ISC2 CCSP Exam Questions 2025

Information Rights Management (IRM) is a technology that provides persistent data protection by embedding access and usage rights directly into the digital content itself. Its primary advantage is enabling the content owner to define and enforce granular policies on how information is used, regardless of where it is stored or transmitted. For XYZ Media, this means they can control who can open, modify, print, forward, or copy their intellectual property (movies, music), and even revoke access remotely or set expiration dates. This control is the core function of IRM.

A. It ensures that digital content is always encrypted.

Encryption is a mechanism used by IRM to enforce control, but the control itself (the rights and policies) is the primary advantage, not the encryption alone.

B. It automatically classifies all digital content.

IRM enforces policies that are often based on data classification, but it does not perform the classification. Classification is a separate, prerequisite process.

D. It allows unrestricted access to all digital content.

This is the opposite of IRM's purpose. IRM is designed specifically to restrict access and usage based on predefined policies set by the content owner.

1. National Institute of Standards and Technology (NIST). (2016). Guide to Enterprise Telework

Remote Access

and Bring Your Own Device (BYOD) Security (NIST Special Publication 800-46 Revision 2). "Digital Rights Management (DRM) technologies can be used to enforce access and usage policies for digital information... DRM can restrict activities such as viewing

copying

printing

and forwarding of documents." (Section 4.4.3

Page 4-16).

2. Microsoft Corporation. (2023). What is Azure Information Protection? Official Microsoft Learn Documentation. "Azure Information Protection (AIP) is a cloud-based solution that enables organizations to discover

classify

and protect documents and emails by applying labels to content... Protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology uses encryption

identity

and authorization policies." This documentation highlights that the purpose is protection through policies

using encryption as a tool.

3. Park

J.

& Sandhu

R. (2004). The UCONABC Usage Control Model. ACM Transactions on Information and System Security

7(1)

128–174. This foundational academic paper on usage control

the principle behind IRM

describes models for "controlling the usage of digital objects" beyond simple access control

including ongoing controls after access is granted. (Section 1

Paragraph 1). https://doi.org/10.1145/984334.984339

The Export Administration Regulations (EAR) are the set of rules administered by the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce. The EAR governs the export and re-export of most commercial items, software, and technology, including "dual-use" items that have both commercial and potential military or proliferation applications. These regulations are central to U.S. export control policy for non-military items and are the direct responsibility of the Commerce Department, as specified in the question.

A. ITAR (International Traffic in Arms Regulations) is managed by the U.S. Department of State, not Commerce, and specifically controls the export of defense articles and services.

B. DRM (Digital Rights Management) refers to technologies used to control access to and use of copyrighted digital media; it is not a government export control regulation.

D. EAL (Evaluation Assurance Level) is a numerical rating from the Common Criteria standard (ISO/IEC 15408) that describes the rigor of a security product's evaluation, unrelated to export laws.

1. U.S. Department of Commerce

Bureau of Industry and Security (BIS). (n.d.). The Export Administration Regulations (EAR). Retrieved from bis.doc.gov. The introduction explicitly states

"The Export Administration Regulations (EAR) are issued by the United States Department of Commerce

Bureau of Industry and Security (BIS)..."

2. Massachusetts Institute of Technology (MIT)

Office of the Vice President for Research. (n.d.). Export Control Regulations: EAR. Retrieved from vpr.mit.edu. The page clarifies

"The Export Administration Regulations (EAR)

15 C.F.R. §§ 730-774

are promulgated and implemented by the Department of Commerce. The EAR regulates the export of 'dual-use' items..."

3. Stanford University

DoResearch. (n.d.). Export Controls at Stanford. Retrieved from doresearch.stanford.edu. The site distinguishes the regulations: "The Department of Commerce administers the Export Administration Regulations (EAR)... The Department of State administers the International Traffic in Arms Regulations (ITAR)."

Deep Packet Inspection (DPI) is the most suitable method as it operates at the application layer (Layer 7) to examine the actual data payload of network packets, not just the headers. For a cloud-native application processing sensitive data, this allows for the identification of malicious code, intrusion attempts, and the exfiltration of sensitive data patterns that would be invisible to lower-level network controls. DPI provides the granular visibility required to enforce security policies based on the content of the traffic, which is essential for preventing sophisticated data breaches and meeting compliance mandates.

B. Implementing network security groups (NSGs) with inbound and outbound rules.

NSGs are stateful firewalls operating at Layers 3 and 4. They filter traffic based on IP addresses and ports but do not inspect the packet's content.

C. Using encryption without any inspection tools.

Encryption protects data confidentiality in transit but is a countermeasure to eavesdropping, not an inspection mechanism. It can actually obscure traffic from security tools.

D. Relying on endpoint security software.

Endpoint security protects individual compute instances (VMs, containers) but does not provide a comprehensive view or control over the network traffic flowing between different application components.

1. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-204A

Building Secure Microservices-based Applications Using Service-Mesh Architecture. Section 4.3.2

"Traffic Management

" discusses the capabilities of service mesh architectures

which are common in cloud-native applications

to perform Layer 7 traffic inspection and apply security policies based on application-level data. This is a direct application of DPI principles.

2. Al-Ayyoub

M.

Jararweh

Y.

& Al-Sa'di

M. (2018). A Survey on Network Intrusion Detection in Cloud Computing. Journal of Network and Computer Applications

115

57-75. The paper discusses various intrusion detection techniques for the cloud

highlighting that "Deep Packet Inspection (DPI) is a technique that examines the payload part of a packet... to detect protocol non-compliance

viruses

spam

intrusions or any predefined criteria to decide whether a packet may pass or not." (Section 3.1.2). This confirms DPI's role in content-level inspection.

3. Zardari

Z. A.

Jung

L. T.

& Zakaria

N. (2014). Cloud-based deep packet inspection for intrusion detection. In 2014 International Conference on Computer and Information Sciences (ICCOINS). The paper states

"DPI is a form of network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point... It is considered as a key component of Network Intrusion Detection System (NIDS)." (Section II.A). This emphasizes its function as a detailed inspection mechanism.

Kernel-based Virtual Machine (KVM) is a Type-1 hypervisor integrated into the Linux kernel that enables virtualization on hardware with virtualization extensions. It is a core infrastructure technology used by cloud providers to create and manage virtual machines (IaaS), not a technology used by end-users to securely access cloud services over a network. In contrast, HTTPS, VPN, and TLS are all fundamental technologies designed to provide secure, encrypted communication channels for accessing systems and services. HTTPS secures web-based access, VPNs create secure tunnels to private cloud networks, and TLS is the cryptographic protocol that underpins the security of both HTTPS and many VPN solutions.

B. HTTPS: Incorrect. HTTPS (HTTP over TLS) is a primary and ubiquitous protocol for securely accessing web-based cloud services, management consoles, and APIs.

C. VPN: Incorrect. Virtual Private Networks are commonly used to establish secure, encrypted connections from remote users or on-premises networks to a private cloud environment (e.g., a VPC/VNet).

D. TLS: Incorrect. Transport Layer Security is the foundational cryptographic protocol that provides end-to-end security for many higher-level protocols, including HTTPS, and is used in many VPN implementations.

1. KVM: Red Hat Enterprise Linux 7 Documentation

Virtualization Deployment and Administration Guide

Chapter 2. KVM Guest Timing Management. The documentation states

"KVM (Kernel-based Virtual Machine) is a virtualization solution that is part of the Red Hat Enterprise Linux kernel. KVM provides the core virtualization infrastructure..." This identifies KVM as an infrastructure component

not a secure access protocol.

2. TLS/HTTPS: National Institute of Standards and Technology (NIST)

Special Publication 800-52 Revision 2: Guidelines for the Selection

Configuration

and Use of Transport Layer Security (TLS) Implementations

(May 2019). Section 1

Page 1

states

"Transport Layer Security (TLS) is a protocol that is widely used to provide data security and data integrity for communications over TCP/IP networks

such as the internet... TLS is commonly used with protocols such as the Hypertext Transfer Protocol (HTTP)..."

3. VPN: National Institute of Standards and Technology (NIST)

Special Publication 800-77 Revision 1: Guide to IPsec VPNs

(February 2020). Section 2.1

Page 6

describes a VPN as a "virtual network

built on top of existing physical networks

that can provide a secure communications mechanism for data and control information transmitted between networks." This is a primary method for secure access to cloud resources.

4. Cloud Access Security: Armbrust

M.

et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing. University of California

Berkeley. Technical Report No. UCB/EECS-2009-28. Section 5.2

"Data Confidentiality and Auditability

" implicitly discusses the need for secure channels (like TLS/VPNs) for data in transit to and from the cloud.

A multi-cloud strategy with real-time data replication is the most effective approach for a critical system requiring minimal disruption. This architecture provides the highest level of availability and data protection. Using multiple cloud providers mitigates the risk of a single provider-wide failure. Real-time replication ensures that data is continuously synchronized to a secondary, active site. This combination results in a near-zero Recovery Point Objective (RPO), minimizing data loss, and a very low Recovery Time Objective (RTO) through rapid failover, minimizing downtime. This directly addresses the need for uninterrupted service for a critical application.

B. Daily backups result in a potential data loss of up to 24 hours (high RPO) and a longer recovery time (high RTO) to restore services.

C. A cold site has the longest recovery time (very high RTO), and weekly synchronization leads to significant potential data loss (very high RPO).

D. Cloud provider uptime guarantees (SLAs) are contractual agreements for compensation after an outage; they are not a proactive technical DR strategy to prevent or minimize downtime.

1. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 11: Business Continuity and Disaster Recovery

p. 118. The document states

"For mission-critical applications

a multi-cloud solution may be leveraged to provide failover capability in the event of a CSP outage." It also emphasizes aligning DR solutions with RTO/RPO requirements.

2. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems. Section 4.3.2

"Alternate Site." This guide describes a "hot site" as having "fully configured computer systems... and near-real-time data replication." A multi-cloud strategy with real-time replication is a modern implementation of a hot site

which provides the fastest recovery (lowest RTO/RPO) compared to cold sites (Option C).

3. Toosi

A. N.

Calheiros

R. N.

& Buyya

R. (2014). Interconnected Cloud Computing Environments: Challenges

Taxonomy

and Survey. ACM Computing Surveys

47(1)

7:1–7:61. https://doi.org/10.1145/2593512. Section 3.2 discusses the benefits of multi-cloud adoption

highlighting "High Availability" and "Risk Reduction" as key drivers. The paper notes that distributing workloads across multiple clouds mitigates the risk of a single point of failure

which is fundamental to an effective DR strategy.

This strategy comprehensively addresses the healthcare provider's requirements. SSL/TLS is the industry-standard protocol for encrypting data in transit, protecting it from eavesdropping as it travels to the cloud. Server-side encryption ensures the data is encrypted before being stored on disk, fulfilling the data-at-rest requirement. Critically, using customer-managed keys (CMK) via a service like a Key Management Service (KMS) gives the healthcare provider exclusive control over the cryptographic keys. This control is essential for demonstrating compliance with regulations like HIPAA, as it allows the provider to manage key lifecycle, set access policies, and audit key usage, thereby maintaining sovereignty over their sensitive patient data.

A. Tokenization substitutes data rather than encrypting it, which may not meet HIPAA's encryption safe harbor provisions. SSH is not the standard for application-level cloud service communication.

B. Storing a static key in application code is a critical security flaw, as a code compromise would expose the key and all protected data.

C. Asymmetric encryption is too computationally intensive and slow for encrypting large volumes of data at rest; symmetric encryption is the appropriate choice for this task.

1. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations.

SC-8 (Transmission Confidentiality and Integrity): Recommends cryptographic mechanisms like TLS to protect the confidentiality and integrity of transmitted information. This supports the use of SSL/TLS for data in transit.

SC-12 (Cryptographic Key Establishment and Management): Emphasizes the need for secure key management policies and mechanisms

which aligns with the use of customer-managed keys to maintain control.

SC-28 (Protection of Information at Rest): Mandates the protection of data at rest

with encryption being a primary method.

2. Cloud Security Alliance (CSA)

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.

Domain 4: Application Security

Page 68: "All communication between the application components and between the application and its users should be encrypted using industry best practices (e.g.

TLS)."

Domain 5: Operations

Page 83: Discusses data-at-rest encryption and key management

stating

"The customer may want to manage their own keys... This is often referred to as Customer Managed Keys (CMK)... This model is often used in regulated industries..."

3. Amazon Web Services (AWS)

Architecting for HIPAA Security and Compliance on Amazon Web Services

July 2023.

Page 11

"Encrypting PHI in transit": "AWS recommends that customers encrypt PHI in transit by using Transport Layer Security (TLS)..."

Page 12

"Encrypting PHI at rest": "Amazon S3 offers server-side encryption (SSE)... Customers can use customer master keys (CMKs) that they manage within AWS KMS. This gives customers more control over their keys..." This directly validates the components of the correct answer.

Role-Based Access Control (RBAC) is the most effective and widely adopted approach for managing authorization in complex environments like the public cloud. RBAC aligns access permissions with the specific job functions and responsibilities of personnel. By assigning users to predefined roles (e.g., database administrator, network engineer, auditor), organizations can systematically enforce the principle of least privilege. This ensures that individuals only have the minimum level of access necessary to perform their duties, significantly reducing the risk of unauthorized access to sensitive resources, data breaches, and accidental misconfigurations. It also simplifies access management and auditing processes.

A. Allowing users to self-assign permissions as needed violates the principle of least privilege and separation of duties, creating a high risk of privilege escalation and unauthorized access.

B. Granting all users the same level of access regardless of their role directly contradicts the principle of least privilege and exposes sensitive resources to unnecessary risk from a larger pool of users.

D. Using a single, shared admin account for all cloud administrators eliminates individual accountability and non-repudiation, making it impossible to trace actions back to a specific person.

1. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 6: Identity

Entitlement

and Access Management

Section 6.2

page 79

states

"Role-based access control (RBAC) is the most common model for managing entitlements. In this model

entitlements are grouped into roles

and users are assigned to those roles."

2. National Institute of Standards and Technology (NIST). (2020). Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations. Control AC-2 (Account Management) and its enhancement AC-2(1) emphasize assigning access authorizations based on "formal

documented organizational mission/business functions

" which is the foundational concept of RBAC.

3. Microsoft Azure Documentation. (2023). What is Azure role-based access control (Azure RBAC)?. In its official documentation

Microsoft states

"Azure role-based access control (Azure RBAC) is the authorization system you use to manage access to Azure resources... To grant access

you assign roles to users

groups

service principals

or managed identities at a particular scope." This exemplifies the standard implementation of RBAC by a major cloud provider.

4. Ferraiolo

D. F.

& Kuhn

D. R. (1992). Role-Based Access Control. 15th National Computer Security Conference. This foundational academic paper introduced the RBAC model

defining its core principles of assigning permissions to roles rather than directly to users to enforce organizational security policies. (Available via NIST CSRC publications).

A bastion host is a special-purpose computer system on a network specifically designed and configured to withstand attacks. It is intentionally exposed to an untrusted network, such as the public internet. To minimize the attack surface, the system is "hardened" by removing all non-essential software, services, and user accounts, and by applying stringent security configurations. This ensures the system performs only its intended, specific function (e.g., hosting a web server or a VPN endpoint) and nothing else, making it a secure platform for public-facing services.

A. A firewall is a network security device that filters traffic based on rules; it is not the end-system performing the desired operations.

B. A proxy is an intermediary that forwards requests on behalf of clients; while it can be hosted on a bastion, it is the intermediary function, not the hardened system itself.

C. A honeypot is a decoy system designed to attract and trap attackers for intelligence gathering, not to provide legitimate, desired services to the public.

---

1. National Institute of Standards and Technology (NIST). (2009). Guidelines on Firewalls and Firewall Policy (NIST Special Publication 800-41

Rev. 1). Section 2.3

p. 10. The document defines a bastion host as "a computer system that is a critical component in a network’s security... A bastion host is specifically configured to withstand attacks."

2. Cheswick

W. R.

Bellovin

S. M.

& Rubin

A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional. Chapter 8

"Bastion Hosts

" p. 173. This foundational text states

"A bastion host is a computer system that is the target of attack... It is designed

configured

and managed to be as secure as possible."

3. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 20.2

"Firewall Characteristics

" a bastion host is described as a system that is hardened to resist attack and typically hosts a single

specific application

such as a proxy server

for external access.

Orchestration is the automated arrangement, coordination, and management of multiple, complex computer systems, services, and software to execute a cohesive workflow. The question describes handling "complex and distributed operations" programmatically as a single process, which is the core function of orchestration. It goes beyond simple automation by coordinating multiple automated tasks across different systems or services to achieve a larger, business-oriented goal, such as deploying a multi-tier application.

B. Provisioning: This is the process of creating and deploying a specific resource (e.g., a virtual machine or storage), which is often just one step within a larger orchestrated workflow.

C. Automation: This is a broad term for making a single task or process run without human intervention. Orchestration is a specific, higher-level form of automation that coordinates multiple automated tasks.

D. Allocation: This refers to the assignment of specific computational resources (like CPU or RAM) to a provisioned service. It is a granular action and a subset of provisioning.

1. National Institute of Standards and Technology (NIST). (2011). NIST Cloud Computing Reference Architecture (NIST Special Publication 500-292). Section 5.3.1

"Service Orchestration

" states

"The Service Orchestration refers to the composition of system components to provide a Cloud service to a Cloud Consumer. It includes arranging

coordinating

and managing the components to provide the service."

2. National Institute of Standards and Technology (NIST). (2017). Application Container Security Guide (NIST Special Publication 800-190). Section 3.2

"Orchestrators

" describes how orchestrators are used to manage complex applications composed of many containers

handling tasks like scheduling

load balancing

and service discovery

which exemplifies the coordination of distributed operations.

3. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). The characteristic of "On-demand self-service" is described as a consumer being able to "unilaterally provision computing capabilities... automatically without requiring human interaction." Orchestration is the mechanism that enables the automated coordination required for complex provisioning.

4. Papazoglou

M. P.

& van den Heuvel

W. J. (2011). Service orchestration and choreography. In Web Services Foundations (pp. 319-365). Springer

Berlin

Heidelberg. This academic text distinguishes orchestration as the coordination of multiple services to achieve a composite task

managed from a central point of control

which aligns with the question's scenario. (DOI: 10.1007/978-3-642-19576-510)

Role-Based Access Control (RBAC) is an authorization model that simplifies the administration of user permissions, especially in complex, large-scale environments like cloud architectures. Its primary advantage is abstracting permissions into roles (e.g., 'administrator', 'developer', 'auditor'). Instead of assigning numerous, granular permissions directly to each user, administrators assign users to predefined roles. When a user's job function changes, an administrator only needs to change their role assignment rather than reconfiguring a multitude of individual permissions. This approach significantly reduces administrative overhead, minimizes errors, and facilitates the enforcement of the principle of least privilege by ensuring users only have the access necessary for their roles.

A. It allows users to access all resources without restrictions.

This is incorrect. RBAC is a method of restricting access based on a user's defined role, not granting universal access.

C. It eliminates the need for user authentication.

This is incorrect. RBAC is an authorization mechanism that determines what an authenticated user can do; it functions after successful authentication.

D. It automatically encrypts all user data.

This is incorrect. RBAC is an access control model concerned with permissions, while data encryption is a separate security control for protecting data confidentiality.

1. National Institute of Standards and Technology (NIST). (2004). The NIST Model for Role-Based Access Control: Towards a Unified Standard. In this foundational document

it is stated

"The centrally controlled

many-to-many correspondence between users and permissions in RBAC provides a high degree of administrative convenience." (Page 1

Section 1

Paragraph 2).

2. Cloud Security Alliance (CSA). (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. In the Identity & Access Management domain

the guide explains that RBAC simplifies administration: "RBAC is a popular model for enforcing authorization... It simplifies the administration of permissions by associating them with roles

which are then assigned to users." (Page 81

Domain 5: Identity & Access Management).

3. Sandhu

R. S.

Coyne

E. J.

Feinstein

H. L.

& Youman

C. E. (1996). Role-based access control models. Computer

29(2)

38-47. This seminal academic paper on RBAC states

"A major motivation for RBAC is the desire to simplify administration of permissions." (Page 39

Section "RBAC Framework"). DOI: https://doi.org/10.1109/2.485845

4. National Institute of Standards and Technology (NIST). (2014). Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. When comparing models

this guide notes

"In the RBAC model

permissions are associated with roles

and users are assigned to appropriate roles. This simplifies the management of permissions for individual users." (Page 6

Section 2.2

Paragraph 1).