CISSP Practice Exam Questions

1. Who is the PRIMARY audience for a Business Impact Analysis (BIA) assessment?
   - Owners of time-critical business processes
   - Information Technology (IT) management and all levels of systems administrations
   - Organization as a whole
   - Internal and external auditors

2. Management of deficiencies found from a risk assessment is an important step in the security auditing process for which of the following reasons?
   - To demonstrate the need for a follow-up audit
   - To demonstrate the recommendations are valid
   - To prove more security funding is required for remediation
   - To prioritize remediation and avoid unnecessary costs

3. Which is the MOST important item to align with an organization's information security strategy?
   - Key security controls
   - Industry standards
   - Organizational workflow
   - Organizational objectives

4. The adoption of an enterprise-wide business continuity program requires which of the following?
   - Formation of a Disaster Recovery (DR) project team
   - A completed Business Impact Analysis (BIA)
   - Well-documented information asset classification
   - Good communication throughout the organization

5. Which of the following actions will reduce risk to a laptop before traveling to a high-risk area?
   - Examine the device for physical tampering
   - Implement more stringent baseline configurations
   - Purge or re-image the hard disk drive
   - Change access codes

6. Which of the following represents the GREATEST risk to data confidentiality?
   - Network redundancies are not implemented
   - Security awareness training is not completed
   - Backup tapes are generated unencrypted
   - Users have administrative privileges

7. What is the MOST important consideration from a data security perspective when an organization plans to relocate?
   - Ensure the fire prevention and detection systems are sufficient to protect personnel
   - Review the architectural plans to determine how many emergency exits are present
   - Conduct a gap analysis of the new facilities against existing security requirements
   - Revise the Disaster Recovery and Business Continuity (DR/BC) plan

8. A company whose Information Technology (IT) services are being delivered from a Tier 4 data center,
   - Application
   - Storage
   - Power
   - Network

9. When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
   - Only when standards are defined
   - Only when controls are put in place
   - Only when procedures are defined

10. When presenting a security solution to executive management for approval, which of the following security aspects MUST be provided by the information security officer?
   - Time and cost to implement the proposed solution
   - Benefit and the residual risk after implementation
   - Technical details and time of implementation
   - Configuration parameters and cost of the proposed solutions

11. Which activity is contained in the code of ethics canon "Protect Society, the Commonwealth, and the Infrastructure"?
   - Render only those services for which you are fully competent and qualified
   - Promote the understanding and acceptance of prudent information security measures
   - Observe all contracts and agreements, express or implied
   - Take care not to injure the reputation of other professionals through malice or indifference

12. To control the scope of a Business Continuity Management (BCM) system, a security practitioner should identify which of the following?
   - Business needs of the security organization
   - Size, nature, and complexity of the organization
   - Adaptation model for future recovery planning
   - All possible risks

13. Which of the following is considered the last line of defense in regards to a Governance, Risk management, and Compliance (GRC) program?
   - Risk management
   - Board review
   - Internal audit
   - Internal controls

14. Which of the following is the MOST important activity an organization performs to ensure that security is part of the overall organization culture?
   - Perform formal reviews of security incidents
   - Ensure security policies are issued to all employees
   - Manage a program of security audits
   - Work with senior management to meet business goals

15. Copyright provides protection for which of the following?
   - Ideas expressed in literary works
   - Discoveries of natural phenomena
   - A particular expression of an idea
   - New and non-obvious inventions

16. Which of the following items is the PRIMARY requirement for a Business Continuity Plan (BCP)?
   - The policy and procedures manual
   - An existing BCP from a similar organization
   - A standard checklist of required items and objectives
   - A review of the business processes and procedures

17. What is the threat modeling order using the Process for Attack Simulation and Threat Analysis (PASTA)?
   - Risk/impact analysis, application decomposition, threat analysis, vulnerability detection, attack enumeration
   - Application decomposition, threat analysis, risk/impact analysis, vulnerability detection, attack enumeration
   - Threat analysis, vulnerability detection, application decomposition, attack enumeration, risk/impact analysis
   - Application decomposition, threat analysis, vulnerability detection, attack enumeration, risk/impact analysis

18. The adoption of an enterprise-wide business continuity program requires which of the following?
   - Formation of a Disaster Recovery (DR) project team
   - A completed Business Impact Analysis (BIA)
   - Well-documented information asset classification
   - Good communication throughout the organization

19. Management of deficiencies found from a risk assessment is an important step in the security auditing process for which of the following reasons?
   - To prioritize remediation and avoid unnecessary costs
   - To demonstrate the need for a follow-up audit
   - To demonstrate the recommendations are valid
   - To prove more security funding is required for remediation

20. Intellectual property rights are PRIMARILY concerned with which of the following?
   - Right of the owner to enjoy their creation
   - Owner's ability to realize financial gain
   - Owner's ability to maintain copyright
   - Right of the owner to control delivery method

21. Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?
   - Install mantraps at the building entrances
   - Enclose the personnel entry area with polycarbonate plastic
   - Hire a guard to protect the public area
   - Supply a duress alarm for personnel exposed to the public

22. When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
   - Only when standards are defined
   - Only when controls are put in place
   - Only when assets are clearly defined
   - Only when procedures are defined

23. A company whose Information Technology (IT) services are being delivered from a Tier 4 data center is preparing a companywide Business Continuity Plan (BCP). Which of the following failures should the IT manager be concerned with?
   - Application
   - Storage
   - Power
   - Network

24. What is the MOST important consideration from a data security perspective when an organization plans to relocate?
   - Ensure the fire prevention and detection systems are sufficient to protect personnel
   - Review the architectural plans to determine how many emergency exits are present
   - Conduct a gap analysis of the new facilities against existing security requirements
   - Revise the Disaster Recovery and Business Continuity (DR/BC) plan

25. Compared with hardware cryptography, software cryptography is generally
   - More expensive and slower
   - More expensive and faster
   - Less expensive and faster
   - Less expensive and slower

26. Which of the following protocols transmits user IDs and passwords in plain text?
   - Secure Shell (SSH)
   - Secure File Transfer Protocol (SFTP)
   - Challenge Handshake Authentication Protocol (CHAP)
   - Password Authentication Protocol (PAP)

27. Which of the following is MOST appropriate for protecting confidentiality of data stored on a hard disk?
   - Secure Hash Algorithm 2 (SHA-2)
   - Triple Data Encryption Standard (3DES)
   - Message Digest 5 (MD5)
   - Advanced Encryption Standard (AES)

28. Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
   - Hashing the data after encryption
   - Hashing the data before encryption
   - Compressing the data before encryption
   - Compressing the data after encryption

29. Which security service is served by the process of encrypting plaintext with the sender's private key and decrypting ciphertext with the sender's public key?
   - Confidentiality
   - Integrity
   - Identification
   - Availability

30. Which of the following mobile code security models relies only on trust?
   - Code signing
   - Class authentication
   - Sandboxing
   - Type safety

31. Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
   - Hashing the data before encryption
   - Hashing the data after encryption
   - Compressing the data after encryption
   - Compressing the data before encryption

32. What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
   - Implementation phase
   - Initialization phase
   - Cancellation phase
   - Issued phase

33.
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified by automated vulnerability assessments?
   - Common Vulnerabilities and Exposures (CVE)
   - Common Vulnerability Scoring System (CVSS)
   - Asset Reporting Format (ARF)
   - Open Vulnerability and Assessment Language (OVAL)

34. Who in the organization is accountable for classification of data information assets?
   - Data owner
   - Data architect
   - Chief Information Security Officer (CISO)
   - Chief Information Officer (CIO)

35. What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?
   - Man-in-the-Middle (MITM) attack
   - Session redirect
   - Smurfing
   - Spoofing

36. Which of the following is a common measure within a Local Area Network (LAN) to provide an additional level of security through segmentation?
   - Implementing an Intrusion Detection System (IDS)
   - Implementing a virus scanner
   - Building Virtual Local Area Networks (VLAN)
   - Building Demilitarized Zones (DMZ)

37. Which of the following MOST applies to Session Initiation Protocol (SIP) security?
   - It reuses security mechanisms derived from existing protocols
   - It leverages Hypertext Transfer Protocol (HTTP) over Transport Layer Security (TLS)
   - It requires a Public Key Infrastructure (PKI)
   - It supports end-to-end security natively

38. Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic?
   - Application-level firewall
   - Packet-filter firewall
   - Stateful inspection firewall
   - Content-filtering web proxy

39. How is Remote Authentication Dial-In User Service (RADIUS) authentication accomplished?
   - It uses clear text and firewall rules
   - It relies on asymmetric encryption keys
   - It uses clear text and shared keys
   - It relies on Virtual Private Networks (VPN)

40.
Which of the following was developed to support multiple protocols as well as provide login, password, and error correction capabilities?
   - Point-to-Point Protocol (PPP)
   - Password Authentication Protocol (PAP)
   - Post Office Protocol (POP)
   - Challenge Handshake Authentication Protocol (CHAP)

41. Which of the following are core categories of malicious attacks against Internet of Things (IoT) devices?
   - Node capture and Structured Query Language (SQL) injection
   - Node capture and false data injection
   - Packet capture and false data injection
   - Packet capture and brute force attack

42. Which of the following techniques is MOST useful when dealing with Advanced Persistent Threat (APT) intrusions on live virtualized environments?
   - Logfile analysis
   - Antivirus operations
   - Reverse engineering
   - Memory forensics

43. Which of the following is LEAST affected by electronic interference?
   - Coaxial cable
   - Shielded twisted pair
   - Fiber optic cable
   - Unshielded twisted pair

44. A security manager is informed of a massive malware infection suffered by a Service Provider (SP).
   - Revoke any remote access to the network
   - Trust the SP mitigation measures
   - Review the endpoint patch application status
   - Inform the users of the malware infection

45. What is the BEST way to establish identity over the internet?
   - Remote Authentication Dial-In User Service (RADIUS) server with hardware tokens
   - Internet Mail Access Protocol (IMAP) with Triple Data Encryption Standard (3DES)
   - Remote user authentication via Simple Object Access Protocol (SOAP)
   - Challenge Handshake Authentication Protocol (CHAP) and strong passwords

46. Digital certificates used in Transport Layer Security (TLS) support which of the following?
   - Multi-Factor Authentication (MFA)
   - Server identity and data confidentiality
   - Non-repudiation controls and data encryption
   - Information input validation

47. Which of the following is the GREATEST security risk associated with the use of Identity as a Service (IDaaS) when an organization is developing its own software?
   - Denial of access due to reduced availability
   - Increased likelihood of confidentiality breach
   - Security Assertion Markup Language (SAML) integration
   - Incompatibility with Federated Identity Management (FIM)

48. Which of the following access management procedures would minimize the possibility of an organization's employees retaining access to secure work areas after changing roles?
   - User access modification
   - User access provisioning
   - User access termination
   - User access recertification

49. Which of the following is based on open standards and provides access control for cloud environment resources in Identity and Access Management (IAM) services?
   - Simple Object Access Protocol (SOAP)
   - Extensible Access Control Markup Language (XACML)
   - Hypertext Transfer Protocol Secure (HTTPS)
   - Security Assertion Markup Language (SAML)

50. Which Web Services (WS-Security) specification maintains a single authenticated identity across multiple dissimilar environments?
   - WS-SecureConversation
   - WS-Federation
   - WS-Authorization
   - WS-Policy
   - WS-Privacy

51. When designing a networked Information System (IS) where there will be several different types of individual access, what is the FIRST step that should be taken to ensure all access control requirements are addressed?
   - Develop a Role Based Access Control (RBAC) list
   - Create a user profile
   - Develop an Access Control List (ACL)
   - Create a user access matrix

52. Which Single Sign-On (SSO) framework can control user identities as an enterprise moves services and applications to different cloud providers?
   - Hypertext Markup Language (HTML)
   - Lightweight Directory Access Protocol (LDAP)
   - Extensible Markup Language (XML)
   - Security Assertion Markup Language (SAML)

53. Which of the following assures that rules are followed in an identity management architecture?
   - Policy enforcement point
   - Policy database
   - Policy decision point
   - Digital signature

54.
What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?
   - Audit logs
   - Role-Based Access Control (RBAC)
   - Two-factor authentication
   - Application of least privilege

55. A vulnerability assessment report has been submitted to a client. The client indicates that one third of the hosts that were in scope are missing from the report. In which phase of the assessment was this error MOST likely made?
   - Discovery
   - Detection
   - Reporting
   - Enumeration

56. What is the MAIN purpose of a high-level security assessment?
   - To prepare an executive summary for management
   - To identify and prioritize mission-critical systems
   - To gain an understanding of the control environment
   - To develop security policies and standards

57. Which of the following statements is TRUE of the internal audit process?
   - The internal audit process begins with an audit charter
   - Internal audit standards are governed by the National Institute of Standards and Technology (NIST)
   - The internal audit department is responsible for implementing recommended controls
   - Internal audit is only concerned with administrative controls

58. When planning a penetration test, the tester will be MOST interested in which information?
   - Job application handouts and tours
   - The main network access points
   - Places to install back doors
   - Exploits that can attack weaknesses

59. Which of the following security testing strategies is BEST suited for companies with low to moderate security maturity?
   - Load testing
   - Performance testing
   - Black-box testing
   - White-box testing

60. Which of the following is of GREATEST assistance to auditors when reviewing system configurations?
   - Change management processes
   - User administration procedures
   - Operating System (OS) baselines
   - System backup documentation

61. In which of the following programs is it MOST important to include the collection of security process data?
   - Quarterly access reviews
   - Security continuous monitoring
   - Business continuity testing
   - Annual security training

62. A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user's access to data files?
   - Host VM monitor audit logs
   - Guest OS access controls
   - Host VM access controls
   - Guest OS audit logs

63. Which of the following could cause a Denial of Service (DoS) against an authentication system?
   - Encryption of audit logs
   - No archiving of audit logs
   - Hashing of audit logs
   - Remote access audit logs

64. Which of the following is a characteristic of an operating system with all security patches applied?
   - It is a trusted operating system
   - It is no longer exposed to system architecture weaknesses
   - It is no longer exposed to correctable vulnerabilities
   - It is a hardened operating system

65. Which of the following is a characteristic of an operating system with all security patches applied?
   - It is a trusted operating system
   - It is no longer exposed to system architecture weaknesses
   - It is no longer exposed to correctable vulnerabilities
   - It is a hardened operating system

66. An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause?
   - Absence of a Business Intelligence (BI) solution
   - Inadequate cost modeling
   - Improper deployment of the Service-Oriented Architecture (SOA)
   - Insufficient Service Level Agreement (SLA)

67. Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations?
   - Walkthrough
   - Second option
   - Parallel
   - White box

68. What is the PRIMARY reason for implementing change management?
   - Certify and approve releases to the environment
   - Provide version rollbacks for system changes
   - Ensure that all applications are approved
   - Ensure accountability for changes to the environment

69.
Which of the following is a PRIMARY advantage of using a third-party identity service?
   - Consolidation of multiple providers
   - Directory synchronization
   - Web-based logon
   - Automated account management

70. With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?
   - Continuously without exception for all security controls
   - Before and after each change of the control
   - At a rate concurrent with the volatility of the security control
   - Only during system implementation and decommissioning

71. What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
   - Take the computer to a forensic lab
   - Make a copy of the hard drive
   - Start documenting
   - Turn off the computer

72. What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?
   - Take the computer to a forensic lab
   - Make a copy of the hard drive
   - Start documenting
   - Turn off the computer

73. What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?
   - Disable all unnecessary services
   - Ensure chain of custody
   - Prepare another backup of the system
   - Isolate the system from the network

74. A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?
   - Guaranteed recovery of all business functions
   - Minimization of the need for decision making during a crisis
   - Insurance against litigation following a disaster
   - Protection from loss of organization resources

75. What balance MUST be considered when web application developers determine how information error messages should be constructed?
   - Confidentiality versus integrity
   - Risk versus benefit
   - Availability versus auditability
   - Performance versus user satisfaction

76. Which of the following represents the level of confidence that software is free from intentional and accidental vulnerabilities?
   - Due care
   - Software assurance
   - Vulnerability management
   - Software Development Life Cycle (SDLC)

77. What is the PRIMARY role of a scrum master in agile development?
   - To project manage the software delivery
   - To match the software requirements to the delivery plan
   - To choose the primary development language
   - To choose the integrated development environment

78. What are the roles within a scrum methodology?
   - Scrum master, quality assurance team, and scrum team
   - Scrum master, requirements manager, and development team
   - Product owner, scrum master, and scrum team
   - System owner, scrum master, and development team

79. A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?
   - Least privilege
   - Privilege escalation
   - Defense in depth
   - Privilege bracketing

80. Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
   - Lack of software documentation
   - License agreements requiring release of modified code
   - Expiration of the license agreement
   - Costs associated with support of the software

81. Which of the following is the BEST method to prevent malware from being introduced into a production environment?
   - Purchase software from a limited list of retailers
   - Verify the hash key or certificate key of all updates
   - Do not permit programs, patches, or updates from the Internet
   - Test all new software in a segregated environment

82. The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
   - System acquisition and development
   - System operations and maintenance
   - System initiation
   - System implementation

83. What is the BEST approach to addressing security issues in legacy web applications?
   - Debug the security issues
   - Migrate to newer, supported applications where possible
   - Conduct a security assessment
   - Protect the legacy application with a web application firewall

84. Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
   - Check arguments in function calls
   - Test for the security patch level of the environment
   - Include logging functions
   - Digitally sign each application module

85. What balance MUST be considered when web application developers determine how information error messages should be constructed?
   - Confidentiality versus integrity
   - Risk versus benefit
   - Availability versus auditability
   - Performance versus user satisfaction

86. Which of the following represents the level of confidence that software is free from intentional and accidental vulnerabilities?
   - Due care
   - Software assurance
   - Vulnerability management
   - Software Development Life Cycle (SDLC)

87. What is the PRIMARY role of a scrum master in agile development?
   - To project manage the software delivery
   - To match the software requirements to the delivery plan
   - To choose the primary development language
   - To choose the integrated development environment

88. What are the roles within a scrum methodology?
   - Scrum master, quality assurance team, and scrum team
   - Scrum master, requirements manager, and development team
   - Product owner, scrum master, and scrum team
   - System owner, scrum master, and development team

89. Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
   - Lack of software documentation
   - License agreements requiring release of modified code
   - Expiration of the license agreement
   - Costs associated with support of the software

90. Which of the following is the BEST method to prevent malware from being introduced into a production environment?
   - Purchase software from a limited list of retailers
   - Verify the hash key or certificate key of all updates
   - Do not permit programs, patches, or updates from the Internet
   - Test all new software in a segregated environment

91. The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
   - System acquisition and development
   - System operations and maintenance
   - System initiation
   - System implementation

92. What is the BEST approach to addressing security issues in legacy web applications?
   - Debug the security issues
   - Migrate to newer, supported applications where possible
   - Conduct a security assessment
   - Protect the legacy application with a web application firewall

93. Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
   - Check arguments in function calls
   - Test for the security patch level of the environment
   - Include logging functions
   - Digitally sign each application module