Certified in Cybersecurity (ISC2 CC) Sample Questions

Free ISC2 Certified in Cybersecurity (CC) Exam Topics Test

The ISC2 Certified in Cybersecurity (CC) exam validates your understanding of the essential principles that protect organizations from cyber threats. It covers Security Principles, Business Continuity and Disaster Recovery, Access Controls, Network Security, and Security Operations.

To prepare effectively, begin with the Practice Questions. These items match the structure and reasoning style of the official ISC2 CC exam and will help you become familiar with ISC2’s question format. You can also explore Real Exam Questions for authentic, scenario-based challenges that simulate real-world cybersecurity decision-making. For targeted study, review Sample Questions covering encryption, authentication, network monitoring, and access management.

ISC2 CC Exam Simulator

Each section of the ISC2 CC Questions and Answers collection is written to teach as well as test. These materials strengthen your knowledge of cybersecurity controls, risk assessment, and incident response, with clear explanations for each answer.

Use the Exam Simulator and complete full-length Practice Tests to prepare under realistic exam conditions. If you prefer focused study sessions, explore the Exam Dump and Braindump collections that group questions by topic such as security principles, access control, or governance.

Working through these Exam Questions builds the analytical skills needed to understand cybersecurity frameworks and respond effectively to potential threats. By mastering these exercises, you’ll be ready to demonstrate your knowledge and earn the Certified in Cybersecurity certification.

Start your preparation today with Practice Questions. Train using the Exam Simulator and measure your progress with full-length Practice Tests. Prepare to launch your cybersecurity career with ISC2 certification.


ISC2 CC Certified in Cybersecurity Exam Simulator

Question 1

A medium-sized technology firm called Crestline Systems has been gradually shifting its operations into the public cloud, and each department has chosen its own migration timeline and tools. The sales group adopted a cloud CRM, engineering moved its project and test results into a managed database, and every department except marketing now uses a cloud document editor. The information security team has observed that the reliability of these cloud services is below the level senior management requires to maintain the expected level of customer service. Where did the organization most likely fail in its cloud migration?

  • ❏ A. Risk management

  • ❏ B. Google Cloud Operations

  • ❏ C. Cloud governance

  • ❏ D. Threat modeling

Question 2

Which requirement should a corporate password standard include to reduce unauthorized access?

  • ❏ A. Allowing users to reuse their previous passwords

  • ❏ B. Requiring passwords to contain uppercase letters, lowercase letters, numbers, and special characters

  • ❏ C. Enforcing password changes every 30 days

Question 3

A regional financial services company needs a resilient security strategy for its cloud and on-premises infrastructure. Which approach offers the most effective defense in depth?

  • ❏ A. Relying primarily on staff security awareness training

  • ❏ B. Encrypting all data in transit

  • ❏ C. Deploying layered security measures across network segments, endpoints, and application tiers

  • ❏ D. VPC Service Controls

Question 4

Which term denotes an actor or event that could harm information systems or data?

  • ❏ A. Risk

  • ❏ B. Threat

  • ❏ C. Vulnerability

Question 5

Which item below is not one of the three foundational goals of information security, commonly referred to as the CIA triad?

  • ❏ A. Integrity

  • ❏ B. Authentication

  • ❏ C. Availability

  • ❏ D. Confidentiality

Question 6

Who assigns and manages a resource’s access rights under a discretionary access control model?

  • ❏ A. System administrator

  • ❏ B. The resource owner

  • ❏ C. Central policy authority

Question 7

A municipal legal team must prove that digital documents they will submit in a trial have not been modified after collection. Which technique would they use to demonstrate the evidence is authentic?

  • ❏ A. Asymmetric encryption

  • ❏ B. Public Key Infrastructure

  • ❏ C. Cryptographic hash digest

  • ❏ D. Symmetric encryption

Question 8

What primary objective should guide the purchase of a cyber insurance policy?

  • ❏ A. Reducing incident likelihood or impact

  • ❏ B. Transferring financial liability to an insurer

  • ❏ C. Complying with contractual or regulatory requirements

Question 9

As a network engineer at a regional payments startup, how can you defend servers and networks from an attack that floods the system with packets exceeding the allowed size?

  • ❏ A. Use network intrusion detection such as Cloud IDS to watch for anomalous traffic patterns

  • ❏ B. Deploy Google Cloud Armor security policies to filter and mitigate suspicious traffic

  • ❏ C. Apply rate limiting on ingress interfaces to cap the number of packets and limit oversized packet floods

  • ❏ D. Install endpoint antivirus on all servers and workstations to detect malicious payloads

Question 10

Which access control model grants permissions to roles instead of assigning them directly to individual users?

  • ❏ A. Attribute-Based Access Control (ABAC)

  • ❏ B. Role-Based Access Control (RBAC)

  • ❏ C. Discretionary Access Control (DAC)

Question 11

In a standard software development lifecycle, which stage usually consumes the greatest amount of time?

  • ❏ A. Testing

  • ❏ B. Implementation and coding

  • ❏ C. Requirements gathering and feasibility

  • ❏ D. Design

Question 12

What is the primary advantage of enforcing least privilege for user access?

  • ❏ A. Improves auditability and compliance

  • ❏ B. Reduces the blast radius of compromised accounts

  • ❏ C. Limits unauthorized access to sensitive data

Question 13

How would you best describe a trust zone within a cloud network environment?

  • ❏ A. Encrypted tunnels that link resources at distant sites

  • ❏ B. Shared infrastructure pools provided to multiple tenants

  • ❏ C. Policies and rules that specify which employees can reach which systems

  • ❏ D. Physical, logical, or virtual boundaries established around network assets

Question 14

What is a primary disadvantage of storing data across multiple cloud regions?

  • ❏ A. Improved availability

  • ❏ B. Unintended exposure to differing legal jurisdictions

  • ❏ C. Higher latency for cross-region reads

Question 15

Marta is the security engineer working with the platform and development teams at a cloud software vendor named Greenline as they ready a new application and its API for deployment on a platform as a service. They have arrived at the stage of deploying a secrets manager. What is the primary purpose of a secrets manager?

  • ❏ A. Collecting and forwarding API usage logs to a central system

  • ❏ B. Protecting sensitive credentials such as API keys and passwords

  • ❏ C. Using Cloud Identity and Access Management to configure permissions

  • ❏ D. Improving API performance by optimizing resource allocation

Question 16

Which listed standard is optional for both cloud providers and cloud customers?

  • ❏ A. FedRAMP

  • ❏ B. ISO/IEC 27017

  • ❏ C. CSA STAR

Question 17

What is the main issue commonly caused by managing access controls in a distributed manner across multiple business units?

  • ❏ A. Higher training expenses

  • ❏ B. Difficulty with auditing and reporting

  • ❏ C. Inconsistent permissions across teams

  • ❏ D. Overly granular and complex policies

Question 18

What best defines cloud multitenancy?

  • ❏ A. Customers using multiple cloud providers

  • ❏ B. Different customers sharing a provider’s compute, storage, and network infrastructure

  • ❏ C. Dedicated hardware provisioned per customer

  • ❏ D. Customers having access to each other’s data

Question 19

A regional colocation operator is designing a centralized facility monitoring platform for multiple data halls. Which device should be excluded from the building management environment?

  • ❏ A. HVAC failure sensors

  • ❏ B. Fire alarm system

  • ❏ C. Smart locks

  • ❏ D. Water or gas leak detectors

Question 40

Which item qualifies as personally identifiable information?

  • ❏ A. Company policy document

  • ❏ B. User’s date of birth

  • ❏ C. Service account private key

ISC2 CC Certified in Cybersecurity Mock Exam Answers

Question 1

A medium-sized technology firm called Crestline Systems has been gradually shifting its operations into the public cloud, and each department has chosen its own migration timeline and tools. The sales group adopted a cloud CRM, engineering moved its project and test results into a managed database, and every department except marketing now uses a cloud document editor. The information security team has observed that the reliability of these cloud services is below the level senior management requires to maintain the expected level of customer service. Where did the organization most likely fail in its cloud migration?

  • ✓ C. Cloud governance

The correct answer is: Cloud governance.

Question 2

Which requirement should a corporate password standard include to reduce unauthorized access?

  • ✓ B. Requiring passwords to contain uppercase letters, lowercase letters, numbers, and special characters

The correct answer is: Requiring passwords to contain uppercase letters, lowercase letters, numbers, and special characters.

Question 3

A regional financial services company needs a resilient security strategy for its cloud and on-premises infrastructure. Which approach offers the most effective defense in depth?

  • ✓ C. Deploying layered security measures across network segments, endpoints, and application tiers

The correct answer is: Deploying layered security measures across network segments, endpoints, and application tiers.

Question 4

Which term denotes an actor or event that could harm information systems or data?

  • ✓ B. Threat

The correct answer is: Threat.

Question 5

Which item below is not one of the three foundational goals of information security, commonly referred to as the CIA triad?

  • ✓ B. Authentication

The correct answer is: Authentication.

Question 6

Who assigns and manages a resource’s access rights under a discretionary access control model?

  • ✓ B. The resource owner

The correct answer is: The resource owner.

Question 7

A municipal legal team must prove that digital documents they will submit in a trial have not been modified after collection. Which technique would they use to demonstrate the evidence is authentic?

  • ✓ C. Cryptographic hash digest

The correct answer is: Cryptographic hash digest.

Question 8

What primary objective should guide the purchase of a cyber insurance policy?

  • ✓ B. Transferring financial liability to an insurer

The correct answer is: Transferring financial liability to an insurer.

Question 9

As a network engineer at a regional payments startup, how can you defend servers and networks from an attack that floods the system with packets exceeding the allowed size?

  • ✓ C. Apply rate limiting on ingress interfaces to cap the number of packets and limit oversized packet floods

The correct answer is: Apply rate limiting on ingress interfaces to cap the number of packets and limit oversized packet floods.

Question 10

Which access control model grants permissions to roles instead of assigning them directly to individual users?

  • ✓ B. Role-Based Access Control (RBAC)

The correct answer is: Role-Based Access Control (RBAC).

Question 11

In a standard software development lifecycle, which stage usually consumes the greatest amount of time?

  • ✓ B. Implementation and coding

The correct answer is: Implementation and coding.

Question 12

What is the primary advantage of enforcing least privilege for user access?

  • ✓ C. Limits unauthorized access to sensitive data

The correct answer is: Limits unauthorized access to sensitive data.

Question 13

How would you best describe a trust zone within a cloud network environment?

  • ✓ D. Physical, logical, or virtual boundaries established around network assets

The correct answer is: Physical, logical, or virtual boundaries established around network assets.

Question 14

What is a primary disadvantage of storing data across multiple cloud regions?

  • ✓ B. Unintended exposure to differing legal jurisdictions

The correct answer is: Unintended exposure to differing legal jurisdictions.

Question 15

Marta is the security engineer working with the platform and development teams at a cloud software vendor named Greenline as they ready a new application and its API for deployment on a platform as a service. They have arrived at the stage of deploying a secrets manager. What is the primary purpose of a secrets manager?

  • ✓ B. Protecting sensitive credentials such as API keys and passwords

The correct answer is: Protecting sensitive credentials such as API keys and passwords.

Question 16

Which listed standard is optional for both cloud providers and cloud customers?

  • ✓ B. ISO/IEC 27017

The correct answer is: ISO/IEC 27017.

Question 17

What is the main issue commonly caused by managing access controls in a distributed manner across multiple business units?

  • ✓ C. Inconsistent permissions across teams

The correct answer is: Inconsistent permissions across teams.

Question 18

What best defines cloud multitenancy?

  • ✓ B. Different customers sharing a provider’s compute, storage, and network infrastructure

The correct answer is: Different customers sharing a provider’s compute, storage, and network infrastructure.

Question 19

A regional colocation operator is designing a centralized facility monitoring platform for multiple data halls. Which device should be excluded from the building management environment?

  • ✓ C. Smart locks

The correct answer is: Smart locks.

Question 40

Which item qualifies as personally identifiable information?

  • ✓ B. User’s date of birth

The correct answer is: A user’s date of birth.


Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.