Security Concepts

A help desk team receives reports that users cannot reach an internal web application. The team wants a simple way to organize checks from physical connectivity through application behavior before deciding whether deeper packet analysis is needed. Which control or approach best meets this requirement?

Options:

  • A. Use the OSI model as a troubleshooting framework

  • B. Replace the web server certificate immediately

  • C. Create a new acceptable use policy

  • D. Start a full packet capture on all network segments

Best answer: A

Explanation: A network model such as the OSI model provides a structured way to troubleshoot connectivity and service problems. For this scenario, the team can check layers in order: cabling and links, addressing and routing, transport connectivity, and application behavior. This helps avoid random troubleshooting and does not require analyzing individual packets unless earlier checks suggest it is necessary.

Packet capture can be useful later, but it is a more detailed diagnostic step, not the best first organizing approach. The key takeaway is that network models help structure thinking and communication during troubleshooting.

  • Packet capture first is too detailed for the stated need and may be unnecessary before basic layered checks.
  • Certificate replacement targets one possible application-layer cause but ignores the need for a general troubleshooting structure.
  • Acceptable use policy is an administrative control and does not help diagnose a network access problem.

Question 25

Topic: Networking and Cloud Security Concepts

A small office is setting up a Wi-Fi network for employees. The owner wants a basic safeguard that helps prevent unauthorized people nearby from joining the network and helps protect wireless traffic. Which control best meets this need?

Options:

  • A. Hide the network SSID

  • B. Enable WPA3 or WPA2 with a strong passphrase

  • C. Increase the wireless signal strength

  • D. Disable automatic IP addressing

Best answer: B

Explanation: For a small Wi-Fi environment, a core safeguard is using a current version of Wi-Fi Protected Access, such as WPA3 or WPA2, with a strong unique passphrase. This helps restrict network access to people who know the authorized credential and encrypts traffic between wireless clients and the access point. It is a basic control suited to small offices and homes when enterprise authentication is not required.

Hiding the network name or changing IP settings may reduce casual visibility or convenience, but they do not provide reliable access protection. Increasing signal strength can make the network reachable from farther away, which may increase exposure.

  • SSID hiding is weak because the network name can still be discovered through normal wireless activity.
  • Disabling DHCP may make setup harder, but it does not authenticate users or encrypt Wi-Fi traffic.
  • Higher signal strength can expand coverage, but it does not protect access and may increase exposure.

Questions 26-50

Question 26

Topic: Security Operations and Incident Response

A security team keeps an approved baseline for workstation settings, compares devices against that baseline, and flags unauthorized drift from the expected state. Which concept does this describe?

Options:

  • A. Incident response

  • B. Configuration management

  • C. Change approval

  • D. Change tracking

Best answer: B

Explanation: Configuration management focuses on knowing and maintaining the approved state of systems, such as standard settings, installed components, and secure baselines. In the scenario, the key activity is comparing workstations to an approved baseline and identifying drift. Change approval is the decision process used before a proposed change is allowed, while change tracking records what changes were made, when, and by whom. The baseline and drift language points to configuration management rather than the approval or recordkeeping parts of change management.

  • Approval decision is not the focus because no proposed change is being accepted or rejected.
  • Change records are not the focus because the scenario does not describe logging who changed what and when.
  • Incident handling is too broad because the activity described is routine baseline control, not responding to a security event.
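The baseline-and-drift activity that distinguishes answer B is easy to show in code. The following added example (written for this page, not from IT Mastery or ISC2) compares constructed per-workstation settings against a constructed approved baseline and reports each deviation. The setting names, values, and device reports are assumptions; a real check would read the state from the endpoint or from an inventory agent's export.

```python
"""Flag unauthorized drift from an approved workstation baseline.

Illustrative example for this page. Baseline keys, values and the device
reports are constructed, not taken from any real management tool.
"""

# Constructed approved baseline: setting -> expected value.
BASELINE = {
    "disk_encryption": "enabled",
    "firewall": "enabled",
    "screen_lock_minutes": 10,
    "auto_update": "enabled",
    "local_admin_accounts": ["Administrator"],  # only these accounts may be local admins
}

# Constructed observed state per device, as an inventory agent might export it.
OBSERVED = {
    "WS-001": {"disk_encryption": "enabled", "firewall": "enabled",
               "screen_lock_minutes": 10, "auto_update": "enabled",
               "local_admin_accounts": ["Administrator"]},
    "WS-002": {"disk_encryption": "enabled", "firewall": "disabled",
               "screen_lock_minutes": 30, "auto_update": "enabled",
               "local_admin_accounts": ["Administrator", "tempadmin"]},
    # WS-003 never reported a screen-lock value at all.
    "WS-003": {"disk_encryption": "enabled", "firewall": "enabled",
               "auto_update": "enabled",
               "local_admin_accounts": ["Administrator"]},
}


def compare_to_baseline(baseline, observed):
    """Return drift findings for one device as
    (setting, kind, expected, observed) tuples. Kinds are:
    'missing'            - the device reported no value for the setting
    'mismatch'           - a scalar setting differs from the baseline
    'unexpected_entries' - a list setting contains entries not in the baseline
    """
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append((key, "missing", expected, None))
        elif isinstance(expected, list):
            extra = sorted(set(observed[key]) - set(expected))
            if extra:
                findings.append((key, "unexpected_entries", expected, extra))
        elif observed[key] != expected:
            findings.append((key, "mismatch", expected, observed[key]))
    return findings


def drift_report(baseline, fleet):
    """Map each device name to its list of drift findings (empty = compliant)."""
    return {name: compare_to_baseline(baseline, state) for name, state in fleet.items()}


if __name__ == "__main__":
    for device, findings in drift_report(BASELINE, OBSERVED).items():
        status = "compliant" if not findings else f"{len(findings)} drift finding(s)"
        print(f"{device}: {status}")
        for f in findings:
            print("   ", f)
```

The report is the configuration management output; deciding whether a flagged change was approved (change approval) and recording who made it and when (change tracking) are the separate change-management steps the explanation contrasts with it. Treating a missing value as a finding rather than silently passing it is deliberate: a device that cannot be measured against the baseline is not known to be compliant.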

Question 27

Topic: Security Principles

A nonprofit is starting a risk management effort for its donor database. The team inventories the database server, identifies ransomware and insider misuse as threats, notes missing security patches, and estimates the possible impact of donor data exposure. Which risk management lifecycle phase is the best fit for these activities?

Options:

  • A. Risk monitoring

  • B. Risk assessment

  • C. Risk acceptance

  • D. Risk treatment

Best answer: B

Explanation: Risk assessment is the lifecycle phase where an organization develops an understanding of risk before deciding what to do about it. In this scenario, the team is identifying the asset, possible threats, known vulnerabilities, and the business impact if the donor data is exposed. Those activities help estimate and prioritize risk. Risk treatment comes later, when the organization selects responses such as mitigation, transfer, avoidance, or acceptance. Monitoring comes after controls and decisions are in place to watch for changes over time. The key takeaway is that identifying and analyzing risk factors belongs to assessment, not response.

  • Risk treatment would involve choosing controls or responses, but the team has not selected a response yet.
  • Risk monitoring tracks risk and control effectiveness over time, rather than performing the initial identification and analysis.
  • Risk acceptance is a decision to tolerate a risk, not the process of finding assets, threats, vulnerabilities, and impact.

Question 28

Topic: Identity and Access Management Concepts

A company currently approves system access through informal email requests. Security wants access requests routed to the appropriate data owner, approvals recorded, deprovisioning tasks tracked, and reports available for periodic access reviews. Which IAM tool capability best supports this governance need?

Options:

  • A. Single sign-on capability

  • B. Multi-factor authentication capability

  • C. Password reset capability

  • D. Workflow, approval, and reporting capability

Best answer: D

Explanation: IAM governance needs evidence that access was requested, approved by the right authority, changed when needed, and reviewed over time. Workflow, approval, and reporting features help enforce those governance steps by routing requests, documenting decisions, tracking completion, and producing review reports. This does not replace authentication controls, but it supports accountability and least privilege across the identity lifecycle.

Authentication-focused features may improve login security or user convenience, but they do not by themselves prove that access was properly approved or reviewed.

  • Single sign-on reduces repeated logins, but it does not provide approval routing or access-review evidence by itself.
  • Multi-factor authentication strengthens authentication, but it does not govern who should receive access.
  • Password reset supports account recovery, but it does not track approvals, deprovisioning, or review reporting.

Question 29

Topic: Security Principles

A junior security analyst finds that an internet-facing application storing customer data has a critical vulnerability. The system owner says patching must wait for a future release, but the potential business impact is beyond the analyst’s approval authority. Which risk management concept best applies?

Options:

  • A. Risk transfer

  • B. Risk acceptance

  • C. Risk avoidance

  • D. Risk escalation

Best answer: D

Explanation: Risk escalation means raising a risk to someone with the authority to make or approve the decision. In this scenario, the analyst identified a serious vulnerability affecting customer data, but delaying remediation could create business impact beyond the analyst’s role. The analyst should not personally accept the risk or decide to defer treatment. The appropriate action is to escalate the risk to the system owner, risk owner, or management process defined by the organization. Risk treatment choices such as accepting, transferring, or avoiding the risk require proper authority.

  • Acceptance fails because accepting a significant risk requires approval from an authorized risk owner.
  • Transfer fails because shifting financial impact, such as through insurance, is not the immediate concept shown.
  • Avoidance fails because stopping the risky activity is a treatment option, not the authority issue in the scenario.

Question 30

Topic: Security Governance

An organization provides quarterly phishing awareness training. Leadership wants a metric that best shows whether the activity is effective at improving employee behavior, not just whether the training was delivered. Which metric best fits this requirement?

Options:

  • A. Percentage of employees assigned training

  • B. Change in simulated phishing report rate

  • C. Date the awareness policy was approved

  • D. Number of training slides published

Best answer: B

Explanation: Effectiveness metrics should show whether a control or awareness activity is producing the intended security outcome. For phishing awareness, the goal is usually to improve user behavior, such as recognizing and reporting suspicious messages. A simulated phishing report rate, especially tracked over time, provides evidence of behavior change. Delivery metrics, such as slides published or users assigned training, are useful for administration but do not prove that the activity reduced risk or improved response.

  • Published content shows that material exists, but it does not show whether employees learned or changed behavior.
  • Assigned training measures coverage or rollout, not whether users respond better to phishing attempts.
  • Policy approval supports governance, but it is not an effectiveness metric for the awareness activity.

Question 31

Topic: Security Principles

A finance team’s security goal is to keep vendor payment records accurate. During a review, an analyst finds that a vendor’s bank account number was changed by an unauthorized user. There is no evidence that the record was copied, and the payment system remained available. Which security objective is most directly affected?

Options:

  • A. Confidentiality

  • B. Availability

  • C. Authentication

  • D. Integrity

Best answer: D

Explanation: The core concept is the CIA triad: confidentiality protects information from unauthorized disclosure, integrity protects information from unauthorized modification, and availability keeps systems and data accessible when needed. In this scenario, the decisive fact is that an unauthorized user changed a vendor bank account number. The system stayed online, and there is no evidence of copying, so the main impact is loss of trust in the accuracy of the payment record.

Authentication is related to proving identity, but the security objective harmed by the changed data is integrity.

  • Disclosure focus does not fit because the stem says there is no evidence that the record was copied.
  • Service access focus does not fit because the payment system remained available.
  • Identity proof focus is relevant to access control, but the direct harm described is the changed record.

Question 32

Topic: Security Principles

A help desk user successfully signs in to the ticketing system with multifactor authentication. The user can view standard support tickets but is trying to approve refund requests, which should be limited to supervisors. Which security function is needed to decide whether this signed-in user may approve refunds?

Options:

  • A. Authentication

  • B. Identification

  • C. Authorization

  • D. Accounting

Best answer: C

Explanation: AAA separates identity-related decisions into authentication, authorization, and accounting. In this scenario, the user has already signed in successfully, so the system has verified who the subject is. The remaining question is whether that authenticated subject is allowed to perform a specific action: approving refund requests. That permission decision is authorization, usually based on role, group membership, policy, or assigned privileges. Authentication answers “Who are you?” Authorization answers “What are you allowed to do?”

  • Authentication is not enough because the sign-in and MFA step has already verified the user’s identity.
  • Accounting records activity for audit or tracking; it does not decide whether the action is permitted.
  • Identification is the claim of identity, such as a username, not the permission decision for refund approval.

Question 33

Topic: Security Principles

A security team has time to fix only one issue this week. One issue causes frequent but minor help desk complaints on a noncritical tool. The other issue is less visible to users but could interrupt online order processing. Which risk management concept should guide the priority decision?

Options:

  • A. Business impact

  • B. Asset depreciation

  • C. Technical inconvenience

  • D. User preference

Best answer: A

Explanation: Risk management prioritizes work by considering the likelihood and impact of harm to the organization. A technically annoying issue may consume support time, but an issue that could disrupt online order processing has a larger business impact because it can affect revenue, customer service, and operations. Business impact helps security teams focus limited resources on risks that matter most to mission and organizational objectives.

The key takeaway is that visibility or annoyance alone does not determine risk priority; the expected business consequence does.

  • Technical inconvenience may describe the noisy help desk issue, but annoyance alone is not the main basis for risk priority.
  • User preference can inform usability decisions, but it does not replace business risk evaluation.
  • Asset depreciation relates to asset value over time, not prioritizing security remediation by operational impact.

Question 34

Topic: Security Principles

A privacy officer reviews a simple access case involving customer records. The evidence shows: the user passed multifactor login, the user’s role allowed access to the records, and an audit entry shows the user downloaded a report. Which mapping is the BEST FIT for identity, permission, and user action?

Options:

  • A. Identity: audit entry; permission: multifactor login; action: role access

  • B. Identity: role access; permission: audit entry; action: multifactor login

  • C. Identity: multifactor login; permission: role access; action: audit entry

  • D. Identity: customer records; permission: downloaded report; action: user role

Best answer: C

Explanation: In access scenarios, the three evidence types answer different questions. Evidence of identity answers “Who is the user?” and usually comes from authentication, such as a successful multifactor login. Evidence of permission answers “What is the user allowed to access?” and comes from authorization, such as a role, group, or access control list. Evidence of user action answers “What did the user do?” and comes from logs or audit trails, such as a download event. Keeping these separate supports privacy reviews and trust-boundary decisions because access may be authenticated and authorized, but still require audit evidence of actual activity.

  • Role as identity fails because a role shows assigned permissions, not proof that the person authenticated.
  • Login as permission fails because successful authentication does not by itself grant access to a specific record.
  • Asset as evidence fails because the customer record is the protected data, not proof of identity, permission, or action.

Question 35

Topic: Security Governance

A company has seen several near-miss phishing attempts against payroll employees. The messages imitate executives and ask staff to change direct-deposit details quickly. Payroll employees already receive the same annual security video as all employees. Which awareness approach best fits this audience, behavior, and risk?

Options:

  • A. A reminder poster about password complexity

  • B. A stronger email gateway only

  • C. Role-based phishing training with payroll-specific verification practice

  • D. A longer annual video for all employees

Best answer: C

Explanation: Security awareness should match the audience, the risky behavior, and the likely impact. Payroll employees are being targeted with business email compromise-style messages that pressure them to change payment information. A role-based awareness approach can teach and rehearse the specific safe behavior: pause, verify the request through an approved channel, and follow the payroll change procedure. Simulated phishing or scenario practice is useful when the goal is behavior change, not just policy awareness.

Broad annual training may be necessary, but it is weaker for a role-specific, high-impact risk. Technical controls can help reduce malicious email, but they do not replace employee verification for requests that may look legitimate.

  • Generic annual training is too broad because payroll needs practice with its specific payment-change risk.
  • Email filtering only is the wrong layer by itself because awareness is needed when convincing messages reach employees.
  • Password posters do not address the behavior of verifying direct-deposit change requests.

Question 36

Topic: Networking and Cloud Security Concepts

An organization already uses firewall zones to separate the internet, DMZ, and internal network. Several application servers inside the same DMZ VLAN should communicate only with specific required services, but a compromise of one server could allow lateral movement to other servers in that VLAN. Which control best addresses this risk?

Options:

  • A. Place all application servers in one dedicated VLAN

  • B. Create a new internet-facing firewall zone

  • C. Implement micro-segmentation between workloads

  • D. Publish a stricter network acceptable use policy

Best answer: C

Explanation: Firewall zones define broad trust areas, such as internet, DMZ, and internal networks. VLANs logically separate devices at the network segment level, but systems in the same VLAN may still communicate unless additional controls restrict them. Micro-segmentation is the best fit when the requirement is to control east-west traffic between individual workloads or small groups of systems, especially to reduce lateral movement after a compromise. A new zone or VLAN may improve broad separation, but it does not provide the same fine-grained workload-to-workload control.

  • New firewall zone is too broad because the problem is traffic between systems already inside an existing zone.
  • Dedicated VLAN groups the servers but does not automatically restrict communication among them.
  • Acceptable use policy is administrative guidance, not a technical control for limiting lateral movement.

Question 37

Topic: Security Governance

A small company hosts its customer portal on one server in a single office network closet. Recent power issues caused the portal to be unavailable twice, and management wants to reduce the chance that one equipment or facility failure will take the portal offline. Which action is the BEST fit?

Options:

  • A. Increase log retention for the portal

  • B. Create a longer incident report template

  • C. Require stronger administrator passwords

  • D. Deploy a redundant server in a separate location

Best answer: D

Explanation: Redundancy reduces single points of failure by adding an alternate component, path, site, or service that can continue operating if the primary one fails. In this scenario, the portal depends on one server in one office closet, and power issues have already affected availability. Placing a redundant server in a separate location better supports disaster recovery and availability because a local equipment or facility problem is less likely to stop the entire service. Controls such as stronger passwords, logging, and reporting may improve security management, but they do not directly provide an alternate operating capability.

  • Password hardening helps protect administrator accounts, but it does not address the single server or single facility dependency.
  • Longer log retention improves investigation and compliance evidence, but logs do not keep the portal available during an outage.
  • Incident templates can improve response documentation, but they do not remove the operational single point of failure.

Question 38

Topic: Security Operations and Incident Response

A data handling standard requires files labeled Confidential to be stored only in an approved encrypted repository. During a review, which evidence best supports whether the requirement is being followed?

Options:

  • A. A list of employees with repository access

  • B. Annual security awareness completion records

  • C. Repository audit logs showing labeled files and storage location

  • D. A copy of the data handling standard

Best answer: C

Explanation: Evidence for data handling compliance should show the actual handling of the data against the stated requirement. Here, the requirement has two observable parts: files must be labeled Confidential, and they must be stored only in an approved encrypted repository. Audit logs or repository records that show file labels and storage locations provide direct evidence that can be compared with the standard. Training records, policy documents, and access lists may support the control environment, but they do not prove that the data was handled correctly.

  • Training completion shows users were educated, but not that confidential files were stored correctly.
  • Policy copy states the requirement, but it is not evidence of actual compliance.
  • Access list shows who can use the repository, but not whether labeled files were placed there.

Question 39

Topic: Networking and Cloud Security Concepts

A company stores customer records in a SaaS document platform. The provider manages the application infrastructure, but an audit finds employees are creating “anyone with the link” shares for confidential files. Which control best addresses this risk?

Options:

  • A. Rely on the provider’s encryption at rest

  • B. Ask the provider to patch the host operating systems

  • C. Block public links in the SaaS sharing settings

  • D. Install a perimeter firewall for the provider network

Best answer: C

Explanation: In a shared responsibility model, the cloud provider may manage the underlying infrastructure, but the customer remains responsible for how its users, identities, data, and tenant settings are managed. Here, the risk is not an unpatched server or provider network exposure; it is a customer-controlled sharing behavior in a SaaS platform. Disabling or restricting public links directly reduces unauthorized access to confidential customer records.

Encryption at rest is useful, but it does not prevent a user from granting broad access through a valid sharing link.

  • Provider patching targets infrastructure maintenance, not customer-managed file-sharing behavior.
  • Perimeter firewalling is the wrong layer for a SaaS tenant sharing-control problem.
  • Encryption at rest protects stored data from some infrastructure risks but does not stop overly broad authorized sharing.

Question 40

Topic: Security Principles

A company is adding a customer feedback form to its public website. The form will collect names, email addresses, and optional comments. Company policy requires users to know why personal information is collected and how it will be used before they submit it. What is the BEST action for the project team?

Options:

  • A. Limit admin access to the web server

  • B. Add a clear privacy notice before submission

  • C. Review firewall rules for the website

  • D. Encrypt the feedback database after launch

Best answer: B

Explanation: Privacy requirements should affect user communication and system or process design when personal information is collected, used, shared, or retained. In this scenario, the policy requirement is about informing users before collection, so the best action is to provide a clear privacy notice at the point where users submit their information. Encryption and access limits can help protect confidentiality, but they do not satisfy the requirement to tell users why the data is collected and how it will be used. Privacy is not only a technical control issue; it also includes transparency and appropriate handling of personal data.

  • Encryption only helps protect stored data but does not communicate collection purpose or use to the user.
  • Admin access limits support least privilege but do not address the privacy notice requirement.
  • Firewall review may improve website security but does not address personal information collection transparency.

Question 41

Topic: Security Principles

An employee discovers that an unauthorized user changed a supplier’s bank account number in the purchasing system. The system remained online, and there is no evidence that records were viewed or exported. Which security objective is most directly affected?

Options:

  • A. Integrity

  • B. Authentication

  • C. Confidentiality

  • D. Availability

Best answer: A

Explanation: The core objective in this scenario is integrity. Integrity protects information from unauthorized or improper modification and supports confidence that data is accurate, complete, and trustworthy. The key fact is that the supplier’s bank account number was changed without authorization. Because the system stayed online, availability is not the main issue. Because there is no evidence that records were viewed or exported, confidentiality is not the most direct impact. Authentication may have failed as a control, but the security objective harmed by the changed record is integrity.

  • Confidentiality would be most affected if the supplier record had been disclosed to someone without authorization.
  • Availability would be most affected if users could not access the purchasing system or needed data.
  • Authentication is a process for verifying identity, not the CIA objective directly harmed by changed data.

Question 42

Topic: Identity and Access Management Concepts

A small design team stores project files in a shared repository. The security goal is to let the person who owns each file decide which coworkers can read or edit it, while still allowing administrators to enforce general account policies. Which access control model is the best fit?

Options:

  • A. Mandatory access control

  • B. Discretionary access control

  • C. Rule-based access control

  • D. Role-based access control

Best answer: B

Explanation: Discretionary access control (DAC) fits when the owner of a resource has influence over access decisions, such as sharing a file with specific coworkers. Administrators may still manage accounts and baseline policies, but the key feature is that the file owner can grant or remove access at the resource level. This differs from models where access is centrally determined by labels, roles, or system rules. The deciding clue is the requirement for the file owner to choose who can read or edit the file.

  • Mandatory labels are used in mandatory access control, where owners do not freely decide access based on personal sharing choices.
  • Job roles are central to role-based access control, but the scenario focuses on file-owner decisions rather than role membership.
  • System rules can enforce conditions, but they do not describe owner-directed sharing.

Question 43

Topic: Networking and Cloud Security Concepts

A small company uses one flat network for employee laptops, guest Wi-Fi, IoT cameras, development servers, and production systems. A compromised guest device could currently scan and connect to production hosts. Which control best reduces this risk?

Options:

  • A. Publish a policy telling guests not to access internal systems

  • B. Install antivirus software on production servers

  • C. Separate traffic into VLANs or zones with firewall rules

  • D. Require longer passwords for guest Wi-Fi users

Best answer: C

Explanation: Network segmentation separates systems with different trust levels, functions, or risk profiles. Guest devices, IoT devices, development systems, and production systems should not share one unrestricted broadcast and routing space. Placing them in separate VLANs or security zones and enforcing firewall or access control rules limits which systems can communicate. This reduces the chance that a compromised guest or IoT device can move laterally into production. Passwords, endpoint tools, and policies can help, but they do not provide the same network-layer separation.

  • Password focus improves authentication but does not stop an already connected guest device from reaching production hosts.
  • Endpoint protection may detect malware on servers, but it does not separate guest, IoT, development, and production traffic.
  • Policy only sets expectations and is weaker than a technical control that enforces traffic separation.

Question 44

Topic: Security Operations and Incident Response

A security team receives more alerts than it can investigate during each shift. Recent missed alerts involved an internet-facing payment system that stores customer data. Which control should the team implement to improve event triage priority?

Options:

  • A. Assigning alerts evenly across analysts

  • B. First-in, first-out alert handling

  • C. Risk-based alert scoring using asset criticality, likelihood, and impact

  • D. Blocking all alerts from low-risk systems

Best answer: C

Explanation: Event triage should focus limited analyst time on the alerts that represent the greatest risk. A risk-based approach considers how critical the affected asset is, how likely the activity is to be malicious or exploited, and the potential impact if the event becomes an incident. In this scenario, alerts involving an internet-facing payment system that stores customer data deserve higher priority than routine alerts on less critical systems. This does not mean ignoring all other events; it means using consistent criteria to decide what should be investigated first.

  • Queue order can be simple, but it may delay urgent alerts affecting critical assets.
  • Blocking low-risk alerts is too broad because low-risk systems can still provide useful evidence or indicate lateral movement.
  • Equal assignment balances workload, but it does not determine which events create the highest risk.

Question 45

Topic: Networking and Cloud Security Concepts

A help desk ticket says a user cannot open an internal web application. The browser times out before any sign-in page appears. Network logs show the user’s device never establishes a TCP connection to the application server, and there are no failed login events for that user. Which concept best describes the problem?

Options:

  • A. Authorization failure

  • B. Network connectivity failure

  • C. Authentication failure

  • D. Accounting failure

Best answer: B

Explanation: A network connectivity failure means the device cannot successfully reach the target service over the network. In this ticket, the browser times out before the sign-in page, the TCP connection is never established, and no login events are recorded. Those facts place the failure before authentication or authorization can occur. Authentication failure would involve proving identity unsuccessfully, such as a bad password or failed MFA. Authorization failure would happen after identity is known, when the user lacks permission to access a resource. The key takeaway is to locate where the process stops: reachability first, then authentication, then authorization.

  • Bad credentials do not fit because no sign-in attempt or failed login event occurred.
  • Missing permission does not fit because authorization is checked only after the user is authenticated.
  • Accounting issue does not fit because accounting records activity; it is not the cause of a pre-login timeout.

Question 46

Topic: Security Governance

An employee receives a phone call from someone claiming to be from the help desk. The caller says the employee’s account will be locked unless the employee immediately provides a one-time MFA code. What is the best initial user action?

Options:

  • A. Provide the code only if the caller knows the employee’s name

  • B. Share the code, then change the password afterward

  • C. Ask the caller to send an email link for verification

  • D. End the call and report it through the approved security channel

Best answer: D

Explanation: The core concept is social engineering response. A request for an MFA code is a high-risk sign because legitimate support staff should not need a user’s one-time authentication code. The best initial action is to stop interacting with the suspicious caller and use the organization’s approved reporting process, such as a security mailbox, help desk ticket, or phishing-reporting tool. This preserves the account, alerts security, and avoids giving the attacker more information.

Verifying through the same caller or following a link supplied by the caller keeps the user inside the attacker’s channel. The key takeaway is to disengage and report using a trusted, independent process.

  • Caller knowledge is weak verification because names, job titles, and phone numbers can be gathered or spoofed.
  • Email link verification is risky because an attacker can send a convincing link to a phishing site.
  • Post-disclosure password change fails because the MFA code could allow immediate unauthorized access before recovery steps occur.

Question 47

Topic: Identity and Access Management Concepts

A company is improving its offboarding process. Reviewers find that several employees used the same shared administrator account, and some application service accounts still exist after their owners left the company. Which IAM issue does this example best illustrate?

Options:

  • A. Deprovisioning is harder when account ownership is unclear

  • B. Access is automatically removed by role inheritance

  • C. Multifactor authentication enrollment is incomplete

  • D. Password length requirements are too strict

Best answer: A

Explanation: Deprovisioning depends on knowing which identity belongs to which person, system, or business owner. Shared accounts break individual accountability because multiple people use the same credential, so removing one person does not clearly remove that person’s access. Orphaned service accounts create a similar problem because the account may still have permissions even though no current owner is responsible for validating its need. These conditions increase the risk of lingering access after role changes or termination. The key takeaway is that every account should have a defined owner and a clear lifecycle process.

  • Role inheritance is not the issue because inherited access does not automatically solve shared-account or orphaned-account ownership problems.
  • Password length is unrelated because strong passwords do not identify who should keep or lose access.
  • MFA enrollment may improve authentication, but it does not determine account ownership or remove unused service accounts.

Question 48

Topic: Security Governance

A company launched phishing awareness training after several employees clicked fake login links. The security goal is to reduce risky user behavior and encourage employees to report suspicious messages. Management wants one metric to show whether the awareness activity is effective over time. Which metric is the BEST FIT?

Options:

  • A. Number of awareness emails sent each month

  • B. Trend in simulated phishing click and report rates

  • C. Total number of spam messages blocked

  • D. Percentage of employees assigned the training

Best answer: B

Explanation: Effective cybersecurity metrics should align with the stated control goal. In this scenario, the awareness activity is intended to change user behavior: fewer unsafe clicks and more reporting of suspicious messages. A trend in simulated phishing click rates and report rates measures that behavior directly over time, making it a better effectiveness metric than counts of communications or assignments. Activity measures can show that a program was delivered, but they do not prove the control improved behavior.

  • Emails sent measures program activity, not whether employees changed behavior.
  • Training assigned shows coverage of the assignment, but not completion, understanding, or safer behavior.
  • Spam blocked may be useful for email security operations, but it does not measure awareness training effectiveness.

Question 49

Topic: Identity and Access Management Concepts

A help desk manager needs two new analysts to start work today. The company has a preapproved Help Desk Analyst access role that includes the ticketing system and password reset tool. The manager asks security to “just copy” permissions from a senior analyst because it is faster. What is the best action?

Options:

  • A. Copy the senior analyst’s permissions

  • B. Let the analysts share an existing account

  • C. Grant administrator access temporarily

  • D. Assign the preapproved help desk role

Best answer: D

Explanation: Role-based access control supports safe provisioning by assigning permissions through approved job roles instead of building access one request at a time. In this scenario, the preapproved Help Desk Analyst role already matches the new analysts’ job need, so it is more consistent with least privilege and easier to review later. Copying a senior user’s permissions may include extra access based on experience, exceptions, or old duties. Temporary administrator access and shared accounts create even greater accountability and privilege risks. The key takeaway is to use an approved role when it fits the business function, then handle any true exceptions separately through approval.

  • Copied permissions may transfer unnecessary or outdated access from the senior analyst.
  • Temporary admin access exceeds the stated job need and violates least privilege.
  • Shared accounts weaken accountability because actions cannot be tied to one individual.

Question 50

Topic: Security Principles

A junior security analyst notices that a coworker is copying customer records to a personal cloud storage account. The company policy states that customer data must only be stored in approved systems, and the analyst is not responsible for investigating employee misconduct. What is the best action for the analyst to take?

Options:

  • A. Report the concern to the designated manager or security channel

  • B. Ignore the activity until customer harm is proven

  • C. Post a warning about the coworker in the team chat

  • D. Confront the coworker and demand deletion of the files

Best answer: A

Explanation: Professional and ethical conduct requires reporting suspected security or policy concerns through appropriate channels. The analyst has a reasonable concern: customer records are being copied to an unapproved personal storage account. Because the analyst is not assigned to investigate misconduct, the right action is to escalate to the designated manager, security team, ethics hotline, or other approved reporting path. This supports due care, protects confidentiality, and preserves proper handling of the concern.

Direct confrontation, public accusation, or inaction can increase risk and may violate company process. The key takeaway is to report credible concerns promptly through authorized channels, not to investigate beyond your role.

  • Direct confrontation can escalate the situation and bypass the organization’s investigation process.
  • Waiting for harm fails because policy violations and data exposure concerns should be reported when noticed.
  • Public accusation risks privacy, defamation, and mishandling of a sensitive concern.

Questions 51-75

Question 51

Topic: Identity and Access Management Concepts

A contractor’s engagement ended yesterday, but an access review shows the contractor’s VPN and file-share accounts are still active. Company policy requires access removal when a contract ends, and the file share contains internal project documents. What is the best immediate action?

Options:

  • A. Disable the contractor’s active accounts

  • B. Ask the contractor to confirm account deletion

  • C. Move the accounts to a read-only group

  • D. Wait for the next monthly access review

Best answer: A

Explanation: Deprovisioning is the IAM process of removing access when a user no longer has a business need, such as after termination or contract completion. Because the contractor still has active VPN and file-share credentials after the engagement ended, the immediate priority is to stop access. Disabling the accounts is usually the safest first step because it quickly prevents login while preserving records for review if needed. Later steps may include documenting the action, notifying the access owner, and completing formal account deletion according to retention and audit requirements.

Waiting or reducing permissions leaves unnecessary active access in place. The key takeaway is to remove access promptly when the relationship ends.

  • Monthly review delay fails because the access issue is already known and policy requires removal when the contract ends.
  • User confirmation fails because deprovisioning is controlled by the organization, not by the former contractor.
  • Read-only access fails because the contractor no longer has a business need for any access.

Question 52

Topic: Identity and Access Management Concepts

A department asks for broad file-share access for all staff because it would be more convenient during busy periods. Security says each user should receive only the access needed to perform assigned job duties. Which IAM concept does this describe?

Options:

  • A. Principle of Least Privilege (PoLP)

  • B. Discretionary access control (DAC)

  • C. Separation of Duties (SoD)

  • D. Single sign-on (SSO)

Best answer: A

Explanation: The Principle of Least Privilege (PoLP) means users, processes, and systems should have only the minimum access needed to perform their authorized tasks. In this scenario, convenience is not a valid reason to grant broad file-share access. Access should be tied to job duties, approved business need, and ownership decisions. This reduces accidental disclosure, unauthorized changes, and misuse of data.

A close distractor is Separation of Duties, but that focuses on splitting sensitive tasks among different people to prevent one person from having too much control over a process.

  • SoD mismatch fails because the scenario is about limiting access scope, not dividing conflicting duties across people.
  • SSO mismatch fails because signing in once does not decide what resources a user may access.
  • DAC mismatch fails because owner-granted discretion is not the main principle being applied here.

Question 53

Topic: Security Operations and Incident Response

A small company detects repeated failed logins against its remote access portal from many source IP addresses. No account has been compromised, and there is no evidence identifying a specific person or group. The security team wants to use threat actor information during triage. What is the best action?

Options:

  • A. Wait to respond until the attacker is positively identified

  • B. Label the activity as nation-state because it uses many countries

  • C. Use observed behavior and current threat intelligence to guide risk prioritization

  • D. Ignore threat actor type because attribution is never useful

Best answer: C

Explanation: Threat actor categories, such as cybercriminal, insider, hacktivist, or nation-state, can help a team think about likely motives, capabilities, targets, and risk. In this scenario, the evidence shows broad failed login activity but does not prove who is behind it. A good entry-level triage approach is to use observable indicators and reliable cyber threat intelligence to prioritize monitoring, hardening, and response while avoiding unsupported attribution. The team should treat actor type as one input to risk thinking, not as a guessing game or a reason to delay action.

The key takeaway is to base risk decisions on evidence and revise assumptions as new information appears.

  • Foreign sources do not prove a nation-state actor; distributed sources are common in automated credential attacks.
  • Ignoring actor type misses useful context about motive and capability when supported by evidence.
  • Waiting for attribution delays protective action even though triage can proceed with available facts.

Question 54

Topic: Identity and Access Management Concepts

An employee is terminated after suspicious file downloads are detected from their user account. The security team needs to stop any further access immediately, but HR and audit require the account history, mailbox, and logs to remain available for investigation. Which control should the IAM administrator apply first?

Options:

  • A. Disable the user account and preserve associated records

  • B. Delete the user account and mailbox permanently

  • C. Reset the user password and keep the account active

  • D. Transfer the account credentials to the manager

Best answer: A

Explanation: Deprovisioning should remove or block access without destroying evidence that may be needed later. In this scenario, the immediate risk is continued access by a terminated employee, so the account should be disabled or suspended. That prevents new logins while preserving identity records, mailbox contents, access history, and logs for HR, audit, and investigation. Deleting the account or mailbox can break audit trails and remove evidence. A password reset is weaker because the account remains active, and credential sharing violates accountability.

  • Permanent deletion fails because it can remove mailbox and identity evidence needed for audit or investigation.
  • Password reset is weaker because the account remains enabled and may still be misused through sessions or recovery paths.
  • Credential transfer violates individual accountability and does not preserve a clean investigative trail.

Question 55

Topic: Security Operations and Incident Response

During a tabletop incident response exercise, the team identifies that no one knows who is authorized to approve isolating a suspected infected server from the network. This delay could allow malware to spread during a real incident. What is the best improvement?

Options:

  • A. Require annual security awareness training for all employees

  • B. Update the incident response procedure with the approval role and escalation path

  • C. Move the server to a locked equipment room

  • D. Install a new endpoint detection tool on all servers

Best answer: B

Explanation: An incident response exercise should expose gaps in plans, procedures, roles, and communication paths before an actual event. When the problem is an unclear response step, the best improvement is to update the Incident Response Plan (IRP) or supporting procedure so the responsible role, approval authority, and escalation path are clear. This is an administrative control that directly addresses the exercise finding. Technical tools may help detect or contain malware, but they do not clarify who is authorized to make the containment decision.

  • New detection tool may improve visibility, but it does not define approval authority for isolation.
  • General awareness training is too broad for a specific unclear incident response step.
  • Locked room is a physical control and does not address network isolation authority.

Question 56

Topic: Identity and Access Management Concepts

A company is onboarding employees into several departments. Each department has a consistent set of systems and data needed for its job duties, such as payroll staff needing payroll records and help desk staff needing ticketing tools. The security team wants a scalable access control approach that assigns permissions based on job function. Which control is the best fit?

Options:

  • A. Mandatory access control

  • B. Role-based access control

  • C. Physical access control

  • D. Discretionary access control

Best answer: B

Explanation: Role-based access control (RBAC) is the best fit when users need access according to their job function. Permissions are grouped into roles, such as Payroll, Help Desk, or Sales, and users receive access by being assigned to the appropriate role. This supports least privilege and makes onboarding, transfers, and access reviews easier because permissions are managed by role instead of individually for each user.

Discretionary access control depends on resource owners granting access, mandatory access control is based on strict labels and classifications, and physical access control protects physical spaces rather than logical system permissions.

  • Owner-granted access is weaker for this requirement because it does not centrally map permissions to job functions.
  • Classification labels fit high-control environments but are not the normal model for departmental job duties.
  • Physical controls protect buildings, rooms, or devices, not user permissions in business applications.

Question 57

Topic: Security Operations and Incident Response

A help desk employee reports several users received the same suspicious email, and one user clicked the link. The security manager wants the team to respond consistently, preserve needed evidence, and know who must approve communications. What is the BEST action?

Options:

  • A. Rebuild the clicked user’s computer first

  • B. Disable all user accounts immediately

  • C. Follow the Incident Response Plan

  • D. Notify all customers before triage

Best answer: C

Explanation: An Incident Response Plan (IRP) guides how an organization prepares for, detects, responds to, contains, recovers from, and learns from security incidents. In this scenario, the key need is coordination: consistent actions, evidence preservation, and approved communication. The IRP provides the sequence of response activities, assigns responsibilities, defines escalation points, and helps avoid ad hoc decisions during a stressful event.

Immediate technical actions may be needed later, but they should follow the planned response process so the team does not destroy evidence, overreact, or communicate without authorization.

  • Disabling all accounts may be excessive and disruptive before triage confirms scope and affected identities.
  • Customer notification may be required later, but communications should follow approved incident procedures.
  • Rebuilding first could remove evidence and skips coordinated triage, containment, and approval steps.

Question 58

Topic: Security Operations and Incident Response

A small clinic needs to send an encrypted patient report to an outside specialist. The two organizations have not shared a secret key in advance, and the clinic needs a practical way for only the specialist to open the report. Which control is the best fit?

Options:

  • A. Mask patient identifiers in the report

  • B. Encrypt the report with a shared symmetric key

  • C. Hash the report before sending it

  • D. Encrypt the report with the specialist’s public key

Best answer: D

Explanation: Asymmetric encryption is the better fit when two parties need confidentiality but have not already exchanged a shared secret. The sender uses the recipient’s public key to encrypt, and only the recipient’s private key can decrypt. Symmetric encryption is efficient for bulk data, but both parties must already have the same secret key and protect its exchange. Hashing supports integrity checking, not confidentiality, and masking reduces visible sensitive data but does not let the recipient recover the original full report.

  • Shared symmetric key is plausible for fast encryption, but it requires a secure way to share the secret key first.
  • Hashing can show whether data changed, but it does not encrypt the report for confidentiality.
  • Masking identifiers may reduce exposure, but it does not provide encrypted delivery of the full patient report.

Question 59

Topic: Networking and Cloud Security Concepts

A small company is moving a customer database to a managed cloud database service. The provider will maintain the database platform and underlying infrastructure. The company must still protect customer data and meet its internal access-control policy. What is the best action for the security analyst to recommend?

Options:

  • A. Configure customer-controlled access, encryption, and monitoring

  • B. Rely on the provider to handle all database security

  • C. Disable logging to reduce operational overhead

  • D. Move the database to an unmanaged virtual machine

Best answer: A

Explanation: Managed cloud services shift some operational work to the cloud provider, such as maintaining the service platform, applying provider-side updates, and operating the underlying infrastructure. They do not remove the customer’s security responsibilities. The customer usually remains responsible for protecting its data, managing identities and access, configuring security settings, monitoring activity, and meeting internal policy requirements. In this scenario, the company can benefit from the managed service while still enforcing access control and data protection. The key takeaway is that managed service does not mean fully outsourced security.

  • Provider handles everything fails because shared responsibility still leaves customer-side controls and data protection with the company.
  • Unmanaged virtual machine increases operational responsibility and does not best fit the goal of using a managed service.
  • Disabling logs conflicts with monitoring and would weaken visibility into access and security events.

Question 60

Topic: Security Governance

A small clinic depends on an electronic scheduling system. Leadership is concerned that a system outage would leave staff unsure who makes decisions, how to contact key personnel, which patient services to continue first, and how to keep operating on paper until the system returns. Which control best addresses this requirement?

Options:

  • A. Disaster recovery rebuild procedure

  • B. Business continuity plan

  • C. Firewall rule review

  • D. Backup retention schedule

Best answer: B

Explanation: Business continuity planning focuses on maintaining essential business functions during a disruption, not only restoring technology afterward. In this scenario, the clinic needs predefined decision roles, contact paths, operational priorities, and manual paper-based processes so staff can continue patient services while the scheduling system is unavailable. Those elements belong in a business continuity plan because they guide people and processes during degraded operations. A disaster recovery procedure may support the technical restoration of the scheduling system, but it does not fully address how the clinic continues work before restoration is complete.

  • Backup schedule helps preserve data for recovery, but it does not define operational roles, communications, or manual workarounds.
  • Firewall review may reduce network risk, but it does not prepare staff to continue services during an outage.
  • Rebuild procedure supports restoring a system, but it is narrower than continuity planning for ongoing operations.

Question 61

Topic: Identity and Access Management Concepts

A company finds that several employees who transferred to new departments still have access to applications used only in their previous roles. The company wants a control that regularly confirms whether existing access is still appropriate and removes access that is no longer needed. Which control best addresses this requirement?

Options:

  • A. Periodic access review and recertification

  • B. Mandatory password changes every 90 days

  • C. Day-one provisioning for new hires

  • D. Final deprovisioning during employee termination

Best answer: A

Explanation: Access review and recertification is the IAM control used to confirm that current access still matches a user’s job needs. In this scenario, the issue is not initial access for a new employee or account removal after termination. The risk is accumulated access after role changes. A periodic review by managers, system owners, or data owners helps enforce least privilege by approving, modifying, or removing existing permissions. Provisioning grants approved access at the start of employment or a role assignment, while deprovisioning removes access when employment or eligibility ends. The key takeaway is that access review sits between those lifecycle events and checks whether granted access remains valid.

  • New-hire provisioning grants initial approved access, but it does not regularly validate access after role changes.
  • Termination deprovisioning removes access at the end of employment, not during ongoing employment transfers.
  • Password changes may support account security, but they do not determine whether permissions are still appropriate.

Question 62

Topic: Security Principles

A company needs a control that can later prove a specific employee approved a high-value transaction and prevent the employee from credibly denying that action. Which cybersecurity objective is the company seeking?

Options:

  • A. Authorization

  • B. Authentication

  • C. Non-repudiation

  • D. Accounting

Best answer: C

Explanation: Non-repudiation is the security objective focused on proof that a specific party performed an action or originated a message. In this scenario, the deciding need is not simply to verify the employee’s identity at login; it is to preserve evidence that the employee approved the transaction and cannot later deny it. Digital signatures, strong audit trails, and protected logs can support this objective. Authentication is related because it verifies identity, but proof of a completed action is the key distinction.

  • Identity check fails because authentication verifies who the user is, but does not by itself prove a later transaction cannot be denied.
  • Permission check fails because authorization determines what an authenticated user is allowed to do.
  • Activity tracking is tempting because accounting records actions, but non-repudiation focuses on defensible proof of origin or action.

Question 63

Topic: Identity and Access Management Concepts

A company is reviewing access to its payroll application. A contractor has the Payroll Admin role, which allows changing bank account details. Policy says continued access to payroll data must be approved by the business person accountable for that application, while IT only creates or removes accounts. What is the BEST action?

Options:

  • A. Ask the contractor as the user to confirm the access

  • B. Ask the payroll access owner to approve or deny the access

  • C. Ask any privileged user to approve the access

  • D. Convert the contractor account to a service account

Best answer: B

Explanation: In IAM, a user is the human identity using a system, while a role is a set of permissions assigned to identities. A privileged user has elevated permissions, but that does not automatically make them responsible for approving access. A service account is a non-human account used by an application or process. The access owner is the person or function accountable for a resource and for approving who should have access to it. In this scenario, payroll data access must be approved by the business person accountable for the payroll application, so the review should go to that access owner, not to IT or the contractor.

  • User self-approval fails because the contractor benefits from the access and is not accountable for the payroll application.
  • Privileged user approval fails because elevated permissions do not equal ownership or approval authority.
  • Service account conversion fails because a contractor is a human user, not an application or automated process.

Question 64

Topic: Security Principles

A small company must be able to review who made security-relevant changes to its customer database, including failed access attempts and administrative updates. Which control best supports this requirement?

Options:

  • A. Grant administrators full access to the database

  • B. Post a policy reminding users to report changes

  • C. Require complex passwords for all database users

  • D. Enable audit logging tied to unique user IDs

Best answer: D

Explanation: Accounting in AAA is the tracking and recording of security-relevant actions for accountability and review. In this scenario, the company needs evidence of who attempted access and who made administrative updates. Audit logs tied to unique user IDs provide that record, supporting investigation, review, and accountability. Authentication proves an identity, and authorization determines what that identity can do, but accounting records what actually happened.

  • Password complexity helps authentication, but it does not record database changes or failed attempts for review.
  • Full administrator access weakens least privilege and does not create accountability by itself.
  • User reminders are administrative guidance, but they are weaker than technical logging for tracking actual actions.

Question 65

Topic: Networking and Cloud Security Concepts

A small company has a public web server, employee workstations, and a database that stores sensitive customer records. Management wants to limit movement if the public server is compromised. Which control best separates these systems by exposure and sensitivity?

Options:

  • A. Require annual security awareness training

  • B. Enable full-disk encryption on all workstations

  • C. Store all systems on one flat VLAN

  • D. Create separate network zones enforced by firewalls

Best answer: D

Explanation: Segmentation divides systems into separate network areas based on trust level, exposure, or sensitivity. In this scenario, the public web server should not share unrestricted network access with employee workstations or the sensitive customer database. Placing them in separate zones or VLANs, with firewall rules controlling allowed traffic between zones, reduces the chance that a compromise of the public server leads directly to internal or sensitive systems. Encryption and awareness are useful controls, but they do not create network separation. A flat VLAN does the opposite by allowing easier lateral movement.

  • Encryption control protects stored data on devices but does not separate network paths between public and sensitive systems.
  • Awareness training addresses user behavior, not network isolation between zones.
  • Flat VLAN increases lateral movement risk because systems remain in the same broad network segment.

Question 66

Topic: Networking and Cloud Security Concepts

A small company has a public website, employee workstations, and a payroll database on the same flat network. Management wants the website reachable from the internet but wants payroll isolated from public-facing and general user systems. What is the BEST segmentation approach?

Options:

  • A. Place the website in a DMZ and payroll in a restricted internal VLAN

  • B. Put all systems behind one perimeter firewall rule

  • C. Move payroll to the same subnet as workstations

  • D. Disable internet access for employee workstations

Best answer: A

Explanation: Network segmentation reduces risk by separating systems with different exposure levels and sensitivity. A public website should be isolated from trusted internal systems, commonly in a DMZ, because it must accept internet traffic. The payroll database contains sensitive data and should be placed in a more restricted internal segment, such as a dedicated VLAN, with access limited to approved users and systems. This approach limits the impact if the website is compromised and helps enforce least privilege for payroll access.

A single perimeter control does not provide enough separation inside the network once traffic is allowed through.

  • Single firewall rule fails because it does not separate public, internal, and sensitive systems after traffic enters the environment.
  • Shared payroll subnet increases exposure by placing sensitive data systems with general user devices.
  • Blocking workstation internet may reduce browsing risk, but it does not isolate the public website or payroll database.

Question 67

Topic: Networking and Cloud Security Concepts

A hospital wants cloud resources dedicated for its own organization only. The resources may be hosted by a third-party provider, but they are not shared as a public multi-tenant offering. Which cloud concept does this describe?

Options:

  • A. Infrastructure as a Service (IaaS)

  • B. Software as a Service (SaaS)

  • C. Platform as a Service (PaaS)

  • D. Private cloud deployment model

Best answer: D

Explanation: Cloud deployment models describe how cloud resources are made available and to whom, such as public, private, community, or hybrid cloud. In this scenario, the deciding fact is that the resources are dedicated to one organization, even if a third party hosts or manages them. That maps to a private cloud deployment model. Service models describe what level of technology is delivered, such as applications, platforms, or infrastructure. The key takeaway is to separate the audience and ownership pattern from the service layer being consumed.

  • SaaS confusion fails because SaaS describes using a complete application, not whether the environment is private or public.
  • PaaS confusion fails because PaaS describes a managed application platform for building or deploying software.
  • IaaS confusion fails because IaaS describes access to compute, storage, and network resources, not the deployment audience.

Question 68

Topic: Security Operations and Incident Response

A security analyst collects several public reports about a phishing campaign. The analyst validates the indicators, confirms the campaign targets the organization’s industry, maps affected business units, and recommends blocking domains and warning specific employees. Which concept best describes the analyst’s final output?

Options:

  • A. Threat framework mapping

  • B. Threat information

  • C. Actionable threat intelligence

  • D. Threat actor profile

Best answer: C

Explanation: Threat information is raw or lightly processed data about possible threats, such as reports, indicators, tactics, or observations. It becomes actionable threat intelligence when it is analyzed, validated, put into organizational context, and connected to decisions or defensive actions. In this scenario, the analyst did more than collect public reports. The analyst confirmed relevance, identified who may be affected, and recommended concrete actions. That makes the final output intelligence that can drive response and prevention, not just general threat data.

  • Raw reports are only threat information until they are analyzed and connected to the organization’s risk or actions.
  • Actor profile would focus on who is conducting the activity, not the defensive recommendations.
  • Framework mapping would organize tactics or techniques, but mapping alone does not describe the full actionable output.

Question 69

Topic: Security Operations and Incident Response

A security monitoring analyst receives an alert showing repeated successful logins to a payroll administrator account from an unfamiliar country at 3:00 a.m. The company’s triage procedure says suspected compromise of a privileged account that can access payroll data meets incident criteria. What is the best next escalation?

Options:

  • A. Wait for more alerts before acting

  • B. Close the alert as a false positive

  • C. Escalate to the incident response team

  • D. Update the SIEM rule threshold

Best answer: C

Explanation: Event triage determines whether a monitored event is normal activity, a security event needing investigation, or an incident requiring formal response. In this case, the organization has already defined suspected compromise of a privileged payroll account as meeting incident criteria. The analyst should escalate according to the Incident Response Plan (IRP), usually to the incident response team or designated incident handler. That enables containment, evidence handling, communication, and recovery steps to begin under an approved process.

Tuning detection rules may be useful later, but it does not replace escalation when the current event meets the incident definition.

  • False positive closure ignores the documented criteria and the risk of privileged access to payroll data.
  • Waiting for more alerts delays response even though the procedure already defines this condition as an incident.
  • SIEM tuning may improve future monitoring, but it is not the right immediate escalation for a qualifying incident.
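The triage decision described in this explanation can be written down as a rule so it is applied the same way on every alert. The following is an added example, not code from the IT Mastery page: it encodes the documented incident criterion (a successful login to a privileged account with payroll access from an unfamiliar country) and returns a triage decision per account. The account names, expected countries and log lines are constructed sample data.

```python
"""Triage rule for privileged-account login alerts.

Added example, not code from the IT Mastery page: it encodes the documented
incident criterion from the scenario (suspected compromise of a privileged
account that can reach payroll data) as a small function that returns a
triage decision per account. Account names, countries and log lines are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

INCIDENT = "incident: escalate to incident response team"
EVENT = "event: investigate"
NORMAL = "normal"

# Constructed: accounts with access to payroll data (privileged per the procedure).
PRIVILEGED_ACCOUNTS = {"payroll_admin", "hr_dba"}
# Constructed: countries from which staff are expected to sign in.
EXPECTED_COUNTRIES = {"US", "CA"}

# Constructed sample log: timestamp|account|country|result
SAMPLE_LOG = """\
2024-03-10T03:02:11|payroll_admin|RO|SUCCESS
2024-03-10T03:05:40|payroll_admin|RO|SUCCESS
2024-03-10T03:07:02|payroll_admin|RO|SUCCESS
2024-03-10T08:15:00|jsmith|US|SUCCESS
2024-03-10T08:16:30|jsmith|FR|FAIL
2024-03-10T09:00:12|hr_dba|CA|SUCCESS
"""


@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    account: str
    country: str
    success: bool


def parse_event(line: str) -> LoginEvent:
    """Parse one sample log line into a LoginEvent."""
    ts, account, country, result = line.strip().split("|")
    return LoginEvent(datetime.fromisoformat(ts), account, country, result == "SUCCESS")


def triage_account(events: list[LoginEvent]) -> str:
    """Apply the documented criteria to all events for one account.

    Incident: any successful login to a privileged account from an unexpected
    country. Event: other activity from an unexpected country (success or
    failure) that deserves investigation but does not meet the incident
    definition. Normal: everything else.
    """
    unfamiliar = [e for e in events if e.country not in EXPECTED_COUNTRIES]
    if not unfamiliar:
        return NORMAL
    account = events[0].account
    if account in PRIVILEGED_ACCOUNTS and any(e.success for e in unfamiliar):
        return INCIDENT
    return EVENT


def triage_log(log_text: str) -> dict[str, str]:
    """Group raw log lines by account and return a decision for each account."""
    by_account: dict[str, list[LoginEvent]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_account[ev.account].append(ev)
    return {acct: triage_account(evs) for acct, evs in by_account.items()}


if __name__ == "__main__":
    for account, decision in triage_log(SAMPLE_LOG).items():
        print(f"{account}: {decision}")
```

On the sample data the rule escalates payroll_admin (three successful logins from an unexpected country), marks jsmith for investigation (one failed attempt from an unexpected country, non-privileged account), and leaves hr_dba as normal. The point is that the escalation decision comes from the written criteria, not from waiting for more alerts or tuning the rule after the fact.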

Question 70

Topic: Security Principles

A company gives temporary contractors access to a customer support portal that contains personal data. The security goal is to protect privacy across the contractor trust boundary, and recent audit logs show one contractor viewed records unrelated to assigned tickets. What is the BEST action?

Options:

  • A. Disable logging to reduce stored personal data

  • B. Restrict access by role and keep activity logging enabled

  • C. Allow current access but review logs weekly

  • D. Encrypt database backups more frequently

Best answer: B

Explanation: Activity logging supports accountability by recording who did what and when, but it does not stop an authorized user from viewing data they should not need. In this scenario, contractors are outside a more trusted employee boundary and can view personal data unrelated to assigned work. The preventive control should limit access before exposure occurs, usually through least privilege or role-based access tied to business need. Logging should remain in place as a detective and accountability control for review, investigation, and audit evidence.

The key takeaway is that monitoring user actions complements preventive access controls; it does not replace them.

  • Log review only fails because it detects misuse after access has already occurred.
  • Disable logging removes accountability and audit evidence, even if log data must be protected.
  • Backup encryption protects stored backup copies but does not limit portal access to live personal data.

Question 71

Topic: Security Operations and Incident Response

A company has experienced several security alerts where help desk staff, system administrators, and managers took different actions and notified different people. Leadership wants a control that defines roles, communication paths, escalation steps, and approved response actions during a security incident. Which control best meets this requirement?

Options:

  • A. Business continuity plan

  • B. Incident Response Plan

  • C. Network firewall rule

  • D. Vulnerability scan

Best answer: B

Explanation: An Incident Response Plan (IRP) is an administrative control that guides coordinated actions during a security incident. It defines responsibilities, escalation, communication, evidence handling expectations, and response phases such as identification, containment, eradication, recovery, and lessons learned. In this scenario, the problem is not just a missing technical defense; it is inconsistent response behavior across teams. A documented and practiced IRP gives responders a shared playbook so decisions are timely, authorized, and aligned with business needs.

Technical controls may help prevent or detect events, but an IRP directs the people and process once an incident is suspected or confirmed.

  • Vulnerability scanning finds weaknesses before exploitation, but it does not coordinate response roles or escalation during an active incident.
  • Business continuity planning focuses on keeping critical business functions operating after disruption, not detailed incident response actions.
  • Firewall rules can restrict network traffic, but they do not define responder responsibilities or communications.

Question 72

Topic: Identity and Access Management Concepts

A company is redesigning access to its HR application. Employees should receive permissions based on approved job functions such as Payroll Clerk, HR Manager, or Benefits Analyst. Individual file owners should not decide who gets access, and the data is not being controlled by formal security classification labels. Which access control model best fits this requirement?

Options:

  • A. Role-based access control

  • B. Mandatory access control

  • C. Discretionary access control

  • D. Per-user access lists

Best answer: A

Explanation: Role-based access control (RBAC) is the best fit when access is driven by job function. Permissions are assigned to roles, such as Payroll Clerk or HR Manager, and users inherit permissions by being placed in those roles. Discretionary access control (DAC) lets resource owners decide who can access their objects, which the scenario specifically does not want. Mandatory access control (MAC) relies on centrally enforced labels or classifications, such as clearance levels and data sensitivity labels, which are not the deciding factor here. The key distinction is that RBAC maps access to organizational responsibilities rather than individual owner choices or formal classification labels.

  • Owner-controlled access is DAC, but the requirement says individual file owners should not decide access.
  • Classification labels point to MAC, but the scenario does not use formal labels or clearances.
  • Per-user lists can work at small scale, but they are weaker than job-function roles for consistent HR access.

Question 73

Topic: Security Principles

A small company identifies a high risk that an unpatched internet-facing remote access server could be exploited. Management wants the action that best reduces the likelihood of the risk occurring while keeping remote work available. Which action is the BEST fit?

Options:

  • A. Restore last month’s backup of the server

  • B. Apply the security patch and verify the server is updated

  • C. Document the risk for the next quarterly review

  • D. Buy cyber insurance for remote access incidents

Best answer: B

Explanation: Risk treatment should match the stated risk and the desired effect. Here, the risk is exploitation of a known weakness on an internet-facing remote access server, and the goal is to reduce likelihood while keeping the service available. Applying and verifying the security patch is a risk mitigation action because it addresses the vulnerability that makes the exploit more likely. Insurance may transfer some financial impact, and documentation supports governance, but neither lowers the chance of exploitation. Restoring a backup is mainly a recovery action after a failure or incident, not a preventive treatment for an unpatched system.

  • Insurance transfer may reduce financial impact, but it does not reduce the likelihood of the server being exploited.
  • Delayed review records the issue, but postponing action leaves the high-risk exposure in place.
  • Backup restoration supports recovery, but it does not address the current vulnerability unless the restored system is also patched.

Question 74

Topic: Identity and Access Management Concepts

A company requires multi-factor authentication for all users. During an access review, a help desk technician is found to have authenticated successfully and then downloaded payroll reports, even though the technician’s job duties do not require payroll access. Which control best addresses the issue?

Options:

  • A. Add a second MFA method for payroll access

  • B. Remove the payroll permission from the technician’s role

  • C. Require a longer password for the technician

  • D. Install a camera near the technician’s workstation

Best answer: B

Explanation: Authentication proves the user is who they claim to be; authorization determines what that authenticated user is allowed to access. In this scenario, MFA worked, but the technician still had access to payroll reports outside their job duties. The best control is to correct the user’s authorization scope by removing unneeded permissions or adjusting role-based access. Stronger authentication would reduce the chance of account misuse, but it would not fix excessive access granted to a legitimate user. The key takeaway is to match permissions to job need after identity is verified.

  • Stronger password addresses authentication strength, not the technician’s unnecessary payroll authorization.
  • More MFA may protect sign-in, but it still allows an authenticated technician to access payroll if permissions remain unchanged.
  • Physical monitoring does not correct logical access rights to sensitive reports.
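Questions 72 and 74 both turn on the same mechanics: permissions attach to roles, users inherit them through role membership, and a successful MFA sign-in says nothing about what the account may then do. The following is an added example, not code from the IT Mastery page, that models both scenarios. The role names, permissions and user names are constructed; the help desk role deliberately starts with the excessive payroll grant from Question 74 so the fix can be shown.

```python
"""Authentication vs. authorization in a role-based model.

Added example, not code from the IT Mastery page. It models the Question 72
and 74 scenarios: permissions hang off roles, users inherit them by role
membership, and a successful MFA sign-in says nothing about what the account
may do. Role names, permissions and user names are constructed.
"""
from copy import deepcopy

# Constructed role -> permission mapping. The help desk role starts with an
# excessive 'payroll:read' grant, which is the misconfiguration in Question 74.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "payroll_clerk": {"payroll:read", "payroll:update"},
    "hr_manager": {"payroll:read", "employee:read", "employee:update"},
    "benefits_analyst": {"benefits:read", "employee:read"},
    "help_desk": {"ticket:read", "ticket:update", "payroll:read"},
}

# Constructed user -> roles mapping.
USER_ROLES: dict[str, set[str]] = {
    "tech01": {"help_desk"},
    "clerk01": {"payroll_clerk"},
}


def authenticate(user: str, mfa_passed: bool) -> bool:
    """Identity step only: a known user whose factors were verified."""
    return user in USER_ROLES and mfa_passed


def effective_permissions(user: str, role_permissions: dict[str, set[str]]) -> set[str]:
    """A user's permissions are the union of the permissions of their roles."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def authorize(user: str, permission: str, role_permissions: dict[str, set[str]]) -> bool:
    """Authorization step: is the requested permission in the user's effective set?"""
    return permission in effective_permissions(user, role_permissions)


def request_access(user: str, mfa_passed: bool, permission: str,
                   role_permissions: dict[str, set[str]]) -> str:
    """Run both steps in order and report which one stopped the request."""
    if not authenticate(user, mfa_passed):
        return "denied: authentication"
    if not authorize(user, permission, role_permissions):
        return "denied: authorization"
    return "granted"


def remove_permission_from_role(role: str, permission: str,
                                role_permissions: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return a corrected copy of the role map with one grant removed (the Question 74 fix)."""
    fixed = deepcopy(role_permissions)
    fixed[role].discard(permission)
    return fixed


if __name__ == "__main__":
    # The problem: MFA succeeds and the technician still reaches payroll.
    print(request_access("tech01", True, "payroll:read", ROLE_PERMISSIONS))   # granted
    # The fix is on the authorization side, not the authentication side.
    fixed = remove_permission_from_role("help_desk", "payroll:read", ROLE_PERMISSIONS)
    print(request_access("tech01", True, "payroll:read", fixed))              # denied: authorization
    print(request_access("tech01", False, "ticket:read", fixed))              # denied: authentication
```

Adding a second MFA factor would only change what `authenticate` checks; the technician would still pass it and still be granted `payroll:read`. Removing the grant from the role corrects every member of that role at once, which is the consistency benefit RBAC has over per-user lists in Question 72.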

Question 75

Topic: Security Principles

A small company requires MFA for all administrative access. One legacy server management console does not support MFA, and replacing it will take 3 months. Administrators still need limited access during that period. What is the BEST compensating control?

Options:

  • A. Document the exception and allow direct access until replacement

  • B. Restrict console access to a VPN jump host and log admin sessions

  • C. Remove all administrator access until the system is replaced

  • D. Disable password changes to avoid lockouts during the transition

Best answer: B

Explanation: A compensating control is an alternate safeguard used when the preferred control cannot be implemented immediately. It should reduce the same risk as much as practical without blocking required business operations. In this case, MFA is the preferred control for administrative access, but the legacy console cannot support it yet. Restricting access through a VPN jump host limits who can reach the console, and session logging improves accountability and detection. The control does not fully replace MFA, but it provides a reasonable temporary risk reduction until the system is replaced.

  • Exception only fails because documentation does not reduce the access risk by itself.
  • Access removal may be secure, but it does not fit the stated need for administrators to retain limited access.
  • Password freeze weakens account hygiene and does not address unauthorized administrative access.

Questions 76-100

Question 76

Topic: Security Governance

A company’s main office loses power after a severe storm. The customer support application is still running in the cloud, but office staff cannot work from the building. Leadership’s goal is to keep critical support services operating during the outage. Which action is the BEST fit?

Options:

  • A. Start the disaster recovery plan to rebuild the cloud application

  • B. Begin a forensic investigation of the office power failure

  • C. Restore the application from the most recent backup

  • D. Activate the business continuity plan for alternate work arrangements

Best answer: D

Explanation: Business continuity planning addresses how the organization continues essential operations when normal working conditions are disrupted. In this scenario, the application is still available, but the office facility is unavailable, so the priority is alternate work arrangements, staffing, communications, and continuity of customer support. Disaster recovery planning is narrower and focuses on restoring failed IT systems, applications, data, or infrastructure after an outage or loss. Because the cloud application is not described as failed, rebuilding or restoring it does not match the main need.

The key distinction is continuity of business service versus recovery of failed technology.

  • Rebuilding the application fits disaster recovery only if the cloud application or infrastructure has failed.
  • Restoring from backup addresses data or system recovery, but the stem says the application is still running.
  • Forensic investigation is not the best first fit because there is no indication of a security incident or suspicious cause.

Question 77

Topic: Security Operations and Incident Response

A company is updating how it stores several file shares. General project notes can remain available to all employees, but payroll records and customer personal information must be encrypted, access-restricted, and retained according to legal requirements. Which concept best explains why the handling requirements change?

Options:

  • A. Physical penetration testing

  • B. Data classification and handling

  • C. Vulnerability scanning

  • D. Network address translation

Best answer: B

Explanation: Data classification and handling links the type and value of information to the protections it requires. Sensitive, regulated, or business-critical data usually needs stricter handling than routine internal information, such as stronger access limits, encryption, approved storage locations, retention rules, and secure disposal. In this case, payroll records and customer personal information have higher sensitivity and possible legal obligations, so they require different controls than general project notes.

The key takeaway is that handling requirements should follow the data’s classification, not just where the files are stored.

  • Vulnerability scanning identifies technical weaknesses; it does not decide how data should be labeled, retained, or protected.
  • Network address translation changes how IP addresses are presented across networks; it is not a data handling practice.
  • Physical penetration testing checks physical security weaknesses; it does not define storage or access requirements for sensitive records.

Question 78

Topic: Networking and Cloud Security Concepts

A junior analyst is asked to verify whether recent connection attempts from an external IP address were blocked by the perimeter firewall and to identify which rule handled the traffic. Which concept best supports this investigation and validation need?

Options:

  • A. Application whitelisting

  • B. Port forwarding

  • C. Firewall logging

  • D. Network address translation

Best answer: C

Explanation: Firewall logging records traffic decisions made by a firewall, such as whether a connection was allowed or denied, when it occurred, source and destination information, ports or protocols, and sometimes the rule that matched. In this scenario, the analyst needs evidence to validate that the firewall blocked specific attempts and to support an investigation. Reviewing firewall logs is the appropriate concept because it provides observable records of firewall behavior rather than just changing traffic flow or permitting applications.

The key takeaway is that firewall logging supports investigation, troubleshooting, and control validation when the question asks for evidence of firewall decisions.

  • Port forwarding changes how inbound traffic reaches an internal service; it does not primarily provide evidence of blocked attempts.
  • Network address translation rewrites IP address information for routing or address conservation; it is not the investigation record.
  • Application whitelisting controls which software may run on a system; it does not validate perimeter firewall rule matches.
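The validation task in this question (were attempts from one external address denied, and which rule matched) is exactly what a firewall log review produces. The following is an added example, not code from the IT Mastery page. It parses a constructed key=value log format, which is an assumption rather than any vendor's format, and all addresses are constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Validating firewall decisions from log records.

Added example, not code from the IT Mastery page. It parses a constructed
key=value firewall log (the format is an assumption, not any vendor's) and
answers the Question 78 task: were attempts from a given external address
denied, and which rule matched. All addresses come from the documentation
ranges 203.0.113.0/24 and 198.51.100.0/24 and are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: ISO timestamp followed by key=value fields.
SAMPLE_FIREWALL_LOG = """\
2024-03-10T02:14:07Z action=DENY rule=deny-inbound-rdp src=203.0.113.45 dst=198.51.100.10 proto=tcp dport=3389
2024-03-10T02:14:09Z action=DENY rule=deny-inbound-rdp src=203.0.113.45 dst=198.51.100.10 proto=tcp dport=3389
2024-03-10T02:15:01Z action=ALLOW rule=allow-web src=203.0.113.45 dst=198.51.100.20 proto=tcp dport=443
2024-03-10T02:15:30Z action=ALLOW rule=allow-web src=198.51.100.77 dst=198.51.100.20 proto=tcp dport=443
2024-03-10T02:16:12Z action=DENY rule=default-deny src=203.0.113.45 dst=198.51.100.30 proto=tcp dport=22
"""


@dataclass(frozen=True)
class FirewallRecord:
    timestamp: str
    action: str
    rule: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_record(line: str) -> FirewallRecord:
    """Parse one line; raise ValueError on a malformed record rather than guessing."""
    timestamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    try:
        return FirewallRecord(timestamp, kv["action"], kv["rule"], kv["src"],
                              kv["dst"], kv["proto"], int(kv["dport"]))
    except KeyError as missing:
        raise ValueError(f"missing field {missing} in: {line!r}") from None


def parse_log(log_text: str) -> list[FirewallRecord]:
    """Parse every non-empty line of the log."""
    return [parse_record(line) for line in log_text.splitlines() if line.strip()]


def decisions_for_source(records: list[FirewallRecord], src: str) -> Counter:
    """Count (action, rule) pairs for all traffic logged from one source address."""
    return Counter((r.action, r.rule) for r in records if r.src == src)


def was_blocked(records: list[FirewallRecord], src: str, dst: str, dport: int) -> tuple[bool, set[str]]:
    """True only if every logged attempt from src to dst:dport was denied.

    Also returns the set of rules that handled those attempts. An empty log
    is reported as not blocked: absence of records is not evidence that the
    firewall dropped anything.
    """
    matches = [r for r in records if r.src == src and r.dst == dst and r.dport == dport]
    if not matches:
        return False, set()
    return all(r.action == "DENY" for r in matches), {r.rule for r in matches}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_FIREWALL_LOG)
    print(decisions_for_source(recs, "203.0.113.45"))
    print(was_blocked(recs, "203.0.113.45", "198.51.100.10", 3389))
```

For the sample source address the summary shows two denials by `deny-inbound-rdp`, one denial by `default-deny` and one allow by `allow-web`, so the analyst can state which attempts were blocked and by which rule, and can also see that the same address was permitted to the web server. That allow is the kind of finding a log review surfaces that a rule listing alone would not.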

Question 79

Topic: Security Principles

During a routine review, an analyst finds that the approved procedure requires terminated user accounts to be disabled within 24 hours. In practice, one department waits for a weekly HR report, leaving some accounts active for several days. Which response is most appropriate?

Options:

  • A. Delete the accounts without following the process

  • B. Ignore the issue if no misuse is observed

  • C. Document the gap and escalate for corrective action

  • D. Treat the weekly process as the new procedure

Best answer: C

Explanation: When documented policy or procedure does not match observed practice, the safest response is to document the gap and escalate it through the proper governance or operational channel. The organization can then bring the practice back into compliance, update the procedure if the business need is valid, or approve a formal exception with risk acceptance. Informal practice should not override approved documentation, especially for access removal after termination, where delay can create avoidable security risk. The key point is controlled correction, not silent acceptance or unauthorized action.

  • Informal procedure fails because a repeated local habit does not replace an approved procedure.
  • No observed misuse fails because policy compliance is required even before harm is detected.
  • Unauthorized deletion fails because corrective action should follow approved ownership and change processes.

Question 80

Topic: Security Governance

A regional clinic depends on an online scheduling system. Leadership wants staff to keep urgent appointments moving during a prolonged system outage, know who makes decisions, and know how updates will be shared. Which action is the best fit?

Options:

  • A. Document a business continuity plan section

  • B. Run a vulnerability scan on the system

  • C. Replace the incident response plan

  • D. Encrypt the scheduling database backups

Best answer: A

Explanation: Business continuity planning focuses on keeping critical business functions operating during disruption. In this scenario, the clinic needs decision roles, communication paths, service priorities, and manual workarounds so urgent scheduling can continue while the online system is unavailable. Those details belong in a business continuity plan because they guide people and processes during an outage, not just technical recovery. Disaster recovery may address restoring the scheduling system, but continuity planning addresses how the clinic continues essential work until normal service returns.

  • Incident response focuses on handling security incidents, not replacing continuity guidance for routine business operations during an outage.
  • Backup encryption protects stored backup data but does not tell staff how to operate manually.
  • Vulnerability scanning may find weaknesses, but it does not define roles, priorities, or communication during disruption.

Question 81

Topic: Security Governance

A department file share became corrupted at 10:00 a.m., and the corruption has already synchronized to the redundant file server. The business need is to restore usable files as quickly as possible, and a verified backup from 2:00 a.m. is available. Which action is the BEST fit?

Options:

  • A. Restore the verified 2:00 a.m. backup

  • B. Replace the failed storage hardware

  • C. Increase backup frequency after the incident

  • D. Fail over to the redundant file server

Best answer: A

Explanation: Disaster recovery actions should match the stated recovery need. In this scenario, the need is to restore usable data, and the redundant server is not a clean recovery point because corruption has already synchronized to it. A verified backup from before the corruption provides a known good copy of the files. Redundancy helps maintain service availability, but it does not replace backups when bad data, deletion, or corruption is replicated. The key takeaway is to recover from a trusted point before the damaging event.

  • Redundant failover fails because the standby server already has the same corrupted files.
  • Hardware replacement may fix a device problem, but it does not restore clean data.
  • Future backup changes may improve resilience later, but they do not meet the immediate recovery need.

Question 82

Topic: Security Operations and Incident Response

A company completed a tabletop exercise for its Incident Response Plan (IRP). Management wants evidence that the exercise produced actionable follow-up, not just proof that the meeting occurred. Which artifact best meets this requirement?

Options:

  • A. Exercise slide deck

  • B. Participant sign-in sheet

  • C. After-action report with owners and target dates

  • D. Calendar invite for the exercise

Best answer: C

Explanation: Incident response exercises should produce findings that lead to corrective actions. The strongest evidence is an after-action report or improvement plan that documents gaps, lessons learned, assigned action owners, and target completion dates. This turns observations from the tabletop into trackable work. Attendance records, invitations, and presentation materials may prove the exercise was planned or held, but they do not show that the organization identified improvements or assigned follow-up responsibilities. The key is whether the artifact supports accountability and progress tracking after the exercise.

  • Attendance proof shows who participated, but it does not identify gaps or corrective actions.
  • Presentation materials support exercise delivery, but they do not prove lessons were converted into follow-up tasks.
  • Scheduling evidence shows the event was arranged, but it provides no evidence of outcomes or accountability.

Question 83

Topic: Security Governance

A small company must show auditors how its security controls support privacy requirements, who owns each control, and which risks remain open. The security manager wants a structured reference to organize these activities consistently across teams. Which GRC concept best fits this need?

Options:

  • A. Incident response plan

  • B. Password standard

  • C. Security framework

  • D. Firewall rule set

Best answer: C

Explanation: A security framework helps an organization structure its governance, risk, and compliance work. It can provide a common way to organize controls, map them to requirements, assign responsibilities, track risk treatment, and gather evidence for audits. Frameworks do not usually prescribe every operational step; they give a structured model that teams can adapt to the organization’s needs. In this scenario, the key need is consistent organization across controls, risks, owners, and compliance obligations, which points to a framework rather than a single technical control or procedure.

  • Incident planning focuses on preparing for and responding to security incidents, not organizing broad GRC activities.
  • Password rules define one specific identity-related requirement, not an overall structure for risks and controls.
  • Firewall rules are technical configurations, not a governance model for compliance and responsibility mapping.

Question 84

Topic: Security Governance

A GRC review checks whether a required backup restoration control operates each quarter. The control owner says the test was completed but cannot provide a ticket, report, log, or other evidence. What is the best entry-level action?

Options:

  • A. Replace the backup control with a new policy

  • B. Log a control deficiency and request remediation evidence

  • C. Accept the control owner’s verbal confirmation

  • D. Remove the control from the compliance scope

Best answer: B

Explanation: In GRC work, a required control must have evidence that shows it exists and operates as intended. If the control owner cannot provide objective evidence, the entry-level action is to document the issue as a control deficiency or finding, then request remediation and supporting evidence through the normal GRC process. This does not prove the backup failed, but it does mean the organization cannot demonstrate control operation for the review period. Verbal assurance is not enough for control testing or compliance reporting.

  • Verbal confirmation fails because control reviews rely on objective evidence, not informal assurance.
  • Removing scope is inappropriate because a reviewer should not delete a required control to avoid a finding.
  • Replacing the policy skips the immediate governance need, which is to document and remediate the evidence gap.

Question 85

Topic: Identity and Access Management Concepts

A help desk analyst receives a deprovisioning request for an employee who was terminated after suspected data misuse. The security team needs the employee’s access removed immediately, and company policy requires account activity records to be available for audit. What is the best action?

Options:

  • A. Delete the account and purge its logs

  • B. Disable the account and preserve related records

  • C. Reset the password and leave the account enabled

  • D. Rename the account for reuse by another employee

Best answer: B

Explanation: In deprovisioning, disabling an account is usually the safer immediate action when investigation or audit evidence may be needed. It prevents the former user from authenticating while preserving account identifiers, group memberships, timestamps, audit logs, mailbox data, and other records that can help investigators reconstruct activity. Deleting an account too early can break the link between actions and the identity that performed them, and purging logs may violate retention or audit requirements. The key distinction is access removal versus evidence destruction: remove access promptly, but preserve relevant records according to policy.

  • Deleting and purging fails because it removes the evidence the security team and auditors may need.
  • Password reset only fails because the account remains enabled and could still be misused through existing sessions or alternate access paths.
  • Account reuse fails because it weakens accountability by mixing one person’s identity history with another person’s access.

Question 86

Topic: Security Operations and Incident Response

A company recently updated its Incident Response Plan (IRP). The security manager wants the response team, legal, communications, and business leaders to practice their roles and decision-making during a simulated ransomware incident without touching production systems. Which control best meets this requirement?

Options:

  • A. Deploy additional endpoint monitoring

  • B. Perform a full system restore

  • C. Conduct a tabletop exercise

  • D. Run a vulnerability scan

Best answer: C

Explanation: A tabletop exercise is an administrative incident response exercise used to discuss a simulated incident and validate how people apply the IRP. It focuses on roles, escalation paths, communications, approvals, and decision-making. Because the company wants to practice a ransomware response without touching production systems, a discussion-based tabletop is the best fit. Technical controls such as scanning, restoring systems, or deploying monitoring may support security operations, but they do not primarily test whether stakeholders understand their responsibilities during an incident.

  • Vulnerability scanning identifies technical weaknesses, but it does not rehearse incident roles or business decisions.
  • System restore tests recovery capability, not cross-functional decision-making during a simulated incident.
  • Endpoint monitoring improves detection visibility, but it does not validate the IRP through role-based practice.

Question 87

Topic: Identity and Access Management Concepts

A contractor needs access to a project file repository for a 3-week engagement. The access is broader than the contractor normally receives, and the project manager has approved it only for this engagement. Which control best supports secure provisioning?

Options:

  • A. Grant permanent access after approval

  • B. Grant access with an expiration date

  • C. Move the repository to a separate network

  • D. Require a longer password

Best answer: B

Explanation: Temporary access should be time-bound or scheduled for follow-up review. In this scenario, the contractor has a defined 3-week business need and broader-than-normal permissions. Adding an expiration date directly controls the IAM lifecycle risk: access that was appropriate for a short engagement could become excessive if it remains after the work ends. If automatic expiration is not available, a documented follow-up access review by the access owner is the next best approach.

Password strength and network placement may be useful controls in other situations, but they do not address the temporary nature of the authorization.

  • Permanent access ignores the limited business need and can leave unnecessary privileges active.
  • Password change strengthens authentication but does not remove excess authorization after 3 weeks.
  • Network separation is a broader architecture control and does not manage the contractor’s temporary permissions.

Question 88

Topic: Networking and Cloud Security Concepts

A small clinic uses Wi-Fi for staff tablets. A recent walk-through found that the clinic’s SSID has a strong signal in the public parking lot, where non-employees can sit without entering the building. Ethernet jacks and network closets are already in badge-controlled areas. Which action is the BEST fit for the identified concern?

Options:

  • A. Adjust AP placement and transmit power

  • B. Lock the network closets

  • C. Replace patch cables with shorter cables

  • D. Disable unused Ethernet wall jacks

Best answer: A

Explanation: Wireless networks create an exposure that wired networks usually do not: the signal can extend beyond walls and controlled physical space. In this scenario, the problem is not that someone can reach a cable or network closet; those wired access points are already physically controlled. The visible issue is that someone outside the clinic can receive the Wi-Fi signal from the parking lot and attempt to connect. Adjusting access point location, antenna direction, or transmit power helps keep usable coverage closer to the intended area. Authentication and encryption are still important, but the best fit for the stated concern is reducing unnecessary wireless signal exposure.

  • Ethernet jacks are a wired physical access concern, but the stem says wired access is already in badge-controlled areas.
  • Network closets should be locked, but that control does not reduce a Wi-Fi signal reaching the parking lot.
  • Shorter patch cables do not meaningfully control wireless coverage or outside signal exposure.

Question 89

Topic: Networking and Cloud Security Concepts

A manufacturing plant uses a programmable controller to run a safety-critical conveyor line. The controller uses an older embedded operating system, must run continuously, and the vendor warns that untested endpoint agents can interrupt operations. Which control is the best fit for this asset?

Options:

  • A. Apply the office laptop patch policy with forced restarts

  • B. Run frequent aggressive vulnerability scans during production

  • C. Install the standard office EDR agent with automatic remediation

  • D. Segment it on an OT network with vendor-approved change controls

Best answer: D

Explanation: Industrial Control Systems (ICS) are not ordinary office endpoints when they control physical processes, require continuous operation, or depend on vendor-certified configurations. The main concern is not only confidentiality of data, but also availability, safety, and process integrity. A better control is to isolate the ICS in an operational technology (OT) segment and make changes only after vendor approval, testing, and planned maintenance. Standard office controls such as automatic remediation, forced restarts, or aggressive scans can disrupt production or create safety risk. The key takeaway is to protect ICS with controls designed for operational reliability, not with endpoint defaults meant for office computers.

  • Standard EDR can be valuable on office systems, but automatic actions may interrupt a controller that runs a physical process.
  • Forced restarts are inappropriate when continuous operation and safety-critical availability are required.
  • Aggressive scanning can overload or disrupt fragile embedded or control-system devices during production.

Question 90

Topic: Security Governance

A security governance dashboard shows that the number of unresolved access-review exceptions has increased for three consecutive months and now exceeds the risk tolerance set by management. Which concept does this example best represent?

Options:

  • A. Key Risk Indicator (KRI)

  • B. Service Level Agreement (SLA)

  • C. Procedure

  • D. Key Performance Indicator (KPI)

Best answer: A

Explanation: A Key Risk Indicator (KRI) is a governance metric used to warn that risk is increasing or may exceed the organization’s tolerance. In this case, repeated access-review exceptions are trending upward and have crossed a management-defined threshold, so the metric is not just reporting activity. It is signaling elevated risk that may require review, treatment, or escalation.

A KPI usually measures performance against an objective, while a KRI focuses on exposure to risk. The key clue is the combination of a trend, a threshold, and risk tolerance.

  • KPI confusion fails because a KPI measures performance or progress, not primarily increasing risk exposure.
  • SLA confusion fails because an SLA defines expected service levels between parties, not a governance risk signal.
  • Procedure confusion fails because a procedure gives step-by-step instructions rather than reporting a risk trend.

Question 91

Topic: Networking and Cloud Security Concepts

A company allows any device connected to its office LAN to reach internal applications because the network is considered trusted. Security staff want to reduce this unnecessary risk by requiring verification of users, devices, and access needs before allowing each connection. Which concept best matches this response?

Options:

  • A. Network address translation

  • B. Single sign-on

  • C. Warm site

  • D. Zero Trust

Best answer: D

Explanation: Zero Trust (ZT) is the concept that directly addresses the risky assumption that anything inside the internal network should be trusted. Instead of granting broad access because a user or device is on the LAN, ZT verifies identity, device posture, and authorization for the requested resource. It also supports least privilege, segmentation, and ongoing evaluation of access decisions.

The key takeaway is that internal location alone should not be treated as proof of trust.

  • Network translation changes addressing behavior but does not verify users, devices, or access need.
  • Single sign-on can simplify authentication, but it does not by itself remove implicit trust in the internal network.
  • Warm site is a disaster recovery facility concept, not a network trust model.

Question 92

Topic: Security Principles

A company portal asks a user to enter a password and approve a mobile prompt before the portal checks which records the user may view. Which security concept is being performed first?

Options:

  • A. Authentication

  • B. Authorization

  • C. Non-repudiation

  • D. Accounting

Best answer: A

Explanation: Authentication is the AAA function that verifies an entity is who or what it claims to be. In the portal example, the password and mobile approval are used to validate the user’s identity before the system evaluates permissions. After authentication succeeds, authorization can determine which records the user may access, and accounting can record activity for audit purposes. The key takeaway is sequence: verify identity first, then decide allowed access.

  • Authorization applies after identity is verified and determines what the authenticated entity is allowed to do.
  • Accounting records activity such as logins, access attempts, or changes, but it does not verify identity.
  • Non-repudiation supports proof that an action cannot reasonably be denied later, not initial identity verification.

Question 93

Topic: Security Principles

A contractor needs access to an internal ticketing system. Company policy says access rights can be evaluated only after the person is verified as an approved user. Which action is the BEST fit before access is considered?

Options:

  • A. Authenticate the contractor using approved credentials

  • B. Record the contractor’s ticket activity

  • C. Encrypt the contractor’s network connection

  • D. Assign the contractor the least-privilege role

Best answer: A

Explanation: Authentication is the AAA function used to verify that an entity is who or what it claims to be before access is granted or evaluated. In this scenario, the policy requires the person to be verified first, so the immediate need is authentication, such as approved credentials or MFA. After that, authorization can determine what the contractor is allowed to do. Accounting can record activity, and encryption can protect data in transit, but neither verifies the user’s identity.

  • Least privilege is an authorization decision that should happen after identity is verified.
  • Activity logging supports accounting and auditing, but it does not prove identity before access.
  • Connection encryption protects confidentiality in transit, but it does not authenticate the user for access decisions.

Question 94

Topic: Security Operations and Incident Response

A support team is preparing a file that contains customer names, email addresses, and government-issued identification numbers. The organization’s labeling standard defines Restricted as regulated or highly sensitive data requiring the strongest handling, Confidential as sensitive business data, Internal as routine company data, and Public as approved for open release. Which label should be applied?

Options:

  • A. Confidential

  • B. Public

  • C. Internal

  • D. Restricted

Best answer: D

Explanation: Data classification labels should match the highest sensitivity of the information in the dataset. When a file contains multiple data types, the most sensitive element usually drives the required label and handling controls. In this case, customer names and email addresses may already require protection, but government-issued identification numbers create a higher sensitivity level under the stated standard. Because the standard reserves Restricted for regulated or highly sensitive data requiring the strongest handling, that label is the best fit.

  • Confidential is too low because the file includes government-issued identification numbers, not only general sensitive business data.
  • Internal is inappropriate because routine company data does not cover highly sensitive customer identifiers.
  • Public fails because the file is not approved for open release and contains protected personal data.

Question 95

Topic: Networking and Cloud Security Concepts

A help desk ticket says an employee cannot open the payroll application. The network team confirms the workstation can reach the payroll server on the required HTTPS port through the firewall, and the browser shows an application message: "Access denied for this user." What is the best action?

Options:

  • A. Disable HTTPS inspection for the server

  • B. Move the server to a public subnet

  • C. Check the user’s application authorization

  • D. Open all outbound firewall ports

Best answer: C

Explanation: A firewall controls network reachability, such as whether traffic can reach a server on a specific port. It does not decide whether a user is allowed to use a function inside an application. In this scenario, the workstation can reach the payroll server over HTTPS, and the error comes from the application: "Access denied for this user." That points to application authorization, role assignment, or account entitlement rather than a blocked port. The key distinction is that successful network connectivity does not prove the user has permission inside the application.

  • Opening all ports increases exposure and does not address an application-level denial.
  • Disabling inspection is not supported by any certificate, proxy, or content-inspection error in the stem.
  • Public subnet move changes exposure and network placement, but the server is already reachable on the required port.

Question 96

Topic: Security Governance

A compliance team must prepare recurring reports for several control requirements. Evidence is currently collected by email in different formats, making it hard to prove that each control was reviewed consistently. Which 2026 CC concept best fits this need?

Options:

  • A. Network vulnerability scanner

  • B. Incident Response Plan (IRP)

  • C. KRI dashboard

  • D. GRC tool

Best answer: D

Explanation: GRC tools support governance, risk, and compliance activities by helping organizations collect evidence in a repeatable way, map it to controls, track owners and due dates, and produce compliance reports. In this scenario, the main problem is not discovering technical weaknesses or responding to an incident. The problem is inconsistent evidence collection for control reporting. A GRC tool or similar compliance management capability is the best concept match because it creates a structured system of record for audit and compliance evidence.

  • KRI dashboard focuses on risk indicators and trends, not collecting detailed control evidence in a consistent format.
  • IRP guides incident handling, containment, communication, and recovery, not routine compliance evidence collection.
  • Vulnerability scanner identifies technical weaknesses, but it does not manage broad compliance evidence and attestations across controls.

Question 97

Topic: Security Principles

A small company completed a risk assessment after adding multi-factor authentication to remote access. The remaining likelihood and impact are documented as residual risk. Management has a documented risk tolerance for remote-access disruption and fraud losses. What is the best action before accepting the residual risk?

Options:

  • A. Recalculate inherent risk and ignore residual risk

  • B. Transfer the risk to users who work remotely

  • C. Accept the risk because a control was implemented

  • D. Compare the residual risk to management’s risk tolerance

Best answer: D

Explanation: Risk tolerance and risk appetite define how much risk an organization is willing to accept while pursuing its objectives. After controls are applied, the remaining exposure is residual risk. The decision to accept that residual risk should be made by comparing it with the approved tolerance or appetite and obtaining appropriate management acceptance when it is within those limits. Implementing a control does not automatically make the remaining risk acceptable.

The key takeaway is that residual risk is a business decision, not just a technical finding.

  • Control implemented fails because adding MFA reduces risk but does not prove the remaining exposure is acceptable.
  • Transfer to users fails because risk ownership and acceptance remain with the organization, not individual users.
  • Ignore residual risk fails because the acceptance decision depends on the risk that remains after controls.

Question 98

Topic: Security Principles

A company stores customer contact details and payment records. A new project requirement says the company must handle customer requests to access or delete personal information within legally required time frames. Which governance source is most relevant for defining this obligation?

Options:

  • A. Applicable privacy law or regulation

  • B. Security awareness guideline

  • C. Internal password standard

  • D. Network segmentation procedure

Best answer: A

Explanation: Governance sources define where requirements come from and how binding they are. A requirement to honor customer access or deletion rights for personal information is a privacy compliance obligation, so the most relevant source is the applicable law or regulation. Internal policies, standards, guidelines, and procedures may support compliance, but they should align with the external legal requirement rather than replace it. The key is to match the source to the nature of the obligation: legal privacy rights come from laws or regulations.

  • Password standard addresses authentication requirements, not customer privacy rights.
  • Awareness guideline may educate employees, but it is not the authoritative source for legal privacy obligations.
  • Segmentation procedure is a technical operating step and does not define personal data rights.

Question 99

Topic: Networking and Cloud Security Concepts

A small clinic offers Wi-Fi for staff tablets. The access point still uses the factory-set network name and password, and anyone in the waiting room can connect without approval. Which concept best describes the risk created by this wireless configuration?

Options:

  • A. Static application testing

  • B. Network address translation

  • C. Data masking

  • D. Unauthorized wireless access

Best answer: D

Explanation: Wireless networks extend beyond physical walls, so weak configuration can create an unauthorized access risk. Default credentials, open networks, weak encryption, or shared passwords that are not controlled can allow nearby people to connect as if they were trusted users. In this scenario, the factory-set settings and lack of approval make the Wi-Fi easy for unauthorized users in the waiting room to access. Stronger configuration would include changing defaults, using appropriate encryption, limiting access to approved users, and separating guest traffic from internal systems.

  • Network address translation changes how IP addresses are represented across networks; it does not describe weak Wi-Fi access control.
  • Data masking protects sensitive data by obscuring values; it does not control who can join a wireless network.
  • Static application testing reviews application code without running it; it is unrelated to Wi-Fi configuration risk.

Question 100

Topic: Networking and Cloud Security Concepts

A company is moving an internal application to a hybrid cloud environment. Users should access only the application functions required for their job roles, and the security team wants each access request evaluated based on current identity and device signals. Which control combination is the BEST fit?

Options:

  • A. Role-based access, MFA, and device posture checks

  • B. Flat network access and annual password changes

  • C. Data backups and quarterly restore testing

  • D. Shared administrator accounts and VPN-only access

Best answer: A

Explanation: Zero Trust assumes no user, device, or network location is automatically trusted. For this scenario, least privilege is supported by assigning access based on job roles, while continuous verification is supported by checking factors such as MFA status and device posture before allowing or maintaining access. This creates a layered control approach that fits defense in depth: identity controls, access controls, and device-condition checks work together rather than relying only on a network boundary. VPN access can be useful, but it does not by itself prove that the user, device, or requested access is appropriate.

  • Flat access fails because it gives broad network reach and does not enforce least privilege or ongoing verification.
  • Shared admin accounts fail because they weaken accountability and make individual access decisions harder to verify.
  • Backup testing supports recovery, but it does not control user privileges or verify access requests.
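As an added example (not part of the original practice set or of IT Mastery's material), the access decision below applies the sequence and controls that the explanations for Questions 87, 92, 93 and 100 describe: verify identity first, then device posture, then authorize by job role or by a time-bound grant, and record every decision for accounting. The users, passwords, roles, resources and dates are constructed for the example; the salted SHA-256 helper is a stand-in for a real password hash, not a recommended scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data; every name, password and date below is hypothetical.
SALT = b"example-salt-not-for-production"


def hash_password(password: str) -> str:
    """Salted SHA-256 stand-in for a proper password hash (illustrative only)."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Identity store: password hash, MFA enrolment, and roles assigned by job function.
USERS = {
    "alice": {"pw": hash_password("correct horse"), "mfa": True, "roles": {"payroll_viewer"}},
    "contractor1": {"pw": hash_password("temp-pass"), "mfa": True, "roles": {"project_reader"}},
}

# Role -> permitted (resource, action) pairs: least privilege by job role.
ROLE_PERMISSIONS = {
    "payroll_viewer": {("payroll", "read")},
    "project_reader": {("project_repo", "read")},
}


@dataclass(frozen=True)
class Grant:
    """A time-bound exception grant, as in the contractor scenario (Question 87)."""
    username: str
    resource: str
    action: str
    expires_at: datetime


# The contractor's broader-than-normal write access ends with the 3-week engagement.
GRANTS = [Grant("contractor1", "project_repo", "write",
                datetime(2026, 1, 22, tzinfo=timezone.utc))]

# Constructed "current time" values: during the engagement and after it ended.
NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)
AFTER_ENGAGEMENT = datetime(2026, 2, 1, tzinfo=timezone.utc)

AUDIT_LOG: list = []   # accounting: every decision is recorded, allow or deny


def decide(username, password, mfa_approved, device_compliant,
           resource, action, now, grants=GRANTS):
    """Evaluate one access request; return (decision, stage, reason)."""
    def record(decision, stage, reason):
        AUDIT_LOG.append({"user": username, "resource": resource, "action": action,
                          "decision": decision, "stage": stage, "at": now.isoformat()})
        return decision, stage, reason

    # 1. Authentication: identity is verified before any permission is consulted.
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], hash_password(password)):
        return record("deny", "authentication", "invalid credentials")
    if user["mfa"] and not mfa_approved:
        return record("deny", "authentication", "mfa not approved")

    # 2. Device posture: a verified user on a non-compliant device is still denied.
    if not device_compliant:
        return record("deny", "device_posture", "device not compliant")

    # 3. Authorization: role permissions first, then any unexpired exception grant.
    if any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]):
        return record("allow", "authorization", "permitted by role")
    for g in grants:
        if (g.username, g.resource, g.action) == (username, resource, action):
            if now < g.expires_at:
                return record("allow", "authorization", "permitted by time-bound grant")
            return record("deny", "authorization", "grant expired")
    return record("deny", "authorization", "no matching role or grant")


if __name__ == "__main__":
    print(decide("alice", "correct horse", True, True, "payroll", "read", NOW))
    print(decide("contractor1", "temp-pass", True, True, "project_repo", "write", NOW))
    print(decide("contractor1", "temp-pass", True, True, "project_repo", "write", AFTER_ENGAGEMENT))
```

The same valid credentials produce an authorization-stage denial once the grant has expired, which is the distinction Question 95 draws between reaching an application and being permitted inside it.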

Continue in the web app

Use IT Mastery for interactive ISC2 Certified in Cybersecurity CC practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
