
CISSP Certified Information Systems Security Professionals Questions + Answers Part 1

Posted: Mon Mar 07, 2022 7:54 am
by answerhappygod
QUESTION 1
All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that
A. determine the risk of a business interruption occurring
B. determine the technological dependence of the business processes
C. Identify the operational impacts of a business interruption
D. Identify the financial impacts of a business interruption
Correct Answer: B
Section: Security and Risk Management
Explanation

Reference: https://www.google.com/url?sa=t&rct=j&q ... EwjbktbTp- LaAhVIr48KHZuhB0UQFggmMAA&url=http%3A%2F%2Fwww.oregon.gov%2Fdas%2FProcurement%2FGuiddoc% 2FBusImpAnalysQs.doc&usg=AOvVaw1wBxcnLP8ceI_yhv2rsI9h
QUESTION 2
Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
A. Examine the device for physical tampering
B. Implement more stringent baseline configurations
C. Purge or re-image the hard disk drive
D. Change access codes
Correct Answer: B
Section: Security and Risk Management
Explanation

QUESTION 3
What is the MOST important consideration from a data security perspective when an organization plans to relocate?
A. Ensure the fire prevention and detection systems are sufficient to protect personnel
B. Review the architectural plans to determine how many emergency exits are present
C. Conduct a gap analysis of the new facilities against existing security requirements
D. Revise the Disaster Recovery and Business Continuity (DR/BC) plan
Correct Answer: C
Section: Security and Risk Management
Explanation

QUESTION 4
Intellectual property rights are PRIMARILY concerned with which of the following?
A. Owner’s ability to realize financial gain
B. Owner’s ability to maintain copyright
C. Right of the owner to enjoy their creation
D. Right of the owner to control delivery method
Correct Answer: A
Section: Security and Risk Management
Explanation

QUESTION 5
A control to protect from a Denial-of-Service (DoS) attack has been determined to stop 50% of attacks, and additionally reduces the impact of an attack by 50%. What is the residual risk?
A. 25%
B. 50%
C. 75%
D. 100%
Correct Answer: A
Section: Security and Risk Management
Explanation

QUESTION 6
What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?
A. Smurfing
B. Man-in-the-Middle (MITM) attack
C. Session redirect
D. Spoofing
Correct Answer: D
Section: Security and Risk Management
Explanation

QUESTION 7
Which of the following entails identification of data and links to business processes, applications, and data stores as well as assignment of ownership responsibilities?
A. Security governance
B. Risk management
C. Security portfolio management
D. Risk assessment
Correct Answer: B
Section: Security and Risk Management
Explanation

QUESTION 8
Which of the following would MINIMIZE the ability of an attacker to exploit a buffer overflow?
A. Memory review
B. Code review
C. Message division
D. Buffer division
Correct Answer: B
Section: Security and Risk Management
Explanation

QUESTION 9
Which of the following is MOST important when assigning ownership of an asset to a department?
A. The department should report to the business owner
B. Ownership of the asset should be periodically reviewed
C. Individual accountability should be ensured
D. All members should be trained on their responsibilities
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 10
Which of the following BEST describes the responsibilities of a data owner?
A. Ensuring quality and validation through periodic audits for ongoing data integrity
B. Maintaining fundamental data availability, including data storage and archiving
C. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security
D. Determining the impact the information has on the mission of the organization
Correct Answer: C
Section: Asset Security
Explanation

Reference: http://resources.infosecinstitute.com/c ... ship/#gref
QUESTION 11
An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests.
Which contract is BEST in offloading the task from the IT staff?
A. Platform as a Service (PaaS)
B. Identity as a Service (IDaaS)
C. Desktop as a Service (DaaS)
D. Software as a Service (SaaS)
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 12
When implementing a data classification program, why is it important to avoid too much granularity?
A. The process will require too many resources
B. It will be difficult to apply to both hardware and software
C. It will be difficult to assign ownership to the data
D. The process will be perceived as having value
Correct Answer: A
Section: Asset Security
Explanation

Reference: http://www.ittoday.info/AIMS/DSM/82-02-55.pdf
QUESTION 13
In a data classification scheme, the data is owned by the
A. system security managers
B. business managers
C. Information Technology (IT) managers
D. end users
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 14
Which factors MUST be considered when classifying information and supporting assets for risk management, legal discovery, and compliance?
A. System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements
B. Data stewardship roles, data handling and storage standards, data lifecycle requirements
C. Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements
D. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements
Correct Answer: A
Section: Asset Security
Explanation

QUESTION 15
When network management is outsourced to third parties, which of the following is the MOST effective method of protecting critical data assets?
A. Log all activities associated with sensitive systems
B. Provide links to security policies
C. Confirm that confidentiality agreements are signed
D. Employ strong access controls
Correct Answer: D
Section: Asset Security
Explanation
QUESTION 16
Which of the following is the MOST appropriate action when reusing media that contains sensitive data?
A. Erase
B. Sanitize
C. Encrypt
D. Degauss
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 17
An organization recently conducted a review of the security of its network applications. One of the vulnerabilities found was that the session key used in encrypting sensitive information to a third party server had been hard-coded in the client and server applications. Which of the following would be MOST effective in mitigating this vulnerability?
A. Diffie-Hellman (DH) algorithm
B. Elliptic Curve Cryptography (ECC) algorithm
C. Digital Signature Algorithm (DSA)
D. Rivest-Shamir-Adleman (RSA) algorithm
Correct Answer: A
Section: Asset Security
Explanation

QUESTION 18
Which of the following methods of suppressing a fire is environmentally friendly and the MOST appropriate for a data center?
A. Inert gas fire suppression system
B. Halon gas fire suppression system
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Correct Answer: A
Section: Asset Security
Explanation

QUESTION 19
Unused space in a disk cluster is important in media analysis because it may contain which of the following?
A. Residual data that has not been overwritten
B. Hidden viruses and Trojan horses
C. Information about the File Allocation Table (FAT)
D. Information about patches and upgrades to the system
Correct Answer: A
Section: Asset Security
Explanation

QUESTION 20
Which of the following is MOST appropriate for protecting confidentiality of data stored on a hard drive?
A. Triple Data Encryption Standard (3DES)
B. Advanced Encryption Standard (AES)
C. Message Digest 5 (MD5)
D. Secure Hash Algorithm 2 (SHA-2)
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 21
Which of the following is the MOST effective method to mitigate Cross-Site Scripting (XSS) attacks?
A. Use Software as a Service (SaaS)
B. Whitelist input validation
C. Require client certificates
D. Validate data output
Correct Answer: B
Section: Asset Security
Explanation

QUESTION 22
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
A. Hashing the data before encryption
B. Hashing the data after encryption
C. Compressing the data after encryption
D. Compressing the data before encryption
Correct Answer: D
Section: Security Architecture and Engineering
Explanation

QUESTION 23
Who in the organization is accountable for classification of data information assets?
A. Data owner
B. Data architect
C. Chief Information Security Officer (CISO)
D. Chief Information Officer (CIO)
Correct Answer: A
Section: Security Architecture and Engineering
Explanation

QUESTION 24
The use of private and public encryption keys is fundamental in the implementation of which of the following?
A. Diffie-Hellman algorithm
B. Secure Sockets Layer (SSL)
C. Advanced Encryption Standard (AES)
D. Message Digest 5 (MD5)
Correct Answer: A
Section: Security Architecture and Engineering
Explanation

QUESTION 25
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. identity provisioning
B. access recovery
C. multi-factor authentication (MFA)
D. user access review
Correct Answer: A
Section: Security Architecture and Engineering
Explanation

QUESTION 26
A minimal implementation of endpoint security includes which of the following?
A. Trusted platforms
B. Host-based firewalls
C. Token-based authentication
D. Wireless Access Points (AP)
Correct Answer: B
Section: Security Architecture and Engineering
Explanation

QUESTION 27
Why is planning in Disaster Recovery (DR) an interactive process?
A. It details off-site storage plans
B. It identifies omissions in the plan
C. It defines the objectives of the plan
D. It forms part of the awareness process
Correct Answer: B
Section: Security Architecture and Engineering
Explanation

QUESTION 28
Mandatory Access Controls (MAC) are based on:
A. security classification and security clearance
B. data segmentation and data classification
C. data labels and user access permissions
D. user roles and data encryption
Correct Answer: A
Section: Security Architecture and Engineering
Explanation