CISSP - Domain 8
QUESTION: 336 A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the most probable security feature of Java preventing the program from operating as intended? A. Least privilege B. Privilege escalation C. Defense in depth D. Privilege bracketing
A
QUESTION: 342 Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs? A. Check arguments in function calls B. Test for the security patch level of the environment C. Include logging functions D. Digitally sign each application module
A
QUESTION: 343 An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets. Which of the following best describes what has occurred? A. Denial of Service (DoS) attack B. Address Resolution Protocol (ARP) spoof C. Buffer overflow D. Ping flood attack
A
QUESTION: 344 Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment? A. dig B. ipconfig C. ifconfig D. nbstat
A
QUESTION: 345 In configuration management, what baseline configuration information must be maintained for each computer system? A. Operating system and version, patch level, applications running, and versions. B. List of system changes, test reports, and change approvals C. Last vulnerability assessment report and initial risk assessment report D. Date of last update, test report, and accreditation certificate
CISSP Practice Exam Questions 100% Pass-Guaranteed or Your Money Back!!!
A
QUESTION: 353 An application developer is deciding on the amount of idle session time that the application allows before a timeout. The best reason for determining the session timeout requirement is ___________ A. organization policy. B. industry best practices. C. industry laws and regulations. D. management feedback.
A
QUESTION: 361 What is a characteristic of Secure Socket Layer (SSL) and Transport Layer Security (TLS)? A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP). B. SSL and TLS provide nonrepudiation by default. C. SSL and TLS do not provide security for most routed protocols. D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP).
A
QUESTION: 364 Which of the following best represents the concept of least privilege? A. Access to an object is denied unless access is specifically allowed. B. Access to an object is only available to the owner. C. Access to an object is allowed unless it is protected by the information security policy. D. Access to an object is only allowed to authenticated users via an Access Control List (ACL).
A
QUESTION: 367 Which of the following best describes Recovery Time Objective (RTO)? A. Time of application resumption after disaster B. Time of application verification after disaster. C. Time of data validation after disaster. D. Time of data restoration from backup after disaster.
A
QUESTION: 369 Which of the following is the best method to reduce the effectiveness of phishing attacks? A. User awareness B. Two-factor authentication C. Anti-phishing software D. Periodic vulnerability scan
A
QUESTION: 371 Which of the following is a weakness of Wired Equivalent Privacy (WEP)? A. Length of Initialization Vector (IV) B. Protection against message replay C. Detection of message tampering D. Built-in provision to rotate keys
A
QUESTION: 501 Which of the following is the primary advantage of segmenting Virtual Machines (VM) using physical networks? A. Simplicity of network configuration and network monitoring B. Removes the need for decentralized management solutions C. Removes the need for dedicated virtual security controls D. Simplicity of network configuration and network redundancy
A
QUESTION: 447 What capability would typically be included in a commercially available software package designed for access control? A. Password encryption B. File encryption C. Source library control D. File authentication
A
QUESTION: 506 Change management policies and procedures belong to which of the following types of controls? A. Directive B. Detective C. Corrective D. Preventative
A
QUESTION: 511 In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented first as part of a comprehensive testing framework? A. Source code review B. Acceptance testing C. Threat modeling D. Automated testing
A
QUESTION: 514 Which of the following encryption types is used in Hash Message Authentication Code (HMAC) for key distribution? A. Symmetric B. Asymmetric C. Ephemeral D. Permanent
A
QUESTION: 515 Compared with hardware cryptography, software cryptography is generally: A. less expensive and slower. B. more expensive and faster. C. more expensive and slower. D. less expensive and faster.
A
QUESTION: 516 A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection Regulation (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulatory requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation? A. No, because the encryption solution is internal to the cloud provider. B. Yes, because the cloud provider meets all regulatory requirements. C. Yes, because the cloud provider is GDPR compliant. D. No, because the cloud provider is not certified to host government data.
A
QUESTION: 524 When should the software Quality Assurance (QA) team feel confident that testing is complete? A. When release criteria are met B. When the time allocated for testing the software is met C. When senior management approves the test results D. When the software has zero security vulnerabilities
A
QUESTION: 528 What information will best assist security and financial analysts in determining if a security control is cost effective to mitigate a vulnerability? A. Annualized Loss Expectancy (ALE) and the cost of the control B. Single Loss Expectancy (SLE) and the cost of the control C. Annual Rate of Occurrence (ARO) and the cost of the control D. Exposure Factor (EF) and the cost of the control
A
QUESTION: 530 Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls? A. Selection B. Monitoring C. Implementation D. Assessment
A
QUESTION: 531 How can an attacker exploit a stack overflow to execute arbitrary code? A. Modify a function's return address. B. Move the stack pointer C. Substitute elements in the stack. D. Alter the address of the stack.
A
QUESTION: 534 What is a consideration when determining the potential impact an organization faces in the event of the loss of confidentiality of Personally Identifiable Information (PII)? A. Quantity B. Availability C. Quality D. Criticality
A
QUESTION: 536 A security team member was selected as a member of a Change Control Board (CCB) for an organization. Which of the following is one of their responsibilities? A. Approving or disapproving the change B. Determining the impact of the change C. Carrying out the requested change D. Logging the change
A
QUESTION: 539 A data owner determines the appropriate job-based access for an employee to perform their duties. Which type of access control is this? A. Discretionary Access Control (DAC) B. Non-discretionary access control C. Mandatory Access Control (MAC) D. Role-based access control (RBAC)
A
QUESTION: 547 Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards? A. Common Criteria (CC) B. Evaluation Assurance Level (EAL) C. National Information Assurance Partnership (NIAP) D. International Standards Organization (ISO)
A
QUESTION: 549 Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)? A. How the information is to be maintained B. Why the information is to be collected C. What information is to be destroyed D. Where the information is to be stored
A
QUESTION: 550 An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization's general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas. Which of the following is the most probable attack vector used in the security breach? A. Buffer overflow B. Distributed Denial of Service (DDoS) C. Cross-Site Scripting (XSS) D. Weak password due to lack of complexity rules
A
QUESTION: 552 Which of the following is the first thing to consider when reviewing Information Technology (IT) internal controls? A. The risk culture of the organization B. The impact of the control C. The nature of the risk D. The cost of the control
A
QUESTION: 559 Where would an organization typically place an endpoint security solution? A. Web server and individual devices B. Intrusion Detection System (IDS) and web server C. Central server and individual devices D. Intrusion Detection System (IDS) and central server
A
QUESTION: 378 Which of the following is the most important consideration when developing a Disaster Recovery Plan (DRP)? A. The dynamic reconfiguration of systems B. The cost of downtime C. A recovery strategy for all business processes D. A containment strategy
B
QUESTION: 380 Which of the following restricts the ability of an individual to carry out all the steps of a particular process? A. Job rotation B. Separation of duties C. Least privilege D. Mandatory vacations
B
QUESTION: 388 Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)? A. Tactical, strategic, and financial B. Management, operational, and technical C. Documentation, observation, and manual D. Standards, policies, and procedures
B
QUESTION: 389 Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution? A. VPN bandwidth B. Simultaneous connection to other networks C. Users with Internet Protocol (IP) addressing conflicts D. Remote users with administrative rights
B
QUESTION: 392 Which of the following is the primary reason to perform regular vulnerability scanning of an organization network? A. Provide vulnerability reports to management. B. Validate vulnerability remediation activities. C. Prevent attackers from discovering vulnerabilities. D. Remediate known vulnerabilities.
B
QUESTION: 393 Which of the following would best describe the role directly responsible for data within an organization? A. Data custodian B. Information owner C. Database administrator D. Quality control
B
QUESTION: 401 Reciprocal backup site agreements are considered to be A. a better alternative than the use of warm sites. B. difficult to test for complex systems. C. easy to implement for similar types of organizations. D. easy to test and implement for complex systems.
B
QUESTION: 405 An organization regularly conducts its own penetration tests. Which of the following scenarios must be covered for the test to be effective? A. Third-party vendor with access to the system B. System administrator access compromised C. Internal attacker with access to the system D. Internal user accidentally accessing data
B
QUESTION: 409 What operations role is responsible for protecting the enterprise from corrupt or contaminated media? A. Information security practitioner B. Information librarian C. Computer operator D. Network administrator
B
QUESTION: 410 Which of the following is a characteristic of the initialization vector when using Data Encryption Standard (DES)? A. It must be known to both sender and receiver. B. It can be transmitted in the clear as a random number. C. It must be retained until the last block is transmitted. D. It can be used to encrypt and decrypt information.
B
QUESTION: 415 Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device? A. Transport and Session B. Data-Link and Transport C. Network and Session D. Physical and Data-Link
B
QUESTION: 418 Which of the following information must be provided for user account provisioning? A. Full name B. Unique identifier C. Security question D. Date of birth
B
QUESTION: 419 Which of the following adds end-to-end security inside a Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPSec) connection? A. Temporal Key Integrity Protocol (TKIP) B. Secure Hash Algorithm (SHA) C. Secure Shell (SSH) D. Transport Layer Security (TLS)
B
QUESTION: 423 The application of a security patch to a product previously validated at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would ___________ A. require an update of the Protection Profile (PP). B. require recertification. C. retain its current EAL rating. D. reduce the product to EAL 3.
B
QUESTION: 424 Which of the following media sanitization techniques is most likely to be effective for an organization using public cloud services? A. Low-level formatting B. Secure-grade overwrite erasure C. Cryptographic erasure D. Drive degaussing
B
QUESTION: 425 What type of wireless network attack best describes an Electromagnetic Pulse (EMP) attack? A. Radio Frequency (RF) attack B. Denial of Service (DoS) attack C. Data modification attack D. Application-layer attack
B
QUESTION: 430 Which of the following is considered a secure coding practice? A. Use concurrent access for shared variables and resources B. Use checksums to verify the integrity of libraries C. Use new code for common tasks D. Use dynamic execution functions to pass user supplied data
B
QUESTION: 551 A security engineer is tasked with implementing a new identity solution. The client doesn't want to install or maintain the infrastructure. Which of the following would qualify as the best solution? A. Microsoft Identity Manager (MIM) B. Azure Active Directory (AD) C. Active Directory Federation Services (ADFS) D. Active Directory (AD)
B
QUESTION: 556 Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle? A. Time-based B. Enrollment C. Least privilege D. Access review
B
QUESTION: 558 Which of the following global privacy legislation principles ensures that data handling policies and the name of the data controller are easily accessible to the public? A. Use limitation B. Openness C. Purpose specification D. Individual participation
B
QUESTION: 560 Security categorization of a new system takes place during which phase of the Systems Development Life Cycle (SDLC)? A. System implementation B. System initiation C. System operations and maintenance D. System acquisition and development
B
a password is designed to increase the difficulty of cracking which of the following? A. Specific password B. Password hash function C. Password algorithm D. Maximum password length
B
QUESTION: 546 What is the best approach to annual safety training? A. Base safety training requirements on staff member job descriptions. B. Safety training should address any gaps in a staff member's skill set. C. Ensure that staff members in positions with known safety risks are given proper training. D. Ensure that all staff members are provided with identical safety training.
C
QUESTION: 347 An organization's information security strategic plan must be reviewed A. whenever there are significant changes to a major application. B. quarterly, when the organization's strategic plan is updated. C. whenever there are major changes to the business. D. every three years, when the organization's strategic plan is updated.
C
QUESTION: 349 Which technology is a prerequisite for populating the cloud-based directory in a federated identity solution? A. Notification tool B. Message queuing tool C. Security token tool D. Synchronization tool
C
QUESTION: 350 What is an advantage of Elliptic Curve Cryptography (ECC)? A. Cryptographic approach that does not require a fixed-length key B. Military-strength security that does not depend upon secrecy of the algorithm C. Opportunity to use shorter keys for the same level of security D. Ability to use much longer keys for greater security
C
QUESTION: 354 Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform a ____________ A. clear-text attack. B. known cipher attack. C. frequency analysis. D. stochastic assessment.
C
QUESTION: 356 When evaluating third-party applications, which of the following is the greatest responsibility of Information Security? A. Accept the risk on behalf of the organization. B. Report findings to the business to determine security gaps. C. Quantify the risk to the business for product selection. D. Approve the application that best meets security requirements.
C
QUESTION: 358 The goal of a Business Impact Analysis (BIA) is to determine which of the following? A. Cost effectiveness of business recovery B. Cost effectiveness of installing software security patches C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD) D. Which security measures should be implemented
C
QUESTION: 359 An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a primary security concern? A. Ownership B. Confidentiality C. Availability D. Integrity
C
QUESTION: 360 What does the Maximum Tolerable Downtime (MTD) determine? A. The estimated period of time a business critical database can remain down before customers are affected. B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning C. The estimated period of time a business can remain interrupted beyond which it risks never recovering D. The fixed length of time in a DR process before redundant systems are engaged
C
QUESTION: 362 How does a Host Based Intrusion Detection System (HIDS) identify a potential attack? A. Examines log messages or other indications on the system. B. Monitors alarms sent to the system administrator C. Matches traffic patterns to virus signature files D. Examines the Access Control List (ACL)
C
QUESTION: 363 From a cryptographic perspective, the service of non-repudiation includes which of the following features? A. Validity of digital certificates B. Validity of the authorization rules C. Proof of authenticity of the message D. Proof of integrity of the message
C
QUESTION: 372 When writing security assessment procedures, what is the main purpose of the test outputs and reports? A. To force the software to fail and document the process B. To find areas of compromise in confidentiality and integrity C. To allow for objective pass or fail decisions D. To identify malware or hidden code within the test results
C
QUESTION: 381 Although code using a specific program language may not be susceptible to a buffer overflow attack, __________ A. most calls to plug-in programs are susceptible. B. most supporting application code is susceptible. C. the graphical images used by the application could be susceptible. D. the supporting virtual machine could be susceptible.
C
QUESTION: 383 Which of the following are effective countermeasures against passive network-layer attacks? A. Federated security and authenticated access controls B. Trusted software development and run time integrity controls C. Encryption and security enabled applications D. Enclave boundary protection and computing environment defense
C
QUESTION: 387 Which of the following is the most important goal of information asset valuation? A. Developing a consistent and uniform method of controlling access on information assets B. Developing appropriate access control policies and guidelines C. Assigning a financial value to an organization's information assets D. Determining the appropriate level of protection
C
QUESTION: 394 The restoration priorities of a Disaster Recovery Plan (DRP) are based on which of the following documents? A. Service Level Agreement (SLA) B. Business Continuity Plan (BCP) C. Business Impact Analysis (BIA) D. Crisis management plan
C
QUESTION: 400 Which of the following is needed to securely distribute symmetric cryptographic keys? A. Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates B. Officially approved and compliant key management technology and processes C. An organizationally approved communication protection policy and key management plan D. Hardware tokens that protect the user's private key.
C
QUESTION: 404 At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled? A. Transport Layer B. Data-Link Layer C. Network Layer D. Application Layer
C
QUESTION: 416 Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test? A. Reversal B. Gray box C. Blind D. White box
C
QUESTION: 417 Which of the following countermeasures is the most effective in defending against a social engineering attack? A. Mandating security policy acceptance B. Changing individual behavior C. Evaluating security awareness training D. Filtering malicious e-mail content
C
QUESTION: 422 As a best practice, the Security Assessment Report (SAR) should include which of the following sections? A. Data classification policy B. Software and hardware inventory C. Remediation recommendations D. Names of participants
C
QUESTION: 429 Determining outage costs caused by a disaster can best be measured by the ________ A. cost of redundant systems and backups. B. cost to recover from an outage. C. overall long-term impact of the outage. D. revenue lost during the outage.
C
QUESTION: 432 Who has the primary responsibility to ensure that security objectives are aligned with organization goals? A. Senior management B. Information security department C. Audit committee D. All users
C
QUESTION: 433 Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise, occupied environment? A. Acoustic sensor B. Motion sensor C. Shock sensor D. Photoelectric sensor
C
QUESTION: 435 Which of the following is the most important part of an awareness and training plan to prepare employees for emergency situations? A. Having emergency contacts established for the general employee population to get information B. Conducting business continuity and disaster recovery training for those who have a direct role in the recovery C. Designing business continuity and disaster recovery training programs for different audiences D. Publishing a corporate business continuity and disaster recovery plan on the corporate website
C
QUESTION: 437 Which one of the following considerations has the least impact when considering transmission security? A. Network availability B. Node locations C. Network bandwidth D. Data integrity
C
QUESTION: 446 What is the primary role of a scrum master in agile development? A. To choose the primary development language B. To choose the integrated development environment C. To match the software requirements to the delivery plan D. To project manage the software delivery
C
QUESTION: 452 Attack trees are most useful for which of the following? A. Determining system security scopes B. Generating attack libraries C. Enumerating threats D. Evaluating Denial of Service (DoS) attacks
C
QUESTION: 455 The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity? A. Application authentication B. Input validation C. Digital signing D. Device encryption
C
QUESTION: 460 Which of the following practices provides the development team with a definition of security and identification of threats in designing software? A. Penetration testing B. Stakeholder review C. Threat modeling D. Requirements review
C
QUESTION: 461 What is the highest priority in agile development? A. Selecting appropriate coding language B. Managing costs of product delivery C. Early and continuous delivery of software D. Maximizing the amount of code delivered
C
QUESTION: 463 Which of the following steps should be conducted during the first phase of software assurance in a generic acquisition process? A. Establishing and consenting to the contract work schedule B. Issuing a Request for Proposal (RFP) with a work statement C. Developing software requirements to be included in work statement D. Reviewing and accepting software deliverables
C
QUESTION: 469 What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities? A. Manual inspections and reviews B. Penetration testing C. Threat modeling D. Source code review
C
QUESTION: 477 Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services? A. The acquiring organization B. The service provider C. The risk executive (function) D. The IT manager
C
QUESTION: 479 Which of the following is a process in the access provisioning lifecycle that will most likely identify access aggregation issues? A. Test B. Assessment C. Review D. Peer review
C
QUESTION: 554 Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with the structure, interpretation and handling of information? A. Presentation Layer B. Session Layer C. Application Layer D. Transport Layer
C
QUESTION: 555 When conveying the results of a security assessment, which of the following is the primary audience? A. Information System Security Officer (ISSO) B. Authorizing Official (AO) C. Information System Security Manager (ISSM) D. Security Control Assessor (SCA)
C
QUESTION: 561 What is the motivation for use of the Online Certificate Status Protocol (OCSP)? A. To return information on multiple certificates B. To control access to Certificate Revocation List (CRL) requests C. To provide timely up-to-date responses to certificate queries D. To issue X.509v3 certificates more quickly
C
QUESTION: 482 Which of the following is mobile device remote fingerprinting? A. Installing an application to retrieve common characteristics of the device B. Storing information about a remote device in a cookie file C. Identifying a device based on common characteristics shared by all devices of a certain type D. Retrieving the serial number of the mobile device
C
QUESTION: 484 Which of the following open source software issues pose the most risk to an application? A. The software is beyond end of life and the vendor is out of business. B. The software is not used or popular in the development community. C. The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated. D. The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.
C
QUESTION: 485 Which of the following is the primary mechanism used to limit the range of objects available to a given subject within different execution domains? A. Process isolation B. Data hiding and abstraction C. Use of discrete layering and Application Programming Interfaces (API) D. Virtual Private Network (VPN)
C
QUESTION: 491 Which of the following is most effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic? A. Packet-filter firewall B. Content-filtering web proxy C. Stateful inspection firewall D. Application-level firewall
C
QUESTION: 493 An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario best validates the functionality of the application? A. Reasonable data testing B. Input validation testing C. Web session testing D. Allowed data bounds and limits testing
C
QUESTION: 497 What principle requires that changes to the plaintext affect many parts of the ciphertext? A. Encapsulation B. Permutation C. Diffusion D. Obfuscation
C
QUESTION: 498 A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process? A. Select and procure supporting technologies. B. Determine a budget and cost analysis for the program. C. Measure effectiveness of the program's stated goals. D. Educate and train key stakeholders.
C
QUESTION: 500 Which of the following best describes how access to a system is granted to federated user accounts? A. With the federation assurance level B. Based on defined criteria by the Relying Party (RP) C. Based on defined criteria by the Identity Provider (IdP) D. With the identity assurance level
C
QUESTION: 509 Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities? A. Definitions for each exposure type B. Vulnerability attack vectors C. Asset values for networks D. Exploit code metrics
C
QUESTION: 519 Which of the following offers the best security functionality for transmitting authentication tokens? A. JavaScript Object Notation (JSON) B. Terminal Access Controller Access Control System (TACACS) C. Security Assertion Markup Language (SAML) D. Remote Authentication Dial-In User Service (RADIUS)
C
QUESTION: 523 Which of the following is the best reason to apply patches manually instead of automated patch management? A. The cost required to install patches will be reduced. B. The time during which systems will remain vulnerable to an exploit will be decreased. C. The target systems reside within isolated networks. D. The ability to cover large geographic areas is increased.
C
QUESTION: 526 Which of the following must a security policy include to be effective within an organization? A. A list of all standards that apply to the policy B. Owner information and date of last revision C. Disciplinary measures for non-compliance D. Strong statements that clearly define the problem
C
QUESTION: 527 What is the most efficient way to verify the integrity of database backups? A. Test restores on a regular basis. B. Restore every file in the system to check its health. C. Use checksum as part of the backup operation to make sure that no corruption has occurred. D. Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database objects.
C
QUESTION: 529 Which of the following are the first two steps to securing employees from threats involving workplace violence and acts of terrorism? A. Physical barriers impeding unauthorized access and security guards at each entrance B. Physical barriers and the ability to identify people as they enter the workplace C. Security guards and metal detectors posted at each entrance D. Metal detectors and the ability to identify people as they enter the workplace
C
QUESTION: 532 What is the main reason for having a developer sign a Non-Disclosure Agreement (NDA)? A. Signing the NDA always gives consent to the developer to access tools and privileged company information to do their work. B. Signing the NDA allows the developer to use their developed coding methods. C. Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others. D. Signing the NDA is legally binding for up to one year of employment.
C
QUESTION: 533 Which of the following provides for the strongest protection of data confidentiality in a Wi-Fi environment? A. Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP) B. Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES) C. Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) D. Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)
C
QUESTION: 535 A security practitioner has just been assigned to address an ongoing Denial of Service (DoS) attack against the company's network, which includes an e-commerce web site. The strategy has to include defenses for any size of attack without rendering the company network unusable. Which of the following should be a primary concern when addressing this issue? A. Deal with end user education and training. B. Pay more for a dedicated path to the Internet. C. Allow legitimate connections while blocking malicious connections. D. Ensure the web sites are properly backed up on a daily basis.
C
QUESTION: 538 A group of organizations follows the same access standards and practices. One manages the verification and due diligence processes for the others. For a user to access a resource from one of the organizations, a check is made to see if that user has been certified. Which Federated Identity Management (FIM) process is this an example of? A. One-time authentication B. Web based access management C. Cross-certification model D. Bridge model
C
QUESTION: 544 Which of the following does Secure Sockets Layer (SSL) encryption protect? A. Data availability B. Data at rest C. Data in transit D. Data integrity
C
QUESTION: 337 Which of the following is the primary risk with using open source software in a commercial software construction? A. Lack of software documentation B. License agreements requiring release of modified code C. Expiration of the license agreement D. Costs associated with support of the software
B (copyleft licences such as the GPL can oblige a commercial product that incorporates modified open source code to publish its own source; support cost is a commercial consideration, not the primary risk)
QUESTION: 553 What is the first action a security professional needs to take while assessing an organization's asset security in order to properly classify and protect access to data? A. Verify the various data classification models implemented for different environments. B. Determine the level of access for the data and systems. C. Verify if confidential data is protected with cryptography. D. Determine how data is accessed in the organization.
D
QUESTION: 521 Why might a network administrator choose distributed virtual switches instead of stand-alone switches for network segmentation? A. To standardize on a single vendor B. To ensure isolation of management traffic C. To maximize data plane efficiency D. To reduce the risk of configuration errors
D
QUESTION: 525 A system administration office desires to implement the following rules: - An administrator that is designated as a skill level 3, with 5 years of experience, is allowed to perform system backups, upgrades, and local administration. - An administrator that is designated as a skill level 5, with 10 years of experience, is permitted to perform all actions related to system administration. Which of the following access control methods must be implemented to achieve this goal? A. Discretionary Access Control (DAC) B. Role Based Access Control (RBAC) C. Mandatory Access Control (MAC) D. Attribute Based Access Control (ABAC)
D
QUESTION: 541 Which of the following is the most relevant risk indicator after a penetration test? A. Lists of hosts vulnerable to remote exploitation attacks B. Details of vulnerabilities and recommended remediation C. Lists of target systems on the network identified and scanned for vulnerabilities D. Details of successful vulnerability exploitations
D
QUESTION: 542 Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process? A. Lowers the amount of access requests after review B. Gives more control into the revocation phase C. Gives more fine-grained access analysis to accesses D. Lowers the number of items to be reviewed
D
QUESTION: 545 Lack of which of the following options could cause a negative effect on an organization's reputation, revenue, and result in legal action, if the organization fails to perform due diligence? A. Threat modeling methodologies B. Service Level Requirement (SLR) C. Service Level Agreement (SLA) D. Third-party risk management
D
QUESTION: 548 What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization's systems? A. SOC 1 Type 1 B. SOC 1 Type 2 C. SOC 2 D. SOC 3
D
QUESTION: 557 Why are mobile devices sometimes difficult to investigate in a forensic examination? A. There are no forensics tools available for examination. B. They may contain cryptographic protection. C. They have password-based security at logon. D. They may have proprietary software installed to protect them.
D
QUESTION: 376 A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the most suitable approach that the administrator should take? A. Administrator should request data owner approval to the user access B. Administrator should request manager approval for the user access C. Administrator should directly grant the access to the non-sensitive files D. Administrator should assess the user access need and either grant or deny the access
A
QUESTION: 384 What is the most important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)? A. Management support B. Consideration of organizational need C. Technology used for delivery D. Target audience
A
QUESTION: 390 Which of the following best describes a chosen plaintext attack? A. The cryptanalyst can generate ciphertext from arbitrary text. B. The cryptanalyst examines the communication being sent back and forth. C. The cryptanalyst can choose the key and algorithm to mount the attack. D. The cryptanalyst is presented with the ciphertext from which the original message is determined.
A
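The attack model in question 390 is easiest to see with an oracle in hand. The following is an added illustration, not part of the original question set: a toy repeating-key XOR cipher, a constructed secret key and a constructed "intercepted" message. The one assumption is the one the question makes, that the attacker can submit plaintext of their choosing and receive the corresponding ciphertext under the same fixed key. Choosing an all-zero plaintext returns the keystream directly, which then decrypts traffic the attacker merely observed.

```python
"""Chosen-plaintext attack against a toy repeating-key XOR cipher.

Added illustration for question 390; the cipher, key and "intercepted"
message are constructed here and are not from the original page. The only
assumption is the one the question makes: the attacker can submit plaintext
of their choosing to an oracle that encrypts under the same fixed key.
"""
from itertools import cycle

SECRET_KEY = b"s3cr3t!"  # constructed; known to the oracle, not to the attacker


def encrypt(plaintext: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Repeating-key XOR: ciphertext[i] = plaintext[i] ^ key[i % len(key)].
    XOR is its own inverse, so the same function decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def encryption_oracle(chosen_plaintext: bytes) -> bytes:
    """The attacker's access: pick the input, get it encrypted under SECRET_KEY."""
    return encrypt(chosen_plaintext)


def recover_keystream(oracle, length: int) -> bytes:
    """Submit `length` zero bytes. Since 0 ^ k == k, the returned ciphertext
    is exactly the keystream the cipher applies to any other message."""
    return oracle(bytes(length))


def recover_key(oracle, key_length: int) -> bytes:
    """For a repeating key, the first key_length keystream bytes are the key itself."""
    return recover_keystream(oracle, key_length)


def chosen_plaintext_attack(oracle, intercepted: bytes) -> bytes:
    """Decrypt a ciphertext the attacker only observed, using keystream obtained
    from ciphertext the attacker chose."""
    keystream = recover_keystream(oracle, len(intercepted))
    return bytes(c ^ k for c, k in zip(intercepted, keystream))


# Constructed traffic: a message the attacker captured but did not choose.
INTERCEPTED = encrypt(b"transfer 5000 to account 42")

if __name__ == "__main__":
    print(chosen_plaintext_attack(encryption_oracle, INTERCEPTED).decode())
```

The same idea scales to real ciphers: any mode that reuses a keystream (a stream cipher or CTR mode with a repeated nonce) falls to exactly this query, which is why chosen-plaintext security is the baseline requirement for modern encryption schemes.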
QUESTION: 396 A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized? A. Confidentiality B. Integrity C. Availability D. Accessibility
A
QUESTION: 397 A vulnerability in which of the following components would be most difficult to detect? A. Kernel B. Shared libraries C. Hardware D. System application
A
QUESTION: 398 During which of the following processes is least privilege implemented for a user account? A. Provision B. Approve C. Request D. Review
A
QUESTION: 406 A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following control categories does this company need to improve when analyzing its processes individually? A. Asset Management, Business Environment, Governance and Risk Assessment B. Access Control, Awareness and Training, Data Security and Maintenance C. Anomalies and Events, Security Continuous Monitoring and Detection Processes D. Recovery Planning, Improvements and Communications
A
QUESTION: 407 What is the difference between media marking and media labeling? A. Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures. B. Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures. C. Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy. D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.
A
QUESTION: 408 What balance must be considered when web application developers determine how informative application error messages should be constructed? A. Risk versus benefit B. Availability versus auditability C. Confidentiality versus integrity D. Performance versus user satisfaction
A
QUESTION: 412 In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the main purpose of the DMZ? A. Reduced risk to internal systems. B. Prepare the server for potential attacks. C. Mitigate the risk associated with the exposed server. D. Bypass the need for a firewall.
A
QUESTION: 413 Network-based logging has which advantage over host-based logging when reviewing malicious activity about a victim machine? A. Addresses and protocols of network-based logs are analyzed. B. Host-based system logging has files stored in multiple locations. C. Properly handled network-based logs may be more reliable and valid. D. Network-based systems cannot capture users logging into the console.
A
QUESTION: 420 A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance? A. Enterprise asset management framework B. Asset baseline using commercial off the shelf software C. Asset ownership database using domain login records D. A script to report active user logins on assets
A
QUESTION: 427 Which of the following is a remote access protocol that uses a static authentication? A. Point-to-Point Tunneling Protocol (PPTP) B. Routing Information Protocol (RIP) C. Password Authentication Protocol (PAP) D. Challenge Handshake Authentication Protocol (CHAP)
C (PAP sends a fixed, reusable password in the clear; CHAP uses a per-session challenge-response, and PPTP is a tunnelling protocol that delegates authentication to PAP, CHAP or MS-CHAP)
QUESTION: 428 Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive controls or detected by monitoring? A. Logging and audit trail controls to enable forensic analysis B. Security incident response lessons learned procedures C. Security event alert triage done by analysts using a Security Information and Event Management (SIEM) system D. Transactional controls focused on fraud prevention
A
QUESTION: 436 What is the process of removing sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique? A. Purging B. Encryption C. Destruction D. Clearing
A
QUESTION: 443 Which of the following are important criteria when designing procedures and acceptance criteria for acquired software? A. Code quality, security, and origin B. Architecture, hardware, and firmware C. Data quality, provenance, and scaling D. Distributed, agile, and bench testing
A
QUESTION: 444 Which of the following steps should be performed first when purchasing Commercial Off-The- Shelf (COTS) software? A. undergo a security assessment as part of authorization process B. establish a risk management strategy C. harden the hosting server, and perform hosting and application vulnerability scans D. establish policies and procedures on system and services acquisition
A
QUESTION: 448 An organization plans on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement to address potential long-term risks associated with creating this dependency? A. A source code escrow clause B. Right to request an independent review of the software source code C. Due diligence form requesting statements of compliance with security requirements D. Access to the technical documentation
A
QUESTION: 453 Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections? A. Automated dynamic analysis B. Automated static analysis C. Manual code review D. Fuzzing
A
QUESTION: 454 Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint? A. Ensures that a trace for all deliverables is maintained and auditable B. Enforces backward compatibility between releases C. Ensures that there is no loss of functionality between releases D. Allows for future enhancements to existing features
A
QUESTION: 457 Which of the following is the best technique to facilitate secure software development? A. Adhere to secure coding practices for the software application under development B. Conduct penetration testing for the software application under development C. Develop a threat modeling review for the software application under development D. Perform a code review process for the software application under development
A
QUESTION: 458 What is the purpose of code signing? A. The signer verifies that the software being loaded is the software originated by the signer B. The vendor certifies the software being loaded is free of malicious code and that it was originated by the signer C. The signer verifies that the software being loaded is free of malicious code D. Both vendor and the signer certify the software being loaded is free of malicious code and it was originated by the signer
A
QUESTION: 464 What is the final step in the waterfall method for contingency planning? A. Maintenance B. Testing C. Implementation D. Training
A
QUESTION: 465 As users switch roles within an organization, their accounts are given additional permissions to perform the duties of their new position. After a recent audit, it was discovered that many of these accounts maintained their old permissions as well. The obsolete permissions identified by the audit have been remediated and accounts have only the appropriate permissions to complete their jobs. Which of the following is the best way to prevent access privilege creep? A. Implementing an Identity and Access Management (IAM) solution B. Time-based review and certification C. Internal audit D. Trigger-based review and certification
A
QUESTION: 470 Which of the following is the most important activity an organization performs to ensure that security is part of the overall organization culture? A. Perform formal reviews of security incidents. B. Work with senior management to meet business goals. C. Ensure security policies are issued to all employees. D. Manage a program of security audits.
A
QUESTION: 471 Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security? A. Peer authentication B. Payload data encryption C. Session encryption D. Hashing digest
A
QUESTION: 474 What determines the level of security of a combination lock? A. Complexity of combination required to open the lock B. Amount of time it takes to brute force the combination C. The number of barrels associated with the internal mechanism D. The hardness score of the metal lock material
A
QUESTION: 475 A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the most likely reason for doing so? A. It verifies the integrity of the file. B. It checks the file for malware. C. It ensures the entire file downloaded. D. It encrypts the entire file.
A
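Questions 475 and 527 make the same point from two directions: a digest computed at one moment and checked at another detects corruption or tampering, whether the object is a downloaded file or a backup set. The block below is an added example and not part of the original page. It uses SHA-3 (SHA3-256) from the standard library, builds a per-file digest manifest as part of a backup, re-verifies it after one file has been silently altered, and also checks a download against a publisher's digest. The backup files, their contents and the corruption are constructed inside the example; the manifest is kept in memory here, whereas a real backup job would write it out alongside the data.

```python
"""Integrity checking with SHA-3: file downloads (Q475) and backup sets (Q527).

Added example, not from the original page. Sample files and the "corruption"
are constructed in a temporary directory so the block runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into memory


def sha3_hex(data: bytes) -> str:
    """SHA3-256 of an in-memory byte string."""
    return hashlib.sha3_256(data).hexdigest()


def sha3_file(path: Path) -> str:
    """SHA3-256 of a file, streamed."""
    h = hashlib.sha3_256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Q475: compare the digest of a downloaded file with the value the publisher
    listed out of band. compare_digest is constant-time; cheap and idiomatic."""
    return hmac.compare_digest(sha3_hex(data), published_hex.lower())


def build_manifest(backup_dir: Path) -> dict:
    """Q527: record a digest for every file as part of the backup operation."""
    return {p.relative_to(backup_dir).as_posix(): sha3_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_manifest(backup_dir: Path, manifest: dict) -> list:
    """Return the names of files that are missing or whose digest no longer matches."""
    bad = []
    for name, expected in manifest.items():
        p = backup_dir / name
        if not p.is_file() or not hmac.compare_digest(sha3_file(p), expected):
            bad.append(name)
    return bad


def run_demo() -> tuple:
    """Constructed backup set: two files, one altered after the manifest was taken.
    Returns (mismatches before corruption, mismatches after corruption)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1,'alice');\n")
        (root / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (7,1,99.50);\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate bit rot or tampering on one file after the backup completed.
        (root / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (7,1,0.00);\n")
        return clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    print("mismatches before / after corruption:", run_demo())
```

A digest only proves the bytes are unchanged since the digest was taken; it says nothing about whether the original was malicious, which is why question 475's option B is wrong, and it only detects corruption rather than proving the backup can be restored, which is why periodic test restores still belong in the backup procedure.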
QUESTION: 478 Which of the following is the best definition of Cross-Site Request Forgery (CSRF)? A. An attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated B. An attack that injects a script into a web page to execute a privileged command C. An attack that makes an illegal request across security zones and thereby forges itself into the security database of the system D. An attack that forges a false Structured Query Language (SQL) command across systems
A
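The definition in question 478 hinges on one browser behaviour: cookies are attached to a request regardless of which site caused it. The following added example, not from the original page, models that with plain dictionaries standing in for a web framework's session store and request object (all constructed for the illustration). A handler that trusts the session cookie alone accepts a forged cross-site POST; the same handler requiring a per-session synchronizer token rejects it, because the attacker's page can make the victim's browser send the cookie but cannot read the token out of the legitimate form.

```python
"""Cross-Site Request Forgery and the synchronizer-token defence.

Added example for question 478; not from the original page. The session
store, request dictionaries and handlers are constructed stand-ins for a
web framework, so the mechanism is visible without running a server.
"""
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}; constructed in-memory store


def login(user: str) -> str:
    """Create a session and a per-session CSRF token; returns the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Value the legitimate same-origin page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf"]


def _session(request: dict):
    return SESSIONS.get(request.get("cookies", {}).get("sid"))


def transfer_vulnerable(request: dict) -> tuple:
    """Authenticates by cookie alone. Any site that makes the victim's browser
    submit this POST succeeds: the browser adds the cookie, the server accepts."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


def transfer_hardened(request: dict) -> tuple:
    """Same action, but the request must also carry the session's CSRF token,
    which a cross-origin page cannot read. compare_digest avoids timing leaks."""
    sess = _session(request)
    if sess is None:
        return 401, "not logged in"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "CSRF token missing or invalid"
    form = request["form"]
    return 200, f"{sess['user']} sent {form['amount']} to {form['to']}"


def forged_request(sid: str) -> dict:
    """What arrives when an attacker-controlled page auto-submits a form: the
    victim's cookie rides along, but the attacker never learned the token."""
    return {"cookies": {"sid": sid}, "form": {"to": "attacker", "amount": "1000"}}


def legit_request(sid: str) -> dict:
    """Submission from the real page, which rendered the token into the form."""
    return {"cookies": {"sid": sid},
            "form": {"to": "bob", "amount": "25", "csrf_token": csrf_token_for(sid)}}


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable handler, forged request:", transfer_vulnerable(forged_request(sid)))
    print("hardened handler, forged request:  ", transfer_hardened(forged_request(sid)))
    print("hardened handler, legitimate:      ", transfer_hardened(legit_request(sid)))
```

In production the token check is complemented by SameSite cookie attributes and an Origin or Sec-Fetch-Site header check, but the token is the control that works in every browser and is what frameworks generate for you; the failure mode to avoid is a state-changing endpoint reachable by GET or by a POST that only inspects the cookie.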
QUESTION: 486 Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized? A. Information Owner (IO) B. System Administrator C. Business Continuity (BC) Manager D. Chief Information Officer (CIO)
A
QUESTION: 488 Which of the following needs to be taken into account when assessing vulnerability? A. Risk identification and validation B. Threat mapping C. Risk acceptance criteria D. Safeguard selection
A
QUESTION: 489 For the purpose of classification, which of the following is used to divide trust domain and trust boundaries? A. Network architecture B. Integrity C. Identity Management (IdM) D. Confidentiality management
A
QUESTION: 492 An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of? A. Reasonable data B. Population of required fields C. Allowed number of characters D. Session testing
A
QUESTION: 494 Which of the following techniques best prevents buffer overflows? A. Boundary and perimeter offset B. Character set encoding C. Code auditing D. Variant type and bit length
A
QUESTION: 499 Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process? A. Build and test B. Implement security controls C. Categorize Information System (IS) D. Select security controls
A
QUESTION: 385 DRAG DROP Match the name of access control model with its associated restriction. (Drag each access control model to its appropriate restriction access on the right.)
Answer:
QUESTION: 411 DRAG DROP Match the access control type to the example of the control type. (Drag each access control type next to its corresponding example.)
Answer:
QUESTION: 426 DRAG DROP Match the types of e-authentication tokens to their description. (Drag each e-authentication token on the left to its corresponding description on the right.)
Answer:
QUESTION: 439 DRAG DROP Drag the following Security Engineering terms on the left to the best definition on the right.
Answer:
QUESTION: 522 DRAG DROP Match the following generic software testing methods with their major focus and objective. Drag each testing method next to its corresponding set of testing objectives.
Answer:
QUESTION: 340 The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)? A. System acquisition and development B. System operations and maintenance C. System initiation D. System implementation
B
QUESTION: 351 Backup information that is critical to the organization is identified through a A. Vulnerability Assessment (VA). B. Business Continuity Plan (BCP). C. Business Impact Analysis (BIA). D. data recovery analysis.
C (the BIA is the analysis that identifies critical business functions and the data and systems they depend on; the BCP is built on those findings rather than producing them)
QUESTION: 352 When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the GRE header inserted? A. Into the options field B. Between the delivery header and payload C. Between the source and destination addresses D. Into the destination address
B
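The layout behind the answer to question 352 is delivery header, then GRE header, then payload. The following added example, not part of the original page, builds that structure byte by byte from the RFC 2784 field definitions and parses it back to show where the GRE header lands. The outer and inner IPv4 headers are the minimal 20-byte form with no options, the addresses and the 8-byte dummy payload are constructed for the illustration, and everything is assembled with struct rather than raw sockets, so it runs without privileges.

```python
"""Where the GRE header sits when tunnelling over IPv4 (RFC 2784).

Added example for question 352, not from the original page. It builds an
outer IPv4 "delivery" header, a basic 4-byte GRE header and a constructed
inner IPv4 packet as payload, then parses the result back.
"""
import struct

GRE_IP_PROTOCOL = 47      # IPv4 Protocol field value meaning "GRE"
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an encapsulated IPv4 packet
IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, length, ID, flags/frag, TTL, proto, csum, src, dst


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (IHL = 5, no options) with a valid header checksum."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, protocol, 0, _ip(src), _ip(dst)]
    fields[7] = _checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """Basic GRE header: 16 bits of flags/version (all zero here: no checksum, key
    or sequence number present) followed by the 16-bit Protocol Type of the payload."""
    return struct.pack("!HH", 0, protocol_type)


def gre_encapsulate(delivery_src: str, delivery_dst: str, inner_packet: bytes) -> bytes:
    """Delivery header | GRE header | payload: the order the question asks about."""
    gre = gre_header()
    outer = ipv4_header(delivery_src, delivery_dst, GRE_IP_PROTOCOL, len(gre) + len(inner_packet))
    return outer + gre + inner_packet


def gre_decapsulate(packet: bytes) -> tuple:
    """Walk the packet and return (gre_offset, protocol_type, payload).
    The GRE header starts right after the delivery header, i.e. at IHL * 4 bytes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("delivery header does not carry GRE (protocol %d)" % packet[9])
    flags_ver, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags_ver & 0x8000:   # C bit: checksum and reserved1 words present (RFC 2784)
        gre_len += 4
    if flags_ver & 0x2000:   # K bit: key present (RFC 2890)
        gre_len += 4
    if flags_ver & 0x1000:   # S bit: sequence number present (RFC 2890)
        gre_len += 4
    return ihl, protocol_type, packet[ihl + gre_len:]


# Constructed inner packet: an IPv4 header (protocol 1 = ICMP) over 8 bytes of dummy data.
INNER_PACKET = ipv4_header("10.0.0.1", "10.0.1.1", 1, 8) + b"pingdata"
TUNNELLED = gre_encapsulate("192.0.2.1", "198.51.100.1", INNER_PACKET)

if __name__ == "__main__":
    offset, ptype, payload = gre_decapsulate(TUNNELLED)
    print("GRE header at byte offset %d, protocol type 0x%04x, payload %d bytes"
          % (offset, ptype, len(payload)))
```

The security-relevant consequence of this layout is that a filter inspecting only the delivery header sees protocol 47 and the tunnel endpoints, not the inner addresses or ports; GRE provides no confidentiality or integrity of its own, which is why it is normally carried inside IPsec when it crosses an untrusted network.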
QUESTION: 365 Which of the following is an advantage of on-premise Credential Management Systems? A. Lower infrastructure capital costs B. Control over system configuration C. Reduced administrative overhead D. Improved credential interoperability
B
QUESTION: 368 Which of the following is the primary benefit of a formalized information classification program? A. It minimizes system logging requirements. B. It supports risk assessment. C. It reduces asset vulnerabilities. D. It drives audit processes.
B
QUESTION: 370 The primary purpose of accreditation is to: A. comply with applicable laws and regulations. B. allow senior management to make an informed decision regarding whether to accept the risk of operating the system. C. protect an organization's sensitive data. D. verify that all security controls have been implemented properly and are operating in the correct manner.
B
QUESTION: 374 Which of the following is best suited for exchanging authentication and authorization messages in a multi-party decentralized environment? A. Lightweight Directory Access Protocol (LDAP) B. Security Assertion Markup Language (SAML) C. Internet Message Access Protocol (IMAP) D. Transport Layer Security (TLS)
B
QUESTION: 375 Which of the following is most important when deploying digital certificates? A. Validate compliance with X.509 digital certificate standards B. Establish a certificate life cycle management framework C. Use a third-party Certificate Authority (CA) D. Use no less than 256-bit strength encryption when creating a certificate
B
QUESTION: 377 How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted? A. Use an impact-based approach. B. Use a risk-based approach. C. Use a criticality-based approach. D. Use a threat-based approach.
B
QUESTION: 434 Which of the following is the most effective practice in managing user accounts when an employee is terminated? A. Implement processes for automated removal of access for terminated employees. B. Delete employee network and system IDs upon termination. C. Manually remove terminated employee user-access to all systems and applications. D. Disable terminated employee network ID to remove all access.
B
QUESTION: 449 When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified? A. Implementation B. Initiation C. Review D. Development
B
QUESTION: 450 Which of the following is the most important security goal when performing application interface testing? A. Confirm that all platforms are supported and function properly B. Evaluate whether systems or components pass data and control correctly to one another C. Verify compatibility of software, hardware, and network connections D. Examine error conditions related to external interfaces to prevent application details leakage
B
QUESTION: 451 Which of the following is the most common method of memory protection? A. Compartmentalization B. Segmentation C. Error correction D. Virtual Local Area Network (VLAN) tagging
B
QUESTION: 467 Continuity of operations is best supported by which of the following? A. Confidentiality, availability, and reliability B. Connectivity, reliability, and redundancy C. Connectivity, reliability, and recovery D. Confidentiality, integrity, and availability
B
QUESTION: 468 Which of the following is true of Service Organization Control (SOC) reports? A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization's controls B. SOC 2 Type 2 reports include information of interest to the service organization's management C. SOC 2 Type 2 reports assess internal controls for financial reporting D. SOC 3 Type 2 reports assess internal controls for financial reporting
B
QUESTION: 472 What is the most common component of a vulnerability management framework? A. Risk analysis B. Patch management C. Threat analysis D. Backup management
B
QUESTION: 473 A new Chief Information Officer (CIO) created a group to write a data retention policy based on applicable laws. Which of the following is the primary motivation for the policy? A. To back up data that is used on a daily basis B. To dispose of data in order to limit liability C. To reduce costs by reducing the amount of retained data D. To classify data according to what it contains
B
QUESTION: 476 An organization that has achieved a Capability Maturity Model Integration (CMMI) level of 4 has done which of the following? A. Achieved optimized process performance B. Achieved predictable process performance C. Addressed the causes of common process variance D. Addressed continuous innovative process improvement
B
QUESTION: 480 Which of the following is the primary reason a sniffer operating on a network is collecting packets only from its own host? A. An Intrusion Detection System (IDS) has dropped the packets. B. The network is connected using switches. C. The network is connected using hubs. D. The network's firewall does not allow sniffing.
B
QUESTION: 481 Which of the following is the final phase of the identity and access provisioning lifecycle? A. Recertification B. Revocation C. Removal D. Validation
B
QUESTION: 503 Which of the following processes has the primary purpose of identifying outdated software versions, missing patches, and lapsed system updates? A. Penetration testing B. Vulnerability management C. Software Development Life Cycle (SDLC) D. Life cycle management
B
QUESTION: 504 A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments best fits their need? A. Cloud Virtual Machines (VM) B. Cloud application container within a Virtual Machine (VM) C. On premises Virtual Machine (VM) D. Self-hosted Virtual Machine (VM)
B
QUESTION: 508 Why is planning the most critical phase of a Role Based Access Control (RBAC) implementation? A. The criteria for measuring risk are defined. B. User populations to be assigned to each role are determined. C. Role mining to define common access patterns is performed. D. The foundational criteria are defined.
B
QUESTION: 512 Physical assets defined in an organization's Business Impact Analysis (BIA) could include which of the following? A. Personal belongings of organizational staff members B. Supplies kept off-site at a remote facility C. Cloud-based applications D. Disaster Recovery (DR) line-item revenues
B
QUESTION: 513 What is the best way for mutual authentication of devices belonging to the same organization? A. Token B. Certificates C. User ID and passwords D. Biometric
B
QUESTION: 517 An employee receives a promotion that entitles them to access higher-level functions on the company's accounting system, as well as keeping their access to the previous system that is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege? A. Access provisioning B. Segregation of Duties (SoD) C. Access certification D. Access aggregation
B
QUESTION: 537 Which action is most effective for controlling risk and minimizing maintenance costs in the software supply chain? A. Selecting redundant suppliers B. Selecting suppliers based on business requirements C. Selecting fewer, more reliable suppliers D. Selecting software suppliers with the fewest known vulnerabilities
B
QUESTION: 543 Which of the following is the best type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device? A. Lightweight Directory Access Protocol (LDAP) B. Public-key cryptography C. Remote Authentication Dial-In User Service (RADIUS) D. Private-key cryptography
B
QUESTION: 520 What is the main purpose for writing planned procedures in the design of Business Continuity Plans (BCP)? A. Establish lines of responsibility. B. Minimize the risk of failure. C. Accelerate the recovery process. D. Eliminate unnecessary decision making.
D
QUESTION: 338 When in the Software Development Life Cycle (SDLC) must software security functional requirements be defined? A. After the system preliminary design has been developed and the data security categorization has been performed B. After the vulnerability analysis has been performed and before the system detailed design begins C. After the system preliminary design has been developed and before the data security categorization begins D. After the business functional analysis and the data security categorization have been performed
D
QUESTION: 339 Which of the following is the best method to prevent malware from being introduced into a production environment? A. Purchase software from a limited list of retailers B. Verify the hash key or certificate key of all updates C. Do not permit programs, patches, or updates from the Internet D. Test all new software in a segregated environment
D
QUESTION: 341 What is the best approach to addressing security issues in legacy web applications? A. Debug the security issues B. Migrate to newer, supported applications where possible C. Conduct a security assessment D. Protect the legacy application with a web application firewall
D
QUESTION: 346 Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage? A. Transference B. Covert channel C. Bleeding D. Cross-talk
D
QUESTION: 348 When building a data classification scheme, which of the following is the primary concern? A. Purpose B. Cost effectiveness C. Availability D. Authenticity
D
QUESTION: 355 During the Security Assessment and Authorization process, what is the primary purpose for conducting a hardware and software inventory? A. Calculate the value of assets being accredited. B. Create a list to include in the Security Assessment and Authorization package. C. Identify obsolete hardware and software. D. Define the boundaries of the information system.
D
QUESTION: 357 An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the best action to take? A. Revoke access temporarily. B. Block user access and delete user account after six months. C. Block access to the offices immediately. D. Monitor account usage temporarily.
D
QUESTION: 366 Which of the following approaches is the most effective way to dispose of data on multiple hard drives? A. Delete every file on each drive. B. Destroy the partition table for each drive using the command line. C. Degauss each drive individually. D. Perform multiple passes on each drive using approved formatting methods.
D
QUESTION: 373 Which of the following is the main reason for using configuration management? A. To provide centralized administration B. To reduce the number of changes C. To reduce errors during upgrades D. To provide consistency in security controls
D
QUESTION: 379 A proxy firewall operates at what layer of the Open System Interconnection (OSI) model? A. Transport B. Data link C. Network D. Application
D
QUESTION: 382 What is the best way to encrypt web application communications? A. Secure Hash Algorithm 1 (SHA-1) B. Secure Sockets Layer (SSL) C. Cipher Block Chaining Message Authentication Code (CBC-MAC) D. Transport Layer Security (TLS)
D
QUESTION: 386 A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the best course of action? A. Ignore the request and do not perform the change. B. Perform the change as requested, and rely on the next audit to detect and report the situation. C. Perform the change, but create a change ticket regardless to ensure there is complete traceability. D. Inform the audit committee or internal audit directly using the corporate whistleblower process.
D
QUESTION: 391 For network based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies? A. Alert data B. User data C. Content data D. Statistical data
D
QUESTION: 395 The primary outcome of a certification process is that it provides documented A. interconnected systems and their implemented security controls. B. standards for security assessment, testing, and process evaluation. C. system weakness for remediation. D. security analyses needed to make a risk-based decision.
D
QUESTION: 399 Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who seized the item, and a detailed description of the item? A. Property book B. Chain of custody form C. Search warrant return D. Evidence tag
D
QUESTION: 402 In which identity management process is the subject's identity established? A. Trust B. Provisioning C. Authorization D. Enrollment
D
QUESTION: 403 In order to assure authenticity, which of the following are required? A. Confidentiality and authentication B. Confidentiality and integrity C. Authentication and non-repudiation D. Integrity and non-repudiation
D
QUESTION: 414 Which of the following is the primary reason for employing physical security personnel at entry points in facilities where card access is in operation? A. To verify that only employees have access to the facility. B. To identify present hazards requiring remediation. C. To monitor staff movement throughout the facility. D. To provide a safe environment for employees.
D
QUESTION: 421 In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of A. systems integration. B. risk management. C. quality assurance. D. change management.
D
QUESTION: 518 Which of the following is primarily adopted for ensuring the integrity of information is preserved? A. Data at rest protection B. Transport Layer Security (TLS) C. Role Based Access Control (RBAC) D. One-way encryption
D
QUESTION: 431 As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed? A. Use a web scanner to scan for vulnerabilities within the website. B. Perform a code review to ensure that the database references are properly addressed. C. Establish a secure connection to the web server to validate that only the approved ports are open. D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.
D
QUESTION: 438 The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end of which phase? A. System acquisition and development B. System operations and maintenance C. System initiation D. System implementation
D
QUESTION: 440 Which of the following is the best reason for the use of security metrics? A. They ensure that the organization meets its security objectives. B. They provide an appropriate framework for Information Technology (IT) governance. C. They speed up the process of quantitative risk assessment. D. They quantify the effectiveness of security processes.
D
QUESTION: 441 Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution? A. Password requirements are simplified. B. Risk associated with orphan accounts is reduced. C. Segregation of duties is automatically enforced. D. Data confidentiality is increased.
D
QUESTION: 442 Which of the following statements is true regarding state-based analysis as a functional software testing technique? A. It is characterized by the stateless behavior of a process implemented in a function B. Test inputs are obtained from the derived boundaries of the given functional specifications C. An entire partition can be covered by considering only one representative value from that partition D. It is useful for testing communications protocols and graphical user interfaces
D
QUESTION: 445 An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there were a data breach, who is responsible for monetary losses? A. The Data Protection Authority (DPA) B. The Cloud Service Provider (CSP) C. The application developers D. The data owner
D
QUESTION: 456 Why is lexical obfuscation in software development discouraged by many organizations? A. Problems compiling the code B. Problems writing test cases C. Problems maintaining data connections D. Problems recovering systems after disaster
D
QUESTION: 459 Which of the following is used to support the concept of defense in depth during the development phase of a software product? A. Maintenance hooks B. Polyinstantiation C. Known vulnerability list D. Security auditing
D
QUESTION: 462 Which of the following value comparisons most accurately reflects the agile development approach? A. Processes and tools over individuals and interactions B. Contract negotiation over customer collaboration C. Following a plan over responding to change D. Working software over comprehensive documentation
D
QUESTION: 466 Which of the following is the most important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)? A. The likelihood and impact of a vulnerability B. Application interface entry and endpoints C. Countermeasures and mitigations for vulnerabilities D. A data flow diagram for the application and attack surface analysis
D
QUESTION: 483 Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider's customers? A. Security B. Privacy C. Access D. Availability
D
QUESTION: 487 What should be the first action for a security administrator who detects an intrusion on the network based on precursors and other indicators? A. Isolate and contain the intrusion. B. Notify system and application owners. C. Apply patches to the Operating Systems (OS). D. Document and verify the intrusion.
D
QUESTION: 490 Which of the following is the key requirement for test results when implementing forensic procedures? A. The test results must be cost-effective. B. The test result must be authorized. C. The test results must be quantifiable. D. The test results must be reproducible.
D
QUESTION: 495 A security architect is responsible for the protection of a new home banking system. Which of the following solutions can best improve the confidentiality and integrity of this external system? A. Intrusion Prevention System (IPS) B. Denial of Service (DoS) protection solution C. One-time Password (OTP) token D. Web Application Firewall (WAF)
D
QUESTION: 496 A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following best describes the benefits of this approach? A. Reduce application development costs. B. Potential threats are addressed later in the Software Development Life Cycle (SDLC). C. Improve user acceptance of implemented security controls. D. Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).
D
QUESTION: 502 Which of the following would an internal technical security audit best validate? A. Whether managerial controls are in place B. Support for security programs by executive management C. Appropriate third-party system hardening D. Implementation of changes to a system
D
QUESTION: 505 Which of the following processes is used to align security controls with business functions? A. Data mapping B. Standards selection C. Scoping D. Tailoring
D
QUESTION: 507 What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or application is granted? A. Mandatory Access Control (MAC) B. Discretionary Access Control (DAC) C. Role Based Access Control (RBAC) D. Attribute Based Access Control (ABAC)
D
QUESTION: 510 Which of the following Service Organization Control (SOC) report types should an organization request if it requires a report covering security and availability for a particular system over a period of time? A. SOC 1 Type 1 B. SOC 1 Type 2 C. SOC 2 Type 1 D. SOC 2 Type 2
D