CC - Pre-Assessment Quiz-Answers

The document contains questions and answers about information security concepts. Question 1 asks for which system availability would be most important, and the answer is a medical system that monitors patient condition in an intensive care unit. Question 2 asks for an example of acceptance as a risk response, and placing a bet at a casino is the example given. Question 3 asks about providing non-repudiation by recording transactions.


Question 1 1 / 1 point

For which of the following systems would the security concept of availability probably be most
important? (D1, L1.1.1)

Question options:

A) Medical systems that store patient data
B) Retail records of past transactions
C) Online streaming of camera feeds that display historical works of art in museums around the world
D) Medical systems that monitor patient condition in an intensive care unit

Feedback:

D is correct. Information that reflects patient condition is data that necessarily must be kept
available in real time, because that data is directly linked to the patients' well-being (and possibly
their life). This is, by far, the most important of the options listed. A is incorrect because stored
data, while important, is not as critical to patient health as the monitoring function listed in
answer D. B is incorrect because retail transactions do not constitute a risk to health and human
safety. C is incorrect because displaying artwork does not reflect a risk to health and human
safety; also because the loss of online streaming does not actually affect the asset (the artwork in
the museum) in any way—the art will still be in the museum, regardless of whether the camera is
functioning.
Question 2 0 / 1 point
Sophia is visiting Las Vegas and decides to put a bet on a particular number on a roulette wheel.
This is an example of _________. (D1, L1.2.2)

Question options:

A) Acceptance
B) Avoidance
C) Mitigation
D) Transference

Feedback:

A is correct. Sophia is accepting the risk that the money will be lost, even though the likelihood
is high; Sophia has decided that the potential benefit (winning the bet), while low in likelihood,
is worth the risk. B is incorrect; if Sophia used avoidance, Sophia would not place the bet. C is
incorrect; mitigation involves applying a control to reduce the risk. There is no practical (or
legal) way to reduce the risk that Sophia will lose the bet. D is incorrect; if Sophia wanted to
transfer the risk, Sophia might ask some friends to each put up a portion of the bet, so that they
would all share the loss (or winnings) from the bet.
Question 3 1 / 1 point
A system that collects transactional information and stores it in a record in order to show which
users performed which actions is an example of providing ________. (D1, L1.1.1)

Question options:

A) Non-repudiation
B) Multifactor authentication
C) Biometrics
D) Privacy

Feedback:

A is correct. Non-repudiation is the concept that users cannot deny they have performed
transactions that they did, in fact, conduct. A system that keeps a record of user transactions
provides non-repudiation. B and C are incorrect because nothing in the question referred to
authentication at all. D is incorrect because non-repudiation does not support privacy (if
anything, non-repudiation and privacy are oppositional).
Question 4 1 / 1 point
The city of Grampon wants to ensure that all of its citizens are protected from malware, so the
city council creates a rule that anyone caught creating and launching malware within the city
limits will receive a fine and go to jail. What kind of rule is this? (D1, L1.4.1)

Question options:

A) Policy
B) Procedure
C) Standard
D) Law

Feedback:

D is correct. The city council is a governmental body making a legal mandate; this is a law. A is
incorrect; the rule is not a policy used by a specific organization, but instead applies to anyone
within the jurisdiction of the Grampon city council. B is incorrect; this rule is not a process to
follow. C is incorrect; this rule is not recognized outside the jurisdiction of the Grampon city
council.
Question 5 1 / 1 point
Zarma is an (ISC)² member and a security analyst for Triffid Corporation. One of Zarma's
colleagues is interested in getting an (ISC)² certification and asks Zarma what the test questions
are like. What should Zarma do? (D1, L1.5.1)

Question options:

A) Inform (ISC)²
B) Explain the style and format of the questions, but no detail
C) Inform the colleague's supervisor
D) Nothing

Feedback:

B is the best answer. It is all right to explain the format of the exam, and even to share your own
impressions of how challenging and difficult you found the exam to be. But in order to protect
the security of the test, and to adhere to the (ISC)² Code of Ethics ("advance and protect the
profession"), Zarma should not share any explicit information about details of the exam or reveal
any actual questions.
Question 6 1 / 1 point
Of the following, which would probably not be considered a threat? (D1, L1.2.1)

Question options:

A) Natural disaster
B) Unintentional damage to the system caused by a user
C) A laptop with sensitive data on it
D) An external attacker trying to gain unauthorized access to the environment

Feedback:

C is correct. A laptop, and the data on it, are assets, not threats. All the other answers are
examples of threats, as they all have the potential to cause adverse impact to the organization and
the organization's assets.
Question 7 1 / 1 point
Hoshi is an (ISC)² member who works for the Triffid Corporation as a data manager. Triffid
needs a new firewall solution, and Hoshi is asked to recommend a product for Triffid to acquire
and implement. Hoshi's cousin works for a firewall vendor; that vendor happens to make the best
firewall available. What should Hoshi do? (D1, L1.5.1)

Question options:

A) Recommend a different vendor/product
B) Recommend the cousin's product
C) Hoshi should ask to be recused from the task
D) Disclose the relationship, but recommend the vendor/product

Feedback:

D is the best answer. According to the third Canon of the (ISC)² Code of Ethics, members are
required to "provide diligent and competent service to principals." Hoshi's principal here is
Triffid, Hoshi's employer. It would be inappropriate for Hoshi to select the cousin's product
solely based upon the family relationship; however, if the cousin's product is, in fact, the best
choice for Triffid, then Hoshi should recommend that product. In order to avoid any appearance
of impropriety or favoritism, Hoshi needs to declare the relationship when making the
recommendation.
Question 8 0 / 1 point
The city of Grampon wants to know where all its public vehicles (garbage trucks, police cars,
etc.) are at all times, so the city has GPS transmitters installed in all the vehicles. What kind of
control is this? (D1, L1.3.1)

Question options:

A) Administrative
B) Entrenched
C) Physical
D) Technical

Feedback:

D is correct. A GPS unit is part of the IT environment, so this is a technical control. A is
incorrect. The GPS unit itself is not a rule or a policy or a process; it is part of the IT
environment, so D is a better answer. B is incorrect; "entrenched" is not a term commonly used
to describe a particular type of security control, and is used here only as a distractor. C is
incorrect; while a GPS unit is a tangible object, it is also part of the IT environment, and it does
not interact directly with other physical objects in order to prevent action, so "technical" is a
better descriptor, and D is a better answer.
Question 9 1 / 1 point
Steve is a security practitioner assigned to come up with a protective measure for ensuring cars
don't collide with pedestrians. What is probably the most effective type of control for this task?
(D1, L1.3.1)

Question options:

A) Administrative
B) Technical
C) Physical
D) Nuanced

Feedback:

C is correct. Physical controls, such as fences, walls and bollards, will be most likely to ensure
cars cannot collide with pedestrians by creating actual barriers between cars and pedestrians. A is
incorrect; administrative controls (such as signage and written directions) may be helpful in this
situation, but not as helpful as physical controls. B is incorrect because technical controls are
typically associated with IT environments and less practical for physical interactions; while
helpful, technical controls would most likely not be as useful as physical controls in this
situation. D is incorrect because "nuanced" is not a common type of security control, and the
word is only used here as a distractor.
Question 10 0 / 1 point
Triffid Corporation has a policy that all employees must receive security awareness instruction
before using email; the company wants to make employees aware of potential phishing attempts
that the employees might receive via email. What kind of control is this instruction? (D1, L1.3.1)

Question options:

A) Administrative
B) Finite
C) Physical
D) Technical

Feedback:

A is correct. Both the policy and the instruction are administrative controls; rules and governance
are administrative. B is incorrect; "finite" is not a term commonly used to describe a particular
type of security control, and is used here only as a distractor. C is incorrect; training is not a
tangible object, so this is not a physical control. D is incorrect; training is not part of the IT
environment, so it is not a technical control.
Question 11 0 / 1 point
Preenka works at an airport. There are red lines painted on the ground next to the runway;
Preenka has been instructed that nobody can step or drive across a red line unless they request,
and get specific permission from, the control tower. This is an example of a(n)______ control.
(D1, L1.3.1)

Question options:

A) Physical
B) Administrative
C) Critical
D) Technical

Feedback:

B is correct. The process of requesting and getting permission, and the painted signage, are
examples of administrative controls. A is incorrect; while the line is painted on the ground (and
the ground is a tangible object), the line does not actually act to prevent or control anything—the
line is a symbol and indicator; Preenka could easily walk across the line, if Preenka chose to do
so. C is incorrect; "critical" is not a term commonly used to describe a particular type of security
control, and is used here only as a distractor. D is incorrect; a painted line is not an IT system or
part of the IT environment.
Question 12 0 / 1 point
Triffid Corporation has a rule that all employees working with sensitive hardcopy documents
must put the documents into a safe at the end of the workday, where they are locked up until the
following workday. What kind of control is the process of putting the documents into the safe?
(D1, L1.3.1)

Question options:

A) Administrative
B) Tangential
C) Physical
D) Technical

Feedback:

A is the correct answer. The process itself is an administrative control; rules and practices are
administrative. The safe itself is physical, but the question asked specifically about process, not
the safe, so C is incorrect. Neither the safe nor the process is part of the IT environment, so this
is not a technical control; D is incorrect. B is incorrect; "tangential" is not a term commonly used
to describe a particular type of security control, and is used here only as a distractor.
Question 13 1 / 1 point
In risk management concepts, a(n) _________ is something a security practitioner might need to
protect. (D1, L1.2.1)

Question options:

A) Vulnerability
B) Asset
C) Threat
D) Likelihood

Feedback:

B is correct. An asset is anything with value, and a security practitioner may need to protect
assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms
associated with risk concepts, but are not things that a practitioner would protect.
Question 14 1 / 1 point
A vendor sells a particular operating system (OS). In order to deploy the OS securely on
different platforms, the vendor publishes several sets of instructions on how to install it,
depending on which platform the customer is using. This is an example of a ________. (D1,
L1.4.2)

Question options:

A) Law
B) Procedure
C) Standard
D) Policy

Feedback:

B is correct. This is a set of instructions to perform a particular task, so it is a procedure (several
procedures, actually—one for each platform). A is incorrect; the instructions are not a
governmental mandate. C is incorrect, because the instructions are particular to a specific
product, not accepted throughout the industry. D is incorrect, because the instructions are not
particular to a given organization.
Question 15 0 / 1 point
The Triffid Corporation publishes a policy that states all personnel will act in a manner that
protects health and human safety. The security office is tasked with writing a detailed set of
processes on how employees should wear protective gear such as hardhats and gloves when in
hazardous areas. This detailed set of processes is a _________. (D1, L1.4.1)

Question options:

A) Policy
B) Procedure
C) Standard
D) Law

Feedback:

B is correct. A detailed set of processes used by a specific organization is a procedure. A is
incorrect; the policy is the overarching document that requires the procedure be created and
implemented. C is incorrect. The procedure is not recognized and implemented throughout the
industry; it is used internally. D is incorrect; the procedure was created by Triffid Corporation,
not a governmental body.
Question 16 1 / 1 point
Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf
is asked whether Triffid is currently following a particular security practice. Olaf knows that
Triffid is not adhering to that standard in that particular situation, but that saying this to the
auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)

Question options:

A) Tell the auditors the truth
B) Ask supervisors for guidance
C) Ask (ISC)² for guidance
D) Lie to the auditors

Feedback:

A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly,
justly, responsibly" and also "advance and protect the profession." Both requirements dictate that
Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide
diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying
does not serve Triffid's best long-term interests, even if the truth has some negative impact in the
short term.
Question 17 1 / 1 point
Which of the following probably poses the most risk? (D1, L1.2.1)

Question options:

A) A high-likelihood, high-impact event
B) A high-likelihood, low-impact event
C) A low-likelihood, high-impact event
D) A low-likelihood, low-impact event

Feedback:

A is correct. An event that has a significant probability of occurring ("high-likelihood") and
also has a severe negative consequence ("high-impact") poses the most risk. The other answers
all pose less risk, because either the likelihood or impact is described as "low." This is not to say
that these risks can be dismissed, only that they are less significant than the risk posed by answer
A.
Question 18 1 / 1 point
Jengi is setting up security for a home network. Jengi decides to configure MAC address filtering
on the router, so that only specific devices will be allowed to join the network. This is an
example of a(n)_______ control. (D1, L1.3.1)

Question options:

A) Physical
B) Administrative
C) Substantial
D) Technical

Feedback:

This is a difficult question, because it may seem as if there are two possible answers: the router
enforces a set of rules as to which MAC addresses may be included on the network, so that
sounds like an administrative control. However, the router is an IT system, so that seems as if it
is a technical control. In fact, it is considered the latter. In general, it is best to consider the
matter this way: if it has a power cord, or electricity running through it, it's a technical control.
So D is the correct answer. A is incorrect; while the router is a tangible object, it does not act on
the physical realm, affecting other tangible objects; it's an electronic device that is part of the IT
environment. C is incorrect; "substantial" is not a term commonly used to describe a particular
type of security control, and is used here only as a distractor.
Question 19 1 / 1 point
Within the organization, who can identify risk? (D1, L1.2.2)

Question options:

A) The security manager
B) Any security team member
C) Senior management
D) Anyone

Feedback:

D is correct. Anyone within the organization can identify risk.
Question 20 0 / 1 point
Tina is an (ISC)² member and is invited to join an online group of IT security enthusiasts. After
attending a few online sessions, Tina learns that some participants in the group are sharing
malware with each other, in order to use it against other organizations online. What should Tina
do? (D1, L1.5.1)

Question options:

A) Nothing
B) Stop participating in the group
C) Report the group to law enforcement
D) Report the group to (ISC)²

Feedback:

B is the best answer. The (ISC)² Code of Ethics requires that members "protect society, the
common good, necessary public trust and confidence, and the infrastructure"; this would include
a prohibition against disseminating and deploying malware for offensive purposes. However, the
Code does not make (ISC)² members into law enforcement officers; there is no requirement to
get involved in legal matters beyond the scope of personal responsibility. Tina should stop
participating in the group, and perhaps (for Tina's own protection) document when participation
started and stopped, but no other action is necessary on Tina's part.
Question 21 0 / 1 point
Which of the following is likely to be included in the business continuity plan? (D2, L2.2.1)

Question options:

A) Alternate work areas for personnel affected by a natural disaster
B) The organization's strategic security approach
C) Last year's budget information
D) Log data from all systems

Feedback:

A is correct. The business continuity plan should include provisions for alternate work sites, if
the primary site is affected by an interruption, such as a natural disaster. B is incorrect; the
organization's strategic security approach should be included in the organization's security
policy. C is incorrect; budgetary information is not typically included in the business continuity
plan. D is incorrect; log data is not typically included in the business continuity plan.
Question 22 1 / 1 point
You are reviewing log data from a router; there is an entry that shows a user sent traffic through
the router at 11:45 am, local time, yesterday. This is an example of a(n) _______. (D2, L2.1.1)

Question options:

A) Incident
B) Event
C) Attack
D) Threat

Feedback:

An event is any observable occurrence within the IT environment (NIST SP 800-61 Rev 2 defines an
event as "any observable occurrence in a network or system"). While an event might be part of an
incident, attack, or threat, no other information about the event was given in the question, so B is
the correct answer.
Question 23 0 / 1 point
Which of the following are not typically involved in incident detection? (D2, L2.1.1)

Question options:

A) Users
B) Security analysts
C) Automated tools
D) Regulators

Feedback:

D is correct. Typically, regulators do not detect incidents, nor alert organizations to the existence
of incidents. All the other answers are often involved in incident detection.
Question 24 1 / 1 point
What is the goal of Business Continuity efforts? (D2, L2.2.1)

Question options:

A) Save money
B) Impress customers
C) Ensure all IT systems continue to operate
D) Keep critical business functions operational

Feedback:

D is correct. Business Continuity efforts are about sustaining critical business functions during
periods of potential interruption, such as emergencies, incidents, and disasters. A is incorrect;
Business Continuity efforts often require significant financial expenditures. B is incorrect;
Business Continuity efforts are important regardless of whether customers are impressed. C is
incorrect; Business Continuity efforts should focus specifically on critical business functions, not
the entire IT environment.
Question 25 1 / 1 point
What is the goal of an incident response effort? (D2, L2.1.1)

Question options:

A) No incidents ever happen
B) Reduce the impact of incidents on operations
C) Punish wrongdoers
D) Save money

Feedback:

B is correct. The overall incident response effort is to reduce the impact incidents might have on
the organization's operations. A is incorrect; there is no such thing as "zero risk" or "100%
security." C is incorrect; security practitioners are neither law enforcers nor superheroes. D is
incorrect; incident response efforts may actually cost the organization more money than the
impact of a given incident or set of incidents – "impact" can be measured in other ways than
monetary results.
Question 26 1 / 1 point
An attacker outside the organization attempts to gain access to the organization's internal files.
This is an example of a(n) ______. (D2, L2.1.1)

Question options:

A) Intrusion
B) Exploit
C) Disclosure
D) Publication

Feedback:

A is correct. An intrusion is an attempt (successful or otherwise) to gain unauthorized access. B
is incorrect; the question does not mention what specific attack or vulnerability was used. C and
D are incorrect; the organization did not grant unauthorized access or release the files.
Question 27 1 / 1 point
What is the risk associated with resuming full normal operations too soon after a DR effort? (D2,
L2.3.1)

Question options:

A) The danger posed by the disaster might still be present
B) Investors might be upset
C) Regulators might disapprove
D) The organization could save money

Feedback:

A is correct. Resuming full normal operations too soon after a disaster might mean personnel are
put in danger by whatever effects the disaster caused. B and C are incorrect because the feelings
of investors and regulators are not the primary concern of DR efforts. D is incorrect; saving
money is not a risk, it is a benefit.
Question 28 0 / 1 point
A human guard monitoring a hidden camera could be considered a ______ control. (D3, L3.2.1)

Question options:

A) Detective
B) Preventive
C) Deterrent
D) Logical

Feedback:

A is correct. The guard monitoring the camera can identify anomalous or dangerous activity; this
is a detective control. B is incorrect; neither the guard nor the camera is actually preventing any
activity before it occurs. C is incorrect; because the attacker is unaware of the guard and the
camera, there is no deterrent benefit. D is incorrect; the guard is a physical control.
Question 29 1 / 1 point
Which of the following statements is true? (D3, L3.3.1)

Question options:

A) Logical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls
B) Physical access controls can protect the IT environment perfectly; there is no reason to deploy any other controls
C) Administrative access controls can protect the IT environment perfectly; there is no reason to deploy any other controls
D) It is best to use a blend of controls in order to provide optimum security

Feedback:

The use of multiple types of controls enhances overall security. D is correct. A, B and C are all
incorrect, because no single type of control can provide adequate protection of an environment.
Question 30 1 / 1 point
In order for a biometric security system to function properly, an authorized person's physiological
data must be ______. (D3, L3.2.1)

Question options:

A) Broadcast
B) Stored
C) Deleted
D) Modified

Feedback:

B is correct. A biometric security system works by capturing and recording a physiological trait
of the authorized person and storing it for comparison whenever that person presents the same
trait in the future. A is incorrect; access control information should not be broadcast. C is
incorrect; if all biometric data is erased, the data cannot be used for comparison purposes to grant
access later. D is incorrect; biometric data should not be modified, or it may become useless for
comparison purposes.
Question 31 1 / 1 point
Network traffic originating from outside the organization might be admitted to the internal IT
environment or blocked at the perimeter by a ________. (D3, L3.2.1)

Question options:

A) Turnstile
B) Fence
C) Vacuum
D) Firewall

Feedback:

A firewall is a solution used to filter traffic between networks, including between the internal
environment and the outside world. D is the correct answer. A and B are incorrect; a turnstile and
a fence are physical access control mechanisms. C is incorrect; a vacuum does not affect network
traffic, and the term is used here only as a distractor.
Question 32 1 / 1 point
Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a
message appears stating that Suvid has to reset the password. What may have occurred to cause
this?

Question options:

A) Suvid broke the law
B) Suvid's password has expired
C) Suvid made the manager angry
D) Someone hacked Suvid's machine

Feedback:

Typically, users are required to reset passwords when the password has reached a certain age.
Permanent passwords are more likely to be compromised or revealed. B is the correct answer. A,
C and D are incorrect; these are not likely reasons to require password refresh.
Question 33 1 / 1 point
Which of the following is a biometric access control mechanism? (D3, L3.2.1)

Question options:

A) A badge reader
B) A copper key
C) A fence with razor tape on it
D) A door locked by a voiceprint identifier

Feedback:

D is correct. A lock that opens according to a person's voice is a type of biometric access control.
A, B and C are all access control mechanisms, but none of them are based on unique
physiological characteristics of a person, so they are not biometric systems.

Question 34 1 / 1 point
Gelbi is a Technical Support analyst for Triffid, Inc. Gelbi sometimes is required to install or
remove software. Which of the following could be used to describe Gelbi's account? (D3,
L3.1.1)

Question options:

A) Privileged
B) Internal
C) External
D) User

Feedback:

A is correct. This is the description of a privileged account; an account that typically needs
greater permissions than a basic user. B and C are incorrect; the question does not specify
whether Gelbi connects to the environment from within the network, or from outside. D is
incorrect; this is too vague—Gelbi is a user, but has permissions that are typically greater than
what basic users have.

Question 35 1 / 1 point
Which of the following roles does not typically require privileged account access? (D3, L3.1.1)

Question options:

A) Security administrator
B) Data entry professional
C) System administrator
D) Help Desk technician

Feedback:

B is correct. Data entry professionals do not usually need privileged access. A, C and D are all
incorrect; those are roles that typically need privileged access.
Question 36 1 / 1 point
Which of the following will have the most impact on determining the duration of log retention?
(D3, L3.2.1)

Question options:

A) Personal preference
B) Applicable laws
C) Industry standards
D) Type of storage media

Feedback:

B is correct. Laws will have the most impact on policies, including log retention periods, because
laws cannot be contravened. All the other answers may have some impact on retention periods,
but they will never have as much impact as applicable laws.
Question 37 1 / 1 point
Gary is unable to log in to the production environment. Gary tries three times and is then locked
out of trying again for one hour. Why? (D3, L3.3.1)

Question options:

A) Gary is being punished
B) The network is tired
C) Users remember their credentials if they are given time to think about it
D) Gary's actions look like an attack

Feedback:

Repeated login attempts can resemble an attack on the network; attackers might try to log in to a
user's account multiple times, using different credentials, in a short time period, in an attempt to
determine the proper credentials. D is correct. A is incorrect; security policies and processes are
not intended to punish employees. B is incorrect; IT systems do not get tired. C is incorrect; the
delay is not designed to help users remember credentials.
Question 38 0 / 1 point
Which of the following would be considered a logical access control?

Question options:

A) An iris reader that allows an employee to enter a controlled area
B) A fingerprint reader that allows an employee to enter a controlled area
C) A fingerprint reader that allows an employee to access a laptop computer
D) A chain attached to a laptop computer that connects it to furniture so it cannot be taken

Feedback:

Logical access controls limit who can gain user access to a device/system. C is the correct
answer. A, B and D are all physical controls, as they limit physical access to areas and assets.
Question 39 1 / 1 point
Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina
offers to log in for Doug, using Trina's credentials, so that Doug can get some work done.

What is the problem with this? (D3, L3.3.1)

Question options:

A) Doug is a bad person
B) If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance
C) Anything either of them do will be attributed to Trina
D) It is against the law

Feedback:

If two users are sharing one set of credentials, then the actions of both users will be attributed to
that single account; the organization will be unable to discern exactly who performed which
action, which can be troublesome if either user does something negligent or wrong. C is the
correct answer. A is incorrect; we don't know enough about Doug from the question. B is
incorrect; while true, getting Doug to remember credentials shouldn't be the priority of the
situation. D is incorrect; regardless of whether sharing credentials is against the law (and it might
or might not be, depending on the jurisdiction), the important point is that both users' actions
must be distinct.
Question 40 1 / 1 point
Prachi works as a database administrator for Triffid, Inc. Prachi is allowed to add or delete users,
but is not allowed to read or modify the data in the database itself. When Prachi logs onto the
system, an access control list (ACL) checks to determine which permissions Prachi has.

In this situation, what is the ACL? (D3, L3.1.1)

Question options:

A)

The subject

B)

The object

C)

The rule

D)

The firmware

Hide question 40 feedback


C is correct. The ACL, in this case, acts as the rule in the subject-object-rule relationship. It
determines what Prachi is allowed to do, and what Prachi is not permitted to do. A and B are
incorrect, because the ACL is the rule in this case. D is incorrect, because firmware is not
typically part of the subject-object-rule relationship, and the ACL is not firmware in any case.
Question 41 1 / 1 point
Which of the following is not an appropriate control to add to privileged accounts? (D3, L3.1.1)

Question options:

A)

Increased logging

B)

Multifactor authentication

C)

Increased auditing

D)

Security deposit

Hide question 41 feedback


D is correct. We typically do not ask privileged account holders for security deposits. A, B, and
C are incorrect; those are appropriate controls to enact for privileged accounts.
Question 42 1 / 1 point
Guillermo logs onto a system and opens a document file. In this example, Guillermo is: (D3,
L3.1.1)

Question options:

A)

The subject

B)

The object

C)

The process

D)

The software

Hide question 42 feedback


A is correct. Guillermo is the subject in this example. B is incorrect; in this example, the file is
the object. C is incorrect; in this example, the process is logging on and opening the file. D is
incorrect; in this example, the application used to open the file is the software.
Question 43 1 / 1 point
Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control
scheme for the company. Handel wants to ensure that employees transferring from one
department to another, getting promoted, or cross-training to new positions can get access to the
different assets they'll need for their new positions, in the most efficient manner. Which method
should Handel select? (D3, L3.3.1)

Question options:

A)

Role-based access controls (RBAC)

B)

Mandatory access controls (MAC)

C)

Discretionary access controls (DAC)

D)

Barbed wire

Hide question 43 feedback


RBAC is the most efficient way to assign permissions to users based on their job duties. A is the
correct answer. B and C are incorrect; MAC and DAC don't offer the same kind of efficiency in
this regard. D is incorrect; barbed wire is a physical control, and won't be useful in this context.
Question 44 0 / 1 point
Larry and Fern both work in the data center. In order to enter the data center to begin their
workday, they must both present their own keys (which are different) to the key reader, before
the door to the data center opens.

Which security concept is being applied in this situation? (D3, L3.1.1)

Question options:

A)

Defense in depth

B)

Segregation of duties

C)

Least privilege

D)

Dual control

Hide question 44 feedback


D is correct. This is an example of dual control, where two people, each with distinct
authentication factors, must be present to perform a function. A is incorrect; defense in depth
requires multiple controls protecting assets—there is no description of multiple controls in this
situation. B is incorrect; in segregation of duties, the parts of a given transaction are split among
multiple people, and the task cannot be completed unless each of them takes part. Typically, in
segregation of duties, the people involved do not have to take part simultaneously; their actions
can be spread over time and distance. This differs from dual control, where both people must be
present at the same time. C is incorrect; the situation described in the question does not reduce
the permissions of either person involved or limit their capabilities to their job function.
Question 45 0 / 1 point
Triffid, Inc., has many remote workers who use their own IT devices to process Triffid's
information. The Triffid security team wants to deploy some sort of sensor on user devices in
order to recognize and identify potential security issues. Which of the following is probably most
appropriate for this specific purpose? (D4.2 L4.2.2)

Question options:

A)

HIDS (host-based intrusion-detection systems)

B)

NIDS (network-based intrusion-detection systems)

C)

LIDS (logistical intrusion-detection systems)

D)

Firewalls

Hide question 45 feedback


Host-based intrusion-detection systems are expressly designed for this purpose; a HIDS is
installed on each endpoint machine. A is the correct answer. B is incorrect; NIDS are useful for
monitoring internal traffic, but a HIDS would be better for distributed users/devices. C is
incorrect; LIDS is not a standard term within our industry, and was made up and used here only
as a distractor. D is incorrect; firewalls limit traffic, and can be used to identify potential threats,
but a HIDS is specifically intended for this purpose.
Question 46 0 / 1 point
A tool that inspects outbound traffic to reduce potential threats. (D4.2 L4.2.3)

Question options:

A)

NIDS (network-based intrusion-detection systems)

B)

Anti-malware

C)

DLP (data loss prevention)

D)

Firewall

Hide question 46 feedback


DLP solutions typically inspect outbound communications traffic to check for unauthorized
exfiltration of sensitive/valuable information. C is correct. A, B and D are incorrect; these
solutions are not typically suited to inspect outbound traffic.
Question 47 1 / 1 point
A means to allow remote users to have secure access to the internal IT environment. (D4.3
L4.3.3)

Question options:

A)

Internet

B)

VLAN

C)

MAC

D)

VPN

Hide question 47 feedback


D is correct; a virtual private network protects communication traffic over untrusted media. A is
incorrect; the internet is an untrusted medium. B is incorrect; VLANs are used to segment
portions of the internal environment. C is incorrect; MAC is the physical address of a given
networked device.
Question 48 1 / 1 point
Which type of fire-suppression system is typically the safest for humans? (D4.3 L4.3.1)

Question options:

A)

Water

B)

Dirt

C)

Oxygen-depletion

D)

Gaseous

Hide question 48 feedback


A is correct as it is the safest fire-suppression system listed that is typically used. B is incorrect;
dirt is rarely used in fire suppression, and then usually only for forest fires. C is incorrect;
humans require oxygen. D is incorrect; gaseous fire-suppression systems typically pose more
hazard to humans than water-based systems.
Question 49 1 / 1 point
Which of the following is one of the common ways potential attacks are often identified? (D4.2
L4.2.2)

Question options:

A)

The attackers contact the target prior to the attack, in order to threaten and frighten the target

B)

Victims notice excessive heat coming from their systems

C)

The power utility company warns customers that the grid will be down and the internet won't be
accessible

D)

Users report unusual systems activity/response to Help Desk or the security office

Hide question 49 feedback


Users often act as an attack-detection capability (although many user reports might be false
positives). D is the correct answer. A and C are incorrect; unfortunately, we rarely get advance
notification of impending threats to the environment. B is incorrect; attacks are not typically
identified by physical manifestations.
Question 50 1 / 1 point
Ludwig is a security analyst at Triffid, Inc. Ludwig notices network traffic that might indicate an
attack designed to affect the availability of the environment. Which of the following might be the
attack Ludwig sees? (D4.2 L4.2.1)

Question options:

A)

DDOS (distributed denial of service)

B)

Spoofing

C)

Exfiltrating stolen data

D)

An insider sabotaging the power supply

Hide question 50 feedback


DDOS is an availability attack, often typified by recognizable network traffic; either too much
traffic to be processed normally, or malformed traffic. A is the correct answer. B and C are
incorrect, because in both these kinds of attacks, the attacker wants the IT environment to
continue working properly—if the attacker shut down the environment, the attacker wouldn't be
able to use spoofed credentials or exfiltrate stolen data. D is incorrect, because loss of power is
not recognized by network traffic, it is recognized by lack of functionality.
Question 51 0 / 1 point
A tool that aggregates log data from multiple sources, and typically analyzes it and reports
potential threats. (D4.2 L4.2.2)

Question options:

A)

HIDS

B)

Anti-malware

C)

Router

D)

SIEM

Hide question 51 feedback


SIEM/SEM/SIM solutions are typically designed specifically for this purpose. D is the correct
answer. A and C are incorrect; these are specific single sources of log data. B is incorrect; anti-
malware does not typically gather log data from multiple sources.
Question 52 1 / 1 point
Which of the following activities is usually part of the configuration management process, but is
also extremely helpful in countering potential attacks? (D4.2 L4.2.3)

Question options:

A)

Annual budgeting

B)

Conferences with senior leadership

C)

Updating and patching systems

D)

The annual shareholders' meeting

Hide question 52 feedback


C is the correct answer. Keeping systems up to date is typically part of both the configuration
management process and enacting best security practices. A, B and D are incorrect; these
activities are neither part of the configuration management process nor a best security practice.
Question 53 1 / 1 point
An IoT (Internet of Things) device is typified by its effect on or use of the _____ environment.
(D4.3 L4.3.3)

Question options:

A)

Philosophical

B)

Remote

C)

Internal

D)

Physical

Hide question 53 feedback


D is correct. IoT devices typically have some interaction with the physical realm, either by
having some physical effect (a vacuum cleaner, refrigerator, light) or by monitoring the physical
environment itself (a camera, sensor, etc.). A, B and C are incorrect; IoT is typified by effects on
or use of the physical environment.
Question 54 1 / 1 point
Which of the following would be best placed in the DMZ of an IT environment? (D4.3 L4.3.3)

Question options:

A)

User's workplace laptop

B)

Mail server

C)

Database engine

D)

SIEM log storage

Hide question 54 feedback


B is correct; devices that must often interact with the external environment (such as a mail
server) are typically best situated in the DMZ. A, C and D are incorrect; devices that contain
sensitive or valuable information are typically best placed well inside the perimeter of the IT
environment, away from the external world and the DMZ.
Question 55 0 / 1 point
Bert wants to add a flashlight capability to a smartphone. Bert searches the internet for a free
flashlight app, and downloads it to the phone. The app allows Bert to use the phone as a
flashlight, but also steals Bert's contacts list. What kind of app is this? (D4.2 L4.2.1)

Question options:

A)

DDOS

B)

Trojan

C)

Side channel

D)

On-path

Hide question 55 feedback


This is a textbook example of a Trojan horse application. Bert has intentionally downloaded the
application with the intent to get a desired service, but the app also includes a hostile component
Bert is unaware of. A is incorrect; DDOS involves multiple attacking machines trying to affect
the availability of the target. C is incorrect; a side channel attack is passive and generally only
observes operational activity, instead of capturing and exfiltrating specific data. D is incorrect;
an on-path attack involves the attackers inserting themselves between communicating parties.
Question 56 0 / 1 point
The logical address of a device connected to the network or Internet. (D4.1 L4.1.1)

Question options:

A)

Media access control (MAC) address

B)

Internet Protocol (IP) address

C)

Geophysical address

D)

Terminal address

Hide question 56 feedback


The IP address is the logical address assigned to a device connected to a network or the Internet.
B is the correct answer. A is incorrect; the MAC address of a device is its physical address. C is
incorrect; the geophysical address is typically the postal address assigned to a building, not an IT
device. D is incorrect; "terminal address" has no meaning in this context, and is only used here as
a distractor.
Question 57 1 / 1 point
Which type of fire-suppression system is typically the least expensive?
(D4.3 L4.3.1)

Question options:

A)

Water

B)

Dirt

C)

Oxygen-depletion

D)

Gaseous

Hide question 57 feedback


Water is typically the least expensive type of fire-suppression system, as water is one of the most
common chemicals on the planet. A is correct. B is incorrect; dirt is usually only used in the
suppression of forest fires. C and D are incorrect; gaseous/oxygen depletion systems are typically
much, much more expensive than water-based systems.
Question 58 1 / 1 point
A device that filters network traffic in order to enhance overall security/performance. (D4.1
L4.1.1)

Question options:

A)

Endpoint

B)

Laptop

C)

MAC (media access control)

D)

Firewall

Hide question 58 feedback


Firewalls filter traffic in order to enhance the overall security or performance of the network, or
both. D is the correct answer. A is incorrect; "endpoint" is the term used to describe a device
involved in a networked communication, at either "end" of a conversation. B is incorrect; laptops
are not typically employed to filter network traffic. C is incorrect; MAC is the physical address
of a device on a network.
Question 59 0 / 1 point
"Wiring _____" is a common term meaning "a place where wires/conduits are often run, and
equipment can be placed, in order to facilitate the use of local networks." (D4.3 L4.3.1)

Question options:

A)

Shelf

B)

Closet

C)

Bracket

D)

House

Hide question 59 feedback


B is correct. "Wiring closet" is the common term used to describe small spaces, typically placed
on each floor of a building, where IT infrastructure can be placed. A, C and D are incorrect;
these are not common terms used in this manner.
Question 60 1 / 1 point
Cyril wants to ensure all the devices on his company's internal IT environment are properly
synchronized. Which of the following protocols would aid in this effort? (D4, L4.1.2)

Question options:

A)

FTP (File Transfer Protocol)

B)

NTP (Network Time Protocol)

C)

SMTP (Simple Mail Transfer Protocol)

D)

HTTP (Hypertext Transfer Protocol)

Hide question 60 feedback


B is the correct answer; this is the purpose of NTP. A, C and D are incorrect; these do not serve
the purpose of synchronization.
Question 61 1 / 1 point
Cheryl is browsing the Web. Which of the following protocols is she probably using? (D4,
L4.1.2)

Question options:

A)

SNMP (Simple Network Management Protocol)

B)

FTP (File Transfer Protocol)

C)

TFTP (Trivial File Transfer Protocol)

D)

HTTP (Hypertext Transfer Protocol)

Hide question 61 feedback


D is correct; HTTP is designed for Web browsing. A, B and C are incorrect; these are not
protocols designed to handle Web browsing.
Question 62 1 / 1 point
A device that is commonly useful to have on the perimeter between two networks. (D4.3 L4.3.3)

Question options:

A)

User laptop

B)

IoT

C)

Camera

D)

Firewall

Hide question 62 feedback


Firewalls are often useful to monitor/filter traffic between two networks. D is correct. A and B
are incorrect; these are typically located inside the perimeter of the internal environment. C is
incorrect; cameras do not offer much benefit in monitoring communications traffic.
Question 63 0 / 1 point
Every document owned by Triffid, Inc., whether hardcopy or electronic, has a clear, 24-point
word at the top and bottom. Only three words can be used: "Sensitive," "Proprietary" and
"Public."

This is an example of _____. (D5.1, L5.1.1)

Question options:

A)

Secrecy

B)

Privacy

C)

Inverting

D)

Labeling

Hide question 63 feedback


Labeling is the practice of annotating assets with classification markings. D is the correct answer.
A is incorrect; "secrecy" is too broad a term in this context, and not accurate—the markings are
visible. B is incorrect; privacy is associated with information that identifies a specific person (or
specific people). C is incorrect; this term has no meaning in this context, and is used here only as
a distractor.
Question 64 1 / 1 point
By far, the most crucial element of any security instruction program. (D5.4, L5.4.1)

Question options:

A)

Protect assets

B)

Preserve health and human safety

C)

Ensure availability of IT systems

D)

Preserve shareholder value

Hide question 64 feedback


B is correct: This is the paramount rule in all security efforts. A, C and D are incorrect; these are
goals of the security instruction program, but all are secondary to B.
Question 65 0 / 1 point
Dieter wants to send a message to Lupa and wants to be sure that Lupa knows the message has
not been modified in transit. What technique/tool could Dieter use to assist in this effort? (D5.1,
L5.1.3)

Question options:

A)

Hashing

B)

Clockwise rotation

C)

Symmetric encryption

D)

Asymmetric encryption

Hide question 65 feedback


Hashing is a means to provide an integrity check. A is the correct answer. B is incorrect; this
term is meaningless and used here only as a distractor. C and D are incorrect; neither symmetric
encryption nor asymmetric encryption provides message integrity.
Question 66 1 / 1 point
Data retention periods apply to ____ data. (D5.1, L5.1.1)

Question options:

A)

Medical

B)

Sensitive

C)

All

D)

Secret

Hide question 66 feedback


All data should have specific retention periods (even though retention periods may differ for
various types of data). C is the correct answer. A, B and D are incorrect; retention periods affect
all data.
Question 67 0 / 1 point
Which of these is the most important reason to conduct security instruction for all employees?
(D5.4, L5.4.1)

Question options:

A)

Reduce liability

B)

Provide due diligence

C)

It is a moral imperative

D)

An informed user is a more secure user

Hide question 67 feedback


While all the answers are true, D is the single most important reason to conduct security
instruction, because it leads to all the others. A, B and C are incorrect; while true, they are not
the most important reason(s).
Question 68 0 / 1 point
Triffid, Inc., wants to host streaming video files for the company's remote users, but wants to
ensure the data is protected while it's streaming. Which of the following methods is probably
best for this purpose? (D5.1, L5.1.3)

Question options:

A)

Symmetric encryption

B)

Hashing

C)

Asymmetric encryption

D)

VLANs

Hide question 68 feedback


A is the correct answer; symmetric encryption offers confidentiality of data with the least amount
of processing overhead, which makes it the preferred means of protecting streaming data. B is
incorrect; hashing would not provide confidentiality of the data. C is incorrect; asymmetric
encryption requires more processing overhead than symmetric encryption, and is therefore not
preferable for streaming purposes. D is incorrect; VLANs are useful for logical segmentation of
networks, but do not serve a purpose for streaming data to remote users.
Question 69 1 / 1 point
______ is used to ensure that configuration management activities are effective and enforced.
(D5.2, L5.2.1)

Question options:

A)

Inventory

B)

Baseline

C)

Identification

D)

Verification and audit

Hide question 69 feedback


Verification and audit are methods we use to review the IT environment to ensure that
configuration management activities have taken place and are achieving their intended purpose.
D is the correct answer. A, B and C are incorrect; while these are terms related to configuration
management, the answer is verification and audit.
Question 70 0 / 1 point
The output of any given hashing algorithm is always _____. (D5.1, L5.1.3)

Question options:

A)

The same length

B)

The same characters

C)

The same language

D)

Different for the same inputs

Hide question 70 feedback


Hashing algorithms create output of a fixed length. A is the correct answer. B is incorrect; the
characters in the output will change depending on the input. C is incorrect; hashing algorithms do
not create output in any particular language—usually, the output is a mix of alphanumeric
characters. D is incorrect; hash outputs should be the same when the same input is used.
Question 71 0 / 1 point
Data _____ is data left behind on systems/media after normal deletion procedures have been
attempted. (D5.1, L5.1.1)

Question options:

A)

Fragments

B)

Packets

C)

Remanence

D)

Residue

Hide question 71 feedback


C is correct. Data remanence is the term used to describe data left behind on systems/media after
normal deletion procedures have been attempted.
Question 72 1 / 1 point
When Pritha started working for Triffid, Inc., Pritha had to sign a policy that described how
Pritha would be allowed to use Triffid's IT equipment. What policy was this? (D5.3, L5.3.1)

Question options:

A)

The organizational security policy

B)

The acceptable use policy (AUP)

C)

The bring-your-own-device (BYOD) policy

D)

The workplace attire policy

Hide question 72 feedback


The AUP describes how users will be permitted to use the organization's IT assets. B is the
correct answer. A, C and D are incorrect; while these are all common policies, they do not serve
the same function as the AUP.
Question 73 1 / 1 point
One of the benefits of computer-based training (CBT): (D5.4, L5.4.1)

Question options:

A)

Expensive

B)

Scalable

C)

Personal interaction with instructor

D)

Interacting with other participants

Hide question 73 feedback


B is the correct answer. CBT is completely scalable, because it can be replicated uniformly for
any number of users. A, C and D are incorrect; these are not characteristics of CBT.
Question 74 0 / 1 point
Security needs to be provided to ____ data. (D5.1, L5.1.1)

Question options:

A)

Restricted

B)

Illegal

C)

Private

D)

All

Hide question 74 feedback


D is the correct answer. All data needs some form of security; even data that is not sensitive
(such as data intended for public view) needs protection to ensure availability. A, B and C are
incorrect; all data needs some form of security protection.
Question 75 1 / 1 point
Security controls on log data should reflect ________. (D5.1, L5.1.2)

Question options:

A)

The organization's commitment to customer service

B)

The local culture where the log data is stored

C)

The price of the storage device

D)

The sensitivity of the source device

Hide question 75 feedback


Log data should be protected with security as high, or higher, than the security level of the
systems or devices that log was captured from. D is the correct answer. A, B and C are incorrect;
these are not qualities that dictate security level of protection on log data.
