Pass the ISC ISC certification CC Questions and answers with CertsForce

Human life and safety always take precedence over systems, data, and business operations. Security awareness ensures employees know how to act safely during incidents such as fires, active threats, or infrastructure failures.

Risk management aims to reduce risks to acceptable levels, not eliminate them entirely. This involves identifying risks, assessing impact and likelihood, and selecting appropriate controls.

Technical (logical) controls are implemented using technology to enforce security policies. A GPS tracking system is a technical control because it relies on electronic systems and software to monitor and record vehicle location.

Security guards and door locks are physical controls. Technical controls include firewalls, encryption, intrusion detection systems, access control systems, and monitoring tools.

Technical controls play a major role in preventing, detecting, and responding to cyber threats and are emphasized heavily in modern cybersecurity frameworks.

Anintrusionis an unauthorized attempt to access systems or networks. It may or may not succeed. Intrusions are more serious than simple events but may not rise to the level of a breach if controls prevent access.

Qualitative risk analysis evaluates risk using descriptive categories such aslow,medium, andhighinstead of numerical values. This approach relies on expert judgment, experience, and contextual understanding rather than precise financial or statistical calculations. According to NIST SP 800-30, qualitative analysis is especially useful when numerical data is unavailable or when rapid risk prioritization is required.

Unlike quantitative risk analysis, which assigns monetary values and probabilities, qualitative analysis focuses on relative severity and likelihood. It is commonly used during early stages of risk management, policy development, and executive decision-making. While less precise, qualitative risk analysis is easier to communicate to stakeholders and helps organizations focus resources on the most critical risks.

According to NIST SP 800-61, incident response consists of four core phases:Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Option A best represents these core components.

In anasymmetric cryptography system, each user is assigned akey pairconsisting ofone public key and one private key. These two keys are mathematically related but serve different purposes: the public key is shared openly for encryption or verification, while the private key is kept secret for decryption or signing.

To support50 users, each user must have2 keys:

1 public key

1 private key

Therefore, the total number of keys required is:

50 users × 2 keys per user = 100 keys

This is one of the major advantages of asymmetric cryptography over symmetric cryptography. In symmetric systems, the number of required keys grows rapidly as the number of users increases (n(n−1)/2), making key management complex. Asymmetric cryptography scales much more efficiently because each user manages only their own key pair.

Asymmetric encryption is widely used in secure communications such as TLS, digital signatures, and PKI-based authentication. Standards bodies like NIST and ISO/IEC rely heavily on asymmetric cryptography for scalable and secure key management.

Password Authentication Protocol (PAP) is the least secure option because it transmits credentials in clear text over the network. This makes PAP highly vulnerable to eavesdropping and credential theft.

CHAP improves security by using challenge-response mechanisms. EAP supports strong authentication methods, including certificates and MFA. IPsec provides encrypted and authenticated network communication.

Because PAP lacks encryption and protection mechanisms, it is generally discouraged and considered obsolete. Modern security standards strongly advise against its use in favor of encrypted authentication protocols.

Firewalls are not particularly effective against insider threats because insiders already have authorized access to internal systems and networks. Firewalls are designed to control traffic between trusted and untrusted networks, not to monitor legitimate internal user behavior.

Least privilege limits what insiders can access, reducing potential damage. Background checks help identify risky individuals before hiring. Separation of duties prevents any one person from having complete control over critical processes.

Insider threats involve misuse of legitimate access, whether malicious or accidental. Effective controls against insiders focus on access management, monitoring, auditing, and behavioral analysis—not perimeter defenses.

Security frameworks consistently emphasize that insider threats require administrative, detective, and procedural controls rather than traditional network perimeter tools like firewalls.

An incident response policy establishes authority, scope, and direction. Without management approval, IR activities lack legitimacy.