Risk and Control Selection Lab
Key Takeaways
- Scenario questions ask for the control that best reduces the stated risk, not the most expensive, most technical, or most exhaustive option.
- Administrative, technical, and physical controls layer together; the strongest CC answer usually pairs governance with one implementable control.
- Risk responses are mitigate, avoid, transfer, and accept; acceptance is only valid when an authorized risk owner approves the residual risk.
- Control choice weighs asset value, likelihood, impact, business need, and remaining residual risk, then keeps operations running.
- The October 1, 2025 CC outline weights the five domains 26, 10, 22, 24, and 18 percent; a new outline takes effect September 1, 2026, so integrated review must cross all domains.
How Integrated CC Questions Are Built
Integrated Certified in Cybersecurity (CC) questions give you a business problem first and a security term second. Read the asset, threat, vulnerability, impact, and constraint before you pick a control. The current CC exam outline is effective October 1, 2025; a revised outline takes effect September 1, 2026, adding a Security Governance domain and weaving AI concepts through all five domains. Today's exam uses computer adaptive testing (CAT), allows 120 minutes, delivers 100 to 125 items, and requires 700 out of 1000 to pass. ISC2 does not publish that as a percentage, so never convert 700/1000 into 70 percent.
Domain weights are Security Principles 26 percent, Business Continuity/DR/IR 10 percent, Access Control Concepts 22 percent, Network Security 24 percent, and Security Operations 18 percent. A single lab item can blend several of these, so build the habit of mapping each clue to a domain.
Lab Scenario
A small healthcare billing company stores customer invoices, payment details, and support tickets. Staff work both on-site and remotely. The firm has a limited budget, no dedicated security team, and a recent audit that found shared administrator passwords, untested backups, internet-exposed Remote Desktop Protocol (RDP), and no formal authority for accepting risk. Management asks for "the fastest way to be secure."
The best exam answer is never "buy one tool." The practical answer reduces the highest risks with controls that fit the environment. Shared admin passwords destroy accountability. Exposed RDP enlarges the network attack surface. Untested backups make recovery uncertain. Informal risk acceptance is a governance gap because no authorized owner has signed off on residual risk.
Finding-to-Control Decision Table
| Finding | Primary risk | Best first control | Control type | Why it fits |
|---|---|---|---|---|
| Shared administrator password | No accountability, broad misuse | Unique admin accounts, least privilege, MFA | Technical + administrative | Ties actions to individuals; cuts credential abuse |
| Internet-exposed RDP (TCP 3389) | Remote brute force or compromise | Block direct exposure; require VPN or managed access | Technical | Removes unnecessary external attack surface |
| Backups never restored | Recovery failure during ransomware/outage | Schedule restore tests; document results | Administrative + technical | Proves the availability control actually works |
| No risk owner | Unauthorized risk acceptance | Define risk-acceptance authority | Administrative | Makes residual risk a business decision |
| Visitor access to billing area | Unauthorized viewing or tampering | Badges, escort rules, locked rooms | Physical + administrative | Protects sensitive workspaces |
Risk Response Drill
Use the four response verbs precisely. Mitigate applies a control to lower likelihood or impact. Avoid stops the risky activity entirely. Transfer shifts some financial or operational impact, commonly through insurance or contract terms, while you still retain responsibility. Accept means living with residual risk after an authorized decision. A help-desk technician cannot accept enterprise risk alone simply because a fix is inconvenient.
For the billing company, leaving RDP open because "nothing bad has happened yet" is not responsible acceptance. Blocking RDP from the internet and requiring VPN with MFA is mitigation. Halting all remote administration would be avoidance, but it may not support operations. Cyber insurance may transfer some financial loss, yet it never replaces backups, access control, or incident response.
Five-Step Multi-Domain Chain
Many performance-based question (PBQ) prompts ask you to drag, match, or rank controls for a mixed environment. Run a short chain:
| Step | Question | Example answer |
|---|---|---|
| 1 | What asset matters most? | Billing records and payment data |
| 2 | What can go wrong? | Unauthorized access, ransomware, outage |
| 3 | Which CIA goal is most affected? | Confidentiality and availability |
| 4 | Which control directly reduces that risk? | MFA, least privilege, tested backups |
| 5 | What remains? | Residual risk approved by an authorized owner |
Quantifying Risk Without a Calculator
CC does not ask you to compute exact numbers, but it expects the relationships. Risk rises with both likelihood and impact, so a high-likelihood, high-impact finding outranks a rare, low-impact one. Exposed RDP combined with shared admin credentials is high on both axes: easy to find and severe if abused. Untested backups are high-impact (recovery could fail entirely) even if the triggering event is less frequent. When a prompt lists several findings, order them by combined likelihood and impact, then act on the top of that list first.
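The ranking rule above, plus the acceptance rule from the risk response drill, can be made concrete with a small script. This is an added example, not part of the lab or of any ISC2 material: the 1 to 5 likelihood and impact ratings for each finding, the high/medium/low thresholds, and the set of roles treated as authorized risk owners are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    likelihood: int      # 1 (rare) .. 5 (near certain); constructed rating
    impact: int          # 1 (negligible) .. 5 (severe); constructed rating
    first_control: str   # "best first control" from the decision table

    @property
    def score(self) -> int:
        # Risk rises with both axes, so the product captures the relationship
        return self.likelihood * self.impact

# Lab findings with constructed ratings (assumption, not exam data)
FINDINGS = [
    Finding("Internet-exposed RDP with shared admin credentials", 5, 5,
            "Block direct RDP exposure; require VPN with MFA; unique admin accounts"),
    Finding("Backups never restored", 3, 5,
            "Schedule restore tests; document results"),
    Finding("No risk-acceptance authority", 4, 3,
            "Define risk-acceptance authority"),
    Finding("Visitor access to billing area", 2, 3,
            "Badges, escort rules, locked rooms"),
]

def rating(score: int) -> str:
    """Bucket a score into the qualitative levels a CC prompt uses (constructed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def rank_findings(findings):
    """Order by combined likelihood and impact; on a tie, the higher-impact finding wins,
    because a recovery failure outranks an equally scored nuisance."""
    return sorted(findings, key=lambda f: (f.score, f.impact), reverse=True)

# Roles allowed to sign off on residual risk (assumption for the example)
AUTHORIZED_RISK_OWNERS = {"ciso", "risk owner", "executive sponsor"}

def decide_acceptance(finding: Finding, requested_by_role: str, documented: bool):
    """Acceptance is valid only when an authorized owner records the residual-risk decision.
    Returns (accepted, reason)."""
    role = requested_by_role.strip().lower()
    if role not in AUTHORIZED_RISK_OWNERS:
        return False, (f"{requested_by_role} cannot accept enterprise risk for "
                       f"'{finding.name}'; escalate to an authorized risk owner")
    if not documented:
        return False, "acceptance must be documented with residual risk and rationale"
    return True, f"residual risk for '{finding.name}' accepted by {requested_by_role}"

if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{f.score:>2} {rating(f.score):<6} {f.name}: {f.first_control}")
    print(decide_acceptance(FINDINGS[0], "help desk technician", True))
    print(decide_acceptance(FINDINGS[2], "Risk Owner", True))
```

Running it lists the exposed RDP finding first and visitor access last, and shows the help-desk request being refused while the same decision from a risk owner is recorded; the ratings drive the order, so changing them is the quickest way to see how a prompt's wording ("rarely", "severe") shifts the ranking.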
Remember the control families and how they reinforce one another:
- Administrative controls are policies, procedures, training, and approvals (for example, defining a risk-acceptance authority).
- Technical (logical) controls are software and hardware mechanisms such as MFA, firewalls, and encryption.
- Physical controls are badges, locks, guards, and barriers protecting facilities and equipment.
- Controls also serve functions: preventive (stop an event), detective (notice it), and corrective (recover from it). Tested backups are corrective; MFA is preventive; log review is detective.
Common Traps
When two answers look reasonable, prefer the one specific to the scenario. "Encrypt everything" helps confidentiality but does not fix shared admin accounts or prove backups restore. "Write a policy" may be necessary, yet a policy alone never blocks exposed RDP. Watch for distractors that are real controls aimed at the wrong risk, controls that exceed the stated budget, and any option that lets a low-authority role accept enterprise risk. Also reject answers that solve a future or theoretical problem while ignoring the active, stated finding.
The strongest CC answer pairs governance with an implementable control, matches the budget and team size described, and keeps the business operating while residual risk is formally owned.
Practice Questions
- A manager asks a help desk technician to formally accept the risk of leaving internet-exposed RDP enabled for convenience. What is the best response?
- Which control most directly addresses the risk created by shared administrator passwords?
- A company buys cyber insurance but does not test backups or remove unnecessary exposed services. Which risk response is insurance most closely associated with?