Free ISC CC Practice Exam with Questions & Answers | Set: 13

Two-Person Integrityensures no single individual can complete a sensitive action alone, reducing fraud and insider threats.

Security testing is used to verify that a specific control is functioning as intended. In this scenario, John wants to confirm that authentication controls operate correctly, which requires actively testing them under real or simulated conditions.

Security assessments evaluate overall security posture and risk, audits focus on compliance and policy adherence, and walkthroughs are informal reviews or demonstrations. None of these directly validate control effectiveness as precisely as testing.

Security testing may include functional testing, penetration testing, or control validation exercises to confirm expected behavior. For authentication controls, this might involve testing login mechanisms, MFA enforcement, failure handling, and session management.

NIST SP 800-53 and ISO/IEC 27001 both emphasize testing as a critical step in ensuring security controls are implemented correctly and remain effective over time.

The purpose of multi-factor authentication (MFA) in Identity and Access Management (IAM) is to strengthen authentication by requiring users to present two or more independent factors from different categories: something you know, something you have, or something you are. This layered approach significantly reduces the risk of unauthorized access, even if one factor—such as a password—is compromised.

MFA addresses common attack techniques such as phishing, credential stuffing, and brute-force attacks. For example, even if an attacker steals a user’s password, they would still need access to the user’s hardware token or biometric factor to authenticate successfully.

MFA does not simplify access, remove authentication, or grant unrestricted access. Instead, it deliberately increases verification requirements to improve security. NIST SP 800-63 and other security frameworks strongly recommend MFA for privileged accounts, remote access, and cloud services because of its proven effectiveness in preventing account compromise.

Risk assessment is the structured process of identifying risks, estimating their likelihood and impact, and prioritizing them for treatment. It forms the analytical foundation of risk management and enables informed decision-making. Risk assessment typically includes threat identification, vulnerability analysis, likelihood determination, and impact analysis.

Risk treatment and mitigation occur after risks have been assessed, while risk management is the broader lifecycle that includes assessment, response, monitoring, and communication. Standards such as NIST SP 800-30 emphasize risk assessment as a critical early step in managing cybersecurity risk.

Risk Avoidanceeliminates risk by discontinuing activities that expose the organization to unacceptable threats.

These areType 1 (bare-metal) hypervisors, running directly on hardware without a host operating system, offering higher performance and security.

Bell–LaPadula is a Mandatory Access Control (MAC) model focused on confidentiality. It uses security labels and clearances to enforce access rules such as “no read up, no write down.”

The ISC2 Code of Ethics prioritizesprotecting society and the public, including users, over employer interests.

A switch operates at Layer 2 and forwards traffic only to the destination port based on MAC address tables, unlike hubs which broadcast traffic.

A Content Delivery Network (CDN) ensures low latency by caching content at geographically distributed edge locations close to end users. When customers access a website, content is served from the nearest CDN node rather than a centralized server.

This significantly reduces round-trip time, network congestion, and load on origin servers. CDNs are especially effective for static content such as images, scripts, and videos, which dominate e-commerce traffic.

Load balancing distributes traffic but does not reduce geographic distance. SaaS is a service model, not a latency solution. Decentralized data centers help but lack the optimized edge caching and routing capabilities of a CDN.

CDNs are a core performance and availability control for global online services and are widely used by large e-commerce platforms to improve customer experience and resilience.