Free ISC2 CC Practice Test to Ace the Exam

In the cloud shared responsibility model for Infrastructure as a Service (IaaS), who is responsible for securing the operating system?

What is the main goal of a security awareness training program?

Which cloud deployment model is operated solely for a single organization but may be managed by a third party and hosted internally or externally?

Which wireless security protocol is considered the most secure for modern Wi-Fi networks?

Which social engineering tactic relies on creating a sense of panic to rush a victim into making a poor decision?

Which of the following would have the least reasonable expectation of privacy?

In cryptographic systems, what is a primary advantage of asymmetric encryption over symmetric encryption?

Which of the following best describes the principle of ‘due care’ in information security?

Which of the following is a cryptographic function that creates a fixed-size, unique ‘fingerprint’ of a message and is one-way?

Which of the following describes a Type I hypervisor?

The process of identifying a system’s weaknesses, such as missing patches or misconfigurations, is known as:

A user is required to enter a password and then use a fingerprint scanner to log in. This combination represents what type of authentication?

What is the primary purpose of using data encryption?

A system where file owners can grant or deny access permissions to other users is an example of which access control model?

An attacker calls an employee pretending to be an IT technician and tricks them into revealing their password. This is an example of what type of attack?

An organization implements a policy where an employee cannot both approve a payment and issue the payment. This control is an example of which security principle?

Which of the following are the three main goals of information security as defined by the CIA triad?

A business uses a cloud service that provides a complete application, such as a CRM or email service, over the internet. What type of cloud service model is this?

An organization wants to analyze data without revealing the identities of the individuals in the dataset. The process of removing or modifying personally identifiable information (PII) to achieve this is known as:

A facility uses bollards to block vehicle access to pedestrian areas. This is a form of which type of control?

What is the primary purpose of a web application firewall (WAF)?

A company requires a disaster recovery site that is fully equipped with hardware, software, and up-to-the-minute data, allowing for immediate failover. What type of site is this?

A company decides to stop offering a high-risk online service to completely remove the associated cybersecurity threats. Which risk treatment strategy is this?

What is the primary security risk of ‘shadow IT’?

A backup schedule involves a full backup on Sunday, followed by backups each weekday that only include files changed since the last full backup. What type of weekday backup is this?

What is the primary function of a Virtual Private Network (VPN)?

Which security concept ensures that a sender cannot later deny having sent a message?

An organization uses redundant firewalls in a high availability pair to ensure that if one fails, the other can take over immediately. This design is intended to remove what?

Which data destruction method uses a strong magnetic field to erase data from magnetic media like hard disk drives and tapes?

A security guard monitoring CCTV feeds is an example of which type of security control?

An organization determines it can tolerate a maximum of 4 hours of data loss from its primary sales database. This metric is known as the:

A policy that defines the rules for employees using their personal smartphones and laptops for work is called a:

The concept of ‘defense in depth’ refers to what security strategy?

What is the primary purpose of establishing a security configuration baseline for servers?

When an organization centrally collects and analyzes log data from firewalls, servers, and applications to detect security incidents, what type of system are they using?

An organization experiences a power outage. Which of the following security risks is most directly categorized as an availability issue?

In an access control process, what step involves a user proving their claimed identity, for example by providing a password?

A malware payload that remains dormant until a specific date or condition is met is called a:

Which of the following is a security benefit of using a password manager?

At which layer of the OSI model does the Internet Protocol (IP) operate, handling the routing of packets across different networks?

In the data lifecycle, what is the final stage where data is securely and permanently removed when it is no longer needed?

What is the primary risk associated with improperly secured wiring closets?

In disaster recovery, what is the purpose of a tabletop exercise?

Which security device sits on a network, monitors traffic for malicious patterns, and can actively block the identified threats?

Which document is created during business continuity planning to identify mission-essential functions and the critical IT systems that support them?

According to the Privacy Management Framework (PMF), ensuring that personal information is only retained for as long as necessary aligns with which principle?

A security auditor finds that an employee who moved from Finance to Marketing six months ago still has access to sensitive financial systems. This situation is an example of:

A security professional is using a tool to check web applications for vulnerabilities like SQL injection and Cross-Site Scripting (XSS). What type of activity is this?

An organization is concerned about malicious insiders. Which security principle would be most effective in limiting the damage a compromised employee account could cause?

An organization’s policy dictates how long different types of records must be stored before they are securely destroyed. This policy is known as a:

Which of the (ISC)² Code of Ethics canons requires a certified professional to ‘act honorably, honestly, justly, responsibly, and legally’?

A company purchases cybersecurity insurance to cover potential losses from a data breach. What risk management strategy is being employed?

In the context of physical security, what is the purpose of Crime Prevention Through Environmental Design (CPTED)?

A system on a network has an IP address of 169.254.10.55. What is the most likely reason for this?

A security analyst is reviewing network traffic and sees a massive volume of SYN packets from many different source IPs directed at a single web server, which is now unresponsive. What type of attack is likely occurring?

What is the primary function of RAID (Redundant Array of Inexpensive Disks)?

According to the NIST incident response lifecycle, which phase involves limiting the damage caused by an incident and removing its effects from the network?

A policy requires that users change their passwords every 90 days. This is an example of a password _______ requirement.

What is the primary function of a ‘honeypot’ in a network security context?

A hacker successfully alters data in a financial report to hide fraudulent activity. Which core principle of the CIA triad has been violated?

Which of the following is a key characteristic of cloud computing that allows customers to increase or decrease capacity as needs fluctuate?

A firewall is implemented to block malicious traffic from entering a network. By its mechanism of action, what type of security control is a firewall?

What does a Security Assertion Markup Language (SAML) assertion typically contain?