ISC2 CC — Certified in Cybersecurity · Domain 1 · 26% of exam

Security Principles

Drill 20 practice questions focused entirely on Security Principles for the ISC2 CC exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A small marketing firm identifies a risk that an internal wiki server could briefly go offline during rare regional power flickers. After analysis, the team determines the likelihood is low, the impact is minimal (a few minutes of downtime for a non-critical tool), and the cost of adding a backup power supply far exceeds any potential loss. Management decides to take no further action and simply live with the possibility. Which risk treatment approach does this decision represent?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services firm performs nightly backups of its transaction database. During a quarterly review, the security team runs a restore of a backup to a test environment and compares checksums of the restored records against the originals to confirm that no data was altered or corrupted since the backup was taken. Which element of the CIA triad is this activity primarily designed to protect?

Reviewed for accuracy · Report an issue
Question 3 of 20

A company installs a fingerprint scanner at the entrance to its data center. Employees must scan their finger before the physical door will unlock, preventing unauthorized people from walking into the room. When classifying this safeguard by control type, how should the fingerprint scanner best be categorized?

Reviewed for accuracy · Report an issue
Question 4 of 20

A backup administrator at a mid-sized firm follows a document titled 'Nightly Backup Restoration' that lists the exact, ordered steps for restoring data from tape: log into the backup console, select the recovery point, mount the target volume, and verify checksums. New staff are expected to follow this document exactly, with no deviation. Within the firm's governance hierarchy, what type of document is this?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial analyst receives an email that appears to come from the CFO instructing an urgent wire transfer. Before acting, the analyst wants assurance that the message genuinely originated from the CFO and was not sent by an impersonator. Which security concept most directly addresses this need?

Reviewed for accuracy · Report an issue
Question 6 of 20

A sales representative loses a company laptop on a train. The laptop's entire drive was protected with full-disk encryption, and no data was accessible to whoever finds it. Which element of the CIA triad did the encryption primarily preserve in this incident?

Reviewed for accuracy · Report an issue
Question 7 of 20

A cybersecurity analyst discovers that a critical vulnerability was never remediated before a compliance deadline. Their manager instructs them to alter the audit report to indicate the issue was fixed, arguing it will 'protect the company's reputation.' Under the ISC2 Code of Ethics, what is the most appropriate action for the analyst?

Reviewed for accuracy · Report an issue
Question 8 of 20

A data center operations manager is reviewing safeguards for the server room. She wants to ensure that a small electrical fire would not destroy servers and cause an extended outage of critical services. She decides to install an automated clean-agent fire suppression system. Which element of the CIA triad is this control primarily intended to protect?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company installs a network firewall that automatically inspects and blocks malicious inbound traffic based on configured rules. When categorizing this safeguard for a risk assessment report, which type of security control does the firewall represent?

Reviewed for accuracy · Report an issue
Question 10 of 20

A logistics company distributes its critical tracking application across data centers in three different regions. When one region suffered a complete power failure, customers experienced no service disruption because traffic was automatically routed to the other two regions. In risk management terms, what has the company primarily accomplished by using this multi-region design?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial firm's security manager introduces a policy requiring all employees who handle wire transfers to take at least one consecutive week of vacation each year, during which another employee performs their duties. The goal is to expose any fraudulent activity that might be hidden by the primary employee. What type of security control is this mandatory vacation policy?

Reviewed for accuracy · Report an issue
Question 12 of 20

A finance team shares a single login for the accounts-payable system so that any of the four clerks can approve payments quickly. After a fraudulent payment is discovered, management cannot determine which clerk approved it because all activity was logged under the shared account. Which security concept was most directly undermined by using the shared account?

Reviewed for accuracy · Report an issue
Question 13 of 20

A regional clinic must protect patient health records. The clinic's compliance officer notes two governing documents: a national healthcare data-protection statute passed by the legislature that mandates breach notification, and the clinic's own internal document requiring staff to lock workstations when unattended. If the clinic fails to comply with the national statute, which consequence is MOST likely, and how should these two documents be classified?

Reviewed for accuracy · Report an issue
Question 14 of 20

A hospital discovers that a patient's electronic medication record was altered without authorization, causing an incorrect dosage to be recommended. The clinical team is most concerned that the data displayed to physicians can no longer be trusted as accurate and unmodified. Which element of the CIA triad has been most directly compromised in this incident?

Reviewed for accuracy · Report an issue
Question 15 of 20

A new information security manager is organizing the company's governance documents. She finds a document that states: 'All employee passwords must be at least 14 characters long, contain three character types, and expire every 90 days.' Which type of governance document is this?

Reviewed for accuracy · Report an issue
Question 16 of 20

A financial analyst accidentally sends a draft quarterly earnings report to an external mailing list two weeks before its scheduled public release. The numbers themselves are accurate and unaltered, and the reporting system remained fully accessible throughout. Which element of the CIA triad has been primarily violated?

Reviewed for accuracy · Report an issue
Question 17 of 20

A company's information security policy states that all employees must be trained on security awareness. The IT department creates a document titled 'New Hire Security Onboarding' that lists the exact, ordered steps a manager follows to enroll a new employee in the training platform, assign the correct course, and record completion. Which governance element does this new document represent?

Reviewed for accuracy · Report an issue
Question 18 of 20

A manufacturing company's leadership issues a brief, high-level document declaring that 'all information systems must protect the organization's data and support business continuity.' A security analyst is later assigned to translate this into a mandatory requirement that every company laptop must use AES-256 full-disk encryption. Within the governance hierarchy, what type of document is the analyst creating?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company installs motion-activated cameras and alarms that alert security staff the moment an unauthorized person enters the data center after hours. Which category of security control function is being described by this behavior?

Reviewed for accuracy · Report an issue
Question 20 of 20

A national government passes a new data protection regulation that legally requires all companies to notify affected individuals within 72 hours of a data breach. The security manager at a mid-sized firm must ensure the organization can meet this obligation. Which governance document should the manager create or update FIRST to translate this legal requirement into a mandatory internal directive for the whole organization?

Reviewed for accuracy · Report an issue

More CC practice

Keep going with the other ISC2 CC — Certified in Cybersecurity domains, or take a full timed mock exam.

← Back to CC overview