CISSP Topic 1
Q1. Physical assets defined in an organization’s business impact analysis (BIA) could include which of the following?
A. Personal belongings of organizational staff members
B. Disaster recovery (DR) line-item revenues
C. Cloud-based applications
D. Supplies kept off-site at a remote facility
Hint Answer: D
Q2. When assessing the audit capability of an application, which of the following activities is MOST important?
A. Identify procedures to investigate suspicious activity.
B. Determine if audit records contain sufficient information.
C. Verify if sufficient storage is allocated for audit records.
D. Review security plan for actions to be taken in the event of audit failure.
Hint Answer: B
Q3. An organization would like to implement an authorization mechanism that would simplify the assignment of various system access permissions for many users with similar job responsibilities. Which type of authorization mechanism would be the BEST choice for the organization to implement?
A. Role-based access control (RBAC)
B. Discretionary access control (DAC)
C. Content-dependent Access Control
D. Rule-based Access Control
Hint Answer: A
Q4. What is the PRIMARY reason for criminal law being difficult to enforce when dealing with cybercrime?
A. Jurisdiction is hard to define.
B. Law enforcement agencies are understaffed.
C. Extradition treaties are rarely enforced.
D. Numerous language barriers exist.
Hint Answer: A
Q5. Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?
A. Extensible Authentication Protocol (EAP)
B. Internet Protocol Security (IPsec)
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH)
Hint Answer: A
Q6. Which part of an operating system (OS) is responsible for providing security interfaces among the hardware, OS, and other parts of the computing system?
A. Reference monitor
B. Trusted Computing Base (TCB)
C. Time separation
D. Security kernel
Hint Answer: D
Q7. What process facilitates the balance of operational and economic costs of protective measures with gains in mission capability?
A. Performance testing
B. Risk assessment
C. Security audit
D. Risk management
Hint Answer: D
Q8. Clothing retailer employees are provisioned with user accounts that provide access to resources at partner businesses. All partner businesses use common identity and access management (IAM) protocols and differing technologies. Under the Extended Identity principle, what is the process flow between partner businesses to allow this IAM action?
A. Clothing retailer acts as User Self Service, confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.
B. Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.
C. Clothing retailer acts as Service Provider, confirms identity of user using industry standards, then sends credentials to partner businesses that act as an identity provider (IdP) and allows access to resources.
D. Clothing retailer acts as Access Control Provider, confirms access of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to resources.
Hint Answer: B
Q9. Which of the following statements BEST describes the least privilege principle in a cloud environment?
A. A single cloud administrator is configured to access core functions.
B. Internet traffic is inspected for all incoming and outgoing packets.
C. Routing configurations are regularly updated with the latest routes.
D. Network segments remain private if unneeded to access the internet.
Hint Answer: D
Q10. An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?
A. Compression
B. Caching
C. Replication
D. Deduplication
Hint Answer: D
Q11. Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations?
A. Synchronous Optical Networking (SONET)
B. Multiprotocol Label Switching (MPLS)
C. Fibre Channel over Ethernet (FCoE)
D. Session Initiation Protocol (SIP)
Hint Answer: B
Q12. Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?
A. File Integrity Checker
B. Security information and event management (SIEM) system
C. Audit Logs
D. Intrusion detection system (IDS)
Hint Answer: A
Q13. Which of the following is included in change management?
A. Technical review by business owner
B. User Acceptance Testing (UAT) before implementation
C. Cost-benefit analysis (CBA) after implementation
D. Business continuity testing
Hint Answer: B
Q14. A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the vendor when it is no longer needed. The vendor pays more money for functioning drives than equipment that is no longer operational. Which method of data sanitization would provide the most secure means of preventing unauthorized data loss, while also receiving the most money from the vendor?
A. Pinning
B. Single-pass wipe
C. Multi-pass wipes
D. Degaussing
Hint Answer: C
Q15. When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?
A. SOC 1 Type 1
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3
Hint Answer: C
Q16. Which application type is considered high risk and provides a common way for malware and viruses to enter a network?
A. Instant messaging or chat applications
B. Peer-to-Peer (P2P) file sharing applications
C. E-mail applications
D. End-to-end applications
Hint Answer: B
Q17. An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?
A. 0
B. 1
C. 2
D. 3
Hint Answer: B
Q18. Which of the following is the BEST way to protect an organization’s data assets?
A. Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
B. Monitor and enforce adherence to security policies.
C. Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
D. Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.
Hint Answer: B
Q19. Within a large organization, what business unit is BEST positioned to initiate provisioning and deprovisioning of user accounts?
A. Training department
B. Internal audit
C. Human resources
D. Information technology (IT)
Hint Answer: C
Q20. Which of the following is the PRIMARY purpose of installing a mantrap within a facility?
A. Control traffic
B. Control air flow
C. Prevent piggybacking
D. Prevent rapid movement
Hint Answer: C
Q21. In the “Do” phase of the Plan-Do-Check-Act model, which of the following is performed?
A. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review.
B. Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
C. Ensure the business continuity policy, controls, processes, and procedures have been implemented.
D. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established.
Hint Answer: C
Q22. What industry-recognized document could be used as a baseline reference that is related to data security and business operations or conducting a security assessment?
A. Service Organization Control (SOC) 1 Type 2
B. Service Organization Control (SOC) 1 Type 1
C. Service Organization Control (SOC) 2 Type 2
D. Service Organization Control (SOC) 2 Type 1
Hint Answer: D
Q23. A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization?
A. Organization loses control of their network devices.
B. Network is flooded with communication traffic by the attacker.
C. Network management communications are disrupted.
D. Attacker accesses sensitive information regarding the network topology.
Hint Answer: A
Q24. Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users’ internal control over financial reporting?
A. Statement on Auditing Standards (SAS) 70
B. Service Organization Control 1 (SOC1)
C. Service Organization Control 2 (SOC2)
D. Service Organization Control 3 (SOC3)
Hint Answer: B
Q25. Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?
A. Scheduled team review of coding style and techniques for vulnerability patterns
B. The regular use of production code routines from similar applications already in use
C. Using automated programs to test for the latest known vulnerability patterns
D. Ensure code editing tools are updated against known vulnerability patterns
Hint Answer: C
Q26. When resolving ethical conflicts, the information security professional MUST consider many factors. In what order should the considerations be prioritized?
A. Public safety, duties to individuals, duties to the profession, and duties to principals
B. Public safety, duties to principals, duties to the profession, and duties to individuals
C. Public safety, duties to principals, duties to individuals, and duties to the profession
D. Public safety, duties to the profession, duties to principals, and duties to individuals
Hint Answer: C
Q27. Which service management process BEST helps information technology (IT) organizations with reducing cost, mitigating risk, and improving customer service?
A. Kanban
B. Lean Six Sigma
C. Information Technology Service Management (ITSM)
D. Information Technology Infrastructure Library (ITIL)
Hint Answer: D
Q28. A company is attempting to enhance the security of its user authentication processes. After evaluating several options, the company has decided to utilize Identity as a Service (IDaaS). Which of the following factors leads the company to choose an IDaaS as their solution?
A. In-house team lacks resources to support an on-premise solution.
B. Third-party solutions are inherently more secure.
C. Third-party solutions are known for transferring the risk to the vendor.
D. In-house development provides more control.
Hint Answer: A
Q29. An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user’s browser executed a script upon visiting a compromised website. What type of attack MOST likely occurred?
A. SQL injection (SQLi)
B. Extensible Markup Language (XML) external entities
C. Cross-Site Scripting (XSS)
D. Cross-Site Request Forgery (CSRF)
Hint Answer: C
Q30. An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim’s existing browser session with a web application is an example of which of the following types of attack?
A. Clickjacking
B. Cross-site request forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Injection
Hint Answer: B
Q31. Which of the following encryption technologies has the ability to function as a stream cipher?
A. Cipher Block Chaining (CBC) with error propagation
B. Electronic Code Book (ECB)
C. Cipher Feedback (CFB)
D. Feistel cipher
Hint Answer: C
Q32. In a disaster recovery (DR) test, which of the following would be a trait of crisis management?
A. Process
B. Anticipate
C. Strategic
D. Wide focus
Hint Answer: A
Q33. Which of the following BEST describes the purpose of the reference monitor when defining access control to enforce the security model?
A. Strong operational security to keep unit members safe
B. Policies to validate organization rules
C. Cyber hygiene to ensure organizations can keep systems healthy
D. Quality design principles to ensure quality by design
Hint Answer: D
Q34. Which of the following is security control volatility?
A. A reference to the impact of the security control.
B. A reference to the likelihood of change in the security control.
C. A reference to how unpredictable the security control is.
D. A reference to the stability of the security control.
Hint Answer: B
Q35. When auditing the Software Development Life Cycle (SDLC), which of the following is one of the high-level audit phases?
A. Planning
B. Risk assessment
C. Due diligence
D. Requirements
Hint Answer: A
Q36. What is the term used to define where data is geographically stored in the cloud?
A. Data privacy rights
B. Data sovereignty
C. Data warehouse
D. Data subject rights
Hint Answer: B
Q37. Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)?
A. Proper security controls, security objectives, and security goals are properly initiated.
B. Security objectives, security goals, and system test are properly conducted.
C. Proper security controls, security goals, and fault mitigation are properly conducted.
D. Security goals, proper security controls, and validation are properly initiated.
Hint Answer: A
Q38. Which of the following is MOST important to follow when developing information security controls for an organization?
A. Use industry standard best practices for security controls in the organization.
B. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
C. Review all local and international standards and choose the most stringent based on location.
D. Perform a risk assessment and choose a standard that addresses existing gaps.
Hint Answer: B
Q39. When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery?
A. The RPO is the minimum amount of data that needs to be recovered.
B. The RPO is the amount of time it takes to recover an acceptable percentage of data lost.
C. The RPO is a goal to recover a targeted percentage of data lost.
D. The RPO is the maximum amount of time for which loss of data is acceptable.
Hint Answer: D
Q40. Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture?
A. A brute force password attack on the Secure Shell (SSH) port of the controller
B. Sending control messages to open a flow that does not pass a firewall from a compromised host within the network
C. Remote Authentication Dial-In User Service (RADIUS) token replay attack
D. Sniffing the traffic of a compromised host inside the network
Hint Answer: B
Q41. Which of the following is the BEST option to reduce the network attack surface of a system?
A. Disabling unnecessary ports and services
B. Ensuring that there are no group accounts on the system
C. Uninstalling default software on the system
D. Removing unnecessary system user accounts
Hint Answer: A
Q42. The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solution to securely store the private keys?
A. Physically secured storage device
B. Trusted Platform Module (TPM)
C. Encrypted flash drive
D. Public key infrastructure (PKI)
Hint Answer: B
Q43. The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes which security approach?
A. Access control
B. Security information and event management (SIEM)
C. Defense-in-depth
D. Security perimeter
Hint Answer: D
Q44. A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal?
A. Purpose specification
B. Collection limitation
C. Use limitation
D. Individual participation
Hint Answer: D
Q45. A colleague who recently left the organization asked a security professional for a copy of the organization’s confidential incident management policy. Which of the following is the BEST response to this request?
A. Access the policy on a company-issued device and let the former colleague view the screen.
B. E-mail the policy to the colleague as they were already part of the organization and familiar with it.
C. Do not acknowledge receiving the request from the former colleague and ignore them.
D. Submit the request using company official channels to ensure the policy is okay to distribute.
Hint Answer: D
Q46. Which of the following BEST describes when an organization should conduct a black box security audit on a new software project?
A. When the organization wishes to check for non-functional compliance
B. When the organization wants to enumerate known security vulnerabilities across their infrastructure
C. When the organization is confident the final source code is complete
D. When the organization has experienced a security incident
Hint Answer: C
Q47. In software development, which of the following entities normally signs the code to protect the code integrity?
A. The organization developing the code
B. The quality control group
C. The developer
D. The data owner
Hint Answer: C
Q48. Which of the following technologies can be used to monitor and dynamically respond to potential threats on web applications?
A. Field-level tokenization
B. Web application vulnerability scanners
C. Runtime application self-protection (RASP)
D. Security Assertion Markup Language (SAML)
Hint Answer: C
Q49. A security architect is developing an information system for a client. One of the requirements is to deliver a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option used to prevent buffer overflow attacks?
A. Access control mechanisms
B. Process isolation
C. Address Space Layout Randomization (ASLR)
D. Processor states
Hint Answer: C
Q50. In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?
A. Implement bi-annual reviews.
B. Create policies for system access.
C. Implement and review risk-based alerts.
D. Increase logging levels.
Hint Answer: C