
Exam (elaborations)

ISC2 Certified in Cybersecurity Combined Pre and Post Course Assessment Tests With Exam Reviewed Questions Correctly Answered | Updated For Revision

  • Course: ISC2
  • Institution: ISC2


Preview 4 out of 44  pages

  • August 26, 2024
  • 44
  • 2024/2025
  • Exam (elaborations)
  • Questions & answers
  • cybersecurity
  • ISC2
Seller: EWLindy
ISC2 Certified in Cybersecurity Combined Pre and Post Course Assessment Tests With Exam Reviewed Questions Correctly Answered | Updated For Revision


1. The Payment Card Industry (PCI) Council is a committee made up of representatives from major credit card providers (Visa, Mastercard, American Express) in the United States. The PCI Council issues rules that merchants must follow if the merchants choose to accept payment via credit card. These rules describe best practices for securing credit card processing technology, activities for securing credit card information, and how to protect customers' personal data. This set of rules is a _____. (D1, L1.4.2)

A) Law
B) Policy
C) Standard
D) Procedure

C is correct. This set of rules is known as the Data Security Standard, and it is accepted throughout the industry. A is incorrect, because this set of rules was not issued by a governmental body. B is incorrect, because the set of rules is not a strategic, internal document published by senior leadership of a single organization. D is incorrect, because the set of rules is not internal to a given organization and is not limited to a single activity.

2. For which of the following systems would the security concept of availability probably be most important? (D1, L1.1.1)

A) Medical systems that store patient data
B) Retail records of past transactions
C) Online streaming of camera feeds that display historical works of art in museums around the world
D) Medical systems that monitor patient condition in an intensive care unit

D is correct. Information that reflects patient condition is data that necessarily must be kept available in real time, because that data is directly linked to the patients' well-being (and possibly their life). This is, by far, the most important of the options listed. A is incorrect because stored data, while important, is not as critical to patient health as the monitoring function listed in answer D. B is incorrect because retail transactions do not constitute a risk to health and human safety. C is incorrect because displaying artwork does not reflect a risk to health and human safety; also because the loss of online streaming does not actually affect the asset (the artwork in the museum) in any way—the art will still be in the museum, regardless of whether the camera is functioning.


3. Which of the following is an example of a "something you know" authentication factor? (D1, L1.1.1)

A) User ID
B) Password
C) Fingerprint
D) Iris scan

B is correct. A password is something the user knows and can present as an authentication factor to confirm an identity assertion. A is incorrect because a user ID is an identity assertion, not an authentication factor. C and D are incorrect as they are examples of authentication factors that are something you are, also referred to as "biometrics."


4. In risk management concepts, a(n) _________ is something a security practitioner might need to protect. (D1, L1.2.1)

A) Vulnerability
B) Asset
C) Threat
D) Likelihood

B is correct. An asset is anything with value, and a security practitioner may need to protect assets. A, C, and D are incorrect because vulnerabilities, threats and likelihood are terms associated with risk concepts, but are not things that a practitioner would protect.

5. Olaf is a member of (ISC)² and a security analyst for Triffid Corporation. During an audit, Olaf is asked whether Triffid is currently following a particular security practice. Olaf knows that Triffid is not adhering to that standard in that particular situation, but that saying this to the auditors will reflect poorly on Triffid. What should Olaf do? (D1, L1.5.1)

A) Tell the auditors the truth
B) Ask supervisors for guidance
C) Ask (ISC)² for guidance
D) Lie to the auditors

A is the best answer. The (ISC)² Code of Ethics requires that members "act honorably, honestly, justly, responsibly" and also "advance and protect the profession." Both requirements dictate that Olaf should tell the truth to the auditors. While the Code also says that Olaf should "provide diligent and competent service to principals," and Olaf's principal is Triffid in this case, lying does not serve Triffid's best long-term interests, even if the truth has some negative impact in the short term.


6. Siobhan is an (ISC)² member who works for Triffid Corporation as a security analyst. Yesterday, Siobhan got a parking ticket while shopping after work. What should Siobhan do? (D1, L1.5.1)

A) Inform (ISC)²
B) Pay the parking ticket
C) Inform supervisors at Triffid
D) Resign employment from Triffid

B is the best answer. A parking ticket is not a significant crime, besmirchment of character or moral failing, and has nothing to do with Siobhan's duties for Triffid. Even though the (ISC)² Code of Ethics requires that members act "legally," and "protect the profession," a parking ticket does not reflect poorly on Siobhan, Triffid, (ISC)², or the security profession. Siobhan should, however, pay the ticket.

7. Aphrodite is a member of (ISC)² and a data analyst for Triffid Corporation. While Aphrodite is reviewing user log data, Aphrodite discovers that another Triffid employee is violating the acceptable use policy and watching streaming videos during work hours. What should Aphrodite do? (D1, L1.5.1)

A) Inform (ISC)²
B) Inform law enforcement
C) Inform Triffid management
D) Nothing

C is the best answer. Aphrodite is required by the (ISC)² Code of Ethics to "provide diligent and competent service to principals." This includes reporting policy violations to Triffid management (Triffid is the principal, in this case). A policy violation of this type is not a crime, so law enforcement does not need to be involved, and (ISC)² has no authority over Triffid policy enforcement or employees.

8. A software firewall is an application that runs on a device and prevents specific types of traffic from entering that device. This is a type of ________ control. (D1, L1.3.1)

A) Physical
B) Administrative
C) Passive
D) Technical

D is correct. A software firewall is a technical control, because it is a part of the IT environment. A is incorrect; a software firewall is not a tangible object that protects something. B is incorrect; a software firewall is not a rule or process. Without trying to confuse the issue, a software firewall might incorporate an administrative control: the set of rules which the firewall uses to allow or block particular traffic. However, answer D is a much better way to describe a software firewall. C is incorrect; "passive" is not a term commonly used to describe a particular type of security control, and is used here only as a distractor.
