ISC² CC Certified in Cybersecurity Practice Exams

Free ISC2 Practice Tests

Over the past few months, I have been helping aspiring cybersecurity professionals prepare for the ISC2 Certified in Cybersecurity (CC) certification. This credential demonstrates a solid understanding of security fundamentals, risk management, and network defense concepts that are essential to building a career in cybersecurity.

A key step in that journey is earning the ISC2 CC certification, which validates your knowledge of Security Principles, Business Continuity and Disaster Recovery, Access Control Concepts, Network Security, and Security Operations. The goal is to help you master the foundational principles that keep data and systems secure, reliable, and compliant.

The ISC2 CC exam confirms your ability to understand information assurance, apply governance frameworks, and implement both technical and administrative controls. These skills are valued by employers who need professionals ready to protect systems, respond to incidents, and maintain resilience.

ISC2 CC Exam Simulator

Through my online training and the free Practice Questions available at certificationexams.pro, I have developed comprehensive ISC2 CC Practice Exam Questions and Answers that reflect the logic and difficulty of the real ISC2 Certified in Cybersecurity exam. You can also explore Sample Questions and full-length Practice Tests to assess your readiness. Each question includes explanations that reinforce key cybersecurity concepts such as confidentiality, integrity, availability, authentication, and incident response.

If you are looking for Real Exam Questions, these resources provide authentic, instructor-developed scenarios that simulate the structure and complexity of the official ISC2 exam. These are not Braindump materials or copied content. The Exam Simulator recreates the pacing and environment of the actual certification test, helping you practice under realistic conditions.

Each Exam Dump style study set is organized by domain, helping you review Security Principles, Network Security, and Security Operations concepts through focused repetition and applied learning. These exercises are designed to help you think like a cybersecurity professional capable of protecting data and responding to threats.

The ISC2 CC Certification is more than an entry-level credential. It is a foundation for your cybersecurity career, showing employers that you understand essential security concepts and are ready to grow in this dynamic field. Study consistently, practice effectively, and approach your exam with confidence.


A regional insurer called Meridian Mutual is revising its business continuity vocabulary. Which metric represents the maximum duration a system may remain offline before severe business impact occurs?

  • ❏ A. RPO

  • ❏ B. RSL

  • ❏ C. RTO

  • ❏ D. MTD

In cloud security terminology which concept is federation most directly associated with?

  • ❏ A. Tenant isolation

  • ❏ B. Access control

  • ❏ C. Multivendor network diversity

  • ❏ D. Data center environmental systems

Which device is most effective at detecting malicious activity by monitoring traffic across an enterprise network?

  • ❏ A. Firewall

  • ❏ B. Intrusion prevention system

  • ❏ C. Host intrusion detection system

  • ❏ D. Network intrusion detection system

NovaAcademy.example.com recently rolled out a new login system that requires each staff member to sign in with a unique username and password. Several staff have reported that they can sign in using another person’s credentials. What is the most likely explanation for this issue?

  • ❏ A. Authentication system is misconfigured

  • ❏ B. Employees are sharing account credentials

  • ❏ C. Passwords are too weak and easy to guess

  • ❏ D. An external breach exposed user credentials

A payments startup called Cobalt Ledger plans to add digital signatures to its contracts to prove documents are authentic and unchanged. Which of the following is not a fundamental component of a digital signature?

  • ❏ A. A message digest produced by a secure hash function

  • ❏ B. An encryption key

  • ❏ C. The original document or message being signed

  • ❏ D. A public key certificate

Why does the CyberTrust Consortium publish a professional Code of Ethics for security practitioners?

  • ❏ A. Google Cloud Identity and Access Management

  • ❏ B. To offer guidance on resolving conflicts of interest

  • ❏ C. To enforce compliance with laws and regulations

  • ❏ D. To define professional standards of conduct for information security professionals

Why do secure facilities install a mantrap at an entry point and what main function does it provide?

  • ❏ A. To offer a rapid emergency egress path from a controlled area

  • ❏ B. To add an extra layer of protection for a highly restricted zone by using a pair of interlocked doors and identity verification

  • ❏ C. To consolidate entrances to reduce construction and maintenance expenses

  • ❏ D. To enable precise entry logging for compliance monitoring and audit trails

A regional online retailer uses systems that apply data science methods to extract actionable insights from transaction records so managers can make better decisions. Which technology is the company using?

  • ❏ A. BigQuery

  • ❏ B. Artificial intelligence

  • ❏ C. Quantum computing

  • ❏ D. Machine learning

A network engineer at NovaTech Solutions needs to keep the finance and product teams in separate broadcast domains so they do not receive each other’s broadcast traffic. Which networking technology will provide independent broadcast domains for those teams?

  • ❏ A. Virtual Private Network

  • ❏ B. IP subnetting

  • ❏ C. Demilitarized zone

  • ❏ D. VLAN

Breaching the requirements for which class of personally identifiable information is most likely to lead to criminal prosecution?

  • ❏ A. Unclassified PII

  • ❏ B. Contract-based PII

  • ❏ C. Statutorily controlled PII

  • ❏ D. Nonpublic PII

During the analysis stage of an incident response what is the primary goal of performing a forensic examination?

  • ❏ A. Contain active threats using Cloud Logging and Security Command Center telemetry

  • ❏ B. Record post-incident lessons and create a revised incident response playbook

  • ❏ C. Preserve and collect evidentiary data while maintaining a documented chain of custody for potential legal actions

  • ❏ D. Attribute the intrusion to a threat actor and determine their motives

Which of the following is an example of a detective access control in a corporate campus security scenario?

  • ❏ A. A firewall that blocks unauthorized traffic and prevents network intrusions

  • ❏ B. A lobby concierge who verifies visitor badges before permitting access

  • ❏ C. Two factor authentication required at user sign in

  • ❏ D. A motion detector alarm that alerts security staff about a suspected breach

A site reliability engineer at a mid sized payments startup left host configuration references inside source files. An attacker located those configuration entries in the repository and used them to bypass proper validation and gain access to the application. What kind of vulnerability is this?

  • ❏ A. Server side request forgery

  • ❏ B. Cross site scripting

  • ❏ C. XML external entity reference

  • ❏ D. Broken access control

Within a corporate risk governance model where control activities, oversight functions and independent assurance are separated, which line of defense is the information security team usually assigned to?

  • ❏ A. It is the second line of defense

  • ❏ B. It is the third line of defense

  • ❏ C. It is the first line of defense

Which statement about domain name squatting is accurate?

  • ❏ A. It is commonly condemned yet frequently practiced

  • ❏ B. It is sometimes resolved as a civil dispute rather than a criminal offense

  • ❏ C. It is an illegal practice under many trademark laws

  • ❏ D. It is a lawful speculative domain buying strategy

A regional fintech company is reviewing its risk register and discovers a vulnerability that is very unlikely to occur and would cost more to remediate than the expected loss if it were exploited. In this situation which risk response is the organization most likely to choose?

  • ❏ A. Mitigate the risk

  • ❏ B. Transfer the risk

  • ❏ C. Formally accept the risk

  • ❏ D. Avoid the risk

A cloud security analyst at Cobalt Data Services must verify that the company systems are hardened against known exploits and then produce a report that details any discovered weaknesses. What is the most effective action for the analyst to take?

  • ❏ A. Google Cloud Security Command Center

  • ❏ B. Conduct static application security testing

  • ❏ C. Conduct a vulnerability scan

  • ❏ D. Run dynamic application security testing

NovaTech is starting an initiative that will process confidential records and they need to restrict access to only authorized personnel. Which security control should be applied to ensure only users who require the data can access it?

  • ❏ A. Segregation of duties combined with least privilege access

  • ❏ B. VPC Service Controls

  • ❏ C. Apply least privilege access

  • ❏ D. Segregation of duties

A streaming startup is converting its monolithic application into containerized microservices in the cloud. What is the main benefit this architecture change will provide?

  • ❏ A. Anthos

  • ❏ B. Independent scaling and greater operational flexibility

  • ❏ C. Improved network throughput

  • ❏ D. Centralized service management

Which statement best describes how a Denial of Service attack affects a networked service?

  • ❏ A. An attack that attempts to circumvent authentication controls

  • ❏ B. An attack that aims to exfiltrate sensitive files from cloud storage by abusing APIs

  • ❏ C. An attack that overwhelms a host with excessive requests so legitimate users cannot reach the service

  • ❏ D. An attack that attempts to remove or break encryption on data in transit

Why should an organization routinely exercise its IT resilience plan and associated procedures?

  • ❏ A. Google Cloud Storage

  • ❏ B. To confirm the plan remains current and aligned with business procedures

  • ❏ C. To achieve all of these outcomes

  • ❏ D. To verify that recovery processes will restore systems effectively

Maria was using an internal customer portal while completing a report and she clicked through several pages to find a specific record. Over the next few days she observed alerts in her enterprise account indicating that requests she did not make were being denied. What type of web attack most likely caused these symptoms?

  • ❏ A. Broken access control

  • ❏ B. Cross-site request forgery

  • ❏ C. Outdated or vulnerable components

  • ❏ D. Cross-site scripting

Which of these does not describe the responsibilities of a security champion within a software delivery group?

  • ❏ A. Advocating for security tasks and integrating them early in project plans

  • ❏ B. Ignoring established security policies and procedures

  • ❏ C. Coordinating with the organization wide security team as a bridge

  • ❏ D. Providing hands on security coaching and training to team members

A healthcare technology startup uses both discretionary access control and mandatory access control to safeguard patient records. Which access control model takes precedence when both types of controls apply together?

  • ❏ A. Both controls are evaluated independently with no automatic priority

  • ❏ B. Mandatory access control takes precedence over discretionary permissions

  • ❏ C. Discretionary access control overrides mandatory restrictions

  • ❏ D. The resource owner chooses which control model applies for each object

A software company called Meridian Apps runs services in a shared cloud and wants to add transport encryption that balances the highest security with minimal latency for client connections. Which protocol should they deploy?

  • ❏ A. Google Cloud Load Balancer managed TLS

  • ❏ B. TLS 1.3

  • ❏ C. SSL 3.0

  • ❏ D. TLS 1.2

Which geographic jurisdiction does the General Data Protection Regulation primarily apply to?

  • ❏ A. United States

  • ❏ B. Google Cloud Platform

  • ❏ C. European Union and the European Economic Area

  • ❏ D. China

How can a regional bank weave security awareness learning into routine workflows so staff remain alert to cyber threats?

  • ❏ A. Publish short interactive microlearning lessons on the company intranet

  • ❏ B. Assign security related tasks as part of normal job responsibilities

  • ❏ C. Send continuous reminders and security updates through email and chat platforms

  • ❏ D. Require completion of a full training course before granting access to internal systems

Aurora Systems has detected a heightened risk of account takeover because many staff use weak credentials and simple passwords. Which mitigation approach will most effectively reduce this risk?

  • ❏ A. Run recurring security awareness training for all personnel

  • ❏ B. Use Cloud Identity to centrally manage user accounts and policies

  • ❏ C. Require multi factor authentication for all user sign ins

  • ❏ D. Enforce a strict password complexity and scheduled rotation policy

Cedar Logistics transferred several internal applications to a cloud provider and now worries the move may have been a mistake. What specific cloud concern does this situation best illustrate?

  • ❏ A. Portability

  • ❏ B. Cloud Interconnect

  • ❏ C. Availability

  • ❏ D. Reversibility

During an organization’s cloud information lifecycle which stage is the first one where controls are applied to safeguard data stored on persistent media?

  • ❏ A. Generation

  • ❏ B. Archival

  • ❏ C. Storage

  • ❏ D. Access

For a cloud deployment which delivery model allows administrators the greatest direct control over virtual machines storage and networking resources?

  • ❏ A. Platform as a Service PaaS

  • ❏ B. Function as a Service FaaS

  • ❏ C. Infrastructure as a Service IaaS

  • ❏ D. Software as a Service SaaS

Which role is responsible for coordinating and supervising the interactions between an organization that purchases cloud offerings and the company that delivers them?

  • ❏ A. Managed service provider

  • ❏ B. Cloud service broker

  • ❏ C. Cloud service customer

  • ❏ D. Cloud service provider

A data engineer at Nimbus Analytics wants to organize similar records together so they can be found and compared quickly in future analyses. Which method should they use?

  • ❏ A. Metadata

  • ❏ B. Encryption

  • ❏ C. Hashing

  • ❏ D. Labeling

A retail analytics company called Meridian Data is evaluating a data rights management tool that advertises persistent protection. Which statement best describes how persistent protection operates?

  • ❏ A. Cloud Data Loss Prevention

  • ❏ B. Access rights can be revised after a document is shared

  • ❏ C. Time limited access or expiration controls can be attached to files

  • ❏ D. Protection is bound to the file so the data stays secure regardless of where it moves

How would you describe access control within an information technology environment?

  • ❏ A. Cloud Key Management Service

  • ❏ B. The capability to read and modify data within a system

  • ❏ C. Provisioning resources for users based on their assigned roles and responsibilities

  • ❏ D. Measures that prevent unauthorized users from gaining access to resources

A regional insurer called Meridian Mutual is revising its business continuity vocabulary. Which metric represents the maximum duration a system may remain offline before severe business impact occurs?

  • ✓ D. MTD

The correct option is MTD. MTD stands for Maximum Tolerable Downtime and it is the metric that defines the longest period a system or service may be unavailable before severe or unacceptable business impact occurs.

The MTD is a business impact driven limit and it sets the outer bound that recovery plans and objectives must meet. Planned recovery objectives such as RTO are target times to restore service and they should be at or below the MTD. The RPO defines acceptable data loss windows and it measures how much data can be lost rather than how long a system can remain offline.

The RPO option is incorrect because it refers to the recovery point objective which measures acceptable data loss in terms of time since the last recoverable state. It does not express the maximum allowed downtime before severe business impact.

The RSL option is incorrect because Recovery Service Level describes the fraction of normal service that must be restored during recovery, for example the percentage of capacity or transaction throughput a degraded system must still deliver. It says nothing about how long an outage may last, so it is not the metric that defines maximum tolerable downtime.

The RTO option is incorrect because it is the recovery time objective that defines the planned target to restore a system during an incident. It is a recovery goal within procedures and not the definition of the maximum tolerable outage itself.

When a question asks for the maximum duration a system may be down before severe impact look for MTD. Remember that RTO is a planned restoration target and RPO is about acceptable data loss.

In cloud security terminology which concept is federation most directly associated with?

  • ✓ B. Access control

Access control is correct. Federation is primarily about enabling identities to be asserted across trust boundaries so that systems can make authentication and authorization decisions without creating separate local accounts.

Federation allows an identity provider to assert a user identity and related attributes to a service provider or relying party so access policies can be applied. This supports single sign on and delegated identity which are central to Access control because roles and permissions are granted based on the asserted identity and claims.

Tenant isolation is incorrect because that term refers to the logical separation of customer environments within a multi tenant cloud rather than the sharing of identity or trust between domains. Federation is about identity and trust not isolation mechanisms.

Multivendor network diversity is incorrect because it describes using equipment from multiple vendors for resilience or interoperability. Federation does not concern physical network vendor diversity and it does not manage network paths or devices.

Data center environmental systems is incorrect because that area covers cooling power and fire suppression and other physical controls. Federation is unrelated to environmental systems and instead deals with identity federation for authentication and authorization.

When you see federation think about identity and trust rather than infrastructure. Focus on words like authentication and authorization to link federation to access control when eliminating distractors.
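The explanation above says federation lets an identity provider assert an identity and attributes to a relying party, which then applies its own access policy. The following added example (not from the page, and not any vendor's code) shows both halves of that exchange with a signed JWT-style token: the IdP issues the token, the relying party verifies the signature, issuer, audience and expiry before trusting any claim, and only then maps the asserted groups to local permissions. The shared HMAC secret, issuer and audience strings, and group-to-permission table are all constructed for the example; production IdPs normally sign with an asymmetric key published via JWKS, which changes only the signature check.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: a secret shared between the identity provider
# (IdP) and this relying party, plus the issuer and audience it will accept.
IDP_SECRET = b"example-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "portal.example.net"

# Local authorization policy: federated group claims map to local permissions.
GROUP_PERMISSIONS = {
    "finance": {"read:ledger", "write:ledger"},
    "auditors": {"read:ledger"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, groups: list, now: int, ttl: int = 300) -> str:
    """IdP side: assert an identity and its attributes, signed with the secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
               "groups": groups, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int) -> dict:
    """Relying party side: establish trust in the assertion before using it."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # The algorithm is pinned by the relying party, never chosen by the token
    # (this is what defeats alg=none and algorithm-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(IDP_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not intended for this service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def permissions_for(token: str, now: int) -> set:
    """Access control decision: local permissions derived from asserted groups."""
    claims = verify_token(token, now)
    perms = set()
    for group in claims.get("groups", []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def tamper_groups(token: str, groups: list) -> str:
    """Simulate an attacker rewriting the claims but keeping the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["groups"] = groups
    forged = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice@example.com", ["auditors"], now)
    print("granted:", sorted(permissions_for(token, now)))
    try:
        verify_token(tamper_groups(token, ["finance"]), now)
    except ValueError as err:
        print("rejected forged claims:", err)
```

The order of checks matters: the signature is verified before any claim is read, the issuer check stops tokens from a different trusted domain being accepted here, and the audience check stops a token minted for one service being replayed against another. Everything after those checks is ordinary local access control driven by the asserted attributes.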

Which device is most effective at detecting malicious activity by monitoring traffic across an enterprise network?

  • ✓ D. Network intrusion detection system

Network intrusion detection system is the correct option.

Network intrusion detection system monitors network traffic at strategic points and analyzes packets and flows to identify malicious patterns and anomalies. It is deployed at network chokepoints and aggregation points so it can observe traffic from many hosts and detect coordinated or lateral attacks across the enterprise. Because it focuses on observing and alerting on suspicious activity across the network it is the most effective choice for detecting malicious activity by monitoring enterprise traffic.

Firewall enforces access control rules and filters traffic based on addresses and ports. It is primarily designed to permit or block connections and it does not provide the broad packet inspection and detection capability across multiple network segments that a network intrusion detection system provides.

Intrusion prevention system can detect threats and it is often placed inline to block or prevent malicious traffic. The question emphasizes detection by monitoring the enterprise network which aligns with the passive monitoring role of a network intrusion detection system rather than the active prevention role of an IPS.

Host intrusion detection system runs on individual endpoints and monitors local events such as file integrity and system calls. It cannot observe traffic across the entire network so it is not suitable for detecting network-wide malicious activity.

Focus on whether the solution is network wide or host specific and whether it is passive or inline when deciding between IDS, IPS, firewall, and HIDS.
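The point above is vantage: a sensor at an aggregation point sees traffic from many hosts, so it can spot a pattern that no single host can. This added example (written for this page, not from the page or any IDS product) runs one network-wide rule over constructed flow summaries of the kind a SPAN-port sensor would produce, flagging a source that touches many hosts on the same port, and then shows what a HIDS on any one of those hosts would have seen on its own. The addresses, ports and threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed flow summaries (not real traffic) as seen by a sensor on a core
# switch SPAN port: (source, destination, destination port, bytes).
# 10.0.5.14 opens SSH to eleven different hosts in 10.0.7.0/24, once each.
SAMPLE_FLOWS = [
    ("10.0.5.14", "10.0.7.%d" % i, 22, 1100 + 10 * i) for i in range(2, 13)
] + [
    ("10.0.8.30", "10.0.7.2", 445, 90000),   # a single large SMB transfer
    ("10.0.9.7", "10.0.7.2", 443, 5000),
    ("10.0.9.7", "10.0.7.3", 443, 6200),
]

SWEEP_THRESHOLD = 10   # distinct destinations on one port before alerting


def detect_lateral_sweeps(flows, threshold=SWEEP_THRESHOLD):
    """Network-wide rule: one source contacting many hosts on the same port.
    Returns (source, port, host_count) for every source at or over threshold."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        targets[(src, dport)].add(dst)
    return sorted((src, dport, len(dsts))
                  for (src, dport), dsts in targets.items()
                  if len(dsts) >= threshold)


def host_local_view(flows, host):
    """What a HIDS on one host can observe: connections to itself only.
    Returns {source: number of connections to this host}."""
    seen = defaultdict(int)
    for src, dst, _, _ in flows:
        if dst == host:
            seen[src] += 1
    return dict(seen)


def alerts(flows=SAMPLE_FLOWS):
    return ["lateral sweep: %s probed %d hosts on tcp/%d" % (src, n, port)
            for src, port, n in detect_lateral_sweeps(flows)]


if __name__ == "__main__":
    for line in alerts():
        print(line)
    # Each target host by itself saw exactly one SSH connection from 10.0.5.14,
    # which is why a host-based sensor alone would not raise this alert.
    print(host_local_view(SAMPLE_FLOWS, "10.0.7.2"))
```

From the perspective of 10.0.7.2 the scanner is indistinguishable from any other single SSH client; the sweep only exists as a pattern across hosts, which is the network sensor's view.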

NovaAcademy.example.com recently rolled out a new login system that requires each staff member to sign in with a unique username and password. Several staff have reported that they can sign in using another person’s credentials. What is the most likely explanation for this issue?

  • ✓ B. Employees are sharing account credentials

The correct answer is Employees are sharing account credentials.

Employees are sharing account credentials is the most likely explanation because multiple staff members can authenticate using another person’s username and password while the authentication system otherwise appears to work normally. When credentials are shared you will often see the same account name used from different devices or at overlapping times in audit logs which matches the behaviour described.

Authentication system is misconfigured is unlikely because a misconfiguration typically causes widespread failures or unexpected bypasses rather than allowing many distinct users to successfully log in as the same individual when unique usernames are in use. A configuration fault would more often prevent logins or allow a broad access issue rather than create the specific pattern reported.

Passwords are too weak and easy to guess is not the best fit because weak passwords usually lead to external guessing attempts or automated brute force activity and you would expect many failed attempts or unusual source IP addresses. The scenario describes coworkers signing in as one another which points to intentional sharing rather than guessing attacks.

An external breach exposed user credentials could explain unauthorized access but a breach often produces a wider pattern of compromise with other indicators such as unfamiliar geographic logins or mass credential use. The simplest and most direct explanation for multiple staff being able to use another person’s credentials is that the credentials are being shared internally.

Look for evidence in logs such as overlapping sessions, multiple device types, or simultaneous logins from different locations to distinguish between shared accounts and external compromise.
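The tip above is a detection rule in waiting: the same account active at the same time from different devices. This added example (not from the page) runs that rule over a constructed authentication log, pairs LOGIN and LOGOUT events into sessions, flags overlapping sessions of one account from different devices, and uses where the endpoints sit to separate the two explanations the text discusses: two internal endpoints look like colleagues sharing a password, while an external endpoint looks like the credentials leaked outside. The log format, account names, addresses and the internal address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample authentication log (not real data), one event per line.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z LOGIN user=jdoe ip=10.1.4.22 device=WIN-LAPTOP-17 session=s1
2024-05-01T09:03:40Z LOGIN user=jdoe ip=10.1.9.8 device=MAC-STUDIO-03 session=s2
2024-05-01T09:05:02Z LOGIN user=asmith ip=10.1.4.31 device=WIN-LAPTOP-02 session=s3
2024-05-01T09:30:00Z LOGOUT user=jdoe session=s1
2024-05-01T09:45:00Z LOGOUT user=jdoe session=s2
2024-05-01T10:00:00Z LOGOUT user=asmith session=s3
2024-05-01T10:15:00Z LOGIN user=asmith ip=10.1.4.31 device=WIN-LAPTOP-02 session=s4
2024-05-01T10:20:00Z LOGIN user=bnguyen ip=10.1.5.5 device=WIN-LAPTOP-40 session=s5
2024-05-01T10:21:30Z LOGIN user=bnguyen ip=203.0.113.77 device=UNKNOWN-ANDROID session=s6
2024-05-01T11:00:00Z LOGOUT user=asmith session=s4
2024-05-01T11:10:00Z LOGOUT user=bnguyen session=s5
"""

# Address ranges the organization treats as internal (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) (?P<kv>.*)$")


def parse_events(log_text):
    """Turn log lines into (timestamp, event, fields) tuples; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("event"), fields))
    return events


def build_sessions(events):
    """Pair LOGIN and LOGOUT by session id. A session with no LOGOUT is
    treated as still open at the time of the last event in the log."""
    last_ts = max(ts for ts, _, _ in events)
    sessions = {}
    for ts, event, f in events:
        sid = f["session"]
        if event == "LOGIN":
            sessions[sid] = {"user": f["user"], "ip": f["ip"], "device": f["device"],
                             "start": ts, "end": last_ts}
        elif sid in sessions:
            sessions[sid]["end"] = ts
    return list(sessions.values())


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def find_concurrent_sessions(sessions):
    """Flag an account whose sessions overlap in time from different devices.
    Two internal endpoints point to colleagues sharing the password; an
    external endpoint points to the credentials having leaked outside."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s["user"], []).append(s)
    findings = []
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                overlap = b["start"] < a["end"] and a["start"] < b["end"]
                if not overlap or a["device"] == b["device"]:
                    continue
                shared_time = min(a["end"], b["end"]) - max(a["start"], b["start"])
                both_inside = is_internal(a["ip"]) and is_internal(b["ip"])
                findings.append({
                    "user": user,
                    "devices": sorted([a["device"], b["device"]]),
                    "ips": sorted([a["ip"], b["ip"]]),
                    "overlap_minutes": int(shared_time.total_seconds() // 60),
                    "likely": "credential sharing" if both_inside else "external compromise",
                })
    return findings


def analyze(log_text=SAMPLE_LOG):
    return find_concurrent_sessions(build_sessions(parse_events(log_text)))


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the sample data jdoe's two internal sessions from different machines overlap for 26 minutes and are labelled as sharing, while bnguyen's session from an outside address that never logs out is labelled as likely compromise. asmith, whose sessions are sequential on one device, produces no finding, which is the behaviour a properly used unique account should show.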

A payments startup called Cobalt Ledger plans to add digital signatures to its contracts to prove documents are authentic and unchanged. Which of the following is not a fundamental component of a digital signature?

  • ✓ B. An encryption key

The correct answer is An encryption key. This choice is not a fundamental component of a digital signature.

Digital signatures are built from the original message, a fixed length digest produced by a secure hash function, and a signing operation that applies the signer’s private key to that digest. The matching public key verifies the result, and a certificate binds that public key to an identity. The key pair is a signing key rather than an encryption key: the document itself is not encrypted, and the goal is integrity and nonrepudiation rather than confidentiality. A generic encryption key is therefore not a fundamental element of the signature.

A message digest produced by a secure hash function is incorrect because the digest is what is actually signed in most schemes. Hashing provides a compact representation of the original data and ensures that any change to the document yields a different digest, which makes it essential to the signature process.

The original document or message being signed is incorrect because the document is the item whose integrity and authenticity are being proven. You need the original or its representation to produce and later verify the digest and signature.

A public key certificate is incorrect because certificates are commonly used to associate the public verification key with an identity and to establish trust. Verification requires the public key and a means to trust that key, and certificates provide that assurance.

When you see questions about digital signatures focus on integrity and authentication. Remember that signatures sign a hash with a private signing key and that a certificate is used to trust the public key.
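To make the hash-then-sign structure concrete, here is an added example (written for this page, not from the page or from any library) that walks through every component the explanation lists: the document, its digest, the private signing operation, public verification, and a stand-in for the certificate that binds a public key to a signer's name. The RSA arithmetic is deliberately textbook RSA with no padding on two Mersenne primes, chosen only because their primality is well known; that makes it a teaching toy, and real contracts should be signed with a vetted implementation of RSA-PSS, ECDSA or Ed25519. The signer name and contract text are constructed for the example.

```python
import hashlib

# Toy parameters (assumption for the example, NOT a secure key): two Mersenne
# primes give a modulus of about 234 bits, which is larger than a SHA-224 digest.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537


def generate_keypair():
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # modular inverse of E (Python 3.8+)
    return (N, E), (N, d)


def digest(message: bytes) -> int:
    # SHA-224 is used so the digest, read as an integer, always lies below N.
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Only the holder of d can produce this value for the message's digest."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone with the public key can check that signature^e recovers the digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


# Stand-in for the certificate step: a trusted directory that binds a signer's
# name to a public key (constructed for the example; a CA-issued certificate
# plays this role in practice).
TRUSTED_SIGNERS = {}


def register_signer(name: str, public_key):
    TRUSTED_SIGNERS[name] = public_key


def verify_signed_contract(name: str, contract: bytes, signature: int) -> str:
    key = TRUSTED_SIGNERS.get(name)
    if key is None:
        return "unknown signer: no certificate binds this name to a key"
    if verify(contract, signature, key):
        return "valid"
    return "INVALID: document or signature altered"


if __name__ == "__main__":
    public, private = generate_keypair()
    register_signer("Cobalt Ledger Legal", public)
    contract = b"Cobalt Ledger agrees to pay 10,000 on delivery."
    sig = sign(contract, private)
    print(verify_signed_contract("Cobalt Ledger Legal", contract, sig))
    print(verify_signed_contract("Cobalt Ledger Legal", contract + b" or 100,000", sig))
```

Changing a single byte of the contract changes its digest, so the stored signature no longer matches and verification fails; that is the integrity property. Because only the private exponent can have produced the signature, a valid one also ties the document to the registered signer, which is the nonrepudiation property. Note that nothing here is encrypted: the contract stays readable by everyone.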

Why does the CyberTrust Consortium publish a professional Code of Ethics for security practitioners?

  • ✓ D. To define professional standards of conduct for information security professionals

To define professional standards of conduct for information security professionals is the correct option.

A professional code of ethics exists to articulate the values and behaviors expected of practitioners and to provide a common set of standards for decision making and professional conduct. It helps information security professionals evaluate ethical dilemmas, maintain public trust, and promote consistency across the field.

Google Cloud Identity and Access Management is incorrect because that entry names a specific cloud service for managing user identities and permissions and it has nothing to do with issuing a professional code of conduct.

To offer guidance on resolving conflicts of interest is incorrect because that choice is too narrow. A code of ethics may address conflicts of interest, but its purpose is broader and focuses on defining overall professional standards and responsibilities.

To enforce compliance with laws and regulations is incorrect because codes of ethics provide ethical guidance rather than legal enforcement. Laws and regulations are enforced by legal authorities and regulators while a professional code guides behavior and may be used by professional bodies when judging ethical breaches.

When an option describes a broad purpose such as setting professional standards it is more likely to be correct than an option that names a specific product or gives a narrow function such as handling one type of issue.

Why do secure facilities install a mantrap at an entry point and what main function does it provide?

  • ✓ B. To add an extra layer of protection for a highly restricted zone by using a pair of interlocked doors and identity verification

To add an extra layer of protection for a highly restricted zone by using a pair of interlocked doors and identity verification is correct.

A mantrap is a small controlled space between two interlocked doors where only one door can open at a time and identity or authorization is verified before the second door will unlock. This arrangement prevents tailgating and unauthorized entry and it allows security staff or automated systems to perform secondary checks or screenings before admitting someone into the sensitive area.

To offer a rapid emergency egress path from a controlled area is wrong because mantraps are not designed to provide fast emergency escape. They can impede quick egress and emergency exits and life safety systems are planned separately to meet building and fire codes.

To consolidate entrances to reduce construction and maintenance expenses is wrong because the primary purpose of a mantrap is to improve security and not to save cost. Consolidating entrances might incidentally affect expenses but it is not the defining function of a mantrap.

To enable precise entry logging for compliance monitoring and audit trails is wrong because although mantraps are often integrated with access control systems that log events the main function of a mantrap is physical access control and preventing unauthorized passage. Logging is a secondary benefit provided by the connected systems and not the primary purpose of the mantrap itself.

When you read about interlocked doors and staged verification think tailgating prevention and controlled admission rather than emergency egress or cost savings.

A regional online retailer uses systems that apply data science methods to extract actionable insights from transaction records so managers can make better decisions. Which technology is the company using?

  • ✓ D. Machine learning

Machine learning is the correct answer.

Machine learning refers to algorithms and statistical models that learn patterns from historical transaction records and then generate predictions or extract actionable insights to support managerial decisions. The question describes applying data science methods to transaction data to produce insights, which is precisely what machine learning techniques are designed to do.

BigQuery is a cloud data warehouse used to store and query very large datasets and it can host the data that machine learning models use. It is not the name of the data science method that extracts patterns and makes predictions, and that is why it is not the best match.

Artificial intelligence is a broad field that includes many approaches to making systems behave intelligently and it does include machine learning as a core subset. Because the question specifically describes applying data science methods to learn from transaction records, the more precise answer is machine learning rather than the broader term artificial intelligence.

Quantum computing is an emerging computational paradigm based on quantum mechanics and it is not the standard technology used to extract actionable business insights from retail transaction records. It does not describe the data science methods referenced in the question.

When a question describes deriving predictions or patterns from historical data choose machine learning rather than the broader term artificial intelligence or a platform name like BigQuery.

A network engineer at NovaTech Solutions needs to keep the finance and product teams in separate broadcast domains so they do not receive each other’s broadcast traffic. Which networking technology will provide independent broadcast domains for those teams?

  • ✓ D. VLAN

The correct option is VLAN.

A VLAN creates logical segments on a switched network so each segment operates as its own broadcast domain. By assigning switch ports or devices to different VLANs the switch confines broadcast traffic to only the devices in the same VLAN, and traffic between VLANs requires routing or a layer 3 device so you can enforce inter-team policies.

Virtual Private Network provides encrypted tunnels for secure communication over untrusted networks and it does not create separate layer 2 broadcast domains on a local switch. It can isolate remote user traffic but it is not the mechanism used to keep two local teams in separate broadcast domains.

IP subnetting divides an IP address space into smaller networks which define layer 3 boundaries and can correspond to separate broadcast domains when routed. Subnetting alone does not change how a switch forwards layer 2 broadcasts on the same physical LAN unless you also implement switch level segmentation with technologies such as VLANs.

Demilitarized zone is a security zone used to expose or isolate public facing services from internal networks and it is not a switch feature for separating internal teams into independent broadcast domains.

When the question asks about separating broadcast domains think of VLANs first because they provide layer 2 segmentation and are commonly paired with subnets for layer 3 control.
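The subtle point in the IP subnetting explanation is that two subnets sharing one switch still share one broadcast domain. This added example (not from the page, and not any vendor's switch code) simulates the layer 2 flooding rule over a constructed six-host topology where finance and product are already on different IP subnets, and compares a flat switch with one whose ports are split into two VLANs. Host names, port names, addresses and VLAN numbers are all assumptions made for the illustration.

```python
import ipaddress

# Constructed topology (assumed for the example): one physical switch with six
# access ports. Finance hosts are addressed from 10.10.1.0/24 and product hosts
# from 10.10.2.0/24, so the two teams are already in different IP subnets.
HOSTS = {
    "fin-pc-1": ("Gi0/1", "10.10.1.11/24"),
    "fin-pc-2": ("Gi0/2", "10.10.1.12/24"),
    "fin-srv":  ("Gi0/3", "10.10.1.50/24"),
    "prd-pc-1": ("Gi0/4", "10.10.2.21/24"),
    "prd-pc-2": ("Gi0/5", "10.10.2.22/24"),
    "prd-ci":   ("Gi0/6", "10.10.2.60/24"),
}

# Port-to-VLAN maps for the two switch configurations being compared.
FLAT_SWITCH = {port: 1 for port, _ in HOSTS.values()}          # every port in VLAN 1
SEGMENTED_SWITCH = {port: 10 if host.startswith("fin") else 20  # finance 10, product 20
                    for host, (port, _) in HOSTS.items()}


def broadcast_receivers(sender, port_to_vlan):
    """Layer 2 flooding rule: a broadcast frame goes to every other port in the
    sender's VLAN. The switch never consults the IP subnet."""
    vlan = port_to_vlan[HOSTS[sender][0]]
    return sorted(host for host, (port, _) in HOSTS.items()
                  if host != sender and port_to_vlan[port] == vlan)


def same_subnet(a, b):
    return (ipaddress.ip_interface(HOSTS[a][1]).network
            == ipaddress.ip_interface(HOSTS[b][1]).network)


def cross_subnet_broadcasts(port_to_vlan):
    """(sender, receiver) pairs where a broadcast crosses an IP subnet boundary,
    i.e. where subnetting alone failed to separate the teams."""
    return [(s, r) for s in HOSTS for r in broadcast_receivers(s, port_to_vlan)
            if not same_subnet(s, r)]


if __name__ == "__main__":
    print("flat      :", broadcast_receivers("fin-pc-1", FLAT_SWITCH))
    print("segmented :", broadcast_receivers("fin-pc-1", SEGMENTED_SWITCH))
    print("cross-subnet broadcasts, flat vs segmented:",
          len(cross_subnet_broadcasts(FLAT_SWITCH)),
          len(cross_subnet_broadcasts(SEGMENTED_SWITCH)))
```

On the flat switch every finance broadcast (ARP, DHCP discovery and the like) reaches all three product hosts and vice versa despite the separate subnets, 18 cross-subnet deliveries in total; once the ports are assigned to VLAN 10 and VLAN 20 that number drops to zero, and any finance-to-product traffic has to pass through a layer 3 device where policy can be applied.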

Breaching the requirements for which class of personally identifiable information is most likely to lead to criminal prosecution?

  • ✓ C. Statutorily controlled PII

Statutorily controlled PII is the correct option.

Statutorily controlled PII refers to personally identifiable information that is protected by specific laws and regulations and that often carries defined penalties for unauthorized disclosure. When a statute explicitly protects a data element such as a Social Security number or similar identifier the government can pursue criminal charges for willful breaches under those laws. That legal basis and the explicit penalties are what make criminal prosecution most likely for this class of PII.

Unclassified PII is incorrect because unclassified data is not necessarily protected by specific criminal statutes. It may be low sensitivity information or only subject to agency policy and administrative controls and those situations rarely trigger criminal prosecution on their own.

Contract-based PII is incorrect because contractual obligations create civil and contractual remedies when violated. Breaching a contract can lead to damages or termination of agreements and possible administrative action but it does not by itself create criminal liability unless a separate statute is also violated.

Nonpublic PII is incorrect because nonpublic simply means the information is not openly available. It can be sensitive and require protection but that status does not guarantee statutory criminal penalties. Nonpublic information is more likely to lead to civil enforcement or administrative sanctions unless a law specifically criminalizes its disclosure.

When the question asks which breach could lead to criminal prosecution look for wording that points to laws or statutes. Prefer the option that explicitly ties protection to statutory requirements.

During the analysis stage of an incident response what is the primary goal of performing a forensic examination?

  • ✓ C. Preserve and collect evidentiary data while maintaining a documented chain of custody for potential legal actions

Preserve and collect evidentiary data while maintaining a documented chain of custody for potential legal actions is correct.

This is because the primary goal of a forensic examination during analysis is to secure data in a manner that preserves its integrity and provenance so that it can be relied upon in investigations or in court. A proper forensic process focuses on collection methods that avoid altering evidence and on documenting every action that touches the data.

Forensic activities therefore include creating forensically sound images of storage, capturing volatile memory and relevant logs, recording timestamps and cryptographic hashes, and keeping a documented chain of custody for each item. These practices ensure that evidence remains admissible and that investigators can reconstruct events with confidence.

Contain active threats using Cloud Logging and Security Command Center telemetry is incorrect because active containment and mitigation are operational steps that run alongside response efforts and they do not replace the need to preserve evidence. Containment is about stopping harm and is not the primary objective of forensic examination.

Record post-incident lessons and create a revised incident response playbook is incorrect because lessons learned and playbook updates belong to the post-incident or recovery phase. Those activities come after evidence collection and detailed analysis rather than being the main goal of the forensic exam.

Attribute the intrusion to a threat actor and determine their motives is incorrect because attribution can be a longer term outcome that requires corroborating intelligence and context beyond preserved evidence. Attribution is not the immediate objective of collecting and maintaining forensic evidence.

When a question asks about the goal of a forensic exam focus on preservation and chain of custody rather than containment, remediation, or lessons learned.
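As an added example that is not part of the original page, the following Python sketch records the acquisition hash and the chain of custody entries the explanation describes, and shows how a later verification step detects alteration; the evidence bytes, item ids and handler names are constructed.

```python
"""Evidence acquisition record with a documented chain of custody.

Added example, not from the original page. Each collected item is hashed at
acquisition, every hand-off is recorded with a timestamp, and a verifier
re-hashes the item so any change after collection is detected.
All identifiers and the evidence bytes below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CustodyEntry:
    timestamp: str
    handler: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    data: bytes                      # in practice a disk image, memory dump or log file
    acquisition_hash: str
    chain: list[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(item_id: str, description: str, data: bytes, handler: str) -> EvidenceItem:
    """Collect an item and open its custody chain with the acquisition hash."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, description, data, digest)
    item.chain.append(CustodyEntry(_now(), handler, "acquired", digest))
    return item


def transfer(item: EvidenceItem, from_handler: str, to_handler: str) -> None:
    """Record a hand-off; both parties attest to the same hash at the moment of transfer."""
    digest = sha256_hex(item.data)
    item.chain.append(CustodyEntry(_now(), from_handler, f"released to {to_handler}", digest))
    item.chain.append(CustodyEntry(_now(), to_handler, f"received from {from_handler}", digest))


def verify(item: EvidenceItem) -> tuple[bool, list[str]]:
    """Check the item against its acquisition hash and every recorded chain entry.

    Returns (ok, problems). Any problem means the item cannot be presented as unaltered.
    """
    problems: list[str] = []
    current = sha256_hex(item.data)
    if current != item.acquisition_hash:
        problems.append(f"{item.item_id}: current hash differs from acquisition hash")
    for entry in item.chain:
        if entry.sha256 != item.acquisition_hash:
            problems.append(f"{item.item_id}: entry '{entry.action}' by {entry.handler} recorded a different hash")
    if not item.chain or item.chain[0].action != "acquired":
        problems.append(f"{item.item_id}: chain does not start with an acquisition record")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: a short captured log stands in for a full image.
    sample_log = b"2024-05-01T10:02:11Z sshd[412]: Accepted publickey for deploy from 10.0.0.7\n"
    ev = acquire("EV-001", "auth log from web-01 (constructed)", sample_log, "analyst_a")
    transfer(ev, "analyst_a", "examiner_b")
    print(verify(ev))                 # (True, [])
    ev.data = ev.data + b"tampered\n"  # simulate alteration after collection
    print(verify(ev))                 # (False, [...])
```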

Which of the following is an example of a detective access control in a corporate campus security scenario?

  • ✓ D. A motion detector alarm that alerts security staff about a suspected breach

A motion detector alarm that alerts security staff about a suspected breach is the correct option.

The motion detector alarm is a classic example of a detective control because it does not block access or prevent the event from occurring; instead it detects anomalous activity and generates an alert so security staff can investigate and respond.

A firewall that blocks unauthorized traffic and prevents network intrusions is incorrect because a firewall is a preventive control that aims to stop unauthorized traffic before it reaches assets rather than to detect and alert on an incident.

A lobby concierge who verifies visitor badges before permitting access is incorrect because that role is a preventive or administrative physical control that gates access at the point of entry instead of detecting and reporting a breach after it happens.

Two factor authentication required at user sign in is incorrect because two factor authentication is a preventive technical control that reduces the chance of unauthorized access rather than serving to detect and alert on suspicious activity.

When you see control type questions first ask whether the control stops an event or detects an event. Controls that generate alerts or logs are usually detective and that distinction will guide your choice.

A site reliability engineer at a mid sized payments startup left host configuration references inside source files. An attacker located those configuration entries in the repository and used them to bypass proper validation and gain access to the application. What kind of vulnerability is this?

  • ✓ C. XML external entity reference

The correct option is XML external entity reference.

XML external entity reference vulnerabilities occur when an XML parser is allowed to resolve external entity definitions that reference internal files or remote hosts. In the scenario a developer left host configuration references inside source files and an attacker found those entries in the repository and used them to bypass validation and access the application. That pattern of using file or host references during XML parsing to retrieve sensitive information or alter behavior matches XML external entity reference.

Server side request forgery involves forcing a server to make unintended network requests and it can look similar when external resources are fetched. The key difference is that Server side request forgery focuses on arbitrary network requests while the scenario specifically involves XML entity resolution and reuse of configuration entries which points to XML external entity reference instead.

Cross site scripting is about injecting client side script into web pages viewed by other users and it is not about XML entity processing or server side inclusion of configuration files. The attack described exploited server side parsing and not client side script execution so Cross site scripting is not correct.

Broken access control means missing or incorrect authorization checks that allow users to perform actions they should not. The attacker in this case manipulated parsing and reused configuration references rather than bypassing authorization rules so Broken access control does not best describe the issue.

When you see XML processing or references to external files look for XXE risks and remember to consider whether entity resolution can reach internal hosts or files. On the exam focus on the parsing context rather than just the network request behavior.
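An added example, not from the original page, of the parsing context the tip refers to: a check that refuses XML carrying DOCTYPE or ENTITY declarations before the document reaches the parser, so entity resolution can never reach files or internal hosts. The sample documents and the file path inside them are constructed placeholders.

```python
"""Refuse XML that carries entity declarations before it reaches the parser.

Added example, not from the original page. An XXE issue needs a parser that
resolves entity definitions pointing at local files or internal hosts; the
check below rejects any untrusted document that declares a DOCTYPE or ENTITY
at all, and only clean documents are handed to the parser.
"""
import re
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted input contains constructs it must not supply."""


_DECL = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I)


def reject_entity_declarations(xml_text: str) -> None:
    # Deliberately conservative: the pattern is matched anywhere in the text,
    # so the same string inside a comment or CDATA section is rejected too.
    # For untrusted input that false positive is preferable to a bypass that
    # depends on how the parser orders comments, CDATA and declarations.
    if _DECL.search(xml_text):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from untrusted input")


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse XML from an untrusted source only after the declaration check."""
    reject_entity_declarations(xml_text)
    return ET.fromstring(xml_text)


def describe(xml_text: str) -> str:
    """Classify a document as 'rejected', 'malformed' or 'parsed:<root tag>'."""
    try:
        root = parse_untrusted(xml_text)
    except UnsafeXML:
        return "rejected"
    except ET.ParseError:
        return "malformed"
    return f"parsed:{root.tag}"


# Constructed samples.
SAFE_DOC = "<config><host>app.internal.example</host></config>"

# Textbook XXE shape: an external entity whose value would be read from a file.
# The path is a placeholder; the point is that the declaration itself is refused.
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE config [<!ENTITY hostcfg SYSTEM "file:///placeholder/hosts.conf">]>'
    "<config><host>&hostcfg;</host></config>"
)

# Declaration text inside a comment is harmless, but the conservative rule still refuses it.
COMMENTED_DOC = "<!-- <!DOCTYPE x> --><config><host>db.internal.example</host></config>"

if __name__ == "__main__":
    for name, doc in [("safe", SAFE_DOC), ("xxe", XXE_DOC), ("commented", COMMENTED_DOC)]:
        print(name, describe(doc))
```

Python's standard library parsers do not fetch external entities by default, but keeping the policy in a check that runs before parsing means it does not depend on the defaults of whichever parser library is in use.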

Within a corporate risk governance model where control activities, oversight functions and independent assurance are separated, which line of defense is the information security team usually assigned to?

  • ✓ C. It is the first line of defense

It is the first line of defense is correct because the information security team is usually part of the operational functions that own and manage risk and that implement and operate controls.

The first line of defense includes business and operational teams that design, deploy, and maintain security controls on a day to day basis. Information security typically implements technical controls, runs monitoring and detection, and leads incident response so it functions as an operational control owner rather than an oversight or assurance body.

It is the second line of defense is incorrect because the second line provides oversight, policy, and risk management support rather than operating the controls. Risk, compliance, and governance functions usually sit in the second line and they guide and monitor the first line.

It is the third line of defense is incorrect because the third line is independent assurance such as internal audit. The third line evaluates and reports on the effectiveness of controls and governance rather than implementing those controls.

When you see a lines of defense question identify who actually operates the controls. The first line runs and maintains controls, the second line provides oversight and policy, and the third line gives independent assurance.

Which statement about domain name squatting is accurate?

  • ✓ C. It is an illegal practice under many trademark laws

It is an illegal practice under many trademark laws is the correct statement.

Domain name squatting, often called cybersquatting, is the registration or use of domain names that are identical or confusingly similar to established trademarks with the intent to profit from the trademark holder. Many jurisdictions treat that conduct as unlawful under trademark statutes and provide remedies such as transfer, cancellation, and monetary damages. For example the United States has the Anticybersquatting Consumer Protection Act which permits trademark owners to sue for bad faith registration and seek damages and there is an administrative procedure under ICANN called the Uniform Domain-Name Dispute-Resolution Policy that allows for arbitration and transfer or cancellation of abusive registrations.

It is commonly condemned yet frequently practiced is incorrect because that option states a matter of opinion about prevalence rather than a legal rule. Whether a practice is common does not determine its legality and the exam is asking for the legal characterization under trademark law.

It is sometimes resolved as a civil dispute rather than a criminal offense is incorrect because the statement is misleading in this context. Many cybersquatting cases are indeed handled by civil litigation or administrative dispute resolution, but the defining point is that the conduct is unlawful under trademark laws and can give rise to civil remedies and in extreme cases criminal penalties under specific statutes or jurisdictions.

It is a lawful speculative domain buying strategy is incorrect because that describes a legitimate speculative activity only when it does not target third party trademarks. When the registration is done in bad faith to exploit a trademark the practice is illegal and is not a lawful general strategy.

Focus on whether the statement describes legal status rather than popularity or dispute processes. Look for words like illegal and trademark laws to identify the most precise legal answer.

A regional fintech company is reviewing its risk register and discovers a vulnerability that is very unlikely to occur and would cost more to remediate than the expected loss if it were exploited. In this situation which risk response is the organization most likely to choose?

  • ✓ C. Formally accept the risk

The correct answer is Formally accept the risk.

Formally accept the risk is appropriate when the likelihood of exploitation is very low and the expected loss is smaller than the cost to remediate. In that situation a cost benefit decision leads the organization to retain the risk rather than spend more on controls than the potential loss. Acceptance must be a formal decision, because informally doing nothing creates unmanaged exposure.

When an organization formally accepts the risk it should document the rationale in the risk register, record any residual risk, assign an owner, and establish monitoring or trigger points so the risk can be reassessed if conditions change and the likelihood or impact increases.

Mitigate the risk is incorrect because mitigation requires implementing controls to reduce likelihood or impact and that would cost more than the expected loss in this scenario.

Transfer the risk is incorrect because transferring the risk to a third party or insurer also incurs cost and does not make sense when the expected loss is lower than remediation or transfer costs.

Avoid the risk is incorrect because avoidance would require stopping the activity or removing the asset and that action is often impractical and more disruptive than formally accepting a low expected loss.

Look for wording about low likelihood and a remediation cost higher than expected loss and choose formal acceptance. Also mention documentation and monitoring to show the acceptance is a managed decision.

A cloud security analyst at Cobalt Data Services must verify that the company systems are hardened against known exploits and then produce a report that details any discovered weaknesses. What is the most effective action for the analyst to take?

  • ✓ C. Conduct a vulnerability scan

Conduct a vulnerability scan is the correct action for the analyst to take.

A vulnerability scan is designed to assess systems across the network and identify known security weaknesses such as missing patches, misconfigurations, and exposed services. Vulnerability scanners produce detailed findings and evidence and they map issues to identifiers and severity levels, which supports prioritization and remediation and fulfills the requirement to verify hardening and produce a report of discovered weaknesses.

Google Cloud Security Command Center is a security management and visibility platform that aggregates telemetry and findings and helps prioritize risk. It can ingest vulnerability scanner output but by itself it does not perform a comprehensive active vulnerability assessment across hosts and network services which is the direct task in this scenario.

Static application security testing inspects source code or compiled artifacts to find code level flaws. It is useful for identifying developer introduced vulnerabilities but it does not evaluate host configuration, missing OS patches, or exposed services and so it will not provide the required system hardening report for the environment.

Dynamic application security testing tests a running application for runtime and web interface issues by simulating attacks against the application. It can find runtime flaws in web apps and APIs but it does not comprehensively scan servers, operating system patch status, or network level exposures so it is not the most effective single action here.

When a question asks to verify system hardening and produce a report choose the action that actively assesses hosts and networked services such as vulnerability scanning rather than tools that only inspect code or only provide aggregation and visibility.

NovaTech is starting an initiative that will process confidential records and they need to restrict access to only authorized personnel. Which security control should be applied to ensure only users who require the data can access it?

  • ✓ C. Apply least privilege access

Apply least privilege access is correct because it ensures users receive only the permissions they need to perform their job and no more which directly limits access to confidential records to authorized personnel.

This principle is implemented by granting the minimum necessary rights through role based access control and by using time limited or just in time permissions together with regular access reviews. These practices reduce the attack surface and help prevent unauthorized access to sensitive data.

Segregation of duties combined with least privilege access is incorrect because it mixes two concepts and the option as written is broader than the single control the question asks for. The question focuses on restricting who can access data and the precise control for that goal is granting only necessary permissions.

VPC Service Controls is incorrect because those controls provide network and service perimeter protections for cloud resources and they help prevent data exfiltration at the service boundary. They do not by themselves restrict which individual users can access confidential records.

Segregation of duties is incorrect because it is intended to prevent conflicts of interest by splitting responsibilities among multiple people. It does not directly limit user access to data based on job necessity in the way that granting only necessary permissions does.

When a question asks about restricting who can access data focus on the concept of least privilege and choose answers that limit user permissions rather than network perimeters or separation of roles.

A streaming startup is converting its monolithic application into containerized microservices in the cloud. What is the main benefit this architecture change will provide?

  • ✓ B. Independent scaling and greater operational flexibility

The correct answer is Independent scaling and greater operational flexibility.

Moving from a monolithic application to containerized microservices allows individual services to be scaled on demand and updated independently. This reduces resource waste and enables faster deployments and clearer fault isolation which improves overall operational agility and resilience.

Anthos is a management and platform product for running Kubernetes across cloud and on prem environments and it describes a tool chain rather than the primary architectural benefit of breaking a monolith into microservices.

Improved network throughput is not the main outcome because microservices increase inter service calls and can add network overhead, so the change usually affects operational flexibility rather than raw network performance.

Centralized service management is misleading because microservices typically promote decentralized ownership and independent deployment of services instead of centralizing control.

Focus on answers that mention scalability or operational flexibility when the question asks about architecture benefits of moving to containers and microservices.

Which statement best describes how a Denial of Service attack affects a networked service?

  • ✓ C. An attack that overwhelms a host with excessive requests so legitimate users cannot reach the service

The correct answer is An attack that overwhelms a host with excessive requests so legitimate users cannot reach the service.

A denial of service attack denies availability by consuming the target’s computing or network resources so legitimate requests cannot be processed. The attacker sends excessive traffic or requests to exhaust CPU, memory, connection tables or bandwidth, which prevents normal users from getting a response.

Many denial of service attacks are distributed, which increases volume and makes mitigation more difficult. Common defenses focus on rate limiting, filtering and traffic scrubbing to reduce the impact and restore access.

An attack that attempts to circumvent authentication controls is incorrect because that option describes authentication bypass or credential attacks that aim to gain unauthorized access rather than preventing legitimate users from accessing a service.

An attack that aims to exfiltrate sensitive files from cloud storage by abusing APIs is incorrect because that option describes data exfiltration or API abuse which targets confidentiality and data theft rather than availability.

An attack that attempts to remove or break encryption on data in transit is incorrect because that option describes cryptanalysis or attacks on confidentiality and integrity rather than a denial of service which impacts availability.

When a question mentions loss of availability or users being unable to access a service pick the answer that describes resource exhaustion or overwhelming traffic.

Why should an organization routinely exercise its IT resilience plan and associated procedures?

  • ✓ C. To achieve all of these outcomes

To achieve all of these outcomes is correct because routine exercises of the IT resilience plan pursue multiple objectives rather than a single narrow purpose.

Regular exercises validate procedures, confirm that people understand their roles, test technical recovery steps, and ensure alignment with business priorities. That combination of purposes is why To achieve all of these outcomes is the best choice.

Google Cloud Storage is incorrect because it names a specific cloud storage service and not a reason to exercise an IT resilience plan. Exercising a plan is about validating processes, people, and coordination and not about a single product.

To confirm the plan remains current and aligned with business procedures is a valid outcome of exercises but it is incomplete on its own. Choosing only that outcome misses other goals such as verifying technical recovery and team coordination.

To verify that recovery processes will restore systems effectively is also a valid outcome but it is not the whole reason to perform routine exercises. Effective resilience exercises also check documentation, communications, and alignment with business priorities in addition to technical restoration.

When an option states "all of these", check that each listed outcome is reasonable. If each item is a plausible objective then the combined choice is likely correct.

Maria was using an internal customer portal while completing a report and she clicked through several pages to find a specific record. Over the next few days she observed alerts in her enterprise account indicating that requests she did not make were being denied. What type of web attack most likely caused these symptoms?

  • ✓ D. Cross-site scripting

The correct option is Cross-site scripting.

Cross-site scripting injects malicious script that runs in a victim’s browser and can use the victim’s active session to send requests or to steal session tokens. A script delivered by the portal could execute when Maria clicked through pages and then perform or trigger requests that appear to come from her account over the following days. Stored XSS can persist in the application and cause repeated unauthorized activity as the infected pages are viewed.

Broken access control describes server side authorization flaws that let users access resources they should not. That condition does not explain why Maria’s browser would itself initiate requests that she did not make.

Cross-site request forgery can cause a logged in browser to submit actions without the user’s explicit intent, but it normally relies on crafted cross origin requests and not on injected scripts running inside the site. The ongoing requests seen after navigating internal pages are more indicative of script execution in the browser which matches XSS.

Outdated or vulnerable components is a root cause that can enable many kinds of attacks when software is unpatched. It is not the specific browser based attack type that explains the client side execution and the repeated unauthorized requests.

When a question describes actions occurring from a user account without the user’s intent look for signs of client side script execution and persistent payloads. Recognizing browser executed scripts points you to XSS rather than server side misconfigurations.

Which of these does not describe the responsibilities of a security champion within a software delivery group?

  • ✓ B. Ignoring established security policies and procedures

Ignoring established security policies and procedures is the correct answer.

A security champion strengthens security within a delivery team by promoting secure design and ensuring compliance. They surface security tasks early in planning and help reduce risk while aligning the team with organizational requirements.

Ignoring established security policies and procedures would directly contradict that role because it removes the compliance and governance behaviors the champion is meant to promote. Choosing to ignore policies would increase security and regulatory risk and would not align with the responsibilities of the position.

Advocating for security tasks and integrating them early in project plans is incorrect because advocating and early integration are core responsibilities of a security champion. Champions help the team identify security work up front and ensure it is part of the delivery process.

Coordinating with the organization wide security team as a bridge is incorrect because security champions act as the local bridge to central security functions. They escalate issues and translate organizational guidance into team practices.

Providing hands on security coaching and training to team members is incorrect because coaching and practical guidance are typical duties for a champion. They raise the team’s security skill level and help apply secure techniques in day to day work.

When a role focuses on advocacy and liaison work choose the option that most directly contradicts those duties. Ignoring policies or refusing to collaborate are common red flags in role based questions.

A healthcare technology startup uses both discretionary access control and mandatory access control to safeguard patient records. Which access control model takes precedence when both types of controls apply together?

  • ✓ B. Mandatory access control takes precedence over discretionary permissions

Mandatory access control takes precedence over discretionary permissions is the correct option.

Mandatory access control enforces organization wide security policy by assigning labels to subjects and objects and by making access decisions based on those labels and policy rules. Discretionary controls allow owners to grant or restrict access but they operate within the constraints set by the mandatory access control policy so owner grants cannot override a mandatory access control denial. In a healthcare setting the mandatory access control rules typically implement classification and need to know requirements for patient records and those system enforced rules therefore take priority.

Both controls are evaluated independently with no automatic priority is incorrect because when mandatory access control and discretionary access control conflict the mandatory access control policy constrains what discretionary permissions can do. The system will enforce mandatory access control restrictions even if discretionary permissions would otherwise permit access.

Discretionary access control overrides mandatory restrictions is incorrect because resource owners cannot bypass centrally enforced policies. Discretionary permissions are subordinate to the mandatory access control rules and they cannot be used to negate those rules.

The resource owner chooses which control model applies for each object is incorrect because owners may set discretionary permissions but they cannot opt out of organization wide mandatory access control policies. The security architecture applies the system level policy rather than individual owner preference.

When both DAC and MAC appear on the exam pick the system enforced rule because mandatory controls constrain owner granted permissions and therefore take precedence.
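The precedence rule above, as an added Python example that is not from the original page: a simplified label-dominance MAC check is evaluated before any discretionary grant, so an owner's grant can never override a MAC denial. The labels, users and patient record are constructed.

```python
"""Access decision where a mandatory policy constrains discretionary grants.

Added example, not from the original page. MAC is modelled as a clearance that
must dominate the record's label (classification level plus need-to-know
compartments). DAC is an owner-managed ACL. Access is allowed only when both
permit, which is why a DAC grant cannot turn a MAC denial into an allow.
"""
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know compartments


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Record:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permitted actions


def mac_permits(subject: Subject, record: Record) -> bool:
    """System-enforced rule: clearance level >= record level and all compartments held."""
    return (LEVELS[subject.clearance.level] >= LEVELS[record.label.level]
            and record.label.compartments <= subject.clearance.compartments)


def dac_permits(subject: Subject, record: Record, action: str) -> bool:
    """Owner-managed rule: the owner has full rights, others need an ACL entry."""
    if subject.name == record.owner:
        return True
    return action in record.acl.get(subject.name, set())


def grant(owner: Subject, record: Record, grantee: str, action: str) -> None:
    """DAC: only the record owner may extend the ACL."""
    if owner.name != record.owner:
        raise PermissionError(f"{owner.name} does not own {record.name}")
    record.acl.setdefault(grantee, set()).add(action)


def decide(subject: Subject, record: Record, action: str) -> tuple:
    """Evaluate MAC first; DAC is consulted only inside what MAC allows."""
    if not mac_permits(subject, record):
        return False, "denied by MAC: clearance does not dominate record label"
    if not dac_permits(subject, record, action):
        return False, "denied by DAC: no owner grant for this action"
    return True, "allowed: MAC label check passed and DAC grant present"


def build_scenario():
    """Constructed: a confidential oncology record owned by dr_lee."""
    oncology = frozenset({"oncology"})
    record = Record("patient-4471", "dr_lee", Label("confidential", oncology))
    dr_lee = Subject("dr_lee", Label("confidential", oncology))
    nurse_kim = Subject("nurse_kim", Label("internal", oncology))          # cleared too low
    billing_raj = Subject("billing_raj", Label("confidential", oncology | {"billing"}))
    return record, dr_lee, nurse_kim, billing_raj


if __name__ == "__main__":
    record, dr_lee, nurse_kim, billing_raj = build_scenario()
    # The owner grants read access to both colleagues.
    grant(dr_lee, record, "nurse_kim", "read")
    grant(dr_lee, record, "billing_raj", "read")
    print("nurse_kim  ->", decide(nurse_kim, record, "read"))    # still denied by MAC
    print("billing_raj ->", decide(billing_raj, record, "read"))  # allowed
```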

A software company called Meridian Apps runs services in a shared cloud and wants to add transport encryption that balances the highest security with minimal latency for client connections. Which protocol should they deploy?

  • ✓ B. TLS 1.3

The correct option is TLS 1.3.

TLS 1.3 provides the best balance of strong security and minimal latency because it reduces the number of handshake round trips and removes legacy cipher suites and features that increase attack surface. Mandatory forward secrecy and simplified, modern cipher selections improve security while the faster handshake and optional zero round trip resumption reduce connection latency for clients.

Google Cloud Load Balancer managed TLS is incorrect because it is a managed service for terminating TLS rather than a specific protocol to deploy. The service can provision and manage certificates and policies and it may support TLS 1.3, but the question asks which protocol to use so naming the managed service is not the direct answer.

TLS 1.2 is incorrect because although it can be configured securely it lacks the handshake and performance improvements introduced in TLS 1.3. TLS 1.2 allows older cipher suites and requires more round trips for a fresh handshake which makes it a weaker fit for the combined goals of highest security and minimal latency.

SSL 3.0 is incorrect and deprecated. It has well known vulnerabilities such as POODLE and it is retired in modern stacks which makes it insecure and unlikely to be a correct choice on current exams.

When a question asks for both highest security and minimal latency focus on protocol handshake behavior and mandatory modern cryptography and remember that TLS 1.3 was designed to deliver both improvements.

Which geographic jurisdiction does the General Data Protection Regulation primarily apply to?

  • ✓ C. European Union and the European Economic Area

The correct answer is European Union and the European Economic Area.

European Union and the European Economic Area is correct because the General Data Protection Regulation is an EU regulation that protects the personal data of individuals located in the EU and EEA and it sets binding obligations for controllers and processors who handle that data.

The regulation also has extraterritorial effect and it can apply to organisations outside the EU and EEA when they offer goods or services to or monitor the behaviour of individuals in the EU and EEA. This means organisations in other countries may need to comply when processing the personal data of people in the EU and EEA, but the primary territorial scope remains the European Union and the European Economic Area.

United States is incorrect because the GDPR is not a US law. US federal and state privacy laws govern data within US jurisdictions and GDPR is an EU legal instrument aimed at protecting people in the EU and EEA.

Google Cloud Platform is incorrect because it is a cloud service provider and not a geographic jurisdiction. The GDPR applies based on the location of data subjects and the scope of processing rather than to a specific vendor as a territory.

China is incorrect because the GDPR is not a Chinese law. Chinese law governs data within China and GDPR governs personal data of individuals in the EU and EEA and only reaches organisations in China when they process data of people in the EU and EEA under the extraterritorial conditions set out by the regulation.

Answer with the jurisdiction where the law was enacted and remember that the GDPR also has extraterritorial reach which can affect organisations outside the EU and EEA.

How can a regional bank weave security awareness learning into routine workflows so staff remain alert to cyber threats?

  • ✓ C. Send continuous reminders and security updates through email and chat platforms

Send continuous reminders and security updates through email and chat platforms is correct. This option describes embedding short, timely cues into the tools employees use every day so awareness becomes a continuous part of normal workflows.

Continuous reminders and updates are low friction and support spaced repetition which improves retention. They can be targeted and contextual so messages align with current threats and specific roles. They also allow rapid distribution of alerts about active phishing campaigns and encourage habitual vigilance without blocking productivity.

Publish short interactive microlearning lessons on the company intranet is useful as a resource but incomplete. Intranet lessons rely on staff to visit the site and pull the content which reduces frequency and the likelihood of repeated exposure compared with push notifications in email and chat.

Assign security related tasks as part of normal job responsibilities may create checkbox behavior and additional operational burden. Some security controls are best handled by specialists and assigning tasks broadly can produce inconsistent outcomes and does not ensure ongoing awareness reinforcement.

Require completion of a full training course before granting access to internal systems enforces compliance but is high friction and episodic. A one time course is easy to forget and it can delay access and productivity. Continuous reminders and updates are better for keeping staff alert over time.

Pick answers that emphasize ongoing, low friction reinforcement in the tools staff already use. Look for phrases like continuous, timely, or contextual as clues that the approach supports lasting awareness.

Aurora Systems has detected a heightened risk of account takeover because many staff use weak credentials and simple passwords. Which mitigation approach will most effectively reduce this risk?

  • ✓ C. Require multi factor authentication for all user sign ins

The correct answer is Require multi factor authentication for all user sign ins.

Require multi factor authentication for all user sign ins is the most effective control because it requires an additional factor beyond a password and attackers are unlikely to have that extra factor. MFA protects accounts even when staff use weak or reused passwords because possession of the password alone will not grant access.

MFA also reduces the effectiveness of credential stuffing and many phishing attacks and it can be enforced centrally for rapid risk reduction across the organization.

Run recurring security awareness training for all personnel is useful for improving user behavior and for raising detection of social engineering but it is not a reliable standalone control to prevent account takeover. Training complements technical controls but it does not stop attackers who already have valid credentials.

Use Cloud Identity to centrally manage user accounts and policies provides a platform for central management and making security settings consistent across users but it does not by itself prevent account takeover unless stronger protections such as Require multi factor authentication for all user sign ins are enabled. Central management is an enabler rather than a complete mitigation.

Enforce a strict password complexity and scheduled rotation policy is less effective in practice because frequent rotations can lead to predictable changes and user workarounds. Modern guidance favors long passphrases and risk based measures like MFA over mandatory frequent rotation, so complexity and rotation alone do not adequately address account takeover risk.

Choose the control that still blocks access when a password is compromised and that can be applied broadly. Emphasize MFA as the primary defense against account takeover.
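To make the "password alone will not grant access" point concrete, here is an added example (not part of the practice exam or its author's material) of a sign-in check that requires both a password and a time-based one-time password. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30 second step, 6 digits); the user record, the PBKDF2 password store and the demo seed (the RFC's own reference seed, ASCII "12345678901234567890") are constructed for the demonstration, and the function names `authenticate`, `totp` and `hotp` are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed demo values. The seed is the RFC 6238 reference seed so the
# expected codes can be checked against the RFC's published test vectors.
DEMO_TOTP_SEED = b"12345678901234567890"
DEMO_SALT = b"demo-salt-not-for-production"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store does not hand over the password factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one account with a password hash and an enrolled TOTP seed.
USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_seed": DEMO_TOTP_SEED,
    }
}


def authenticate(username: str, password: str, otp: str, now: int) -> bool:
    """Both factors must verify. A correct password with a bad OTP is rejected,
    which is the property that blunts credential stuffing and password reuse."""
    user = USERS.get(username)
    if user is None:
        return False

    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    # Accept the current step and one step either side to tolerate clock drift.
    # Evaluate every candidate rather than short-circuiting so timing does not
    # reveal which step matched.
    otp_ok = False
    for drift in (-1, 0, 1):
        candidate = totp(user["totp_seed"], now + drift * 30)
        otp_ok |= hmac.compare_digest(candidate, otp)

    # Combine after computing both so a wrong password still costs a full check.
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("code at t=59:", totp(DEMO_TOTP_SEED, t))
    print("password + valid OTP:", authenticate("alice", "correct horse battery staple", totp(DEMO_TOTP_SEED, t), t))
    print("password only (bad OTP):", authenticate("alice", "correct horse battery staple", "000000", t))
    print("OTP only (bad password):", authenticate("alice", "wrong", totp(DEMO_TOTP_SEED, t), t))
```

The design choice worth noting is that the OTP check is performed even when the password is wrong, and every drift window is compared, so an attacker holding only a stolen password learns nothing from response timing about whether that factor was correct.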

Cedar Logistics transferred several internal applications to a cloud provider and now worries the move may have been a mistake. What specific cloud concern does this situation best illustrate?

  • ✓ D. Reversibility

The correct answer is Reversibility.

Reversibility is about the ability to undo a cloud migration and return applications and data to an on premise environment or to a different provider. The scenario shows regret after moving internal applications which matches concerns about contractual, technical, and operational obstacles to moving back. Issues such as data export formats, application dependencies on provider services, migration costs and egress fees, and the time required to rebuild or refactor systems all fall under reversibility.

Portability is incorrect because portability refers to the ability to move data and workloads between environments in general. Portability is related but it focuses on compatibility and standards rather than the broader practical and contractual ability to reverse a completed migration.

Cloud Interconnect is incorrect because cloud interconnect refers to network connections between on premise infrastructure and the cloud provider. That concern would apply to performance and latency for hybrid setups rather than the worry about having made a permanent or hard to reverse migration decision.

Availability is incorrect because availability concerns uptime and access to services when they are needed. The company is worried about whether the move can be undone rather than about outages or service continuity, so availability is not the best fit.

When a question describes regret after a cloud move think about exit strategies and whether the organization can actually get data and workloads back. Focus on the practical and contractual aspects of reversibility rather than just technical portability.

During an organization’s cloud information lifecycle which stage is the first one where controls are applied to safeguard data stored on persistent media?

  • ✓ C. Storage

The correct option is Storage.

Storage is the first lifecycle stage where data actually resides on persistent media and therefore it is the point where controls to protect data at rest are applied. This is when organizations implement measures such as encryption of data on disk, integrity checks, retention settings, and backup protections to safeguard information while it remains on persistent storage.

Generation is the creation or production phase of data and it focuses on how data is produced and initially classified. It is not the first point where controls on persistent media are applied because the data may not yet be written to long term storage.

Archival is the stage for long term retention and preservation and it often involves additional or different protections tailored for archived data. It comes after data has been stored and is therefore not the first stage where storage controls are applied.

Access concerns how users and systems retrieve and use data and it emphasizes authentication and authorization controls. These controls are important for protecting data in use and in transit but they do not represent the initial application of safeguards to data on persistent media.

Look for the phase where data is written to persistent media and use that as the clue that controls like encryption at rest and retention policies are first applied.

For a cloud deployment, which delivery model allows administrators the greatest direct control over virtual machines, storage, and networking resources?

  • ✓ C. Infrastructure as a Service IaaS

The correct option is Infrastructure as a Service IaaS.

With Infrastructure as a Service IaaS, administrators obtain virtual machines, attachable block storage, and virtual networking primitives that they can configure directly. They manage the guest operating system, middleware, and applications while the cloud provider remains responsible for the physical hosts and hypervisor. This level therefore gives customers the greatest direct control over compute, storage, and network resources.

Platform as a Service PaaS is incorrect because the provider manages the operating system, runtime, and developer services, so administrators do not control individual virtual machines or low level storage and network settings.

Function as a Service FaaS is incorrect because it is a serverless model that runs individual functions and abstracts away servers. There is no exposed VM level access or direct control of storage volumes and networking constructs.

Software as a Service SaaS is incorrect because it delivers fully managed applications and customers normally only configure application features and users. They do not manage the underlying compute, storage, or network infrastructure.

Focus on the degree of control over operating systems and networking when comparing models and remember that IaaS exposes VMs and network primitives while other models abstract those layers.

Which role is responsible for coordinating and supervising the interactions between an organization that purchases cloud offerings and the company that delivers them?

  • ✓ B. Cloud service broker

The correct option is Cloud service broker.

A Cloud service broker acts as an intermediary that coordinates and supervises interactions between the organization that purchases cloud offerings and the company that delivers them. A broker can negotiate contracts and service level agreements on behalf of the purchaser and can provide aggregation, integration, governance, and consolidated billing so the buyer has a single point of contact rather than dealing with multiple providers.

Managed service provider is not correct because a managed service provider typically operates or manages IT services for a customer rather than acting as a neutral intermediary that brokers relationships across multiple cloud providers.

Cloud service customer is not correct because the customer is the purchaser or consumer of cloud services and is not the party that coordinates or supervises interactions between purchaser and provider.

Cloud service provider is not correct because the provider is the company that delivers the cloud services and does not perform the purchaser side coordination role that a broker performs.

When you see wording that implies an intermediary or someone who aggregates and negotiates on behalf of a buyer look for the broker role rather than provider or customer.

A data engineer at Nimbus Analytics wants to organize similar records together so they can be found and compared quickly in future analyses. Which method should they use?

  • ✓ D. Labeling

Labeling is correct because attaching labels or tags to records is the direct way to group similar items so they can be found and compared quickly in later analyses.

Labels serve as structured attributes that analysts and query engines can filter and sort on to assemble related records for comparison and reporting. Applying labels to records makes it easy to run targeted queries and to maintain consistent groupings across datasets.

Metadata is broader and means data about data and it can include labels, but the term itself does not specify the explicit tagging mechanism needed to group records for quick comparison. That is why it is not the best choice here.

Encryption is intended to protect confidentiality by transforming data so it is unreadable without the correct keys. It does not organize or group records for analysis and so it is not appropriate for this purpose.

Hashing produces fixed length digests for integrity checks or indexing and small input changes produce very different hashes. That property prevents hashing from being a reliable way to group similar records for comparison.

When a question mentions organizing, grouping, or making records easy to find think of labeling or tagging as the solution and rule out cryptographic terms that focus on confidentiality or integrity.
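The avalanche property mentioned above, and the contrast with label based grouping, can be shown directly. This is an added example rather than anything from the practice exam: the record set, the label names and the helper functions `group_by_label` and `digest_bit_distance` are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: two near-identical rows about the same customer
# and one unrelated row. Labels are plain attributes attached to each record.
RECORDS = [
    {"id": 1, "text": "order 1001 shipped to Springfield", "labels": {"region:east", "status:shipped"}},
    {"id": 2, "text": "order 1001 shipped to Springfield.", "labels": {"region:east", "status:shipped"}},
    {"id": 3, "text": "refund issued for order 2042", "labels": {"region:west", "status:refunded"}},
]


def group_by_label(records):
    """Labels are filterable attributes: one lookup assembles every related record."""
    groups = defaultdict(list)
    for rec in records:
        for label in rec["labels"]:
            groups[label].append(rec["id"])
    return {label: sorted(ids) for label, ids in groups.items()}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def digest_bit_distance(a: str, b: str) -> int:
    """Number of differing bits between the SHA-256 digests of two strings.
    For unrelated or near-identical inputs alike this lands near 128 of 256."""
    da = int(sha256_hex(a), 16)
    db = int(sha256_hex(b), 16)
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    print(group_by_label(RECORDS))
    # Records 1 and 2 differ by a single trailing period, yet their digests share
    # no useful similarity, so sorting or bucketing by hash cannot bring them together.
    print(digest_bit_distance(RECORDS[0]["text"], RECORDS[1]["text"]), "bits differ")
```

Run it and the label index returns records 1 and 2 under the same keys, while the two digests differ in roughly half their bits; a hash is useful for exact match and integrity, not for finding "similar" records.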

A retail analytics company called Meridian Data is evaluating a data rights management tool that advertises persistent protection. Which statement best describes how persistent protection operates?

  • ✓ D. Protection is bound to the file so the data stays secure regardless of where it moves

Protection is bound to the file so the data stays secure regardless of where it moves is correct. Persistent protection describes file level controls that travel with the data so encryption, labels, and usage restrictions remain effective even after the file leaves the original repository.

This is implemented by embedding protection metadata or by applying rights management and cryptographic controls to the file. The protected file enforces access and usage policies at open time and can require authentication or online policy checks so the data remains protected on other devices and in other cloud services.

Cloud Data Loss Prevention is incorrect because DLP solutions focus on discovery, classification, and preventing exfiltration rather than binding protection to the file itself.

Access rights can be revised after a document is shared is incorrect as the best description of persistent protection. Changing rights after sharing describes dynamic administrative control and not the core idea that protection persistently travels with the file.

Time limited access or expiration controls can be attached to files is incorrect because expiration is a temporary restriction and not the defining characteristic of persistent protection. Expiration may be a feature of some protection schemes but persistent protection emphasizes security that remains with the file regardless of its location.

When a question asks about persistent protection focus on whether the protection travels with the file. Eliminate answers that describe detection, temporary links, or only administrative changes and look for file level encryption or rights management.

How would you describe access control within an information technology environment?

  • ✓ D. Measures that prevent unauthorized users from gaining access to resources

Measures that prevent unauthorized users from gaining access to resources is the correct description of access control within an information technology environment.

Access control describes the combination of policies, processes, and technical mechanisms that ensure only authorized users and systems can access resources. Access control includes verifying identity through authentication, granting appropriate privileges through authorization, and monitoring activity to detect and respond to unauthorized attempts.

Cloud Key Management Service is incorrect because it names a specific service used to manage cryptographic keys and protect secrets. Key management can support access control but it does not define the broader set of controls that prevent unauthorized access.

The capability to read and modify data within a system is incorrect because that phrase describes permissions or privileges that may be granted once access is allowed. It does not define the preventive controls and policies that restrict who can gain access in the first place.

Provisioning resources for users based on their assigned roles and responsibilities is incorrect because that describes role based provisioning or an access model rather than the overall concept of access control. Provisioning is one administrative activity and one implementation approach but it is not the full definition of preventing unauthorized access.

When answering definition questions focus on the purpose of the control. If an option describes preventing unauthorized access it is likely the correct definition of access control.


Cameron McKenzie is an AWS Certified AI Practitioner, Machine Learning Engineer, Copilot Expert, Solutions Architect and author of many popular books in the software development and Cloud Computing space. His growing YouTube channel training devs in Java, Spring, AI and ML has well over 30,000 subscribers.