Chapter 1 - ISC2 - International Information System Security


10/28/23, 7:41 PM - Official ISC2 CC Online Self-Paced Training - 1M - ISC2 - International Information System Security

Chapter 1: Security Principles Quiz

Your work has been saved and submitted


Written Jul 11, 2023 10:47 PM - Jul 11, 2023 10:55 PM • Attempt 1 of Unlimited

Your quiz has been submitted successfully.

Attempt Score 70 %
Overall Grade (Highest Attempt) 70 %

Question 1 1 / 1 point

A chief information security officer (CISO) at a large organization documented a policy that establishes the
acceptable use of cloud environments for all staff. This is an example of a: (D1, L1.3.1)

A) Management/Administrative control

B) Technical control

C) Physical control

D) Cloud control

Question 1 feedback

Correct. Policies, standards, processes, procedures and guidelines set by corporate administrative entities
(e.g., executive- and/or mid-level management) are management/administrative controls.

Question 2 1 / 1 point

Is it possible to avoid risk? (D1, L1.2.1)


A) Yes

B) No

C) Sometimes

D) Never

Question 2 feedback

Correct. To avoid an identified risk, stop doing what you have identified as being too risky or dangerous and
not acceptable to the organization.

Question 3 0 / 1 point

What is meant by non-repudiation? (D1, L1.1.1)

A) If a user does something, they can't later claim that they didn't do it.

B) Controls to protect the organization's reputation from harm due to inappropriate social media
postings by employees, even if on their private accounts and personal time.

C) It is part of the rules set by administrative controls.

D) It is a security feature that prevents session replay attacks.

Question 3 feedback

Incorrect. This might be part of a brand management or reputation management function, but it would not
be part of information security programs.

Question 4 1 / 1 point

Which of the following is NOT one of the four typical ways of managing risk? (D1, L1.2.1)

A) Avoid

B) Accept

C) Mitigate

D) Conflate

Question 4 feedback

Correct. Conflate is not a term used to describe a way to manage risk.

Question 5 1 / 1 point

Siobhan is deciding whether to make a purchase online; the vendor wants Siobhan to create a new user
account, and is requesting Siobhan's full name, home address, credit card number, phone number, email
address, the ability to send marketing messages to Siobhan, and permission to share this data with other
vendors. Siobhan decides that the item for sale is not worth the value of Siobhan's personal information,
and decides to not make the purchase.

What kind of risk management approach did Siobhan make? (D1, L1.2.2)

A) Avoidance

B) Acceptance

C) Mitigation

D) Transfer

Question 5 feedback

Correct. This is an example of avoidance; in order to avoid the risk of unauthorized use of the personal data,
Siobhan chose not to engage in the activity.

Question 6 1 / 1 point

Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with
writing a document that describes, step-by-step, how to securely install the operating system on a
new laptop. This document is an example of a ________. (D1, L1.4.1)

A) Policy

B) Standard

C) Procedure

D) Guideline

Question 6 feedback

Correct. A procedure (sometimes referred to as a "process" document) is a description of how to perform
an action. It is usually written by the office/person who performs that action on a regular basis.

Question 7 0 / 1 point

Lankesh is the security administrator for a small food-distribution company. A new law is published by the
country in which Lankesh's company operates; the law conflicts with the company's policies. Which
governance element should Lankesh's company follow? (D1, L1.4.2)

A) The law

B) The policy

C) Any procedures the company has created for the particular activities affected by the law

D) Lankesh should be allowed to use personal and professional judgment to make the determination
of how to proceed

Question 7 feedback

Incorrect because policies do not outrank laws. Laws cannot be violated.

Question 8 0 / 1 point

Kristal is the security administrator for a large online service provider. Kristal learns that the company is
harvesting personal data of its customers and sharing the data with local governments where the company
operates, without the knowledge of the users, to allow the governments to persecute users on the basis of
their political and philosophical beliefs. The published user agreement states that the company will not
share personal user data with any entities without the users' explicit permission.

According to the (ISC)2 Code of Ethics, to whom does Kristal ultimately owe a duty in this situation? (D1, L1.5.1)

A) The governments of the countries where the company operates

B) The company Kristal works for

C) The users

D) (ISC)2

Question 8 feedback

This is incorrect because the company is represented by the third Canon ("principals"), which is subservient
to the first Canon.

Question 9 1 / 1 point

While taking the certification exam for this certification, you notice another candidate for the certification
cheating. What should you do? (D1, L1.5.1)


A) Nothing—each person is responsible for their own actions.

B) Yell at the other candidate for violating test security.

C) Report the candidate to (ISC)2.

D) Call local law enforcement.

Question 9 feedback

The Preamble to the (ISC)2 Code of Ethics requires that (ISC)2 membership "requires that we adhere, and
be seen to adhere, to the highest ethical standards of behavior." Cheating violates this standard. (ISC)2 has
enforcement mechanisms for ensuring membership complies with this requirement.

Question 10 1 / 1 point

The concept of "secrecy" is most related to which foundational aspect of security? (D1, L1.1.1)

A) Confidentiality

B) Integrity

C) Availability

D) Plausibility

Question 10 feedback

Correct. Confidentiality is about limiting access to information/assets and is therefore most similar
to secrecy.

Congratulations, you passed the quiz!

You've achieved an overall grade of 70% or higher and completed this activity.
