ISC2 CCSP Exam Questions 2025

Our CCSP Exam Questions provide authentic, up-to-date content for the ISC2 Certified Cloud Security Professional (CCSP) certification. Each question is reviewed by cloud security experts and includes verified answers with clear explanations to strengthen your knowledge of cloud architecture, data protection, compliance, and risk management. With access to our exam simulator, you can practice under real exam conditions and confidently prepare to pass on your first attempt.

Exam Questions

Question 1

Which of the following best describes SAML?
Options
A: A standard used for directory synchronization
B: A standard for developing secure application management logistics
C: A standard for exchanging usernames and passwords across devices.
D: A standard for exchanging authentication and authorization data between security domains.
Show Answer
Correct Answer:
A standard for exchanging authentication and authorization data between security domains.
Explanation
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, specifically between an identity provider (IdP) and a service provider (SP). This process, known as identity federation, allows a user to authenticate once with a trusted IdP and then gain access to multiple separate systems (SPs) without needing to log in to each one individually. The SP trusts the security assertion from the IdP, enabling single sign-on (SSO) across different security domains.
Why Incorrect Options are Wrong

A. Directory synchronization and account provisioning are handled by protocols such as LDAP and SCIM (System for Cross-domain Identity Management), not SAML.

B. This is a vague and non-standard phrase; SAML is a specific protocol for identity federation, not a general standard for "management logistics."

C. SAML is explicitly designed to avoid exchanging raw credentials like passwords; it uses secure, digitally signed assertions (tokens) instead.

References

1. National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-63C: Digital Identity Guidelines: Federation and Assertions. Section 1.1, Introduction, states, "Federation allows a subject to use attributes from an identity provider (IdP) to authenticate to a relying party (RP), often in a different security domain... This document provides requirements on the use of federated identity protocols, such as Security Assertion Markup Language (SAML)..."

2. OASIS Security Services (SAML) TC. (2005). Security Assertion Markup Language (SAML) V2.0 Technical Overview. Committee Draft 01, 25 July 2005. Section 2.1, "SAML Solves the Web Browser SSO Problem," describes the core use case as enabling a principal (user) to authenticate to an IdP and then access a resource at a service provider by exchanging authentication and authorization information.

3. Purdue University. (2012). Federated Identity Management. CERIAS Tech Report 2012-10. Page 4 discusses SAML as a primary protocol for federated identity, stating, "SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities..."
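The checks a service provider must perform before it trusts an assertion, as an added worked example (not part of the exam material above): the assertion, entity IDs and URLs are constructed and hypothetical, and the IdP's XML signature is assumed to have been verified already by a proper library, since this code does no cryptography. What it shows is why option C is wrong: nothing resembling a password changes hands, only a signed, time-bound, audience-restricted statement that the SP must validate on its own terms.

```python
"""Service-provider checks on a SAML 2.0 assertion after signature verification.
Added example; the assertion, entity IDs and URLs below are constructed and
hypothetical.  Signature verification is assumed to have happened already
(e.g. with xmlsec / python3-saml) and the parsed element is assumed to be the
one that was actually signed; this code only checks the assertion's claims."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion with hypothetical IdP and SP identifiers.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2025-10-16T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2025-10-16T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-10-16T11:59:00Z" NotOnOrAfter="2025-10-16T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2025-10-16T11:59:30Z"/>
</saml:Assertion>"""

TRUSTED_IDP = "https://idp.example.org/metadata"   # taken from IdP metadata (assumed value)
SP_ENTITY_ID = "https://sp.example.com/metadata"   # our own entity ID (assumed value)
ACS_URL = "https://sp.example.com/saml/acs"        # our assertion consumer URL (assumed value)


def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuer=TRUSTED_IDP,
                       sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                       skew=timedelta(seconds=60)):
    """Return (ok, reasons); ok is True only if every check passes.

    Failed checks are collected rather than raised so the SP can log why an
    assertion was refused.
    """
    root = ET.fromstring(xml_text)
    reasons = []

    # 1. Issuer: the assertion must come from the IdP we federated with.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != trusted_issuer:
        reasons.append(f"untrusted issuer {issuer!r}")

    # 2. Conditions: validity window (with clock-skew tolerance) and audience.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions element")
    else:
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_time(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_time(not_on_or_after):
            reasons.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            reasons.append(f"audience {audiences} does not name this SP")

    # 3. Bearer confirmation: meant for our ACS endpoint and still fresh.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        reasons.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            reasons.append("Recipient does not match our ACS URL")
        deadline = scd.get("NotOnOrAfter")
        if deadline and now - skew >= parse_time(deadline):
            reasons.append("bearer confirmation expired")

    # 4. Without an AuthnStatement this is only an attribute statement, not a login.
    if root.find("saml:AuthnStatement", NS) is None:
        reasons.append("no AuthnStatement")

    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = validate_assertion(SAMPLE_ASSERTION, parse_time("2025-10-16T12:01:00Z"))
    print("accepted" if ok else f"rejected: {why}")
```

The audience and recipient checks are what stop an assertion issued for one SP from being replayed at another; the short NotOnOrAfter window and a small skew allowance are what make a stolen assertion nearly worthless after a few minutes. In a real deployment the signature check comes first and must cover the exact element being parsed, otherwise these checks run on attacker-controlled XML.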

Question 2

Web application firewalls (WAFs) are designed primarily to protect applications from common attacks like:
Options
A: Ransomware
B: Syn floods
C: XSS and SQL injection
D: Password cracking
Show Answer
Correct Answer:
XSS and SQL injection
Explanation
A Web Application Firewall (WAF) operates at the application layer (Layer 7) to protect web applications from attacks that exploit vulnerabilities in the application's code. Its primary function is to filter, monitor, and block malicious HTTP/S traffic to and from a web application. WAFs are specifically designed to identify and mitigate common web-based attacks, with Cross-Site Scripting (XSS) and SQL injection being two of the most prominent examples. By inspecting the content of web traffic, a WAF can detect and block requests containing malicious scripts or database queries before they reach the application server.
Why Incorrect Options are Wrong

A. Ransomware: This is a type of malware. A WAF is not the primary defense; endpoint protection and anti-malware solutions are designed for this threat.

B. Syn floods: This is a network-layer (Layer 3/4) Denial of Service (DoS) attack. It is primarily mitigated by network firewalls and dedicated DDoS protection services, not WAFs.

D. Password cracking: This is an attack on authentication. While a WAF can help by rate-limiting login attempts, the primary defenses are strong password policies and multi-factor authentication.

References

1. National Institute of Standards and Technology (NIST). (2007). Guide to Secure Web Services (Special Publication 800-95). "A WAF is a device that is intended to protect a Web server from Web-based attacks... WAFs can protect against a variety of attacks, including buffer overflows, SQL injection, and cross-site scripting." (Section 4.3.2, Page 4-6).

2. The Open Web Application Security Project (OWASP). Web Application Firewall. "A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection." (OWASP Foundation, Web Application Firewall page, Introduction).

3. Papamartzivanos, D., Mármol, F. G., & Kambourakis, G. (2017). Introducing an intelligent engine for thwarting application-layer DDoS attacks. Journal of Information Security and Applications, 35, 49-59. "Web Application Firewalls (WAFs) are security solutions that aim to protect web applications from a plethora of attacks, such as SQL injection (SQLi), Cross-Site Scripting (XSS), and Remote File Inclusion (RFI)." (Section 1, Introduction, Paragraph 1). https://doi.org/10.1016/j.jisa.2017.06.002
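As an added worked example (not part of the exam material and not code from any WAF product), the toy rule engine below shows what Layer 7 inspection actually does with the two attacks named in the answer, and why a SYN flood is invisible to it. The request samples, rule set and inspected-header list are constructed; real rule sets such as the OWASP Core Rule Set are far larger and use anomaly scoring rather than blocking on a single match.

```python
"""Toy Layer-7 request inspection in the style of a WAF rule set.  Added
example, not from any WAF product or the exam material; the request samples
and rules are constructed.  It shows why a WAF sees XSS and SQL injection
(they live in HTTP parameters) but not a SYN flood (which never produces an
HTTP request for a Layer-7 filter to look at)."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Signature rules: (rule id, compiled pattern).  Deliberately small.
RULES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)<[^>]*\bon[a-z]+\s*=")),
    ("xss-javascript-uri", re.compile(r"(?i)javascript\s*:")),
]
INSPECTED_HEADERS = ("User-Agent", "Cookie", "Referer")


def normalize(value, rounds=3):
    """URL-decode repeatedly so a double-encoded payload (%253C) cannot slip past the rules."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(req):
    """Return [(rule_id, location, normalized_value)] for every rule hit.

    req is a dict: method, path, query (raw string), headers (dict), body (raw form string).
    """
    fields = [("path", req.get("path", ""))]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(req.get("query", ""), keep_blank_values=True)]
    if req.get("body"):
        fields += [(f"body:{k}", v) for k, v in parse_qsl(req["body"], keep_blank_values=True)]
    fields += [(f"header:{h}", req["headers"][h]) for h in INSPECTED_HEADERS if h in req.get("headers", {})]

    findings = []
    for location, raw in fields:
        value = normalize(raw)      # match on the decoded form, never the raw bytes
        for rule_id, pattern in RULES:
            if pattern.search(value):
                findings.append((rule_id, location, value))
    return findings


def decide(req):
    """Block on any hit; a production WAF would score and use per-path exceptions instead."""
    return "block" if inspect_request(req) else "allow"


# Constructed sample traffic.
BENIGN = {"method": "GET", "path": "/search", "query": "q=cloud+security",
          "headers": {"User-Agent": "curl/8.0"}}
SQLI_TAUTOLOGY = {"method": "GET", "path": "/login", "query": "user=admin'+OR+'1'%3D'1&pw=x",
                  "headers": {}}
XSS_DOUBLE_ENCODED = {"method": "GET", "path": "/comment",
                      "query": "text=%253Cscript%253Ealert(1)%253C%2Fscript%253E", "headers": {}}
SQLI_UNION_BODY = {"method": "POST", "path": "/report", "query": "", "headers": {},
                   "body": "id=1+UNION+SELECT+username%2Cpassword+FROM+users"}
# There is no SYN-flood sample: the TCP handshake never completes, so no HTTP
# request exists to inspect.  That is a Layer-3/4 problem for DDoS scrubbing.

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("sqli", SQLI_TAUTOLOGY),
                      ("xss", XSS_DOUBLE_ENCODED), ("union", SQLI_UNION_BODY)]:
        print(name, decide(req), inspect_request(req))
```

The detail worth noticing is normalize(): the XSS sample is percent-encoded twice, and a rule applied to the raw query string would never fire. Decoding to a canonical form before matching is the core of what a WAF does, and it is also why rule sets are a mitigation rather than a fix, since every encoding or syntax the normalizer does not know is a potential bypass.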

Question 3

APIs are defined as which of the following?
Options
A: A set of protocols and tools for building software applications to access a web-based software application or tool
B: A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
C: A set of standards for building software applications to access a web-based software application or tool
D: A set of routines and tools for building software applications to access web-based software applications
Show Answer
Correct Answer:
A set of routines, standards, protocols, and tools for building software applications to access a web-based software application or tool
Explanation
An Application Programming Interface (API) is a formally defined set of rules, routines, and specifications that software programs can follow to communicate with each other. It serves as an interface between different software applications and facilitates their interaction. The definition in option B is the most comprehensive, as it correctly includes all the essential components: routines (the specific functions or procedures), standards (the data formats and conventions), protocols (the rules for data exchange), and tools (libraries and documentation that aid development). This complete set allows developers to build applications that can access the features or data of another service or system in a predictable and standardized manner.
Why Incorrect Options are Wrong

A. This option is incomplete as it omits the crucial elements of routines and standards, which are fundamental parts of an API's definition.

C. This is too narrow. While APIs involve standards, they also explicitly define the routines, protocols, and tools needed for interaction.

D. This option is missing standards and protocols, which are essential for ensuring consistent and predictable communication between applications.

References

1. National Institute of Standards and Technology (NIST), Special Publication 800-204, Security Strategies for Microservices-based Application Systems, December 2019. In Section 2.1, "Acronyms," an API is defined as: "A set of routines, protocols, and tools for building software and applications." This directly supports the components listed in the correct answer.

2. Google Cloud Documentation, "What is an API?". The official documentation states: "An API is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact." This definition aligns perfectly with the chosen answer.

3. Red Hat Official Documentation, "What is an API?". The documentation defines an API as: "a set of definitions and protocols for building and integrating application software." This reinforces that an API is more than just one component, encompassing definitions (which include routines and standards) and protocols.

Question 4

Which of the following best describes data masking?
Options
A: A method for creating similar but inauthentic datasets used for software testing and user training.
B: A method used to protect prying eyes from data such as social security numbers and credit card data.
C: A method where the last few numbers in a dataset are not obscured. These are often used for authentication.
D: Data masking involves stripping out all digits in a string of numbers so as to obscure the original number.
Show Answer
Correct Answer:
A method for creating similar but inauthentic datasets used for software testing and user training.
Explanation
Data masking, also known as data obfuscation, is a data security technique that creates a structurally similar but inauthentic version of an organization's data. The primary purpose is to protect sensitive information while providing a realistic, functional alternative for use in non-production environments. These environments, such as those for software development, quality assurance testing, and user training, require data that mirrors the production format and structure but should not expose actual sensitive customer or business information. Masking techniques replace sensitive data with fictitious yet realistic data, preserving data utility without compromising confidentiality.
Why Incorrect Options are Wrong

B. This description is too general. While data masking does protect sensitive data, this statement could also describe encryption, tokenization, or access controls. It lacks the specificity of creating a substitute dataset.

C. This describes a single technique, partial masking (e.g., showing only the last four digits of a credit card number), not the overarching concept of data masking.

D. This describes the "nulling out" or redaction technique, which is only one of many methods used in data masking. It is not a comprehensive definition of the entire process.

References

1. Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4.0.7, Control ID: DSP-10 (Data Masking and Obfuscation). The control specification states, "Data masking, obfuscation, or anonymization shall be used to protect sensitive data (e.g., PII) in non-production environments (e.g., development, testing)." This directly supports the use case described in option A.

2. NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Section 5.4.2, discusses de-identification techniques. It describes masking as a method to "replace PII with fictitious data that has a similar format and data type to the original PII." This aligns with creating inauthentic but structurally similar datasets.

3. Kadlag, S., & Jadhav, S. A. (2015). Data Masking as a Service. International Journal of Computer Applications, 116(19), 1-4. The paper states, "The main reason for applying data masking is to protect sensitive data, while providing a functional substitute for occasions when the real data is not required. For example, in user training, or software testing." (Page 1, Section 1: Introduction). DOI: 10.5120/20443-2821.
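The techniques the options above touch on, shown together on a constructed customer table as an added example (not the exam's or any vendor's code; the rows, key and domain names are placeholders and the card numbers are well-known test PANs): keyed substitution that stays consistent across rows, format-preserving random values for card and social security numbers, partial masking for display, and nulling out for free text. The output is what option A describes: a dataset with the same shape as production that contains no production secrets.

```python
"""Producing a masked copy of a customer table for a test environment.
Added example, not from the exam material or any product; the rows are
constructed and MASKING_KEY is a placeholder.  Four techniques side by side:
keyed substitution (consistent pseudonyms), format-preserving random
substitution (Luhn-valid card numbers, never-issued SSN area), partial
masking for display, and nulling out for free text."""
import hashlib
import hmac
import random

MASKING_KEY = b"placeholder-keep-in-a-secrets-manager-not-in-test"  # assumed secret

# Constructed production-like rows.  Records 0 and 2 belong to the same customer.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card_number": "4111111111111111", "balance": 120.50,
     "notes": "Called about a disputed charge on 2025-09-30"},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.com",
     "ssn": "987-65-4321", "card_number": "5555555555554444", "balance": 0.0,
     "notes": None},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card_number": "4111111111111111", "balance": 99.99,
     "notes": "Second account"},
]


def luhn_valid(number):
    """Standard Luhn check; masked PANs must pass it or card-entry code paths will reject them."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def pseudonym(value, domain, key=MASKING_KEY):
    """Keyed and deterministic: same input gives the same fake, but low-entropy inputs
    such as customer IDs cannot be brute-forced back without the key."""
    return hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()[:10]


def fake_pan(original, rng):
    """Keep the 6-digit BIN so brand/issuer logic still works, randomise the rest, fix the Luhn digit."""
    while True:
        body = original[:6] + "".join(str(rng.randrange(10)) for _ in range(len(original) - 7))
        candidate = body + str(luhn_check_digit(body))
        if candidate != original:
            return candidate


def fake_ssn(rng):
    """Area numbers 900-999 have never been issued, so the value cannot belong to a real person."""
    return f"{rng.randrange(900, 1000)}-{rng.randrange(10, 100):02d}-{rng.randrange(1000, 10000):04d}"


def mask_record(rec, rng, key=MASKING_KEY):
    handle = "user-" + pseudonym(rec["customer_id"], "person", key)
    masked_pan = fake_pan(rec["card_number"], rng)
    return {
        "customer_id": rec["customer_id"],        # join key preserved so multi-table fixtures still link
        "name": handle,                            # substitution, consistent across rows
        "email": handle + "@example.test",         # derived from the same pseudonym
        "ssn": fake_ssn(rng),                      # random, format-preserving
        "card_number": masked_pan,                 # Luhn-valid, same BIN
        "card_display": "*" * (len(masked_pan) - 4) + masked_pan[-4:],  # partial masking
        "balance": rec["balance"],                 # non-sensitive, kept for realism
        "notes": None,                             # nulling out: free text can hide anything
    }


def mask_dataset(records, seed=0, key=MASKING_KEY):
    rng = random.Random(seed)   # reproducible fixtures; unpredictability is not the goal here
    return [mask_record(r, rng, key) for r in records]


if __name__ == "__main__":
    for row in mask_dataset(SAMPLE_RECORDS, seed=7):
        print(row)
```

The HMAC-based pseudonym is the piece that separates masking from plain randomisation: rows for the same customer still agree with each other, so application logic that joins on them keeps working, yet the key never leaves production, so the test copy cannot be mapped back. Nulling out the notes field is the honest choice for free text, since there is no reliable way to find every name or number a human typed into it.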

Question 5

Which of the following best describes a sandbox?
Options
A: An isolated space where untested code and experimentation can safely occur separate from the production environment.
B: A space where you can safely execute malicious code to see what it does.
C: An isolated space where transactions are protected from malicious software
D: An isolated space where untested code and experimentation can safely occur within the production environment.
Show Answer
Correct Answer:
An isolated space where untested code and experimentation can safely occur separate from the production environment.
Explanation
A sandbox is a security mechanism that creates an isolated, controlled execution environment. Its primary purpose is to run untested or untrusted code and applications without allowing them to interact with or affect the production system, host operating system, or other applications. This separation is fundamental to preventing potential damage from bugs, vulnerabilities, or malicious behavior during development, testing, or malware analysis. The environment strictly limits the resources (e.g., network access, file system) the code can access, ensuring any adverse effects are contained.
Why Incorrect Options are Wrong

B. This describes a specific use case for a sandbox (malware analysis), not the best overall definition of what a sandbox is.

C. This describes a secure enclave or a specific transactional security mechanism, which is a different concept from a general-purpose sandbox for code execution.

D. A core principle of sandboxing for testing and development is to keep it separate from the production environment to prevent any risk of compromise or instability.

References

1. National Institute of Standards and Technology (NIST). (n.d.). Sandbox. In CSRC Glossary. Retrieved from https://csrc.nist.gov/glossary/term/sandbox. The glossary defines a sandbox as: "A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except for the isolated resources permitted." This supports the concept of an isolated, safe space.

2. Parno, B. (2004). The Security Architecture of the MVM Framework. Stanford University, Computer Science Department. In Section 2.1, "Sandboxing," it is stated: "The goal of a sandbox is to provide a restricted environment in which to run untrusted code. The sandbox is responsible for ensuring that the untrusted code cannot perform any malicious actions..." This aligns with the principle of a safe, isolated environment for untrusted code.

3. Zeldovich, N., & Kaashoek, F. (2014). 6.858 Computer Systems Security, Lecture 4: Confinement. Massachusetts Institute of Technology: MIT OpenCourseWare. The lecture notes state the goal of sandboxing is to "confine a process, so it can't do bad things... Run process in a restricted environment." This emphasizes the isolation and safety aspects, separate from a main system.

Question 6

A localized incident or disaster can be addressed in a cost-effective manner by using which of the following?
Options
A: UPS
B: Generators
C: Joint operating agreements
D: Strict adherence to applicable regulations
Show Answer
Correct Answer:
Joint operating agreements
Explanation
A Joint Operating Agreement (JOA), also known as a reciprocal or mutual aid agreement, is a formal arrangement between two or more organizations to assist each other in the event of a disaster. This strategy is highly cost-effective because it allows participants to share the burden of business continuity and disaster recovery. Instead of each organization incurring the significant capital and operational expenses of building and maintaining a dedicated alternate processing site (e.g., a hot or warm site), they can rely on the resources of a partner. This is particularly effective for localized incidents where one organization is impacted while the other remains operational and can provide support.
Why Incorrect Options are Wrong

A. UPS: An Uninterruptible Power Supply (UPS) only provides short-term backup power for brief outages and is not a solution for a broader disaster.

B. Generators: Generators address longer-term power failures but are a costly capital investment and only mitigate a single type of incident, not a comprehensive disaster.

D. Strict adherence to applicable regulations: This is a mandatory compliance activity, not a disaster recovery strategy. While it may improve resilience, it does not provide a direct mechanism for recovery.

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Section 4.3.2, "Alternate Site," discusses reciprocal agreements as a low-cost option, stating, "Reciprocal agreements are typically the lowest-cost option to implement; however, they are very difficult to enforce." This supports the "cost-effective" nature of the solution.

2. Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, Business Continuity Management Booklet. Appendix D, "Alternate Site Options," describes reciprocal agreements: "A reciprocal agreement is typically a no-cost or low-cost option for business continuity... The primary advantage of a reciprocal agreement is the low cost to initiate and maintain the agreement."

3. ISO/IEC 27031:2011, Information technology - Security techniques - Guidelines for information and communication technology readiness for business continuity. Section 6.4.3, "Recovery facilities," outlines various options for recovery. Mutual agreements are presented as an alternative to more expensive options like dedicated internal or external commercial sites, highlighting their role in a cost-benefit analysis for BC/DR planning.

Question 7

In addition to battery backup, a UPS can offer which capability?
Options
A: Breach alert
B: Confidentiality
C: Communication redundancy
D: Line conditioning
Show Answer
Correct Answer:
Line conditioning
Explanation
Beyond providing battery backup during a power outage, a primary capability of many Uninterruptible Power Supply (UPS) systems is line conditioning. This function actively cleans and regulates the power flowing from the utility source to the connected equipment. It protects sensitive electronics from common power quality problems such as voltage sags (brownouts), surges (spikes), and electrical noise. By filtering these disturbances, the UPS delivers a stable and clean power signal, which is essential for the proper functioning and longevity of IT infrastructure in a cloud or data center environment. This capability is most prominent in line-interactive and online (double-conversion) UPS topologies.
Why Incorrect Options are Wrong

A. Breach alert: This is a function of security information and event management (SIEM) or intrusion detection/prevention systems (IDS/IPS), not a power management device.

B. Confidentiality: This is a data security control, typically achieved through encryption and access control mechanisms, and is unrelated to power supply functions.

C. Communication redundancy: This is a network availability strategy that involves multiple, independent communication links or paths to prevent a single point of failure.

References

1. Massachusetts Institute of Technology (MIT) Lincoln Laboratory. (2011). Uninterruptible Power Supply (UPS) Systems. In Engineering Division Design and Engineering Standards, Section 10.1. On page 10.1-2, it states, "A UPS is used to provide clean, conditioned, and uninterrupted AC power to a critical load." It further details how different UPS types handle power conditioning.

2. Rassool, N., & Manyage, M. (2017). A review of uninterruptible power supplies. 2017 IEEE AFRICON, Cape Town, South Africa, pp. 1114-1119. In Section II, "UPS Topologies," the paper describes how line-interactive and online UPS systems "provide power conditioning" and "filter the input power," contrasting them with the more basic standby UPS. (DOI: 10.1109/AFRICON.2017.8095601)

3. Schneider Electric. (2011). The Different Types of UPS Systems (White Paper 1, Rev. 7). In the section "Line-interactive UPS" (p. 4), it states, "This type of UPS is also able to correct minor power fluctuations (under-voltages and over-voltages) without switching to battery." This voltage regulation is a key aspect of line conditioning.

Question 8

For performance purposes, OS monitoring should include all of the following except:
Options
A: Disk space
B: Disk I/O usage
C: CPU usage
D: Print spooling
Show Answer
Correct Answer:
Print spooling
Explanation
For performance purposes, OS monitoring focuses on fundamental resource metrics that directly impact the system's overall health, stability, and responsiveness. CPU usage, disk I/O, and available disk space are critical indicators of system load and potential bottlenecks. High CPU or disk I/O rates can signal performance degradation, while insufficient disk space can lead to system crashes or slow performance. Print spooling, in contrast, is a specific background service for managing print jobs. While a malfunctioning print spooler can consume system resources, it is not a core, universal metric for OS performance. In many cloud environments and server roles (e.g., web servers, database servers), this service is often disabled or not installed, making it irrelevant for general performance monitoring.
Why Incorrect Options are Wrong

A. Disk space: Insufficient disk space can halt system operations, prevent applications from writing temporary files, and cause severe performance degradation, making it essential to monitor.

B. Disk I/O usage: High disk input/output (I/O) is a primary cause of performance bottlenecks, directly affecting application speed and data access times.

C. CPU usage: This is one of the most critical metrics for performance, as sustained high CPU utilization indicates the system is overloaded and cannot process tasks efficiently.

References

1. Amazon Web Services (AWS) Documentation: The official AWS documentation for Amazon CloudWatch, the monitoring service for AWS cloud resources, lists key metrics for EC2 instances (virtual servers). These include CPUUtilization, DiskReadOps, DiskWriteOps, and metrics for storage volumes. Print spooling is not included as a standard monitored metric for OS performance.

Source: Amazon Web Services, "Amazon EC2 CloudWatch Metrics," Amazon CloudWatch User Guide. (Specifically, the section on "Instance metrics").

2. Microsoft Azure Documentation: Similarly, Azure Monitor for VMs collects performance data from guest operating systems. Standard metrics include "% Processor Time" (CPU), "Logical Disk Bytes/sec" (Disk I/O), and "Logical Disk Free Space." Monitoring for a specific service like a print spooler is considered custom and not a default performance counter.

Source: Microsoft, "Overview of Azure Monitor for VMs," Microsoft Docs. (Specifically, the section on "Performance").

3. University Courseware: University-level operating systems courses emphasize the monitoring of core hardware resource utilization as the basis for performance evaluation. Lectures on system performance consistently focus on CPU scheduling, memory management, and I/O efficiency as the primary areas of concern.

Source: Ousterhout, J., "Lecture 1: Introduction," CS 140: Operating Systems, Stanford University, Winter 2018, pp. 21-23. (Discusses OS goals of performance, which are tied to managing CPU, memory, and I/O).
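An added example, not taken from the AWS or Azure documentation cited above, of what collecting the three core metrics actually looks like on a Linux guest: CPU and disk I/O come from two snapshots of /proc/stat and /proc/diskstats, disk space from the filesystem, and each is compared against a threshold. The /proc snapshots, device name and thresholds are constructed. A service-specific counter such as the print spooler has no place in this baseline; it would be a custom addition for hosts that actually run that service.

```python
"""Baseline OS performance metrics from Linux /proc, evaluated against
thresholds.  Added example, not from AWS/Azure docs or the exam material; the
/proc snapshots below are constructed and the thresholds are assumptions.
Covers exactly the three metrics the question treats as core: CPU, disk I/O
and disk space."""
import os
import shutil
import time

DEFAULT_THRESHOLDS = {"cpu_pct": 80.0, "disk_used_pct": 90.0, "total_iops": 5000.0}

# Constructed /proc snapshots taken ten seconds apart.
STAT_T0 = "cpu  1000 0 500 8000 200 0 50 0 0 0\ncpu0 1000 0 500 8000 200 0 50 0 0 0\n"
STAT_T1 = "cpu  1600 0 700 8400 200 0 100 0 0 0\ncpu0 1600 0 700 8400 200 0 100 0 0 0\n"
DISKSTATS_T0 = "   8       0 sda 120000 500 2400000 30000 80000 300 1600000 50000 0 40000 80000\n"
DISKSTATS_T1 = "   8       0 sda 123000 500 2460000 31000 84000 300 1680000 52000 0 41000 83000\n"


def cpu_utilization(stat_before, stat_after):
    """Percent of CPU time spent busy between two /proc/stat snapshots."""
    def counters(text):
        for line in text.splitlines():
            if line.startswith("cpu "):
                # user nice system idle iowait irq softirq steal; guest time is already inside user/nice
                return [int(x) for x in line.split()[1:9]]
        raise ValueError("no aggregate 'cpu' line")
    b, a = counters(stat_before), counters(stat_after)
    idle_delta = (a[3] + a[4]) - (b[3] + b[4])      # idle + iowait
    total_delta = sum(a) - sum(b)
    return round((1 - idle_delta / total_delta) * 100, 1)


def disk_io_rates(diskstats_before, diskstats_after, device, interval_s):
    """Reads/writes per second and KB/s for one block device from two /proc/diskstats snapshots."""
    def counters(text):
        for line in text.splitlines():
            f = line.split()
            if len(f) >= 10 and f[2] == device:
                # reads completed, sectors read, writes completed, sectors written
                return int(f[3]), int(f[5]), int(f[7]), int(f[9])
        raise ValueError(f"device {device!r} not in diskstats")
    r0, sr0, w0, sw0 = counters(diskstats_before)
    r1, sr1, w1, sw1 = counters(diskstats_after)
    sector = 512    # /proc/diskstats always reports 512-byte sectors
    return {
        "read_iops": (r1 - r0) / interval_s,
        "write_iops": (w1 - w0) / interval_s,
        "read_kb_s": (sr1 - sr0) * sector / 1024 / interval_s,
        "write_kb_s": (sw1 - sw0) * sector / 1024 / interval_s,
    }


def disk_used_pct(total_bytes, used_bytes):
    return round(used_bytes / total_bytes * 100, 1)


def evaluate(metrics, thresholds=DEFAULT_THRESHOLDS):
    """Return one alert string for every metric at or above its threshold."""
    alerts = []
    for name, limit in thresholds.items():
        value = metrics.get(name)
        if value is not None and value >= limit:
            alerts.append(f"{name}={value} exceeds threshold {limit}")
    return alerts


def collect_live(device="sda", interval_s=1.0, mount="/"):
    """Sample the real system (Linux only); returns the dict evaluate() expects."""
    with open("/proc/stat") as f:
        stat0 = f.read()
    with open("/proc/diskstats") as f:
        disk0 = f.read()
    time.sleep(interval_s)
    with open("/proc/stat") as f:
        stat1 = f.read()
    with open("/proc/diskstats") as f:
        disk1 = f.read()
    io = disk_io_rates(disk0, disk1, device, interval_s)
    usage = shutil.disk_usage(mount)
    return {"cpu_pct": cpu_utilization(stat0, stat1),
            "disk_used_pct": disk_used_pct(usage.total, usage.used),
            "total_iops": io["read_iops"] + io["write_iops"]}


if __name__ == "__main__":
    io = disk_io_rates(DISKSTATS_T0, DISKSTATS_T1, "sda", 10)
    sample = {"cpu_pct": cpu_utilization(STAT_T0, STAT_T1), "disk_used_pct": 93.0,
              "total_iops": io["read_iops"] + io["write_iops"]}
    print("constructed sample:", sample, evaluate(sample))
    if os.path.exists("/proc/diskstats"):
        try:
            live = collect_live()
            print("live:", live, evaluate(live))
        except (OSError, ValueError) as exc:    # e.g. no device named sda on this host
            print("live collection skipped:", exc)
```

Both CPU and I/O are rates, so a single snapshot is meaningless; the agent has to keep the previous counters and divide the delta by the interval, which is exactly what cloud monitoring agents do behind the CPUUtilization and DiskReadOps metrics named above.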

Question 9

Identity and access management (IAM) is a security discipline that ensures which of the following?
Options
A: That all users are properly authorized
B: That the right individual gets access to the right resources at the right time for the right reasons.
C: That all users are properly authenticated
D: That unauthorized users will get access to the right resources at the right time for the right reasons
Show Answer
Correct Answer:
That the right individual gets access to the right resources at the right time for the right reasons.
Explanation
Identity and Access Management (IAM) is the security framework and set of business processes that ensures access to resources is managed securely and efficiently. The core principle of IAM is to grant access based on the principle of least privilege and business need. This is holistically captured by ensuring the "right individual" (identity and authentication) gains access to the "right resources" (authorization) at the "right time" for the "right reasons" (context and policy). This comprehensive approach encompasses the entire lifecycle of identity management, from provisioning to de-provisioning, and goes beyond the individual components of authentication or authorization alone.
Why Incorrect Options are Wrong

A. This is incomplete. IAM includes identity verification (authentication) and lifecycle management, not just authorization.

C. This is incomplete. IAM also determines what resources an authenticated user is permitted to access (authorization).

D. This is the antithesis of IAM's purpose. IAM is designed to prevent unauthorized users from gaining access.

References

1. National Institute of Standards and Technology (NIST). (n.d.). What is Identity and Access Management (IAM)? NIST Computer Security Resource Center. Retrieved from https://csrc.nist.gov/projects/iam. In the overview, NIST states, "Identity and Access Management (IAM) is the security discipline that makes it possible for the right entities to use the right resources when they need to, without interference, using the devices they want to use."

2. Perrin, C. (2018). Foundations of Identity and Access Management. University of California, Berkeley, Information Security Office. In the "What is Identity and Access Management?" section, the document describes IAM as a framework for "ensuring the right people have the right access to the right resources at the right time."

3. Al-Khouri, A. M. (2012). Identity and Access Management. International Journal of Computer Science Issues (IJCSI), 9(5), 497-509. On page 498, the paper defines IAM as "a framework of policies and technologies for ensuring that the right users have the appropriate access to technology resources."

Question 10

Maintenance mode requires all of these actions except:
Options
A: Remove all active production instances
B: Ensure logging continues
C: Initiate enhanced security controls
D: Prevent new logins
Show Answer
Correct Answer:
Initiate enhanced security controls
Explanation
Maintenance mode is a controlled state designed to allow for system updates, patching, or repairs while minimizing risk and user impact. Standard procedures include taking instances out of the production pool (A), preventing new user logins to ensure data consistency (D), and ensuring all administrative actions are logged for security and auditing purposes (B). The action that is not a universal requirement is initiating enhanced security controls. While overall security must be maintained through strict authorization, supervision, and logging, the maintenance process itself might require the temporary, controlled modification or relaxation of certain security controls to allow the work to be completed. The focus is on controlled, audited activity, not necessarily the addition of new or enhanced controls.
Why Incorrect Options are Wrong

A. Removing instances from the active production pool is a standard procedure to prevent users from accessing a system undergoing maintenance and to ensure a stable environment for the changes.

B. Continuous logging is crucial during maintenance to audit privileged activities, track changes, and ensure accountability, which is a fundamental security principle.

D. Preventing new logins is essential to protect data integrity and avoid disrupting user sessions while the system is in a potentially unstable state.

References

1. NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. The Maintenance (MA) control family, particularly MA-2 "Controlled Maintenance," outlines requirements for scheduling, performing, and documenting maintenance. The focus is on authorization, control, and review of maintenance activities, not on adding enhanced controls. The standard emphasizes maintaining a secure state through procedural controls. (See Section: MA-2, Page 203).

2. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 5: "Cloud Security Operations" discusses the importance of a formal change management process. This process includes "logging and monitoring of privileged user activities" and ensuring changes are authorized. It does not mandate enhancing security controls during the maintenance window itself; rather, it requires that security is managed throughout the process. (See Domain 5, Page 103).

3. ISO/IEC 27017:2015, Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Clause 12.1.1, "Documented operating procedures," and 12.1.2, "Change management," require that operational changes, including maintenance, be planned, authorized, tested, and carried out under documented procedures that preserve security. The guidance focuses on preventing the introduction of vulnerabilities and ensuring system integrity through controlled procedures, which aligns with logging and restricting access, but it does not call for additional controls during the maintenance window itself.

Total Questions: 944
Last Update Check: October 16, 2025