CISSP Topic 2
Q51. A corporation does not have a formal data destruction policy. During which phase of a criminal legal proceeding will this have the MOST impact?
A. Sentencing
B. Trial
C. Discovery
D. Arraignment
C
Q52. What is considered the BEST explanation when determining whether to provide remote network access to a third-party security service?
A. Contract negotiation
B. Supplier request
C. Business need
D. Vendor demonstration
C
Q53. The acquisition of personal data being obtained by a lawful and fair means is an example of what principle?
A. Collection Limitation Principle
B. Openness Principle
C. Purpose Specification Principle
D. Data Quality Principle
A
Q54. Which of the following is the MOST appropriate control for asset data labeling procedures?
A. Categorizing the types of media being used
B. Logging data media to provide a physical inventory control
C. Reviewing off-site storage access controls
D. Reviewing audit trails of logging records
A
Q55. What is the BEST approach to anonymizing personally identifiable information (PII) in a test environment?
A. Swapping data
B. Randomizing data
C. Encoding data
D. Encrypting data
B
Q56. Which of the following departments initiates the request, approval, and provisioning business process?
A. Operations
B. Security
C. Human resources (HR)
D. Information technology (IT)
C
Q57. An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?
A. Security controls driven assessment that focuses on controls management
B. Business processes based risk assessment with a focus on business goals
C. Asset driven risk assessment with a focus on the assets
D. Data driven risk assessment with a focus on data
B
Q58. Which technique helps system designers consider potential security concerns of their systems and applications?
A. Threat modeling
B. Manual inspections and reviews
C. Source code review
D. Penetration testing
A
Q59. A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by deploying the application with which of the following controls in place?
A. Network segmentation
B. Blacklisting application
C. Whitelisting application
D. Hardened configuration
D
Q60. Which of the following BEST describes centralized identity management?
A. Service providers perform as both the credential and identity provider (IdP).
B. Service providers identify an entity by behavior analysis versus an identification factor.
C. Service providers agree to integrate identity system recognition across organizational boundaries.
D. Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.
C
Q61. What is the MOST significant benefit of role-based access control (RBAC)?
A. Reduces inappropriate access
B. Management of least privilege
C. Most granular form of access control
D. Reduction in authorization administration overhead
B
Q62. What is the MOST common security risk of a mobile device?
A. Data spoofing
B. Malware infection
C. Insecure communications link
D. Data leakage
D
Q63. What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-performance data reads and writes?
A. RAID-0
B. RAID-1
C. RAID-5
D. RAID-6
A
Q64. What type of risk is related to the sequences of value-adding and managerial activities undertaken in an organization?
A. Control risk
B. Demand risk
C. Supply risk
D. Process risk
D
Q65. International bodies established a regulatory scheme that defines how weapons are exchanged between the signatories. It also addresses cyber weapons, including malicious software, Command and Control (C2) software, and internet surveillance software. This is a description of which of the following?
A. International Traffic in Arms Regulations (ITAR)
B. Palermo convention
C. Wassenaar arrangement
D. General Data Protection Regulation (GDPR)
C
Q66. An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer (CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective?
A. Port security
B. Two-factor authentication (2FA)
C. Strong passwords
D. Application firewall
B
Q67. Which section of the assessment report addresses separate vulnerabilities, weaknesses, and gaps?
A. Findings definition section
B. Risk review section
C. Executive summary with full details
D. Key findings section
B
Q68. Why is data classification control important to an organization?
A. To enable data discovery
B. To ensure security controls align with organizational risk appetite
C. To ensure its integrity, confidentiality and availability
D. To control data retention in alignment with organizational policies and regulation
B
Q69. To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control?
A. Fencing around the facility with closed-circuit television (CCTV) cameras at all entry points
B. Ground sensors installed and reporting to a security event management (SEM) system
C. Regular sweeps of the perimeter, including manual inspection of the cable ingress points
D. Steel casing around the facility ingress points
B
Q70. An enterprise is developing a baseline cybersecurity standard its suppliers must meet before being awarded a contract. Which of the following statements is TRUE about the baseline cybersecurity standard?
A. It should be expressed as general requirements.
B. It should be expressed as technical requirements.
C. It should be expressed in business terminology.
D. It should be expressed in legal terminology.
B
Q71. Which access control method is based on users issuing access requests on system resources, features assigned to those resources, the operational or situational context, and a set of policies specified in terms of those features and context?
A. Mandatory Access Control (MAC)
B. Attribute Based Access Control (ABAC)
C. Role Based Access Control (RBAC)
D. Discretionary Access Control (DAC)
B
Q72. What is a security concern when considering implementing software-defined networking (SDN)?
A. It has a decentralized architecture.
B. It increases the attack footprint.
C. It uses open source protocols.
D. It is cloud based.
B
Q73. What is the BEST way to restrict access to a file system on computing systems?
A. Use least privilege at each level to restrict access.
B. Restrict access to all users.
C. Allow a user group to restrict access.
D. Use a third-party tool to restrict access.
A
Q74. Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?
A. Avoid lengthy audit reports
B. Enable generation of corrective action reports
C. Facilitate a root cause analysis (RCA)
D. Lower costs throughout the System Development Life Cycle (SDLC)
C
Q75. What is the correct order of execution for security architecture?
A. Governance, strategy and program management, operations, project delivery
B. Governance, strategy and program management, project delivery, operations
C. Strategy and program management, project delivery, governance, operations
D. Strategy and program management, governance, project delivery, operations
C
Q76. An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to assess the international code security and data privacy of the solution?
A. Service Organization Control (SOC) 2
B. Information Assurance Technical Framework (IATF)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry (PCI)
A
Q77. An authentication system that uses challenge and response was recently implemented on an organization’s network, because the organization conducted an annual penetration test showing that testers were able to move laterally using authenticated credentials. Which attack method was MOST likely used to achieve this?
A. Hash collision
B. Pass the ticket
C. Brute force
D. Cross-Site Scripting (XSS)
B
Q78. Which of the following would qualify as an exception to the “right to be forgotten” of the General Data Protection Regulation (GDPR)?
A. For the establishment, exercise, or defense of legal claims
B. The personal data has been lawfully processed and collected
C. For the reasons of private interest
D. The personal data remains necessary to the purpose for which it was collected
A
Q79. Dumpster diving is a technique used in which stage of penetration testing methodology?
A. Attack
B. Reporting
C. Planning
D. Discovery
D
Q80. Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?
A. Employee evaluation of the training program
B. Internal assessment of the training program’s effectiveness
C. Multiple choice tests to participants
D. Management control of reviews
B
Q81. The security team is notified that a device on the network is infected with malware. Which of the following is MOST effective in enabling the device to be quickly located and remediated?
A. Data loss protection (DLP)
B. Intrusion detection
C. Vulnerability scanner
D. Information Technology Asset Management (ITAM)
D
Q82. Which of the following threats would be MOST likely mitigated by monitoring assets containing open source libraries for vulnerabilities?
A. Distributed denial-of-service (DDoS) attack
B. Advanced persistent threat (APT) attempt
C. Zero-day attack
D. Phishing attempt
C
Q83. As a design principle, which one of the following actors is responsible for identifying and approving data security requirements in a cloud ecosystem?
A. Cloud auditor
B. Cloud broker
C. Cloud provider
D. Cloud consumer
D
Q84. Which of the following is the MOST effective way to ensure the endpoint devices used by remote users are compliant with an organization’s approved policies before being allowed on the network?
A. Network Access Control (NAC)
B. Privileged Access Management (PAM)
C. Group Policy Object (GPO)
D. Mobile Device Management (MDM)
D
Q85. Which one of the following BEST protects vendor accounts that are used for emergency maintenance?
A. Vendor access should be disabled until needed
B. Frequent monitoring of vendor access
C. Role-based access control (RBAC)
D. Encryption of routing tables
A
Q86. Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with human vulnerability?
A. Crisis
B. Catastrophe
C. Accident
D. Disaster
B
Q87. Which of the following BEST describes the purpose of software forensics?
A. To analyze possible malicious intent of malware
B. To perform cyclic redundancy check (CRC) verification and detect changed applications
C. To determine the author and behavior of the code
D. To review program code to determine the existence of backdoors
C
Q88. A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?
A. Session hijacking
B. Security misconfiguration
C. Broken access control
D. Sensitive data exposure
B
Q89. What is the BEST method to use for assessing the security impact of acquired software?
A. Threat modeling
B. Common vulnerability review
C. Software security compliance validation
D. Vendor assessment
A
Q90. Which of the following ensures old log data is not overwritten?
A. Log retention
B. Implement Syslog
C. Increase log file size
D. Log preservation
A
Q91. Under the General Data Protection Regulation (GDPR), what is the maximum amount of time allowed for reporting a personal data breach?
A. 24 hours
B. 48 hours
C. 72 hours
D. 96 hours
C
Q92. A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?
A. The software has been signed off for release by the product owner.
B. The software had been branded according to corporate standards.
C. The software has the correct functionality.
D. The software has been code reviewed.
D
Q93. An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization’s customer service portal, causing the site to crash. This is an example of which type of testing?
A. Performance
B. Positive
C. Non-functional
D. Negative
D
Q94. Which of the following is the MOST effective strategy to prevent an attacker from disabling a network?
A. Design networks with the ability to adapt, reconfigure, and fail over.
B. Test business continuity and disaster recovery (DR) plans.
C. Follow security guidelines to prevent unauthorized network access.
D. Implement network segmentation to achieve robustness.
A
Q95. What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
A. Policy creation
B. Information Rights Management (IRM)
C. Data classification
D. Configuration management (CM)
C
Q96. Which change management role is responsible for the overall success of the project and supporting the change throughout the organization?
A. Change driver
B. Project manager
C. Program sponsor
D. Change implementer
B
Q97. A company needs to provide shared access to sensitive data on cloud storage for external business partners. Which of the following identity models is the BEST to blind identity providers (IdP) and relying parties (RP) so that subscriber lists of other parties are not disclosed?
A. Proxied federation
B. Dynamic registration
C. Federation authorities
D. Static registration
A
Q98. A security professional needs to find a secure and efficient method of encrypting data on an endpoint. Which solution includes a root key?
A. BitLocker
B. Trusted Platform Module (TPM)
C. Virtual storage array network (VSAN)
D. Hardware security module (HSM)
D
Q99. Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?
A. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric key: Advanced Encryption Standard (AES) > 128 bits; Digital signature: Digital Signature Algorithm (DSA) (>=2048 bits)
B. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric key: Advanced Encryption Standard (AES) > 128 bits; Digital signature: Rivest-Shamir-Adleman (RSA) (1024 bits)
C. Diffie-Hellman (DH) key exchange: DH (<=1024 bits); Symmetric key: Blowfish; Digital signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits)
D. Diffie-Hellman (DH) key exchange: DH (>=2048 bits); Symmetric key: Advanced Encryption Standard (AES) < 128 bits; Digital signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)
A
Q100. What is the PRIMARY purpose of creating and reporting metrics for a security awareness, training, and education program?
A. Measure the effect of the program on the organization’s workforce.
B. Make all stakeholders aware of the program’s progress.
C. Facilitate supervision of periodic training events.
D. Comply with legal regulations and document due diligence in security practices.
A