
Appendix: Self-Test

Chapter 2: Domain 1: Security and Risk Management

  1. Which of the following would be an example of a policy statement?
    A. Protect PII by hardening servers
    B. Harden Windows 11 by first installing the pre-hardened OS image
    C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
    D. Download the CISecurity Windows benchmark and apply it

Correct Answer and Explanation: A. Answer A is correct; policy is high-level and mandatory, and avoids technology specifics: it states what must be protected (PII) and the general means (hardening) without saying how to do it on any particular platform.

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. B is a procedural statement (step-by-step instructions for a specific platform). C is a guideline (discretionary advice). D is a baseline (a minimum required configuration standard).

  2. Which of the following describes the money saved by implementing a security control?
    A. Total Cost of Ownership
    B. Asset Value
    C. Return on Investment
    D. Control Savings

Correct Answer and Explanation: C. Answer C is correct; Return on Investment (ROI) is the amount of money saved by protecting an asset with a security control.

Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. Total Cost of Ownership is the cost of implementing a security control. Asset Value is the value of the protected asset. Control Savings is a distracter answer that describes ROI without using the proper term.

  3. According to the General Data Protection Regulation (GDPR), what is the maximum fine for a breach?
    A. €20 million or 4% of global revenue (whichever is lower)
    B. €20 million or 4% of global revenue (whichever is higher)
    C. €20 million or 4% of global profit (whichever is lower)
    D. €20 million or 4% of global profit (whichever is higher)

Correct Answer and Explanation: B. Answer B is correct; the maximum GDPR fine is €20 million or 4% of total worldwide annual turnover (revenue) for the preceding financial year, whichever is higher (Article 83(5)).

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. The maximum fine is the higher of the two figures, and it is based on global revenue (turnover), not profit. A lower tier of €10 million or 2% of global revenue, whichever is higher, applies to less serious infringements (Article 83(4)).

  4. Which of the following proves an identity claim?
    A. Authentication
    B. Authorization
    C. Accountability
    D. Auditing

Correct Answer and Explanation: A. Answer A is correct; authentication proves an identity claim.

Incorrect Answers and Explanations: B, C, and D. Answers B, C, and D are incorrect. Authorization describes the actions an authenticated subject is allowed to take on an object. Accountability ties each action to the subject who performed it, via audit records, so that users can be held responsible for what they do. Auditing verifies compliance with an information security framework.
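The distinction between authentication, authorization and accountability is easiest to see when all three are separate steps on one access path. The following is an added example, not part of the self-test or the book's text: a small access-mediation function that first proves the identity claim (salted PBKDF2 password verifier), then consults an ACL for what that subject may do, then writes an audit record so the decision can be traced back to the subject. The user names, passwords, file name and ACL are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed example: authentication, authorization and accountability as
# three separate checks on one access path. Users, passwords, the object
# name and the ACL below are hypothetical.

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password verifier (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _new_credential(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


# Identity store: verifiers only, never plaintext passwords.
USERS = {
    "alice": _new_credential("correct horse battery staple"),
    "bob": _new_credential("hunter2"),
}

# Authorization data: object -> subject -> permitted actions (a simple ACL).
ACL = {
    "payroll.csv": {"alice": {"read", "write"}, "bob": {"read"}},
}

# Accountability data: one audit record per access decision.
AUDIT_LOG = []


def authenticate(username: str, password: str) -> bool:
    """Prove the identity claim: does the caller know this user's secret?"""
    user = USERS.get(username)
    if user is None:
        # Do the same work for unknown users so response time does not
        # reveal which user names exist.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def authorize(username: str, obj: str, action: str) -> bool:
    """Decide what an already-authenticated subject may do with the object."""
    return action in ACL.get(obj, {}).get(username, set())


def access(username: str, password: str, obj: str, action: str) -> str:
    """Mediate one request: authenticate, then authorize, then record the outcome."""
    if not authenticate(username, password):
        outcome = "denied: authentication failed"
    elif not authorize(username, obj, action):
        outcome = "denied: not authorized"
    else:
        outcome = "allowed"
    # Accountability: the record names subject, object, action and result,
    # so the action can later be traced to whoever requested it.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": username,
        "object": obj,
        "action": action,
        "outcome": outcome,
    })
    return outcome


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.csv", "write"))
    print(access("bob", "hunter2", "payroll.csv", "write"))
    print(access("mallory", "guess", "payroll.csv", "read"))
    for record in AUDIT_LOG:
        print(record)
```

Note that bob authenticates successfully but is still refused the write: passing authentication says nothing about what a subject may do, which is exactly why the two answers are different. Every request, allowed or denied, produces an audit record; accountability depends on logging the failures as well as the successes.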

  5. Which of the following protects against unauthorized changes to data?
    A. Confidentiality
    B. Integrity
    C. Availability
    D. Alteration

Correct Answer and Explanation: B. Answer B is correct; integrity protects against unauthorized changes to data.

Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. Confidentiality protects against unauthorized disclosure of data. Availability means systems are available for normal business use. Alteration is unauthorized changes to data: the opposite of integrity.
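"Protects against unauthorized changes" is a stronger requirement than "detects corruption", and the difference shows up in how the integrity check is built. The following is an added example, not part of the self-test or the book's text: it stores a record with an unkeyed SHA-256 digest and with an HMAC-SHA256 tag, then has a simulated attacker with write access to the storage (but no key) alter the record. The key and the record contents are constructed for the example.

```python
import hashlib
import hmac

# Constructed example: an unkeyed hash versus a keyed tag (HMAC) as an
# integrity check. The key and record values below are hypothetical.


def sha256_tag(data: bytes) -> bytes:
    """Unkeyed digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).digest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag: only a holder of the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).digest()


def store_with_hash(data: bytes) -> dict:
    return {"data": data, "check": sha256_tag(data)}


def store_with_hmac(key: bytes, data: bytes) -> dict:
    return {"data": data, "check": hmac_tag(key, data)}


def check_hash(stored: dict) -> bool:
    return hmac.compare_digest(sha256_tag(stored["data"]), stored["check"])


def check_hmac(key: bytes, stored: dict) -> bool:
    return hmac.compare_digest(hmac_tag(key, stored["data"]), stored["check"])


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate accidental corruption: one bit changes, the check value does not."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def attacker_rewrite(stored: dict, new_data: bytes) -> dict:
    """Deliberate, unauthorized change by someone who can write the storage
    but does not hold the key: replace the data and recompute the only
    check value they are able to compute, the unkeyed digest."""
    return {"data": new_data, "check": sha256_tag(new_data)}


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"      # constructed; real keys come from a CSPRNG/KMS
    record = b"transfer amount=100 to=acct-1234"     # constructed sample record
    altered = b"transfer amount=999 to=acct-6666"    # what the attacker wants stored

    hashed = store_with_hash(record)
    corrupted = {"data": flip_bit(record), "check": hashed["check"]}
    forged_hash = attacker_rewrite(hashed, altered)

    tagged = store_with_hmac(key, record)
    forged_hmac = attacker_rewrite(tagged, altered)

    return {
        # An unkeyed hash catches a random bit flip...
        "hash_catches_corruption": not check_hash(corrupted),
        # ...but not an attacker who rewrites both the data and the digest.
        "hash_catches_attacker": not check_hash(forged_hash),
        # The keyed tag accepts the genuine record...
        "hmac_accepts_original": check_hmac(key, tagged),
        # ...and rejects the rewritten one, because the attacker cannot
        # produce a tag for the new data without the key.
        "hmac_catches_attacker": not check_hmac(key, forged_hmac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unkeyed digest only defends against accidents, which is why file checksums published next to the download do not protect the download from a compromised mirror. A keyed tag (or a digital signature, which plays the same role with a private key) is what turns "detect changes" into "protect against unauthorized changes"; the key itself must then be kept out of reach of whoever can write the data.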