Free Cybersecurity-Architecture-and-Engineering Practice Test Questions 2026

70 Questions


Last Updated On: 13-Mar-2026


Facing the WGU Cybersecurity Architecture and Engineering (D488) exam in 2026 is challenging, but preparing with the right tools makes all the difference. Our Cybersecurity-Architecture-and-Engineering practice test isn't just another set of questions. It's your strategic advantage for conquering the certification. Candidates who complete our Cybersecurity-Architecture-and-Engineering practice questions are approximately 35% more likely to pass the exam on their first attempt compared to those who study without a realistic WGU Cybersecurity Architecture and Engineering (D488) practice exam. This isn't coincidence. It's the power of effective preparation.

Which operation converts raw data into information?


A. Input


B. Output


C. Storage


D. Processing





D. Processing

Summary:
This question tests the understanding of the core stages of the Information Processing Cycle (Input, Processing, Storage, Output). Raw data consists of unorganized facts and figures. For this data to become meaningful information, it must be transformed. This transformation occurs through a specific operation that involves manipulation, calculation, or organization.

Correct Option:

D. Processing:
Processing is the stage where the computer performs operations on the raw data.

This includes actions like sorting, calculating, analyzing, formatting, or summarizing the data.

It is this active manipulation that adds context and meaning, thereby converting raw input data into useful, interpretable information.

Incorrect Options:

A. Input:
Input is the stage of entering raw data into the computer system. It is the starting point but does not itself change the data's form or meaning.

B. Output:
Output is the stage of presenting the already-processed information from the computer to the user (e.g., on a screen or report). The conversion has already happened by this stage.

C. Storage:
Storage involves saving data or information for future use, either before or after processing. It preserves data but does not perform the conversion.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-160 Vol. 1 (Systems Security Engineering): This publication discusses the system life cycle and the transformation of data into information. It emphasizes that the value and meaning are added through processing functions, and securing this processing stage is critical to ensuring the integrity and usefulness of the resulting information.

Which item is an input device?


A. Printer


B. Flash Drive


C. CD


D. Scanner





D. Scanner

Summary:
This question tests the fundamental knowledge of computer hardware categories. An input device is any hardware component that allows a user to enter data or instructions into a computer. The core function is sending data to the computer system. This is distinct from an output device, which presents data from the computer to the user, and storage devices, which hold data.

Correct Option:

D. Scanner:
A scanner is a classic input device.

It converts physical documents, images, or photographs into a digital format (data) that can be stored and manipulated on a computer.

It sends this digitized data into the computer system, fulfilling the definition of an input device.

Incorrect Options:

A. Printer:
A printer is an output device. It receives digital data from the computer and produces a physical hard copy (output) on paper.

B. Flash Drive:
A flash drive is a storage device. It is used to store data and transfer it between computers. It is not primarily used for direct data entry.

C. CD (Compact Disc):
A CD is a storage medium. Like a flash drive, it holds data but does not itself function as an input device for entering new data into the computer.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations): Control families like PE-3 (Physical Access Control) and MP (Media Protection) differentiate between system components. Understanding what constitutes an input device is foundational for applying appropriate physical and logical controls, as input devices can be potential vectors for introducing malicious data into a system.

When is it better to purchase software rather than build a software solution in-house?


A. When the company has very specific needs


B. When the company wants internal growth


C. When there is a short timeline


D. When the company wants to develop the skill sets of its internal IT staff





C. When there is a short timeline

Summary:
This question addresses the classic "build vs. buy" decision in software acquisition. Purchasing Commercial Off-The-Shelf (COTS) software is typically driven by factors like cost, time, and resource efficiency. The key advantage of buying is leveraging a pre-built, tested, and supported solution to meet business needs quickly, avoiding the significant time and investment required for internal development.

Correct Option:

C. When there is a short timeline:
Developing software in-house is a time-consuming process involving requirements gathering, design, coding, testing, and deployment.

Purchasing an existing product allows for immediate or rapid implementation, drastically reducing the time-to-solution.

This makes it the preferable strategy when business needs must be met under a tight deadline.

Incorrect Options:

A. When the company has very specific needs:
This is a primary reason to build in-house. COTS software is designed for a broad market and may lack the customization required for highly unique or specific business processes.

B. When the company wants internal growth:
Building a solution in-house is a direct way to grow internal development teams and expertise. Purchasing software does not contribute to this goal.

D. When the company wants to develop the skill sets of its internal IT staff:
This is a reason to build a solution. A development project provides hands-on experience that upskills the IT staff, whereas purchasing software offers no such developmental benefit.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-64 (Security Considerations in the System Development Life Cycle): This guide discusses the phases of the SDLC. It notes that using existing, accredited COTS products can significantly shorten the development and implementation phases of the life cycle, which aligns with the scenario of having a short timeline.

Which two options allow an application to access a database? Choose 2 answers


A. Structured Query Language (SQL)


B. Java Database Connectivity (JDBC)


C. Database management system (DBMS)


D. Open Database Connectivity (ODBC) application


E. Graphical user interface (GUI)





B. Java Database Connectivity (JDBC)

D. Open Database Connectivity (ODBC) application


Summary:
This question focuses on the mechanisms and interfaces that enable an application program to communicate with a database. The connection requires a standardized interface or protocol that can translate application requests into commands the database understands. These are often specific APIs or connectivity standards, not the database system itself or a general user interface.

Correct Options:
The two correct options are specific connectivity APIs designed for this purpose:

B. Java Database Connectivity (JDBC):
This is an API for the Java programming language that defines how a client may access a database. It provides methods to query and update data in a database and is a standard for Java applications.

D. Open Database Connectivity (ODBC):
This is a standard API for accessing database management systems (DBMS). It allows applications to access data from various DBMSs using SQL, regardless of the operating system or the specific database product.

Incorrect Options:

A. Structured Query Language (SQL):
SQL is the language used to communicate with a database to perform operations like querying or updating data. It is the "what," not the "how." An application uses a connectivity driver (like JDBC/ODBC) to send SQL commands.

C. Database management system (DBMS):
The DBMS (e.g., Oracle, MySQL) is the software that manages the database. The application connects to the DBMS using a driver like JDBC or ODBC; the DBMS itself is the endpoint, not the access method.

E. Graphical user interface (GUI):
A GUI is a type of user interface that allows users to interact with an application through graphical icons. While a GUI application might use JDBC or ODBC to access a database, the GUI itself is not the access mechanism.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations): Controls such as SC-8 (Transmission Confidentiality and Integrity) and IA-5 (Authenticator Management) are relevant to the secure configuration of database connectivity interfaces like ODBC and JDBC, as these are common channels through which data is accessed and must be protected.

What is the typical organizing principle of a database?


A. Selective


B. Projection


C. Relational


D. Modular





C. Relational

Summary:
This question addresses the fundamental logical model used to structure data in modern databases. While various models exist (hierarchical, network, object-oriented), one model has become the overwhelmingly dominant standard for organizing data due to its efficiency, flexibility, and simplicity. This model structures data into tables (relations) consisting of rows and columns.

Correct Option:

C. Relational:
The Relational model is the de facto standard for organizing data in most business and administrative databases.

Data is logically structured in two-dimensional tables (relations) with rows (tuples/records) and columns (attributes/fields).

Relationships between tables are established through shared keys (primary and foreign keys), which maintain data integrity and avoid redundancy.

Incorrect Options:

A. Selective:
"Selective" is not a recognized database model. It may describe a query operation (SELECT in SQL) but not the core organizing principle of the database itself.

B. Projection:
"Projection" is a fundamental operation in relational algebra (and SQL) used to choose specific columns from a table. It is an operation performed on a database, not the principle used to organize it.

D. Modular:
"Modular" is a software design principle where a system is broken down into separate, interchangeable components. While a Database Management System (DBMS) might be built with a modular architecture, it does not describe how the data within the database is logically organized.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-73 (Interfaces for Personal Identity Verification): This specification, which defines data structures for PIV cards, relies on a highly structured data model. The logical data model it uses for organizing identity credentials is fundamentally based on the relational paradigm, with defined objects, attributes, and relationships.

A company may choose to use CDs, DVDs, hard drives, or even cloud storage for data backup. Which aspect of data backup does this statement describe?


A. Data mirroring


B. Incremental backups


C. Image backups


D. Backup media





D. Backup media

Summary:
This question focuses on the physical components used in a backup strategy. The statement lists various tangible and virtual storage destinations—CDs, DVDs, hard drives, and cloud storage. These are all different types of hardware or storage services used to hold the copied (backed-up) data. The aspect being described is the physical or logical medium onto which the backup is written.

Correct Option:

D. Backup media:
Backup media refers to the physical or virtual storage location where the backup data is recorded and stored.

The listed items (CDs, DVDs, hard drives, cloud storage) are all examples of different types of backup media.

The choice of media involves trade-offs between cost, capacity, durability, access speed, and portability.

Incorrect Options:

A. Data mirroring:
This is a real-time redundancy technique where data is written simultaneously to two or more disks, creating an exact, live copy. It is for high availability, not a scheduled backup to removable or cloud media.

B. Incremental backups:
This describes a method of backup that only copies data that has changed since the last backup. It is a strategy for what data to copy, not the medium it is stored on.

C. Image backups:
This describes a type of backup that creates a complete sector-by-sector copy of an entire disk or partition. It is a strategy for what is being copied (the entire system image), not the specific media used to store that image.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-34 (Contingency Planning Guide for Federal Information Systems): This guide discusses backup storage strategies and explicitly differentiates between backup methods (like incremental) and backup storage media and locations (e.g., tape, disk, off-site, cloud), which must be selected based on the system's recovery requirements.

What is scope creep?


A. Realization that the organization staffing is inadequate


C. The extent of the project that lacks needed requirements


D. Small changes in a project that lead to bigger changes


E. When the project is completed in less than the required time





D. Small changes in a project that lead to bigger changes

Summary:
This question tests knowledge of a common project management challenge. Scope creep refers to the uncontrolled and often unplanned expansion of a project's goals and deliverables after the project has begun. It typically occurs when new features, functions, or requirements are added without corresponding adjustments to the project's timeline, budget, or resources, leading to inefficiency and potential failure.

Correct Option:

D. Small changes in a project that lead to bigger changes:
This is the most accurate definition of scope creep.

It often starts with minor, seemingly reasonable requests or additions that accumulate over time.

These incremental changes collectively expand the project's scope beyond its original objectives, causing delays, budget overruns, and strain on resources.

Incorrect Options:

A. Realization that the organization staffing is inadequate:
This describes a resource allocation or capacity planning issue, not scope creep. While scope creep can cause inadequate staffing, they are not the same thing.

C. The extent of the project that lacks needed requirements:
This describes a project with incomplete initial planning or requirement gathering. Scope creep, by contrast, involves adding to the requirements after they have been formally established and agreed upon.

E. When the project is completed in less than the required time:
This describes a project that is ahead of schedule, which is generally seen as a positive outcome and is unrelated to the uncontrolled growth of project deliverables.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-160 Vol. 1 (Systems Security Engineering): This guide discusses the importance of well-defined and managed requirements throughout the system development life cycle. It emphasizes that uncontrolled changes to requirements (scope creep) can introduce security risks, undermine system design integrity, and lead to project failure, highlighting the need for formal change control processes.

Which characteristic identifies intranet application software?


A. Hosted by an outsourced provider


B. Hosted in the internal business network


C. Hosted by a third-party web portal


D. Hosted on an individual computer





B. Hosted in the internal business network

Summary:
This question focuses on the defining characteristic of an intranet. An intranet is a private network that uses internet technologies (like web servers and browsers) to serve the internal needs of an organization. The key differentiator is its accessibility and hosting location; it is confined within the organization's own network boundaries and is not accessible from the public internet.

Correct Option:

B. Hosted in the internal business network:
This is the core characteristic of an intranet application.

The software and data are hosted on servers physically or logically located within the organization's private network infrastructure.

Access is typically restricted to authorized employees, partners, or others within the organization's trust boundary, often requiring a connection to the internal network or a VPN.

Incorrect Options:

A. Hosted by an outsourced provider:
This describes a hosted or cloud service model. While it could be configured for private access, it is not inherently an intranet, which is defined by its private network scope, not its ownership.

C. Hosted by a third-party web portal:
This describes an external, public-facing or partner-facing (extranet) service. An intranet is specifically internal and not hosted on a third-party's public portal.

D. Hosted on an individual computer:
This describes a standalone or desktop application. Intranet applications are network-based and shared, serving multiple users from a central server within the business network.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations): Controls such as SC-7 (Boundary Protection) are critical for defining and protecting the network perimeter. An intranet resides inside this protected boundary, and its identification is fundamental for applying the correct level of network segmentation and access control.

What is a characteristic of algorithms?


A. No starting or stopping point


B. Random instructions


C. Unambiguous rules


D. Constantly changing





C. Unambiguous rules

Summary:
This question tests the fundamental definition of an algorithm in computer science. An algorithm is a finite, step-by-step set of well-defined instructions designed to solve a specific problem or perform a computation. Its core characteristics ensure it is a reliable and effective procedure that can be translated into a computer program.

Correct Option:

C. Unambiguous rules:
This is a primary characteristic of a proper algorithm.

Each step must be precisely defined and clear, leaving no room for misinterpretation. This allows the algorithm to be executed consistently by a human or a machine.

Ambiguity would lead to incorrect or unpredictable outcomes, defeating the purpose of a defined procedure.

Incorrect Options:

A. No starting or stopping point:
An algorithm must be finite. It must have a clear starting point and a defined ending point (termination) after a finite number of steps. An infinite loop is a flaw, not a characteristic.

B. Random instructions:
Algorithms are deterministic and structured. While an algorithm might use randomness (e.g., a random number generator), the instructions that define the algorithm itself are logical and deliberate, not random.

D. Constantly changing:
An algorithm is a fixed sequence of steps for solving a given problem. If the instructions are constantly changing, it is not a single, defined algorithm but rather an evolving process or a different algorithm altogether.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-90A (Recommendation for Random Number Generation): This publication details algorithms for generating random numbers. It emphasizes that these algorithms are unambiguous, deterministic procedures with defined starting points (seeds) and stopping points, whose every step is precisely specified to ensure predictable and verifiable operation, even when generating randomness.

In which state is data considered information?


A. Raw


B. Input


C. Unprocessed


D. Processed





D. Processed

Summary:
This question addresses the core distinction between data and information in information systems. Data refers to raw, unorganized facts and figures (e.g., numbers, text). Information is data that has been processed, organized, structured, or presented in a given context to make it meaningful, useful, and informative for decision-making.

Correct Option:

D. Processed:
Data becomes information when it has been processed.

Processing involves actions like sorting, calculating, summarizing, or contextualizing raw data.

This transformation adds meaning, relevance, and purpose, converting isolated facts into useful knowledge that can support conclusions or actions.

Incorrect Options:

A. Raw:
Raw data is in its initial, unrefined state. Without processing, it lacks context and is not yet information.

B. Input:
The input stage is when raw data is entered into a system for processing. The data is still unprocessed at this point.

C. Unprocessed:
This is synonymous with "raw." Unprocessed data has not been transformed and therefore has not yet become information.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-160 Vol. 1 (Systems Security Engineering): This guide discusses the transformation of data into information within system life cycle processes. It emphasizes that value and meaning are added through processing functions, and the security of this processing stage is critical to ensuring the integrity, confidentiality, and usefulness of the resulting information.

What is true about an operating system?


A. It is a firmware burned onto the computer motherboard.


B. It is a software program that directly supports the computer itself.


C. It is a hardware component of the computer system.


D. It is an application program similar to word processors.





B. It is a software program that directly supports the computer itself.

Summary:
This question tests the fundamental definition of an operating system (OS). The OS is the most critical software on a computer, acting as an intermediary between the hardware and the user/applications. Its primary role is to manage the computer's hardware resources (CPU, memory, storage) and provide common services that application programs need to run.

Correct Option:

B. It is a software program that directly supports the computer itself.
The operating system is system software, not firmware or hardware.

Its core function is to manage the computer's hardware resources, such as the CPU, memory, and disk drives.

It provides a stable, consistent way for applications to interact with the hardware without needing to know the precise hardware details.

Incorrect Options:

A. It is a firmware burned onto the computer motherboard:
This describes the BIOS or UEFI, which is low-level software that initializes the hardware during boot-up and loads the operating system. The OS itself is stored on a hard drive or SSD.

C. It is a hardware component of the computer system:
The OS is software, not physical hardware. Hardware components are the physical parts like the motherboard, RAM, and CPU.

D. It is an application program similar to word processors:
Application software (like word processors) are programs that perform specific tasks for the user. They run on top of the operating system, which manages the resources they use.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations): Control families like SI-7 (Software, Firmware, and Information Integrity) differentiate between the operating system (software), firmware, and applications. The OS is identified as the foundational software platform that must be secured to protect all other software running on the system.

Which two options allow an application to access a database? Choose 2 answers


A. Structured Query Language (SQL)


B. Java Database Connectivity (JDBC)


C. Database management system (DBMS)


D. Open Database Connectivity (ODBC) application





B. Java Database Connectivity (JDBC)

D. Open Database Connectivity (ODBC) application

Summary:
This question focuses on the specific mechanisms and interfaces that enable an application program to communicate with a database. The connection requires a standardized interface or protocol that can translate application requests into commands the database understands. These are often specific APIs or connectivity standards, not the database system itself or the query language.

Correct Options:
The two correct options are specific connectivity APIs designed for this purpose:

B. Java Database Connectivity (JDBC):
This is an API for the Java programming language that defines how a client may access a database. It provides methods to query and update data in a database and is a standard for Java applications.

D. Open Database Connectivity (ODBC):
This is a standard API for accessing database management systems (DBMS). It allows applications to access data from various DBMSs using SQL, regardless of the operating system or the specific database product.

Incorrect Options:

A. Structured Query Language (SQL):
SQL is the language used to communicate with a database to perform operations like querying or updating data. It is the "what," not the "how." An application uses a connectivity driver (like JDBC/ODBC) to send SQL commands.

C. Database management system (DBMS):
The DBMS (e.g., Oracle, MySQL) is the software that manages the database. The application connects to the DBMS using a driver like JDBC or ODBC; the DBMS itself is the endpoint, not the access method.

Reference:
National Institute of Standards and Technology (NIST) Special Publication 800-53 (Security and Privacy Controls for Information Systems and Organizations): Controls such as SC-8 (Transmission Confidentiality and Integrity) and IA-5 (Authenticator Management) are relevant to the secure configuration of database connectivity interfaces like ODBC and JDBC, as these are common channels through which data is accessed and must be protected.



What Makes Our WGU Cybersecurity Architecture and Engineering (D488) Practice Test So Effective?

Real-World Scenario Mastery: Our Cybersecurity-Architecture-and-Engineering practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before WGU Cybersecurity Architecture and Engineering (D488) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive Cybersecurity-Architecture-and-Engineering practice exam questions pool covering all topics, the real exam feels like just another practice session.