CISSP Exam Practice Questions Help You Pass
For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com
FB page: https://www.facebook.com/certquestionsbank
A sample of CISSP exam questions follows.
1. A security practitioner has been asked to model best practices for disaster recovery (DR) and
business continuity. The practitioner has decided that a formal committee is needed to establish a
business continuity policy.
Which of the following BEST describes this stage of business continuity development?
A. Project Initiation and Management
B. Risk Evaluation and Control
C. Developing and Implementing business continuity plans (BCP)
D. Business impact analysis (BIA)
Answer: A
2. Which of the following is a strategy of grouping requirements in developing a Security Test and
Evaluation (ST&E)?
A. Tactical, strategic, and financial
B. Management, operational, and technical
C. Documentation, observation, and manual
D. Standards, policies, and procedures
Answer: B
3. An organization has determined that its previous waterfall approach to software development is not
keeping pace with business demands.
To adapt to the rapid changes required for product delivery, the organization has decided to move
towards an Agile software development and release cycle. In order to ensure the success of the Agile
methodology, who is MOST critical in creating acceptance tests or acceptance criteria for each
release?
A. Project managers
B. Software developers
C. Independent testers
D. Business customers
Answer: D
4. If an employee transfers from one role to another, which of the following actions should this trigger
within the identity and access management (IAM) lifecycle?
A. New account creation
B. User access review and adjustment
C. Deprovisioning
D. System account access review and adjustment
Answer: B
5. Which of the following questions can be answered using user and group entitlement reporting?
A. When a particular file was last accessed by a user
B. Change control activities for a particular group of users
C. The number of failed login attempts for a particular user
D. Where does a particular user have access within the network
Answer: D
6. Which of the following BEST mitigates a replay attack against a system using identity federation
and Security Assertion Markup Language (SAML) implementation?
A. Two-factor authentication
B. Digital certificates and hardware tokens
C. Timed sessions and Secure Sockets Layer (SSL)
D. Passwords with alpha-numeric and special characters
Answer: C
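The replay defence behind the answer above is a service-provider-side check that an assertion is fresh, answers a request this provider actually made, and has not been presented before. The block below is an added example written for this page, not code from the question bank; the assertion fields, timestamps and the 120-second skew allowance are constructed sample values, and signature, issuer and audience validation are assumed to have happened already.

```python
from dataclasses import dataclass, field

# Added example: replay-specific checks on a SAML assertion at the service
# provider. Signature/issuer/audience validation is assumed to run before this.
# All field names and timestamps below are constructed sample data.

@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    not_before: float        # Conditions/@NotBefore, epoch seconds
    not_on_or_after: float   # Conditions/@NotOnOrAfter, epoch seconds
    in_response_to: str      # SubjectConfirmationData/@InResponseTo


@dataclass
class ServiceProvider:
    clock_skew: float = 120.0                            # seconds of tolerated drift
    pending_requests: set = field(default_factory=set)   # AuthnRequest IDs we issued
    seen_ids: dict = field(default_factory=dict)         # assertion ID -> NotOnOrAfter

    def issue_request(self, request_id: str) -> None:
        self.pending_requests.add(request_id)

    def _purge(self, now: float) -> None:
        # Keep an ID only while a replay of it could still pass the time check.
        for aid, expiry in list(self.seen_ids.items()):
            if expiry + self.clock_skew < now:
                del self.seen_ids[aid]

    def accept(self, a: Assertion, now: float) -> tuple[bool, str]:
        self._purge(now)
        if now + self.clock_skew < a.not_before:
            return False, "not yet valid"
        if now - self.clock_skew >= a.not_on_or_after:
            return False, "expired"
        if a.in_response_to not in self.pending_requests:
            return False, "unsolicited or already consumed InResponseTo"
        if a.assertion_id in self.seen_ids:
            return False, "replayed assertion ID"
        # Consume both the request ID and the assertion ID on success.
        self.pending_requests.discard(a.in_response_to)
        self.seen_ids[a.assertion_id] = a.not_on_or_after
        return True, "accepted"


if __name__ == "__main__":
    sp = ServiceProvider()
    sp.issue_request("req-1")
    a = Assertion("_a1", 1000.0, 1300.0, "req-1")
    print(sp.accept(a, 1010.0))   # accepted
    print(sp.accept(a, 1020.0))   # rejected: request already consumed
```

The seen-ID cache only needs to live as long as the assertion's validity window plus skew, which is why short NotOnOrAfter windows keep it small; TLS on the wire is what stops the assertion being captured in the first place.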
7. A large corporation is looking for a solution to automate access based on where a request is
coming from, who the user is, what device they are connecting with, and what time of day they are
attempting this access.
What type of solution would suit their needs?
A. Discretionary Access Control (DAC)
B. Role Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Network Access Control (NAC)
Answer: D
8. An organization lacks a data retention policy. Of the following, who is the BEST person to consult
for such requirement?
A. Application Manager
B. Database Administrator
C. Privacy Officer
D. Finance Manager
Answer: C
9. What is the MOST important element when considering the effectiveness of a training program for
Business Continuity (BC) and Disaster Recovery (DR)?
A. Management support
B. Consideration of organizational need
C. Technology used for delivery
D. Target audience
Answer: B
10. Which security access policy contains fixed security attributes that are used by the system to
determine a user’s access to a file or object?
A. Mandatory Access Control (MAC)
B. Access Control List (ACL)
C. Discretionary Access Control (DAC)
D. Authorized user control
Answer: A
11. In order to provide dual assurance in a digital signature system, the design MUST include which
of the following?
A. The public key must be unique for the signed document.
B. The signature process must generate adequate authentication credentials.
C. The hash of the signed document must be present.
D. The encrypted private key must be provided in the signing certificate.
Answer: B
12. A web developer is completing a new web application security checklist before releasing the
application to production. The task of disabling unnecessary services is on the checklist.
Which web application threat is being mitigated by this action?
A. Security misconfiguration
B. Sensitive data exposure
C. Broken access control
D. Session hijacking
Answer: A
13. Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network
data leakage prevention and/or monitoring?
A. Cross Origin Resource Sharing (CORS)
B. WebSockets
C. Document Object Model (DOM) trees
D. Web Interface Definition Language (IDL)
Answer: B
14. What is the PRIMARY reason criminal law is difficult to enforce when dealing with cybercrime?
A. Extradition treaties are rarely enforced.
B. Numerous language barriers exist.
C. Law enforcement agencies are understaffed.
D. Jurisdiction is hard to define.
Answer: D
15. Changes to a Trusted Computing Base (TCB) system that could impact the security posture of
that system and trigger a recertification activity are documented in the
A. security impact analysis.
B. structured code review.
C. routine self assessment.
D. cost benefit analysis.
Answer: A
16. While impersonating an Information Security Officer (ISO), an attacker obtains information from
company employees about their User IDs and passwords.
Which method of information gathering has the attacker used?
A. Trusted path
B. Malicious logic
C. Social engineering
D. Passive misuse
Answer: C
17. Which evidence collecting technique would be utilized when it is believed an attacker is employing
a rootkit and a quick analysis is needed?
A. Memory collection
B. Forensic disk imaging
C. Malware analysis
D. Live response
Answer: A
18. What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?
A. Establish Maximum Tolerable Downtime (MTD) Information Systems (IS).
B. Define the variable cost for extended downtime scenarios.
C. Identify potential threats to business availability.
D. Establish personnel requirements for various downtime scenarios.
Answer: C
21. Where can the Open Web Application Security Project (OWASP) list of associated vulnerabilities
be found?
A. OWASP Top 10 Project
B. OWASP Software Assurance Maturity Model (SAMM) Project
C. OWASP Guide Project
D. OWASP Mobile Project
Answer: A
22. “Stateful” differs from “Static” packet filtering firewalls by being aware of which of the following?
A. Difference between a new and an established connection
B. Originating network location
C. Difference between a malicious and a benign packet payload
D. Originating application session
Answer: A
23. Which of the following is a benefit in implementing an enterprise Identity and Access Management
(IAM) solution?
A. Password requirements are simplified.
B. Risk associated with orphan accounts is reduced.
C. Segregation of duties is automatically enforced.
D. Data confidentiality is increased.
Answer: B
24. What do Capability Maturity Models (CMM) serve as a benchmark for in an organization?
A. Experience in the industry
B. Definition of security profiles
C. Human resource planning efforts
D. Procedures in systems development
Answer: D
25. Which of the following is a PRIMARY advantage of using a third-party identity service?
A. Consolidation of multiple providers
B. Directory synchronization
C. Web based logon
D. Automated account management
Answer: D
26. Which of the following could be considered the MOST significant security challenge when
adopting DevOps practices compared to a more traditional control framework?
A. Achieving Service Level Agreements (SLA) on how quickly patches will be released when a
security flaw is found.
B. Maintaining segregation of duties.
C. Standardized configurations for logging, alerting, and security metrics.
D. Availability of security teams at the end of design process to perform last-minute manual audits
and reviews.
Answer: B
27. Why do certificate Authorities (CA) add value to the security of electronic commerce transactions?
A. They maintain the certificate revocation list.
B. They maintain the private keys of transacting parties.
C. They verify the transacting parties' private keys.
D. They provide a secure communication channel to the transacting parties.
Answer: A
28. Which access control method is based on users issuing access requests on system resources,
features assigned to those resources, the operational or situational context, and a set of policies
specified in terms of those features and context?
A. Mandatory Access Control (MAC)
B. Role Based Access Control (RBAC)
C. Discretionary Access Control (DAC)
D. Attribute Based Access Control (ABAC)
Answer: D
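The question above paraphrases the NIST SP 800-162 definition of ABAC: a decision is a function of subject attributes, resource attributes, the action, environmental context, and a policy written over those attributes. The block below is an added example for this page, not code from the question bank or from any ABAC product; the attribute names, clearance levels and the three rules are constructed to illustrate the model.

```python
from dataclasses import dataclass
from typing import Callable, List

# Added example: a minimal ABAC policy decision point. Attribute names, the
# clearance lattice and the rules are constructed for illustration.

@dataclass(frozen=True)
class Request:
    subject: dict     # e.g. {"clearance": "secret", "department": "finance"}
    resource: dict    # e.g. {"classification": "internal", "owner_department": "finance"}
    action: str       # "read", "export", ...
    context: dict     # e.g. {"hour": 14, "device_managed": True}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


# Ordered sensitivity levels used by the clearance rule.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

POLICY: List[Rule] = [
    Rule("clearance-dominates-and-same-department", "permit",
         lambda r: r.action == "read"
         and LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["classification"]]
         and r.subject["department"] == r.resource["owner_department"]),
    Rule("no-export-outside-business-hours", "deny",
         lambda r: r.action == "export" and not (8 <= r.context["hour"] < 18)),
    Rule("export-from-managed-device-with-secret-clearance", "permit",
         lambda r: r.action == "export"
         and r.context["device_managed"]
         and r.subject["clearance"] == "secret"),
]


def evaluate(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any matching deny wins, else any permit, else deny."""
    decision = "deny"
    for rule in rules:
        if rule.condition(req):
            if rule.effect == "deny":
                return "deny"
            decision = "permit"
    return decision


if __name__ == "__main__":
    req = Request({"clearance": "secret", "department": "finance"},
                  {"classification": "secret", "owner_department": "finance"},
                  "export", {"hour": 22, "device_managed": True})
    print(evaluate(POLICY, req))   # deny: export outside business hours
```

Note what distinguishes this from RBAC: no rule names a role or a user; changing the hour or the device's managed state flips the decision without touching any role assignment.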
29. What is the FIRST step required in establishing a records retention program?
A. Identify and inventory all records storage locations.
B. Classify records based on sensitivity.
C. Identify and inventory all records.
D. Draft a records retention policy.
Answer: D
30. Which of the following BEST describes a rogue Access Point (AP)?
A. An AP that is not protected by a firewall
B. An AP not configured to use Wired Equivalent Privacy (WEP) with Triple Data Encryption Algorithm
(3DES)
C. An AP connected to the wired infrastructure but not under the management of authorized network
administrators
D. An AP infected by any kind of Trojan or Malware
Answer: C
32. When conducting a third-party risk assessment of a new supplier, which of the following reports
should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality,
and privacy trust principles?
A. Service Organization Control (SOC) 1, Type 2
B. Service Organization Control (SOC) 2, Type 2
C. International Organization for Standardization (ISO) 27001
D. International Organization for Standardization (ISO) 27002
Answer: B
34. Which of the following explains why classifying data is an important step in performing a Risk
assessment?
A. To provide a framework for developing good security metrics
B. To justify the selection of costly security controls
C. To classify the security controls sensitivity that helps scope the risk assessment
D. To help determine the appropriate level of data security controls
Answer: D
35. What are the three key benefits that application developers should derive from the northbound
application programming interface (API) of software defined networking (SDN)?
A. Familiar syntax, abstraction of network topology, and definition of network protocols
B. Network syntax, abstraction of network flow, and abstraction of network protocols
C. Network syntax, abstraction of network commands, and abstraction of network protocols
D. Familiar syntax, abstraction of network topology, and abstraction of network protocols
Answer: D
36. Which of the following needs to be tested to achieve a Cat 6a certification for a company's data
cabling?
A. RJ11
B. LC ports
C. Patch panel
D. F-type connector
Answer: C
37. Which of the following is the BEST way to protect an organization's data assets?
A. Monitor and enforce adherence to security policies.
B. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
C. Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.
D. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
Answer: B
39. Which of the following determines how traffic should flow based on the status of the infrastructure
layer?
A. Traffic plane
B. Application plane
C. Data plane
D. Control plane
Answer: D
40. Which one of the following activities would present a significant security risk to organizations
when employing a Virtual Private Network (VPN) solution?
A. VPN bandwidth
B. Simultaneous connection to other networks
C. Users with Internet Protocol (IP) addressing conflicts
D. Remote users with administrative rights
Answer: B
41. Which is the MOST effective countermeasure to prevent electromagnetic emanations on
unshielded data cable?
A. Move cables away from exterior-facing windows
B. Encase exposed cable runs in metal conduit
C. Enable Power over Ethernet (PoE) to increase voltage
D. Bundle exposed cables together to disguise their signals
Answer: B
42. Single Sign-On (SSO) is PRIMARILY designed to address which of the following?
A. Confidentiality and Integrity
B. Availability and Accountability
C. Integrity and Availability
D. Accountability and Assurance
Answer: D
43. A security professional has been assigned to assess a web application. The assessment report
recommends switching to Security Assertion Markup Language (SAML).
What is the PRIMARY security benefit in switching to SAML?
A. It uses Transport Layer Security (TLS) to address confidentiality.
B. It enables single sign-on (SSO) for web applications.
C. The users' password is not passed during authentication.
D. It limits unnecessary data entry on web forms.
Answer: B
44. Which of the following is a common feature of an Identity as a Service (IDaaS) solution?
A. Single Sign-On (SSO) authentication support
B. Privileged user authentication support
C. Password reset service support
D. Terminal Access Controller Access Control System (TACACS) authentication support
Answer: A
46. A small office is running WiFi 4 APs, and neighboring offices do not want to increase the
throughput to associated devices.
Which of the following is the MOST cost-efficient way for the office to increase network performance?
A. Add another AP.
B. Disable the 2.4GHz radios
C. Enable channel bonding.
D. Upgrade to WiFi 5.
Answer: C
47. In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software
inventories is a critical part of
A. systems integration.
B. risk management.
C. quality assurance.
D. change management.
Answer: D
Answer:
49. Which Redundant Array of Independent Disks (RAID) Level does the following diagram
represent?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10
Answer: D
51. A security practitioner is tasked with securing the organization's Wireless Access Points (WAP).
Which of these is the MOST effective way of restricting this environment to authorized users?
A. Enable Wi-Fi Protected Access 2 (WPA2) encryption on the wireless access point
B. Disable the broadcast of the Service Set Identifier (SSID) name
C. Change the name of the Service Set Identifier (SSID) to a random value not associated with the
organization
D. Create Access Control Lists (ACL) based on Media Access Control (MAC) addresses
Answer: A
52. What is the second step in the identity and access provisioning lifecycle?
A. Provisioning
B. Review
C. Approval
D. Revocation
Answer: B
53. Which of the following represents the GREATEST risk to data confidentiality?
A. Network redundancies are not implemented
B. Security awareness training is not completed
C. Backup tapes are generated unencrypted
D. Users have administrative privileges
Answer: C
54. A client has reviewed a vulnerability assessment report and has stated it is Inaccurate. The client
states that the vulnerabilities listed are not valid because the host’s Operating System (OS) was not
properly detected.
Where in the vulnerability assessment process did the error MOST likely occur?
A. Detection
B. Enumeration
C. Reporting
D. Discovery
Answer: A
55. Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?
A. Cutover
B. Walkthrough
C. Tabletop
D. Parallel
Answer: A
56. Functional security testing is MOST critical during which phase of the system development life
cycle (SDLC)?
A. Operations / Maintenance
B. Implementation
C. Acquisition / Development
D. Initiation
Answer: B
57. Which of the following media sanitization techniques is MOST likely to be effective for an
organization using public cloud services?
A. Low-level formatting
B. Secure-grade overwrite erasure
C. Cryptographic erasure
D. Drive degaussing
Answer: C
58. An attacker has intruded into the source code management system and is able to download but
not modify the code.
Which of the following aspects of the code theft has the HIGHEST security impact?
A. The attacker could publicly share confidential comments found in the stolen code.
B. Competitors might be able to steal the organization's ideas by looking at the stolen code.
C. A competitor could run their own copy of the organization's website using the stolen code.
D. Administrative credentials or keys hard-coded within the stolen code could be used to access
sensitive data.
Answer: D
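The reason hard-coded credentials outweigh the other options is that a read-only copy of the repository is enough to turn them into live access. The scanner below is an added example written for this page, not the question bank's material or any particular tool; the sample source text and every key-looking string in it are constructed and non-functional, and the four patterns are illustrative rather than a complete ruleset.

```python
import re
from typing import List, Tuple

# Added example: a minimal scan for credentials checked into source. The sample
# below is constructed; the key material in it is fake and does not work anywhere.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "Sup3rS3cret!"
api_token = os.environ.get("API_TOKEN")   # fine: read from the environment
# -----BEGIN RSA PRIVATE KEY-----
conn = connect(host="db.internal", password=db_password)
"""

# Illustrative patterns only; a production ruleset is much larger and uses
# entropy checks in addition to fixed formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "aws_secret_key": re.compile(
        r'(?i)aws_secret_access_key\s*=\s*["\'][A-Za-z0-9/+=]{40}["\']'),
    "password_literal": re.compile(
        r'(?i)(password|passwd|pwd)\s*=\s*["\'][^"\']{6,}["\']'),
    "private_key_block": re.compile(
        r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
}


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line number, pattern name) for every line that matches a pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}")
```

Line 5 of the sample is the pattern to aim for: the secret lives in the environment or a secrets manager and never enters the repository, so a clone of the code yields nothing usable. Line 7 is not flagged because the password is referenced by name rather than as a literal; the scanner only sees the literal on line 4.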
59. What is the FINAL step in the waterfall method for contingency planning?
A. Maintenance
B. Testing
C. Implementation
D. Training
Answer: A
60. Which of the following presents the PRIMARY concern to an organization when setting up a
federated single sign-on (SSO) solution with another
A. Sending assertions to an identity provider
B. Requesting Identity assertions from the partners domain
C. defining the identity mapping scheme
D. Having the resource provider query the Identity provider
Answer: C
61. A security analyst for a large financial institution is reviewing network traffic related to an incident.
The analyst determines the traffic is irrelevant to the investigation but in the process of the review, the
analyst also finds that an application's data, which included full credit card cardholder data, is
transferred in clear text between the server and the user's desktop. The analyst knows this violates the
Payment Card Industry Data Security Standard (PCI-DSS).
Which of the following is the analyst’s next step?
A. Send the log file co-workers for peer review
B. Include the full network traffic logs in the incident report
C. Follow organizational processes to alert the proper teams to address the issue.
D. Ignore data as it is outside the scope of the investigation and the analyst’s role.
Answer: C
62. What is the MOST critical factor to achieve the goals of a security program?
A. Capabilities of security resources
B. Executive management support
C. Effectiveness of security management
D. Budget approved for security resources
Answer: B
63. Retaining system logs for six months or longer can be valuable for what activities?
A. Disaster recovery and business continuity
B. Forensics and incident response
C. Identity and authorization management
D. Physical and logical access control
Answer: B
64. Which of the following four iterative steps are conducted on third-party vendors in an on-going
basis?
A. Investigate, Evaluate, Respond, Monitor
B. Frame, Assess, Respond, Monitor
C. Frame, Assess, Remediate, Monitor
D. Investigate, Assess, Remediate, Monitor
Answer: B
65. When conducting a security assessment of access controls, which activity is part of the data
analysis phase?
A. Collect logs and reports.
B. Present solutions to address audit exceptions.
C. Categorize and identify evidence gathered during the audit.
D. Conduct statistical sampling of data transactions.
Answer: C
66. Which of the following should exist in order to perform a security audit?
A. Industry framework to audit against
B. External (third-party) auditor
C. Internal certified auditor
D. Neutrality of the auditor
Answer: D
67. Which of the following is the MOST crucial for a successful audit plan?
A. Defining the scope of the audit to be performed
B. Identifying the security controls to be implemented
C. Working with the system owner on new controls
D. Acquiring evidence of systems that are not compliant
Answer: A
68. According to the Capability Maturity Model Integration (CMMI), which of the following levels is
identified by a managed process that is tailored from the organization's set of standard processes
according to the organization's tailoring guidelines?
A. Level 0: Incomplete
B. Level 1: Performed
C. Level 2: Managed
D. Level 3: Defined
Answer: D
69. In a disaster recovery (DR) test, which of the following would be a trait of crisis management?
A. Wide focus
B. Strategic
C. Anticipate
D. Process
Answer: D
70. After acquiring the latest security updates, what must be done before deploying to production
systems?
A. Use tools to detect missing system patches
B. Install the patches on a test system
C. Subscribe to notifications for vulnerabilities
D. Assess the severity of the situation
Answer: B
71. Which of the following is the BEST way to reduce the impact of an externally sourced flood
attack?
A. Have the service provider block the source address.
B. Have the source service provider block the address.
C. Block the source address at the firewall.
D. Block all inbound traffic until the flood ends.
Answer: A
72. Which of the following is included in the Global System for Mobile Communications (GSM)
security framework?
A. Public-Key Infrastructure (PKI)
B. Symmetric key cryptography
C. Digital signatures
D. Biometric authentication
Answer: B
73. Which of the following describes the order in which a digital forensic process is usually
conducted?
A. Ascertain legal authority, agree upon examination strategy, conduct examination, and report
results
B. Ascertain legal authority, conduct investigation, report results, and agree upon examination
strategy
C. Agree upon examination strategy, ascertain legal authority, conduct examination, and report
results
D. Agree upon examination strategy, ascertain legal authority, report results, and conduct
examination
Answer: A
74. An information security administrator wishes to block peer-to-peer (P2P) traffic over Hypertext
Transfer Protocol (HTTP) tunnels.
Which of the following layers of the Open Systems Interconnection (OSI) model requires inspection?
A. Presentation
B. Transport
C. Session
D. Application
Answer: D
75. Which of the following is the BEST reason to review audit logs periodically?
A. Verify they are operating properly
B. Monitor employee productivity
C. Identify anomalies in use patterns
D. Meet compliance regulations
Answer: C
76. What does the term “100-year floodplain” mean to emergency preparedness officials?
A. The area is expected to be safe from flooding for at least 100 years.
B. The odds of a flood at this level are 1 in 100 in any given year.
C. The odds are that the next significant flood will hit within the next 100 years.
D. The last flood of any kind to hit the area was more than 100 years ago.
Answer: B
77. An input validation and exception handling vulnerability has been discovered on a critical web-
based system.
Which of the following is MOST suited to quickly implement a control?
A. Add a new rule to the application layer firewall
B. Block access to the service
C. Install an Intrusion Detection System (IDS)
D. Patch the application source code
Answer: A
78. The Chief Executive Officer (CEO) wants to implement an internal audit of the company's
information security posture. The CEO wants to avoid any bias in the audit process; therefore, has
assigned the Sales Director to conduct the audit. After significant interaction over a period of weeks
the audit concludes that the company's policies and procedures are sufficient, robust and well
established. The CEO then moves on to engage an external penetration testing company in order to
showcase the organization's robust information security stance. This exercise reveals significant
failings in several critical security controls and shows that the incident response processes remain
undocumented .
What is the MOST likely reason for this disparity in the results of the audit and the external
penetration test?
A. The external penetration testing company used custom zero-day attacks that could not have been
predicted.
B. The information technology (IT) and governance teams have failed to disclose relevant information
to the internal audit team leading to an incomplete assessment being formulated.
C. The scope of the penetration test exercise and the internal audit were significantly different.
D. The audit team lacked the technical experience and training to make insightful and objective
assessments of the data provided to them.
Answer: C
79. An organization's retail website provides its only source of revenue, so the disaster recovery plan
(DRP) must document an estimated time for each step in the plan.
Which of the following steps in the DRP will list the GREATEST duration of time for the service to be
fully operational?
A. Update the Network Address Translation (NAT) table.
B. Update Domain Name System (DNS) server addresses with domain registrar.
C. Update the Border Gateway Protocol (BGP) autonomous system number.
D. Update the web server network adapter configuration.
Answer: B
80. A company receives an email threat informing of an Imminent Distributed Denial of Service
(DDoS) attack targeting its web application, unless ransom is paid.
Which of the following techniques BEST addresses that threat?
A. Deploying load balancers to distribute inbound traffic across multiple data centers
B. Set Up Web Application Firewalls (WAFs) to filter out malicious traffic
C. Implementing reverse web-proxies to validate each new inbound connection
D. Coordinate with and utilize capabilities within Internet Service Provider (ISP)
Answer: D
81. Which of the following factors should be considered characteristics of Attribute Based Access
Control (ABAC) in terms of the attributes used?
A. Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
B. Discretionary Access Control (DAC) and Access Control List (ACL)
C. Role Based Access Control (RBAC) and Mandatory Access Control (MAC)
D. Role Based Access Control (RBAC) and Access Control List (ACL)
Answer: D
82. Which is the PRIMARY mechanism for providing the workforce with the information needed to
protect an agency’s vital information resources?
A. Incorporating security awareness and training as part of the overall information security program
B. An information technology (IT) security policy to preserve the confidentiality, integrity, and
availability of systems
C. Implementation of access provisioning process for coordinating the creation of user accounts
D. Execution of periodic security and privacy assessments to the organization
Answer: A
83. Which of the following types of business continuity tests includes assessment of resilience to
internal and external risks without endangering live operations?
A. Walkthrough
B. Simulation
C. Parallel
D. White box
Answer: C
84. A security professional needs to find a secure and efficient method of encrypting data on an
endpoint.
Which solution includes a root key?
A. Bitlocker
B. Trusted Platform Module (TPM)
C. Virtual storage array network (VSAN)
D. Hardware security module (HSM)
Answer: B
85. A security professional has been requested by the Board of Directors and Chief Information
Security Officer (CISO) to perform an internal and external penetration test.
What is the BEST course of action?
A. Review data localization requirements and regulations.
B. Review corporate security policies and procedures.
C. With notice to the organization, perform an internal penetration test first, then an external test.
D. With notice to the organization, perform an external penetration test first, then an internal test.
Answer: D
86. The Rivest-Shamir-Adleman (RSA) algorithm is BEST suited for which of the following
operations?
A. Bulk data encryption and decryption
B. One-way secure hashing for user and message authentication
C. Secure key exchange for symmetric cryptography
D. Creating digital checksums for message integrity
Answer: C
87. When network management is outsourced to third parties, which of the following is the MOST
effective method of protecting critical data assets?
A. Provide links to security policies
B. Log all activities associated with sensitive systems
C. Employ strong access controls
D. Confirm that confidentiality agreements are signed
Answer: C
89. From an asset security perspective, what is the BEST countermeasure to prevent data theft due
to data remanence when a sensitive data storage media is no longer needed?
A. Return the media to the system owner.
B. Delete the sensitive data from the media.
C. Physically destroy the retired media.
D. Encrypt data before it Is stored on the media.
Answer: C
90. Which of the following value comparisons MOST accurately reflects the agile development
approach?
A. Processes and tools over individuals and interactions
B. Contract negotiation over customer collaboration
C. Following a plan over responding to change
D. Working software over comprehensive documentation
Answer: D
91. When conducting a forensic criminal investigation on a computer hard drive, what should be done
PRIOR to analysis?
A. Create a backup copy of all the important files on the drive.
B. Power off the computer and wait for assistance.
C. Create a forensic image of the hard drive.
D. Install forensic analysis software.
Answer: C
92. Which layer handles packet fragmentation and reassembly in the Open Systems Interconnection
(OSI) Reference Model?
A. Session
B. Transport
C. Data Link
D. Network
Answer: D
93. Which of the following entities is ultimately accountable for data remanence vulnerabilities with
data replicated by a cloud service provider?
A. Data owner
B. Data steward
C. Data custodian
D. Data processor
Answer: A
94. Which of the following wraps the decryption key of a full disk encryption implementation and ties
the hard disk drive to a particular device?
A. Trusted Platform Module (TPM)
B. Preboot eXecution Environment (PXE)
C. Key Distribution Center (KDC)
D. Simple Key-Management for Internet Protocol (SKIP)
Answer: A
95. A network security engineer needs to ensure that a security solution analyzes traffic for protocol
manipulation and various sorts of common attacks. In addition, all Uniform Resource Locator (URL)
traffic must be inspected and users prevented from browsing inappropriate websites.
Which of the following solutions should be implemented to enable administrators the capability to
analyze traffic, blacklist external sites, and log user traffic for later analysis?
A. Intrusion detection system (IDS)
B. Circuit-Level Proxy
C. Application-Level Proxy
D. Host-based Firewall
Answer: C
96. Which of the following are effective countermeasures against passive network-layer attacks?
A. Federated security and authenticated access controls
B. Trusted software development and run time integrity controls
C. Encryption and security enabled applications
D. Enclave boundary protection and computing environment defense
Answer: C
97. When using third-party software developers, which of the following is the MOST effective method
of providing software development Quality Assurance (QA)?
A. Retain intellectual property rights through contractual wording.
B. Perform overlapping code reviews by both parties.
C. Verify that the contractors attend development planning meetings.
D. Create a separate contractor development environment.
Answer: B
98. Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an
organization network?
A. Provide vulnerability reports to management.
B. Validate vulnerability remediation activities.
C. Prevent attackers from discovering vulnerabilities.
D. Remediate known vulnerabilities.
Answer: B
99. Which application type is considered high risk and provides a common way for malware and
viruses to enter a network?
A. Instant messaging or chat applications
B. E-mail applications
C. Peer-to-Peer (P2P) file sharing applications
D. End-to-end applications
Answer: C
100. Which of the following is a remote access protocol that uses a static authentication?
A. Point-to-Point Tunneling Protocol (PPTP)
B. Routing Information Protocol (RIP)
C. Password Authentication Protocol (PAP)
D. Challenge Handshake Authentication Protocol (CHAP)
Answer: C
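The point of contrast in the question above is static versus challenge-response authentication: PAP sends the same reusable password on every connection, while CHAP (RFC 1994) answers a fresh random challenge with MD5(Identifier || secret || challenge), so a captured exchange is useless against the next one. The block below is an added example written for this page, not code from the question bank; the usernames and shared secrets are constructed sample data.

```python
import hashlib
import hmac
import os

# Added example: PAP (static credential) versus CHAP (RFC 1994 challenge/response)
# under a capture-and-replay attacker. All secrets below are constructed samples.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over Identifier, shared secret and challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PapAuthenticator:
    """Static credential check: whatever was captured on the wire works again."""

    def __init__(self, passwords: dict):
        self.passwords = passwords

    def verify(self, username: str, password: bytes) -> bool:
        stored = self.passwords.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


class ChapAuthenticator:
    """Challenge/response check: each challenge is random and single-use."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.outstanding = {}   # identifier -> challenge bytes

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        # Pop the challenge so the same one can never be answered twice.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Capture one exchange of each protocol, then replay it. Returns the outcomes."""
    pap = PapAuthenticator({"alice": b"hunter2"})
    captured_pap = b"hunter2"                        # sniffed from the first login
    pap_first = pap.verify("alice", captured_pap)
    pap_replay = pap.verify("alice", captured_pap)   # accepted again

    chap = ChapAuthenticator({"alice": b"shared-secret"})
    c1 = chap.challenge(1)
    captured_chap = chap_response(1, b"shared-secret", c1)   # sniffed response
    chap_first = chap.verify(1, "alice", captured_chap)
    chap.challenge(2)                                # next session: new challenge
    chap_replay = chap.verify(2, "alice", captured_chap)     # rejected
    return {"pap_first": pap_first, "pap_replay": pap_replay,
            "chap_first": chap_first, "chap_replay": chap_replay}


if __name__ == "__main__":
    print(replay_demo())
```

CHAP still requires the authenticator to hold the cleartext shared secret and MD5 is not a modern choice, which is why EAP methods have displaced it; the example isolates only the replay property the question is about.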
101. Which testing method requires very limited or no information about the network infrastructure?
A. White box
B. Static
C. Black box
D. Stress
Answer: C
102. The security team is notified that a device on the network is infected with malware.
Which of the following is MOST effective in enabling the device to be quickly located and remediated?
A. Data loss protection (DLP)
B. Intrusion detection
C. Vulnerability scanner
D. Information Technology Asset Management (ITAM)
Answer: D
103. Which of the following is a security weakness in the evaluation of common criteria (CC)
products?
A. The manufacturer can state what configuration of the product is to be evaluated.
B. The product can be evaluated by labs in other countries.
C. The Target of Evaluation's (TOE) testing environment is identical to the operating environment
D. The evaluations are expensive and time-consuming to perform.
Answer: A
104. Which of the following is the PRIMARY purpose of installing a mantrap within a facility?
A. Control traffic
B. Prevent rapid movement
C. Prevent piggybacking
D. Control air flow
Answer: C
105. Which of the following is established to collect information ... readily available in part through
implemented security controls?
A. Security Assessment Report (SAR)
B. Organizational risk tolerance
C. Information Security Continuous Monitoring (ISCM)
D. Risk assessment report
Answer: D
106. An internal audit for an organization recently identified malicious actions by a user account.
Upon further investigation, it was determined the offending user account was used by multiple people
at multiple locations simultaneously for various services and applications.
What is the BEST method to prevent this problem in the future?
A. Ensure the security information and event management (SIEM) is set to alert.
B. Inform users only one user should be using the account at a time.
C. Ensure each user has their own unique account.
D. Allow several users to share a generic account.
Answer: A
107. A Denial of Service (DoS) attack on a syslog server exploits weakness in which of the following
protocols?
A. Point-to-Point Protocol (PPP) and Internet Control Message Protocol (ICMP)
B. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
C. Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP)
D. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
Answer: B
108. When dealing with shared, privileged accounts, especially those for emergencies, what is the
BEST way to assure non-repudiation of logs?
A. Regularly change the passwords.
B. Implement a password vaulting solution.
C. Lock passwords in tamperproof envelopes in a safe.
D. Implement a strict access control policy.
Answer: B
109. What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)?
A. Save security costs for the organization.
B. Improve vulnerability assessment capabilities.
C. Standardize specifications between software security products.
D. Achieve organizational compliance with international standards.
Answer: C
110. Which of the following processes has the PRIMARY purpose of identifying outdated software
versions, missing patches, and lapsed system updates?
A. Penetration testing
B. Vulnerability management
C. Software Development Life Cycle (SDLC)
D. Life cycle management
Answer: B
Explanation:
Reference: https://resources.infosecinstitute.com/category/certifications-
training/cissp/domains/security-operations/vulnerability-and-patch-management/#gref
111. Although code using a specific program language may not be susceptible to a buffer overflow
attack,
A. most calls to plug-in programs are susceptible.
B. most supporting application code is susceptible.
C. the graphical images used by the application could be susceptible.
D. the supporting virtual machine could be susceptible.
Answer: C
112. Which one of the following is an advantage of an effective release control strategy from a
configuration control standpoint?
A. Ensures that a trace for all deliverables is maintained and auditable
B. Enforces backward compatibility between releases
C. Ensures that there is no loss of functionality between releases
D. Allows for future enhancements to existing features
Answer: A
114. Which layer of the Open Systems Interconnection (OSI) model is being targeted in the event of a
Synchronization (SYN) flood attack?
A. Session
B. Transport
C. Network
D. Presentation
Answer: B
115. A user is allowed to access the file labeled “Financial Forecast,” but only between 9:00 a.m. and
5:00 p.m., Monday through Friday.
Which type of access mechanism should be used to accomplish this?
A. Minimum access control
B. Rule-based access control
C. Limited role-based access control (RBAC)
D. Access control list (ACL)
Answer: B
116. In Disaster Recovery (DR) and business continuity training, which BEST describes a functional
drill?
A. A full-scale simulation of an emergency and the subsequent response functions
B. A specific test by response teams of individual emergency response functions
C. A functional evacuation of personnel
D. An activation of the backup site
Answer: C
117. When developing the entitlement review process, which of the following roles is responsible for
determining who has a need for the information?
A. Data Custodian
B. Data Owner
C. Database Administrator
D. Information Technology (IT) Director
Answer: B
118. Data leakage of sensitive information is MOST often concealed by which of the following?
A. Secure Sockets Layer (SSL)
B. Secure Hash Algorithm (SHA)
C. Wired Equivalent Privacy (WEP)
D. Secure Post Office Protocol (POP)
Answer: A
120. Which of the following virtual network configuration options is BEST to protect virtual machines
(VM)?
A. Traffic filtering
B. Data encryption
C. Data segmentation
D. Traffic throttling
Answer: D
121. Which of the following violates identity and access management best practices?
A. User accounts
B. System accounts
C. Generic accounts
D. Privileged accounts
Answer: C
123. For a service provider, which of the following MOST effectively addresses confidentiality
concerns for customers using cloud computing?
A. Hash functions
B. Data segregation
C. File system permissions
D. Non-repudiation controls
Answer: B
124. What is the MOST efficient way to secure a production program and its data?
A. Disable default accounts and implement access control lists (ACL)
B. Harden the application and encrypt the data
C. Disable unused services and implement tunneling
D. Harden the servers and backup the data
Answer: B
125. Why would a security architect specify that a default route pointing to a sinkhole be injected into
internal networks?
A. To have firewalls route all network traffic
B. To detect the traffic destined to non-existent network destinations
C. To exercise authority over the network department
D. To re-inject the route into external networks
Answer: B
126. Which of the following MUST a security professional do in order to quantify the value of a
security program to organization management?
A. Report using metrics.
B. Rank priorities as high, medium, or low.
C. Communicate compliance obstacles.
D. Report on employee activities.
Answer: A
127. How should the retention period for an organization's social media content be defined?
A. By the retention policies of each social media service
B. By the records retention policy of the organization
C. By the Chief Information Officer (CIO)
D. By the amount of available storage space
Answer: B
128. Why must all users be positively identified prior to using multi-user computers?
A. To provide access to system privileges
B. To provide access to the operating system
C. To ensure that unauthorized persons cannot access the computers
D. To ensure that management knows what users are currently logged on
Answer: C
130. What is the term commonly used to refer to a technique of authenticating one machine to
another by forging packets from a trusted source?
A. Man-in-the-Middle (MITM) attack
B. Smurfing
C. Session redirect
D. Spoofing
Answer: D
131. Which of the following alarm systems is recommended to detect intrusions through windows in a
high-noise, occupied environment?
A. Acoustic sensor
B. Motion sensor
C. Shock sensor
D. Photoelectric sensor
Answer: C
132. Physical Access Control Systems (PACS) allow authorized security personnel to manage and
monitor access control for subjects through which function?
A. Remote access administration
B. Personal Identity Verification (PIV)
C. Access Control List (ACL)
D. Privileged Identity Management (PIM)
Answer: B
133. What is the PRIMARY objective of the post-incident phase of the incident response process in
the security operations center (SOC)?
A. Improve the IR process.
B. Communicate the IR details to the stakeholders.
C. Validate the integrity of the IR.
D. Finalize the IR.
Answer: A
134. Which of the following is the name of an individual or group that is impacted by a change?
A. Change agent
B. Stakeholder
C. Sponsor
D. End User
Answer: B
136. For a federated identity solution, a third-party Identity Provider (IdP) is PRIMARILY responsible
for which of the following?
A. Access Control
B. Account Management
C. Authentication
D. Authorization
Answer: C
137. Which of the following would BEST describe the role directly responsible for data within an
organization?
A. Data custodian
B. Information owner
C. Database administrator
D. Quality control
Answer: A
138. Which of the following is a MAJOR consideration in implementing a Voice over IP (VoIP)
network?
A. Use of unified messaging.
B. Use of separation for the voice network.
C. Use of Network Access Control (NAC) on switches.
D. Use of Request for Comments (RFC) 1918 addressing.
Answer: A
139. A risk assessment report recommends upgrading all perimeter firewalls to mitigate a particular
finding.
Which of the following BEST supports this recommendation?
A. The inherent risk is greater than the residual risk.
B. The Annualized Loss Expectancy (ALE) approaches zero.
C. The expected loss from the risk exceeds mitigation costs.
D. The infrastructure budget can easily cover the upgrade costs.
Answer: C
140. Which of the following methods provides the MOST protection for user credentials?
A. Forms-based authentication
B. Digest authentication
C. Basic authentication
D. Self-registration
Answer: B
141. Which of the following is the PRIMARY security consideration for how an organization should
handle Information Technology (IT) assets?
A. The monetary value of the asset
B. The controls implemented on the asset
C. The physical form factor of the asset
D. The classification of the data on the asset
Answer: D
143. What technique BEST describes antivirus software that detects viruses by watching anomalous
behavior?
A. Signature
B. Inference
C. Induction
D. Heuristic
Answer: D
144. Which of the following is a common term for log reviews, synthetic transactions, and code
reviews?
A. Security control testing
B. Application development
C. Spiral development functional testing
D. DevOps Integrated Product Team (IPT) development
Answer: B
145. Write Once, Read Many (WORM) data storage devices are designed to BEST support which of
the following core security concepts?
A. Integrity
B. Scalability
C. Availability
D. Confidentiality
Answer: A
146. While classifying credit card data related to Payment Card Industry Data Security Standards
(PCI-DSS), which of the following is a PRIMARY security requirement?
A. Processor agreements with card holders
B. Three-year retention of data
C. Encryption of data
D. Specific card disposal methodology
Answer: C
147. Which of the following authorization standards is built to handle Application Programming
Interface (API) access for Federated Identity Management (FIM)?
A. Remote Authentication Dial-In User Service (RADIUS)
B. Terminal Access Controller Access Control System Plus (TACACS+)
C. Open Authentication (OAuth)
D. Security Assertion Markup Language (SAML)
Answer: C
148. Refer to the information below to answer the question.
A large, multinational organization has decided to outsource a portion of their Information Technology
(IT) organization to a third-party provider’s facility. This provider will be responsible for the design,
development, testing, and support of several critical, customer-based applications used by the
organization.
The organization should ensure that the third party's physical security controls are in place so that
they
A. are more rigorous than the original controls.
B. are able to limit access to sensitive information.
C. allow access by the organization staff at any time.
D. cannot be accessed by subcontractors of the third party.
Answer: B
149. Which methodology is recommended for penetration testing to be effective in the development
phase of the life-cycle process?
A. White-box testing
B. Software fuzz testing
C. Black-box testing
D. Visual testing
Answer: A
150. Which of the following is the MOST important element of change management documentation?
A. List of components involved
B. Number of changes being made
C. Business case justification
D. A stakeholder communication
Answer: C
151. What is the most effective form of media sanitization to ensure residual data cannot be
retrieved?
A. Clearing
B. Destroying
C. Purging
D. Disposal
Answer: B
152. A colleague who recently left the organization asked a security professional for a copy of the
organization's confidential incident management policy.
Which of the following is the BEST response to this request?
A. Email the policy to the colleague as they were already part of the organization and familiar with it.
B. Do not acknowledge receiving the request from the former colleague and ignore them.
C. Access the policy on a company-issued device and let the former colleague view the screen.
D. Submit the request using company official channels to ensure the policy is okay to distribute.
Answer: B
153. Which of the following would an information security professional use to recognize changes to
content, particularly unauthorized changes?
A. File Integrity Checker
B. Security information and event management (SIEM) system
C. Audit Logs
D. Intrusion detection system (IDS)
Answer: A
154. Which is the BEST control to meet the Statement on Standards for Attestation Engagements 18
(SSAE-18) confidentiality category?
A. Data processing
B. Storage encryption
C. File hashing
D. Data retention policy
Answer: C
156. An organization’s security policy delegates to the data owner the ability to assign which user
roles have access to a particular resource.
What type of authorization mechanism is being used?
A. Discretionary Access Control (DAC)
B. Role Based Access Control (RBAC)
C. Media Access Control (MAC)
D. Mandatory Access Control (MAC)
Answer: A
157. Which one of the following data integrity models assumes a lattice of integrity levels?
A. Take-Grant
B. Biba
C. Harrison-Ruzzo
D. Bell-LaPadula
Answer: B
158. In Federated Identity Management (FIM), which of the following represents the concept of
federation?
A. Collection of information logically grouped into a single entity
B. Collection, maintenance, and deactivation of user objects and attributes in one or more systems,
directories or applications
C. Collection of information for common identities in a system
D. Collection of domains that have established trust among themselves
Answer: D
159. Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can
create information leakage?
A. Transference
B. Covert channel
C. Bleeding
D. Cross-talk
Answer: D
161. A network administrator is designing a new datacenter in a different region that will need to
communicate to the old datacenter with a secure connection.
Which of the following access methods would provide the BEST security for this new datacenter?
A. Virtual network computing
B. Secure Socket Shell
C. In-band connection
D. Site-to-site VPN
Answer: D
162. Which of the following is critical if an employee is dismissed due to violation of an organization's
Acceptable Use Policy (AUP)?
A. Privilege suspension
B. Internet access logs
C. Proxy records
D. Appropriate documentation
Answer: B
163. Which of the following is the BEST example of weak management commitment to the protection
of security assets and resources?
A. poor governance over security processes and procedures
B. immature security controls and procedures
C. variances against regulatory requirements
D. unanticipated increases in security incidents and threats
Answer: A
164. The Open Web Application Security Project’s (OWASP) Software Assurance Maturity Model
(SAMM) allows organizations to implement a flexible software security strategy to measure
organizational impact based on what risk management aspect?
A. Risk tolerance
B. Risk exception
C. Risk treatment
D. Risk response
Answer: D
166. Which of the following is the BEST method to reduce the effectiveness of phishing attacks?
A. User awareness
B. Two-factor authentication
C. Anti-phishing software
D. Periodic vulnerability scan
Answer: A
167. An organization has discovered that organizational data is posted by employees to data storage
accessible to the general public.
What is the PRIMARY step an organization must take to ensure data is properly protected from public release?
A. Implement a data classification policy.
B. Implement a data encryption policy.
C. Implement a user training policy.
D. Implement a user reporting policy.
Answer: C
168. An international trading organization that holds an International Organization for Standardization
(ISO) 27001 certification is seeking to outsource their security monitoring to a managed security
service provider (MSSP). The trading organization's security officer is tasked with drafting the
requirements that need to be included in the outsourcing contract.
Which of the following MUST be included in the contract?
A. A detailed overview of all equipment involved in the outsourcing contract
B. The MSSP having an executive manager responsible for information security
C. The right to perform security compliance tests on the MSSP's equipment
D. The right to audit the MSSP's security process
Answer: C
169. An organization needs a general purpose document to prove that its internal controls properly
address security, availability, processing integrity, confidentiality or privacy risks.
Which of the following reports is required?
A. A Service Organization Control (SOC) 3 report
B. The Statement on Standards for Attestation Engagements No. 18 (SSAE 18)
C. A Service Organization Control (SOC) 2 report
D. The International Organization for Standardization (ISO) 27001
Answer: C
170. Which of the following provides the BEST method to verify that security baseline configurations
are maintained?
A. Perform regular system security testing.
B. Design security early in the development cycle.
C. Analyze logs to determine user activities.
D. Perform quarterly risk assessments.
Answer: A
171. Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM)
Voice over Internet Protocol (VoIP) attacks?
A. Use Media Gateway Control Protocol (MGCP)
B. Use Transport Layer Security (TLS) protocol
C. Use File Transfer Protocol (FTP)
D. Use Secure Shell (SSH) protocol
Answer: B
173. Which of the following provides the GREATEST level of data security for a Virtual Private
Network (VPN) connection?
A. Internet Protocol Payload Compression (IPComp)
B. Internet Protocol Security (IPSec)
C. Extensible Authentication Protocol (EAP)
D. Remote Authentication Dial-In User Service (RADIUS)
Answer: B
177. What is the BEST method if an investigator wishes to analyze a hard drive which may be used
as evidence?
A. Leave the hard drive in place and use only verified and authenticated Operating Systems (OS)
utilities ...
B. Log into the system and immediately make a copy of all relevant files to a Write Once, Read Many
...
C. Remove the hard drive from the system and make a copy of the hard drive's contents using
imaging hardware.
D. Use a separate bootable device to make a copy of the hard drive before booting the system and
analyzing the hard drive.
Answer: C
178. The development team has been tasked with collecting data from biometric devices. The
application will support a variety of collection data streams. During the testing phase, the team utilizes
data from an old production database in a secure testing environment.
What principle has the team taken into consideration?
A. Biometric data cannot be changed.
B. Separate biometric data streams require increased security.
C. The biometric devices are unknown.
D. Biometric data must be protected from disclosure.
Answer: A
179. Which of the following management processes allows ONLY those services required for users to
accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?
A. Configuration
B. Identity
C. Compliance
D. Patch
Answer: A
180. In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible
for negotiating and establishing a connection with another node?
A. Transport layer
B. Application layer
C. Network layer
D. Session layer
Answer: A
181. Two computers, each with a single connection on the same physical 10 gigabit Ethernet network
segment, need to communicate with each other. The first machine has a single Internet Protocol (IP)
Classless Inter-Domain Routing (CIDR) address of 192.168.1.3/30 and the second machine has an
IP/CIDR address 192.168.1.6/30.
Which of the following is correct?
A. Since each computer is on a different layer 3 network, traffic between the computers must be
processed by a network bridge in order to communicate.
B. Since each computer is on the same layer 3 network, traffic between the computers may be
processed by a network bridge in order to communicate.
C. Since each computer is on the same layer 3 network, traffic between the computers may be
processed by a network router in order to communicate.
D. Since each computer is on a different layer 3 network, traffic between the computers must be
processed by a network router in order to communicate.
Answer: B
182. What is an effective practice when returning electronic storage media to third parties for repair?
A. Ensuring the media is not labeled in any way that indicates the organization's name.
B. Disassembling the media and removing parts that may contain sensitive data.
C. Physically breaking parts of the media that may contain sensitive data.
D. Establishing a contract with the third party regarding the secure handling of the media.
Answer: D
183. Which of the following open source software issues pose the MOST risk to an application?
A. The software is beyond end of life and the vendor is out of business.
B. The software is not used or popular in the development community.
C. The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are
remediated.
D. The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are
classified as low risks.
Answer: D
184. The stringency of an Information Technology (IT) security assessment will be determined by the
A. system's past security record.
B. size of the system's database.
C. sensitivity of the system's data.
D. age of the system.
Answer: C
185. Limiting the processor, memory, and Input/output (I/O) capabilities of mobile code is known as
A. code restriction.
B. on-demand compile.
C. sandboxing.
D. compartmentalization.
Answer: C
186. DRAG DROP
A software security engineer is developing a black box-based test plan that will measure the system's
reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the
functional testing techniques on the left with the correct input parameters on the right.
Answer:
187. A company developed a web application which is sold as a Software as a Service (SaaS)
solution to the customer. The application is hosted by a web server running on a specific operating
system (OS) on a virtual machine (VM). During the transition phase of the service, it is determined
that the support team will need access to the application logs.
Which of the following privileges would be the MOST suitable?
A. Administrative privileges on the OS
B. Administrative privileges on the web server
C. Administrative privileges on the hypervisor
D. Administrative privileges on the application folders
Answer: D
189. A security professional should ensure that clients support which secondary algorithm for digital
signatures when a Secure Multipurpose Internet Mail Extension (S/MIME) is used?
A. Triple Data Encryption Standard (3DES)
B. Advanced Encryption Standard (AES)
C. Digital Signature Algorithm (DSA)
D. Rivest-Shamir-Adleman (RSA)
Answer: C
190. Which security architecture strategy could be applied to secure an operating system (OS)
baseline for deployment within the corporate enterprise?
A. Principle of Least Privilege
B. Principle of Separation of Duty
C. Principle of Secure Default
D. Principle of Fail Secure
Answer: D
191. Which of the following actions MUST be taken if a vulnerability is discovered during the
maintenance stage in a System Development Life Cycle (SDLC)?
A. Make changes following principle and design guidelines.
B. Stop the application until the vulnerability is fixed.
C. Report the vulnerability to product owner.
D. Monitor the application and review code.
Answer: C
192. When constructing an Information Protection Policy (IPP), it is important that the stated rules are
necessary, adequate, and
A. flexible.
B. confidential.
C. focused.
D. achievable.
Answer: D
193. Which of the following is the BIGGEST weakness when using native Lightweight Directory
Access Protocol (LDAP) for authentication?
A. Authorizations are not included in the server response
B. Unsalted hashes are passed over the network
C. The authentication session can be replayed
D. Passwords are passed in cleartext
Answer: D
194. Which of the following is the BEST identity-as-a-service (IDaaS) solution for validating users?
A. Lightweight Directory Access Protocol (LDAP)
B. Security Assertion Markup Language (SAML)
C. Single Sign-on (SSO)
D. Open Authentication (OAuth)
Answer: A
195. Which of the following is the MOST challenging issue in apprehending cyber criminals?
A. They often use sophisticated methods to commit a crime.
B. It is often hard to collect and maintain integrity of digital evidence.
C. The crime is often committed from a different jurisdiction.
D. There is often no physical evidence involved.
Answer: C
196. For the purpose of classification, which of the following is used to divide trust domain and trust
boundaries?
A. Network architecture
B. Integrity
C. Identity Management (IdM)
D. Confidentiality management
Answer: A
197. Intellectual property rights are PRIMARILY concerned with which of the following?
A. Owner’s ability to realize financial gain
B. Owner’s ability to maintain copyright
C. Right of the owner to enjoy their creation
D. Right of the owner to control delivery method
Answer: C
198. A database server for a financial application is scheduled for production deployment.
Which of the following controls will BEST prevent tampering?
A. Service accounts removal
B. Data validation
C. Logging and monitoring
D. Data sanitization
Answer: B
199. An organization allows ping traffic into and out of their network. An attacker has installed a
program on the network that uses the payload portion of the ping packet to move data into and out of
the network.
What type of attack has the organization experienced?
A. Data leakage
B. Unfiltered channel
C. Data emanation
D. Covert channel
Answer: A
200. How can a security engineer maintain network separation from a secure environment while
allowing remote users to work in the secure environment?
A. Use a Virtual Local Area Network (VLAN) to segment the network
B. Implement a bastion host
C. Install anti-virus on all endpoints
D. Enforce port security on access switches
Answer: A
201. Which of the following security tools monitors devices and records the information in a central
database for further analysis?
A. Security orchestration automation and response
B. Host-based intrusion detection system (HIDS)
C. Antivirus
D. Endpoint detection and response (EDR)
Answer: A
203. When designing an Occupant Emergency Plan (OEP) for United States (US) Federal government
facilities, what factor must be considered?
A. Location of emergency exits in building
B. Average age of the agency employees
C. Geographical location and structural design of building
D. Federal agency for which plan is being drafted
Answer: A
204. As a design principle, which one of the following actors is responsible for identifying and
approving data security requirements in a cloud ecosystem?
A. Cloud broker
B. Cloud provider
C. Cloud consumer
D. Cloud auditor
Answer: C
206. What access control scheme uses fine-grained rules to specify the conditions under which
access to each data item or applications is granted?
A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Role Based Access Control (RBAC)
D. Attribute Based Access Control (ABAC)
Answer: D
Explanation:
Reference: https://en.wikipedia.org/wiki/Attribute-based_access_control
207. Why should Open Web Application Security Project (OWASP) Application Security Verification
standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?
A. ASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats.
B. Opportunistic attackers will look for any easily exploitable vulnerable applications.
C. Most regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications.
D. Securing applications at ASVS Level 1 provides adequate protection for sensitive data.
Answer: B
208. The organization would like to deploy an authorization mechanism for an Information Technology
(IT) infrastructure project with high employee turnover.
Which access control mechanism would be preferred?
A. Attribute Based Access Control (ABAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Role-Based Access Control (RBAC)
Answer: D
210. An organization operates a legacy Industrial Control System (ICS) to support its core business
service, which cannot be replaced. Its management MUST be performed remotely through an
administrative console software, which in turn depends on an old version of the Java Runtime
Environment (JRE) known to be vulnerable to a number of attacks.
How is this risk BEST managed?
A. Isolate the full ICS by moving it onto its own network segment
B. Air-gap and harden the host used for management purposes
C. Convince the management to decommission the ICS and migrate to a modern technology
D. Deploy a restrictive proxy between all clients and the vulnerable management station
Answer: B
212. An Intrusion Detection System (IDS) is generating alarms that a user account has over 100
failed login attempts per minute. A sniffer is placed on the network, and a variety of passwords for that
user are noted.
Which of the following is MOST likely occurring?
A. A dictionary attack
B. A Denial of Service (DoS) attack
C. A spoofing attack
D. A backdoor installation
Answer: A
213. An organization wants to enable users to authenticate across multiple security domains. To
accomplish this they have decided to use Federated Identity Management (FIM).
Which of the following is used behind the scenes in a FIM deployment?
A. Standard Generalized Markup Language (SGML)
B. Extensible Markup Language (XML)
C. Security Assertion Markup Language (SAML)
D. Transaction Authority Markup Language (XAML)
Answer: C
214. When developing an external facing web-based system, which of the following would be the
MAIN focus of the security assessment prior to implementation and production?
A. Assessing the Uniform Resource Locator (URL)
B. Ensuring Secure Sockets Layer (SSL) certificates are signed by a certificate authority
C. Ensuring that input validation is enforced
D. Ensuring Secure Sockets Layer (SSL) certificates are internally signed
Answer: B
215. Which of the following are the three MAIN categories of security controls?
A. Administrative, technical, physical
B. Corrective, detective, recovery
C. Confidentiality, integrity, availability
D. Preventative, corrective, detective
Answer: A
216. The application owner of a system that handles confidential data leaves an organization. It is
anticipated that a replacement will be hired in approximately six months.
During that time, which of the following should the organization do?
A. Grant temporary access to the former application owner's account
B. Assign a temporary application owner to the system.
C. Restrict access to the system until a replacement application owner is hired.
D. Prevent changes to the confidential data until a replacement application owner is hired.
Answer: B
217. Which of the following is an important requirement when designing a secure remote access
system?
A. Configure a Demilitarized Zone (DMZ) to ensure that user and service traffic is separated.
B. Provide privileged access rights to computer files and systems.
C. Ensure that logging and audit controls are included.
D. Reduce administrative overhead through password self service.
Answer: C
218. An information technology (IT) employee who travels frequently to various ies remotely to an
organization’ to troubleshoot p.
Which of the following solutions BEST serves as a secure control mechanism to meet the
organization's requirements?
A. Update the firewall rules to include the static Internet Protocol (IP) addresses of the locations
where the employee connects from.
B. Install a third-party screen sharing solution that provides remote connection from a public website.
C. Implement a Dynamic Domain Name Services (DDNS) account to initiate a virtual private network
(VPN) using the DDNS record.
D. Install a bastion host in the demilitarized zone (DMZ) and allow multi-factor authentication (MFA)
access.
Answer: D
219. What process facilitates the balance of operational and economic costs of protective measures
with gains in mission capability?
A. Risk assessment
B. Performance testing
C. Security audit
D. Risk management
Answer: D
221. An enterprise is developing a baseline cybersecurity standard its suppliers must meet before
being awarded a contract.
Which of the following statements is TRUE about the baseline cybersecurity standard?
A. It should be expressed as general requirements.
B. It should be expressed in legal terminology.
C. It should be expressed in business terminology.
D. It should be expressed as technical requirements.
Answer: D
223. An organization is trying to secure instant messaging (IM) communications through its network
perimeter.
Which of the following is the MOST significant challenge?
A. IM clients can interoperate between multiple vendors.
B. IM clients can run without administrator privileges.
C. IM clients can utilize random port numbers.
D. IM clients can run as executables that do not require installation.
Answer: B
224. What type of risk is related to the sequences of value-adding and managerial activities
undertaken in an organization?
A. Demand risk
B. Process risk
C. Control risk
D. Supply risk
Answer: B