Free Practice Questions for ISC CC Exam

Qualitative risk analysis evaluates risk using descriptive categories such aslow,medium, andhighinstead of numerical values. This approach relies on expert judgment, experience, and contextual understanding rather than precise financial or statistical calculations. According to NIST SP 800-30, qualitative analysis is especially useful when numerical data is unavailable or when rapid risk prioritization is required.

Unlike quantitative risk analysis, which assigns monetary values and probabilities, qualitative analysis focuses on relative severity and likelihood. It is commonly used during early stages of risk management, policy development, and executive decision-making. While less precise, qualitative risk analysis is easier to communicate to stakeholders and helps organizations focus resources on the most critical risks.

IPv6 was introduced primarily due toIPv4 address exhaustion, enabling vastly expanded address space.

The four primary risk response strategies areaccept, avoid, mitigate (reduce), and transfer. Monitoring is an ongoing activity, not a formal risk treatment option.

Abotis malware that allows attackers to remotely control infected systems, often forming botnets used for DDoS attacks, spam, or credential theft.

Mandatory Access Control (MAC) enforces centrally managed security labels and clearances, making it suitable for classified and government systems.

Access control ensures that only authorized users can access specific resources. It includes authentication, authorization, and enforcement mechanisms.

Encryption protects data confidentiality, firewalls control network traffic, and antivirus detects malware. Only access control directly governs who can access sensitive information.

Standards define mandatory technical or operational requirements that must be followed to comply with policy. Guidelines are optional, and procedures provide step-by-step instructions.

Antivirus softwareis apreventive security controldesigned to stop known malware threats before they can execute or spread within a system. Antivirus solutions use signature-based detection, heuristic analysis, and increasingly behavior-based techniques to block malicious code such as viruses, worms, trojans, and ransomware.

In contrast,IDS (Intrusion Detection Systems)andHIDS (Host-based IDS)are primarilydetective controls. They monitor systems and networks for suspicious activity but do not inherently block threats.SIEMplatforms aggregate and analyze logs for visibility and correlation; they support detection and response but do not directly prevent threats.

According to NIST SP 800-53, preventive controls are designed to stop incidents from occurring, while detective controls identify events after or during occurrence. Therefore, antivirus is the correct choice as it directly prevents threats.

Asecurity incidentis an event or series of events that indicates a possible compromise of confidentiality, integrity, or availability of information systems or data. According to NIST SP 800-61, incidents include attempted or successful unauthorized access, misuse, modification, or denial of service.

Not all incidents result in breaches, but all breaches are incidents. Incidents trigger incident response processes, investigations, and potential escalation depending on severity.

Platform as a Service (PaaS) provides customers with an environment tobuild, deploy, and manage applicationswithout managing underlying infrastructure. PaaS includes operating systems, middleware, runtime environments, and development tools.

SaaS delivers fully managed applications, while IaaS provides raw infrastructure. PaaS best balances flexibility and operational efficiency for software development.