ISC2 CC Certified in Cybersecurity Exam Questions 2025

A hybrid cloud is a computing environment that combines an on-premise data center (often considered a private cloud) with a public cloud, allowing data and applications to be shared between them. This model gives businesses greater flexibility and more data deployment options by enabling them to keep sensitive or critical workloads on-premise while leveraging the public cloud for scalable, less-sensitive computing resources. The key characteristic is the integration and orchestration between the two distinct environments (on-premise and cloud).

B. Private cloud: This model is provisioned for exclusive use by a single organization and does not inherently include resources from a public cloud provider.

C. Community cloud: This infrastructure is shared by several organizations with common concerns, not a single company mixing on-premise and public cloud resources.

D. Multi-tenant: This describes an architecture where a single software instance serves multiple customers; it is a characteristic of public clouds, not a deployment model itself.

1. Mell

P.

& Grance

T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). National Institute of Standards and Technology. On page 3

Section 2

"Deployment Models

" it defines Hybrid Cloud as "a composition of two or more distinct cloud infrastructures (private

community

or public)..." This directly supports the concept of combining on-premise (private) and cloud (public) resources.

2. Armbrust

M.

Fox

A.

Griffith

R.

Joseph

A. D.

Katz

R.

Konwinski

A.

... & Zaharia

M. (2010). A view of cloud computing. Communications of the ACM

53(4)

50-58. In Section 3

"Classes of Utility Computing

" the paper discusses how a private cloud can be surged into a public cloud for additional capacity

which is a primary use case for the hybrid model. (DOI: https://doi.org/10.1145/1721654.1721672)

A worm is a standalone malware program that replicates itself to spread to other computers, typically over a network. Its defining characteristic is its ability to propagate automatically without requiring any human action or a host program. It exploits vulnerabilities in the target system or network to spread, making it distinct from other malware types that rely on user interaction or attachment to legitimate files.

A. Rootkits: A rootkit's primary purpose is to gain and maintain privileged access to a system while hiding its presence, not to self-replicate.

C. Trojan: A Trojan disguises itself as legitimate software to trick a user into installing it. It does not self-replicate; its spread relies on social engineering.

D. Virus: A virus replicates by attaching itself to a host program or file. It requires human action, such as running the infected program, to spread.

1. National Institute of Standards and Technology (NIST). (2021). NISTIR 7298 Revision 3: Glossary of Key Information Security Terms. U.S. Department of Commerce.

Worm (p. 211): "A self-replicating

self-propagating

self-contained program that uses networking mechanisms to spread itself."

Virus (p. 208): "A computer program that can copy itself and infect a computer... A virus requires a host program."

Trojan Horse (p. 199): "A computer program that appears to have a useful function

but also has a hidden and potentially malicious function..."

Rootkit (p. 166): "A set of software tools that enable an unauthorized user to gain control of a computer system without being detected."

2. Saltzer

J. H.

& Kaashoek

M. F. (2014). 6.858 Computer Systems Security

Fall 2014 - Lecture 15: Malware. MIT OpenCourseWare.

The lecture notes explicitly differentiate the two: "Virus: human-assisted propagation (e.g.

email attachment

infected USB stick). Worm: automatic propagation without human assistance."

3. Stallings

W.

& Brown

L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson.

Chapter 6

Section 6.1 "Malicious Software": "Worms are programs that replicate themselves from computer to computer across network connections... A network worm exhibits the same characteristics as a computer virus... with the difference that a worm can run by itself; it is a self-contained program."

Security controls are often categorized by their scope of implementation within an organization. The NIST framework, a foundational source for cybersecurity principles, defines three types based on this scope: common, system-specific, and hybrid. Common controls apply to multiple systems (e.g., a firewall protecting the entire network). System-specific controls are unique to a particular system (e.g., an application-level access rule). Hybrid controls have both common and system-specific components. "Storage controls" is not a formal classification in this context; rather, it describes a functional area where controls (like encryption or access restrictions) are applied, not a type of control itself.

A. System-specific controls: This is a valid type of security control that is implemented for and unique to a specific information system.

B. Common controls: This is a valid type of security control that is implemented once for an organization and inherited by multiple information systems.

D. Hybrid controls: This is a valid type of security control that has both common (organization-wide) and system-specific implementation components.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5).

Page 233

Appendix A: Defines Common Control as "A security or privacy control that is inheritable by one or more organizational systems."

Page 241

Appendix A: Defines System-Specific Control as "A security or privacy control for a system that is not designated as a common control or a hybrid control."

Page 236

Appendix A: Defines Hybrid Control as "A security or privacy control where one part of the control is common and another part of the control is system-specific."

The term "Storage controls" is not defined as a control type in this publication.

The (ISC)² Code of Ethics is built upon four mandatory canons that all certified members must adhere to. The fourth canon is "Advance and protect the profession." This canon requires members to contribute to the cybersecurity field through activities like mentoring, sharing knowledge, and upholding the reputation of the profession. The other options, while representing good ethical principles, do not accurately state one of the four official canons in its required form.

A. Prevent and detect unauthorized use of digital assets in a society

This describes a general goal of cybersecurity professionals but is not a direct quote of any of the four canons.

C. Act always in the best interest of your client

This is a common ethical principle, but the (ISC)² canons use the term "principals" and are worded differently, such as "Act honorably, honestly, justly, responsibly, and legally."

D. Provide diligent and competent services to stakeholders

This is a close paraphrase of the third canon, but it incorrectly uses the term "stakeholders." The official canon is "Provide diligent and competent service to principals."

---

1. (ISC)². (2024). Code of Ethics. (ISC)²

Inc. Retrieved from https://www.isc2.org/Ethics. The four canons are listed as:

Protect society

the common good

necessary public trust and confidence

and the infrastructure.

Act honorably

honestly

justly

responsibly

and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

2. University of Fairfax. (2022). IAG 591: Legal and Ethical Issues in Information Assurance Syllabus. Page 4. Retrieved from https://www.ufairfax.edu/wp-content/uploads/2022/08/IAG-591-Syllabus-2022-08-01.pdf. This university course syllabus explicitly lists the four (ISC)² Code of Ethics canons

confirming the exact wording.

3. Harris

S.

& Maymi

F. (2021). CISSP All-in-One Exam Guide

Ninth Edition. McGraw-Hill. Chapter 1

"Security Governance Through Principles and Policies

" Section: "(ISC)² Code of Professional Ethics." This academic and professional text details the four canons

confirming that "Advance and protect the profession" is the fourth canon.

Transmission Control Protocol (TCP) is a core protocol of the Internet Protocol suite designed to provide a reliable, ordered, and error-checked stream of data between two applications. It is a connection-oriented protocol, meaning it establishes a session using a three-way handshake before any data is sent. This process, along with mechanisms like sequence numbers, acknowledgments, and retransmissions, guarantees that data is delivered completely and in the correct order. The phrase "no time constraint" in the question makes TCP the ideal choice, as its reliability mechanisms introduce overhead and latency, which are acceptable when speed is not the primary concern.

A. DHCP is an application-layer protocol used to dynamically assign IP addresses and other network configuration parameters to devices, not for general-purpose data transfer.

B. UDP (User Datagram Protocol) is a connectionless protocol that prioritizes speed over reliability. It does not guarantee packet delivery, order, or integrity.

D. SNMP (Simple Network Management Protocol) is an application-layer protocol used for managing and monitoring network devices, not for establishing a reliable data connection between two peers.

1. Postel

J. (1981). RFC 793: Transmission Control Protocol. Internet Engineering Task Force (IETF). Section 1.5

"Operation

" states

"To provide this service on top of a less reliable internet communication system requires facilities in the following areas: ... Reliability".

2. Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. In Chapter 3.5

"Connection-Oriented Transport: TCP

" the text describes TCP as providing a "reliable data transfer service" through mechanisms like flow control

sequence numbers

acknowledgments

and timers.

3. Postel

J. (1980). RFC 768: User Datagram Protocol. Internet Engineering Task Force (IETF). The abstract explicitly states

"This protocol provides a procedure for application programs to send messages to other programs with a minimum of protocol mechanism. The protocol is transaction oriented

and delivery and duplicate protection are not guaranteed."

4. Saltzer

J. H.

Kaashoek

M. F. (2018). 6.033 Computer System Engineering

Spring 2018 Lecture Notes. Massachusetts Institute of Technology: MIT OpenCourseWare. Lecture 11

"The Network

" p. 11-10

contrasts UDP's "best-effort" delivery with TCP's reliable stream service

which uses acknowledgments and retransmissions to ensure data arrives correctly.

The CIA Triad is a foundational model in information security used to guide policies for information security within an organization. The three principles are:

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. It is often enforced through mechanisms like encryption and access control.

Integrity: The property of safeguarding the accuracy and completeness of assets. It ensures that data has not been tampered with or altered by unauthorized parties.

Availability: The property of being accessible and usable upon demand by an authorized entity. It ensures that systems and data are operational and accessible when needed.

A. "Accessibility" is not the standard term; "Availability" is the correct principle, focusing on ensuring systems are operational for authorized users.

B. "Concealment" and "Authentication" are security concepts, but they are not the core, universally recognized principles of the CIA Triad.

C. "Identity" is a critical element in security for authentication and authorization, but it is not one of the three foundational principles of the triad.

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53

Revision 5). Appendix D

"Glossary".

Confidentiality: "Preserving authorized restrictions on information access and disclosure

including means for protecting personal privacy and proprietary information." (Page 231)

Integrity: "Guarding against improper information modification or destruction

and includes ensuring information non-repudiation and authenticity." (Page 237)

Availability: "Ensuring timely and reliable access to and use of information." (Page 229)

2. Ross

R.

et al. (2020). The Security and Privacy Controls Assessment (NIST Special Publication 800-53A

Revision 5). Section 2.2

"Fundamental Concepts

" Paragraph 1.

"The three fundamental security objectives for information and information systems are confidentiality

integrity

and availability."

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM

18(7)

387-408. Section I.A.1

"Design Principles".

This foundational paper discusses the core goals of information protection which directly map to the CIA triad: preventing unauthorized disclosure (Confidentiality)

unauthorized modification (Integrity)

and denial of use (Availability).

4. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014. Lecture 1: Introduction & Threat Models

Slide 10.

The lecture slide explicitly lists the "Three key security properties (CIA)" as "Confidentiality

" "Integrity

" and "Availability

" providing definitions for each.

The TCP/IP model, as defined in foundational documents like RFC 1122, is structured with four layers: Application, Transport, Internet, and Network Access (or Link). The "Physical" layer is not a named layer within this model. Instead, it is explicitly defined as Layer 1 of the seven-layer Open Systems Interconnection (OSI) model. The TCP/IP model's lowest layer, the Network Access layer, encompasses the functions of both the Physical and Data Link layers of the OSI model, abstracting the details of physical transmission.

A. Transport: This is a core layer in the TCP/IP model, responsible for host-to-host communication using protocols like TCP and UDP.

B. Internet: This is a fundamental layer in the TCP/IP model that handles logical addressing and routing of packets via the Internet Protocol (IP).

C. Application: This is the top layer of the TCP/IP model, containing protocols (e.g., HTTP, SMTP) that network-aware applications use.

1. Braden

R. (Ed.). (1989). RFC 1122: Requirements for Internet Hosts -- Communication Layers. IETF. Section 1.3.2

"The Layer Model

" outlines the TCP/IP architecture as consisting of the Application

Transport

Internet

and Link Layers.

2. Saltzer

J. H.

Reed

D. P.

& Clark

D. D. (1984). End-to-end arguments in system design. ACM Transactions on Computer Systems

2(4)

277–288. This foundational paper discusses the principles underlying the TCP/IP architecture

which abstracts the physical network into a lower layer. https://doi.org/10.1145/357401.357402

3. MIT OpenCourseWare. (2018). 6.033 Computer System Engineering

Spring 2018. Lecture 11: The Network Layer. The course materials present the Internet architecture with four layers: Application

Transport

Network (Internet)

and Link

distinguishing it from the seven-layer OSI model.

The primary goal of a Disaster Recovery Plan (DRP) is the technical restoration of information technology (IT) systems, applications, and data at an alternate site after a major disruption or disaster. A DRP is a component of the overall Business Continuity Plan (BCP). While the BCP focuses on maintaining critical business functions during an event, the DRP is enacted after the event to recover the technological infrastructure to its last-known reliable operational state. This restoration is crucial for enabling the business processes to resume normal operations.

A. This describes the primary goal of a Business Continuity Plan (BCP), which is broader and focuses on keeping essential business processes running during a disruption.

B. This is the purpose of an Emergency Response Plan (ERP), which addresses immediate threats to life, safety, and property during the initial moments of a disaster.

C. This is an overarching strategic objective of the entire business continuity and disaster recovery program, not the specific, primary goal of the DRP itself.

1. National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems.

Section 2.3

Page 11: "The primary objective of disaster recovery is to implement critical processes and to recover critical IT systems

applications

and data to allow an organization to resume normal business operations." This directly supports the concept of restoration as the primary goal.

Section 2.3

Page 9: "BCP focuses on sustaining an organization’s mission/business processes during and after a disruption... DRP provides detailed procedures to facilitate recovery of capabilities at an alternate site." This clearly distinguishes the roles of BCP (maintaining functions) and DRP (restoring capabilities).

2. Purdue University

ITaP Business Continuity and Disaster Recovery Plan.

Section 1.1

Purpose: "The purpose of the ITaP Disaster Recovery Plan is to recover from a disaster and to restore business operations to an acceptable condition." This aligns with the goal of restoring operations.

3. Carnegie Mellon University

Software Engineering Institute

Defining and Differentiating BCDR (2017).

Page 2

"Disaster Recovery": "Disaster recovery (DR) is the process an organization uses to recover access to its software

data

and/or hardware that are needed to resume the performance of normal

critical business functions after a natural or human-induced disaster." This emphasizes recovery and restoration of IT assets.

Authentication is the process of verifying a claimed identity. When a user provides a user ID, they are making a claim about who they are. The password serves as a secret piece of information (a knowledge factor) to prove that claim. The system then compares these credentials against its stored records to confirm the user's identity. This verification process is the fundamental definition of authentication within the Identity and Access Management (IAM) framework.

A. Validation is a generic term for checking data correctness; it is not the specific security function for verifying a user's identity.

B. Authorization is the process of granting permissions to resources, which occurs after a user has been successfully authenticated.

C. Login is a user-facing term for the overall process of gaining access, but the specific technical function being performed is authentication.

1. National Institute of Standards and Technology (NIST). (2017). Special Publication 800-63-3: Digital Identity Guidelines. Section 1.2

"Introduction to Digital Identity". The document states

"Authentication is the process of verifying a claimant’s identity."

2. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Communications of the ACM

18(7)

377–408. Section I.A.2

"Authentication". This foundational paper defines authentication as the mechanism for "associating a unique system-identifier with that principal." The use of a password is a primary example. (DOI: https://doi.org/10.1145/361011.361062)

3. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.857 Computer and Network Security

Lecture 2: Control of Information. The lecture notes clearly distinguish authentication ("Who are you?") from authorization ("What are you allowed to do?").

Policies are high-level, formal documents that establish management's intent, expectations, and strategic direction for security within an organization. They define the scope of the security program, assign responsibilities, and state the organization's position on specific issues. By setting these overarching goals and principles, policies provide the necessary context and authority for the creation of more detailed standards, procedures, and guidelines. They answer the "what" and "why" of security, thereby setting the strategic priorities for the entire enterprise.

A. Regulations: These are mandatory requirements imposed by external governmental or legal bodies, not an organization's internally-developed strategic direction.

B. Standards: These are mandatory, specific requirements for technology or processes that support policies; they are tactical, not strategic.

C. Procedures: These are detailed, step-by-step instructions for performing a task; they are operational and represent the lowest level of documentation.

1. National Institute of Standards and Technology (NIST) Special Publication 800-12 Revision 1

An Introduction to Information Security. Section 4.1

"Policy

Standards

and Practices

" states: "Policies are the high-level documents that set the strategic direction

course

and tone for an organization’s security program." (Page 27

Paragraph 2).

2. National Institute of Standards and Technology (NIST) Special Publication 800-100

Information Security Handbook: A Guide for Managers. Section 2.2

"Security Policy

" describes policy as the "foundation of a security program" and notes that it "sets the strategic direction for security." (Page 10

Paragraph 1).

3. University of California

Berkeley

Information Security Office

Policy Program. The documentation on "Policy

Standard

Guideline

and Procedure Definitions" states: "A policy is a statement of intent and is implemented as a procedure or protocol. Policies are the 'what' and the 'why'." This aligns with the strategic

context-setting role of policies.