The Actual Exam Version includes actual exam questions verified by IT experts. We verify the questions and update them frequently each month, and also based on members' feedback, to keep them aligned with the real exam. We offer an immediate refund if questions from our Actual Exam Version do not appear in your exam. We highly recommend you study the Actual Exam Version and then take the exam as soon as possible.
CISSP Certified Information Systems Security Professional Actual Exam
QUESTION NO: 61
What is a common mistake in records retention?
A. Adopting a retention policy with the longest requirement period
B. Having the Human Resource (HR) department create a retention policy
C. Adopting a retention policy based on applicable organization requirements
D. Having the organization legal department create a retention policy
QUESTION NO: 62
Of the following, which BEST provides non-repudiation with regards to access to a server room?
A. Fob and Personal Identification Number (PIN)
B. Locked and secured cages
C. Biometric readers
D. Proximity readers
QUESTION NO: 63
What should an auditor do when conducting a periodic audit on media retention?
A. Check electronic storage media to ensure records are not retained past their destruction date
B. Ensure authorized personnel are in possession of paper copies containing Personally Identifiable Information (PII)
C. Check that hard disks containing backup data that are still within a retention cycle are being destroyed correctly
D. Ensure that data shared with outside organizations is no longer on a retention schedule
QUESTION NO: 64
How should the retention period for an organization’s social media content be defined?
A. By the retention policies of each social media service
B. By the records retention policy of the organization
C. By the Chief Information Officer (CIO)
D. By the amount of available storage space
QUESTION NO: 65
What is the FIRST step required in establishing a records retention program?
A. Classify records based on sensitivity
B. Identify and inventory all records storage locations
C. Identify and inventory all records
D. Draft a records retention policy
QUESTION NO: 66
An organization is considering outsourcing applications and data to a Cloud Service Provider (CSP). Which of the following is the MOST important concern regarding privacy?
A. The CSP determines data criticality
B. The CSP provides end-to-end encryption services
C. The CSP’s privacy policy may be developed by the organization
D. The CSP may not be subject to the organization’s country legislation
QUESTION NO: 67
Which of the following will help prevent improper session handling?
A. Ensure JavaScript and plugin support is disabled
B. Ensure that certificates are valid and fail closed
C. Ensure that tokens are sufficiently long, complex, and pseudo-random
D. Ensure that all UIWebView calls do not execute without proper input validation
QUESTION NO: 68
Which of the following is the BEST defense against password guessing?
A. Limit external connections to the network
B. Disable the account after a limited number of unsuccessful attempts
C. Force the password to be changed after an invalid password has been entered
D. Require a combination of letters, numbers, and special characters in the password
QUESTION NO: 69
Which of the following is the MOST secure password technique?
A. Passphrase
B. One-time password
C. Cognitive password
D. Ciphertext
QUESTION NO: 70
To prevent inadvertent disclosure of restricted information, which of the following would be the LEAST effective process for eliminating data prior to the media being discarded?
A. Multiple-pass overwriting
B. Degaussing
C. High-level formatting
D. Physical destruction
QUESTION NO: 71
An organization has implemented a new backup process which protects confidential data by encrypting the information stored on backup tapes. Which of the following is a MAJOR data confidentiality concern after the implementation of this new backup process?
A. Tape backup rotation
B. Pre-existing backup tapes
C. Tape backup compression
D. Backup tape storage location
QUESTION NO: 72
Which of the following objects should be removed FIRST prior to uploading code to public code repositories?
A. Security credentials
B. Inefficient algorithms
C. Coding mistakes
D. Known vulnerabilities
QUESTION NO: 73
Which media sanitization methods should be used for data with a high security categorization?
A. Clear or destroy
B. Clear or purge
C. Destroy or delete
D. Purge or destroy
QUESTION NO: 74
How is it possible to extract private keys securely stored on a cryptographic smartcard?
A. Bluebugging
B. Focused ion-beam
C. Bluejacking
D. Power analysis
QUESTION NO: 75
Which inherent password weakness does a One Time Password (OTP) generator overcome?
A. Static passwords are too predictable
B. Static passwords must be changed frequently
C. Static passwords are difficult to generate
D. Static passwords are easily disclosed
QUESTION NO: 76
Digital non-repudiation requires which of the following?
A. A trusted third-party
B. Appropriate corporate policies
C. Symmetric encryption
D. Multifunction access cards
Topic 3, Security Architecture and Engineering
QUESTION NO: 77
Which security service is served by the process of encrypting plaintext with the sender’s private key and decrypting ciphertext with the sender’s public key?
A. Confidentiality
B. Integrity
C. Identification
D. Availability
QUESTION NO: 78
Which of the following mobile code security models relies only on trust?
A. Code signing
B. Class authentication
C. Sandboxing
D. Type safety
QUESTION NO: 79
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
A. Hashing the data before encryption
B. Hashing the data after encryption
C. Compressing the data after encryption
D. Compressing the data before encryption
QUESTION NO: 80
What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
A. Implementation Phase
B. Initialization Phase
C. Cancellation Phase
D. Issued Phase
QUESTION NO: 81
Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified in automated vulnerability assessments?
A. Common Vulnerabilities and Exposures (CVE)
B. Common Vulnerability Scoring System (CVSS)
C. Asset Reporting Format (ARF)
D. Open Vulnerability and Assessment Language (OVAL)
QUESTION NO: 82
Who in the organization is accountable for classification of data information assets?
A. Data owner
B. Data architect
C. Chief Information Security Officer (CISO)
D. Chief Information Officer (CIO)
QUESTION NO: 83
The use of private and public encryption keys is fundamental in the implementation of which of the following?
A. Diffie-Hellman algorithm
B. Secure Sockets Layer (SSL)
C. Advanced Encryption Standard (AES)
D. Message Digest 5 (MD5)
QUESTION NO: 84
Which of the following MUST be in place to recognize a system attack?
A. Stateful firewall
B. Distributed antivirus
C. Log analysis
D. Passive honeypot
QUESTION NO: 85
Which of the following is the GREATEST benefit of implementing a Role Based Access Control (RBAC) system?
A. Integration using Lightweight Directory Access Protocol (LDAP)
B. Form-based user registration process
C. Integration with the organization's Human Resources (HR) system
D. A considerably simpler provisioning process
QUESTION NO: 86
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. identity provisioning
B. access recovery
C. multi-factor authentication (MFA)
D. user access review
QUESTION NO: 87
A minimal implementation of endpoint security includes which of the following?
A. Trusted platforms
B. Host-based firewalls
C. Token-based authentication
D. Wireless Access Points (AP)
QUESTION NO: 88
What is the expected outcome of security awareness in support of a security awareness program?
A. Awareness activities should be used to focus on security concerns and respond to those concerns accordingly
B. Awareness is not an activity or part of the training but rather a state of persistence to support the program
C. Awareness is training. The purpose of awareness presentations is to broaden attention to security.
D. Awareness is not training. The purpose of the awareness presentation is simply to focus attention on security.
QUESTION NO: 89
Which security model is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?
A. Biba
B. Graham-Denning
C. Clark-Wilson
D. Bell-LaPadula
QUESTION NO: 90
Why is planning in Disaster Recovery (DR) an interactive process?
A. It details off-site storage plans
B. It identifies omissions in the plan
C. It defines the objectives of the plan
D. It forms part of the awareness process
QUESTION NO: 91
Mandatory Access Controls (MAC) are based on:
A. security classification and security clearance
B. data segmentation and data classification
C. data labels and user access permissions
D. user roles and data encryption
QUESTION NO: 92
In Disaster Recovery (DR) and Business Continuity (BC) training, which BEST describes a functional drill?
A. a functional evacuation of personnel
B. a specific test by response teams of individual emergency response functions
C. an activation of the backup site
D. a full-scale simulation of an emergency and the subsequent response functions
QUESTION NO: 93
What is the foundation of cryptographic functions?
A. Encryption
B. Cipher
C. Hash
D. Entropy
QUESTION NO: 94
Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?
A. Data tokenization
B. Volume encryption
C. Transparent Data Encryption (TDE)
D. Column level database encryption
QUESTION NO: 95
The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover. Which access control mechanism would be preferred?
A. Attribute Based Access Control (ABAC)
B. Discretionary Access Control (DAC)
C. Mandatory Access Control (MAC)
D. Role-Based Access Control (RBAC)
QUESTION NO: 96
Which of the following management processes allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?
A. Configuration
B. Identity
C. Compliance
D. Patch
QUESTION NO: 97
Which security access policy contains fixed security attributes that are used by the system to determine a user’s access to a file or object?
A. Mandatory Access Control (MAC)
B. Access Control List (ACL)
C. Discretionary Access Control (DAC)
D. Authorized user control
QUESTION NO: 98
Which of the following is a common characteristic of privacy?
A. Provision for maintaining an audit trail of access to the private data
B. Notice to the subject of the existence of a database containing relevant credit card data
C. Process for the subject to inspect and correct personal data on-site
D. Database requirements for integration of privacy data
QUESTION NO: 99
At a MINIMUM, audits of permissions to individual or group accounts should be scheduled
A. annually
B. to correspond with staff promotions
C. to correspond with terminations
D. continually
QUESTION NO: 100
Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment?
A. identification of data location
B. integration with organizational directory services for authentication
C. accommodation of hybrid deployment models
D. tokenization of data
QUESTION NO: 101
Which of the following is part of a Trusted Platform Module (TPM)?
A. A non-volatile tamper-resistant storage for storing both data and signing keys in a secure fashion
B. A protected Pre-Basic Input/Output System (BIOS) which specifies a method or a metric for "measuring" the state of a computing platform
C. A secure processor targeted at managing digital keys and accelerating digital signing
D. A platform-independent software interface for accessing computer functions
QUESTION NO: 102
In a change-controlled environment, which of the following is MOST likely to lead to unauthorized changes to production programs?
A. Modifying source code without approval
B. Promoting programs to production without approval
C. Developers checking out source code without approval
D. Developers using Rapid Application Development (RAD) methodologies without approval
QUESTION NO: 103
Which of the following combinations would MOST negatively affect availability?
A. Denial of Service (DoS) attacks and outdated hardware
B. Unauthorized transactions and outdated hardware
C. Fire and accidental changes to data
D. Unauthorized transactions and denial of service attacks
QUESTION NO: 104
Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework?
A. Achieving Service Level Agreements (SLA) on how quickly patches will be released when a security flaw is found.
B. Maintaining segregation of duties.
C. Standardized configurations for logging, alerting, and security metrics.
D. Availability of security teams at the end of the design process to perform last-minute manual audits and reviews.
QUESTION NO: 105
A security compliance manager of a large enterprise wants to reduce the time it takes to perform network, system, and application security compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?
A. Configuration Management Database (CMDB)
B. Source code repository
C. Configuration Management Plan (CMP)
D. System performance monitoring application
QUESTION NO: 106
Which of the following is a characteristic of an internal audit?
A. An internal audit is typically shorter in duration than an external audit.
B. The internal audit schedule is published to the organization well in advance.
C. The internal auditor reports to the Information Technology (IT) department
D. Management is responsible for reading and acting upon the internal audit results
QUESTION NO: 107
Which of the following is a responsibility of a data steward?
A. Ensure alignment of the data governance effort to the organization.
B. Conduct data governance interviews with the organization.
C. Document data governance requirements.
D. Ensure that data decisions and impacts are communicated to the organization.
QUESTION NO: 108
Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach?
A. End-to-end data encryption for data in transit
B. Continuous monitoring of potential vulnerabilities
C. A strong breach notification process
D. Limited collection of individuals’ confidential data
QUESTION NO: 109
What is the MAIN goal of information security awareness and training?
A. To inform users of the latest malware threats
B. To inform users of information assurance responsibilities
C. To comply with the organization information security policy
D. To prepare students for certification
QUESTION NO: 110
Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?
A. Mandatory Access Control (MAC) procedures
B. Discretionary Access Control (DAC) procedures
C. Segregation of duties
D. Data link encryption
QUESTION NO: 111
Proven application security principles include which of the following?
A. Minimizing attack surface area
B. Hardening the network perimeter
C. Accepting infrastructure security controls
D. Developing independent modules
QUESTION NO: 112
When developing a business case for updating a security program, the security program owner MUST do which of the following?
A. Identify relevant metrics
B. Prepare performance test reports
C. Obtain resources for the security program
D. Interview executive management
QUESTION NO: 113
From a security perspective, which of the following assumptions MUST be made about input to an application?
A. It is tested
B. It is logged
C. It is verified
D. It is untrusted
QUESTION NO: 114
Which of the following is the BEST reason for writing an information security policy?
A. To support information security governance
B. To reduce the number of audit findings
C. To deter attackers
D. To implement effective information security controls
QUESTION NO: 115
What is the PRIMARY goal of fault tolerance?
A. Elimination of single point of failure
B. Isolation using a sandbox
C. Single point of repair
D. Containment to prevent propagation
QUESTION NO: 116
Which of the following is the BEST internationally recognized standard for evaluating security products and systems?
A. Payment Card Industry Data Security Standards (PCI-DSS)
B. Common Criteria (CC)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Sarbanes-Oxley (SOX)
QUESTION NO: 117
Which one of the following data integrity models assumes a lattice of integrity levels?
A. Take-Grant
B. Biba
C. Harrison-Ruzzo
D. Bell-LaPadula
QUESTION NO: 118
Even though a particular digital watermark is difficult to detect, which of the following represents a way it might still be inadvertently removed?
A. Truncating parts of the data
B. Applying Access Control Lists (ACL) to the data
C. Appending non-watermarked data to watermarked data
D. Storing the data in a database
QUESTION NO: 119
Which of the following is the BEST way to mitigate circumvention of access controls?
A. Multi-layer access controls working in isolation
B. Multi-vendor approach to technology implementation
C. Multi-layer firewall architecture with Internet Protocol (IP) filtering enabled
D. Multi-layer access controls with diversification of technologies
QUESTION NO: 120
When are security requirements the LEAST expensive to implement?
A. When identified by external consultants
B. During the application rollout phase
C. During each phase of the project cycle
D. When built into application design