CISSP-ISSEP Exam Questions
220 real CISSP-ISSEP exam questions with expert-verified answers and explanations. Page 4 of 5.
- Question #151Security Planning and Design
DoD 8500.2 establishes IA controls for information systems according to the Mission Assurance Categories (MAC) and confidentiality levels. Which of the following MAC levels require...
DoD 8500.2Mission Assurance CategoriesCIA TriadIA Controls - Question #152Risk Management
There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event?
Risk response strategiesNegative riskRisk managementProject risk management - Question #153Systems Development and Acquisition
You work as a systems engineer for BlueWell Inc. You want to communicate the quantitative and qualitative system characteristics to all stakeholders. Which of the following documen...
Concept of Operations (CONOPS)Systems engineering documentationStakeholder communicationSystem definition - Question #154Security Operations
Which of the following agencies provides command and control capabilities and enterprise infrastructure to continuously operate and assure a global net-centric enterprise in direct...
DoD AgenciesDISAEnterprise InfrastructureCommand and Control - Question #155Governance and Training
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of poli...
Security PoliciesPolicy TypesInformation Security Governance - Question #156Governance and Training
Which of the following acts is used to recognize the importance of information security to the economic and national security interests of the United States?
FISMAInformation Security LawU.S. RegulationsNational Security - Question #157Governance and Training
Under which of the following CNSS policies, NIACAP is mandatory for all the systems that process USG classified information?
CNSS PoliciesNIACAPCertification & AccreditationGovernment Compliance - Question #158Governance and Training
Which of the following terms describes the measures that protect and support information and information systems by ensuring their availability, integrity, authentication, confiden...
Information AssuranceSecurity principlesFoundational conceptsAICANN - Question #159Security Planning and Design
Which of the following is an Information Assurance (IA) model that protects and defends information and information systems by ensuring their availability, integrity, authenticatio...
Information Assurance (IA)Security modelsFive Pillars of IASecurity principles - Question #160Systems Development and Acquisition
You work as an ISSE for BlueWell Inc. You want to break down user roles, processes, and information until ambiguity is reduced to a satisfactory degree. Which of the following tool...
Information ManagementSystem AnalysisProcess ModelingRequirements Engineering - Question #161Risk Management
The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum standard process for the certification and accreditation of computer and telecomm...
NIACAPCertification and AccreditationAccreditation types - Question #162Risk Management
FIPS 199 defines the three levels of potential impact on organizations low, moderate, and high. Which of the following are the effects of loss of confidentiality, integrity, or ava...
FIPS 199Impact AnalysisCIARisk Assessment - Question #163Governance and Training
Which of the following individuals are part of the senior management and are responsible for authorization of individual systems, approving enterprise solutions, establishing secur...
Senior Management RolesAuthorizationSecurity GovernanceRisk Management - Question #164Governance and Training
Which of the following laws is the first to implement penalties for the creator of viruses, worms, and other types of malicious code that causes harm to the computer systems?
Legal frameworksCybercrime lawsComputer Fraud and Abuse ActMalicious code - Question #165Governance and Training
Which of the following DoD policies establishes policies and assigns responsibilities to achieve DoD IA through a defense-in-depth approach that integrates the capabilities of pers...
Information AssuranceDefense-in-depthDoD PolicyGovernance - Question #166Systems Development and Acquisition
Which of the following are the functional analysis and allocation tools? Each correct answer represents a complete solution. Choose all that apply.
Functional AnalysisFunctional AllocationSystems Engineering ToolsSystem Design - Question #167Security Planning and Design
Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted as a Federal Information Processing Standard?
Cryptography typesFIPS standardsNISTGovernment standards - Question #168Systems Development and Acquisition
Which of the following are the benefits of SE as stated by MIL-STD-499B? Each correct answer represents a complete solution. Choose all that apply.
System EngineeringMIL-STD-499BBenefits of SESystem Acquisition - Question #169Governance and Training
Which of the following requires all general support systems and major applications to be fully certified and accredited before these systems and applications are put into productio...
FISMACertification & Accreditation (C&A)Assessment & Authorization (A&A)Information Security Governance - Question #170Systems Development and Acquisition
John works as a security engineer for BlueWell Inc. He wants to identify the different functions that the system will need to perform to meet the documented missionbusiness needs....
Functional requirementsSystem requirementsRequirements engineeringSDLC - Question #171Security Planning and Design
Registration Task 5 identifies the system security requirements. Which of the following elements of Registration Task 5 defines the type of data processed by the system?
Data ClassificationSystem Security RequirementsSecurity PlanningInformation Security Management - Question #172Systems Development and Acquisition
Which of the following security controls will you use for the deployment phase of the SDLC to build secure software? Each correct answer represents a complete solution. Choose all...
SDLC SecurityDeployment ControlsVulnerability TestingCertification & Accreditation - Question #173Governance and Training
Which of the following types of CNSS issuances establishes criteria, and assigns responsibilities?
CNSSSecurity PoliciesInformation Security Governance - Question #174Security Planning and Design
Which of the following types of cryptography defined by FIPS 185 describes a cryptographic algorithm or a tool accepted by the National Security Agency for protecting classified in...
Cryptography typesType I cryptographyNSAClassified information - Question #175Risk Management
Which of the following are the major tasks of risk management? Each correct answer represents a complete solution. Choose two.
Risk Management ProcessRisk IdentificationRisk ControlSecurity Principles - Question #176Risk Management
You are working as a project manager in your organization. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activ...
Risk Monitoring and ControlProject Risk ManagementChange Management - Question #177Risk Management
Continuous Monitoring is the fourth phase of the security certification and accreditation process. What activities are performed in the Continuous Monitoring process? Each correct...
Continuous MonitoringCertification and Accreditation (C&A)Risk Management Framework (RMF)Security Controls - Question #179Governance and Training
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF...
FITSAFSecurity Assessment FrameworksSecurity Controls TestingMaturity Models - Question #180Security Operations
Which of the following is a type of security management for computers and networks in order to identify security breaches?
Intrusion Detection SystemNetwork SecuritySecurity MonitoringBreach Identification - Question #181Security Planning and Design
Which of the following types of firewalls increases the security of data packets by remembering the state of connection at the network and the session layers as they pass through t...
Firewall typesStateful inspectionNetwork securityPacket filtering - Question #182Governance and Training
Which of the following federal laws is designed to protect computer data from theft?
Federal LawsComputer CrimeData TheftCFAA - Question #183Systems Development and Acquisition
Which of the following is used to indicate that the software has met a defined quality level and is ready for mass distribution either by electronic means or by physical media?
Software Development Life Cycle (SDLC)Release ManagementSoftware QualityTerminology - Question #184Systems Development and Acquisition
Part of your change management plan details what should happen in the change control system for your project. Theresa, a junior project manager, asks what the configuration managem...
Configuration ManagementChange ManagementSystems Development Life CycleProject Management - Question #185Risk Management
Which of the following professionals is responsible for starting the Certification & Accreditation (C&A) process?
C&A processRMFroles and responsibilitiesinformation system owner - Question #186Security Planning and Design
Which of the following security controls is a set of layered security services that address communications and data security problems in the emerging Internet and intranet applicat...
Security ArchitectureData SecurityCommunication SecurityInternet Security - Question #187Security Operations
Which of the following protocols is used to establish a secure terminal to a remote network device?
Secure Remote AccessNetwork ProtocolsSSHTerminal Services - Question #188Security Planning and Design
Which of the following elements of Registration task 4 defines the system's external interfaces as well as the purpose of each external interface, and the relationship between the...
System interfacesExternal interfacesSystem registrationSystem documentation - Question #189Security Planning and Design
Which of the following guidelines is recommended for engineering, protecting, managing, processing, and controlling national security and sensitive (although unclassified) informat...
NIST Special PublicationsControlled Unclassified Information (CUI)Federal Information Security GuidelinesSecurity Engineering - Question #190Risk Management
Which of the following individuals is an upper-level manager who has the power and capability to evaluate the mission, business case, and budgetary needs of the system while also c...
DAADesignated Approving AuthorityRisk AcceptanceSystem Authorization - Question #191Security Planning and Design
Which of the following rated systems of the Orange book has mandatory protection of the TCB?
Orange BookTCSECMandatory Access Control (MAC)Trusted Computing Base (TCB) - Question #192Systems Development and Acquisition
Which of the following categories of system specification describes the technical requirements that cover a service, which is performed on a component of the system?
System specificationsProcess specificationRequirements engineeringSystems acquisition - Question #193Risk Management
Which of the following DITSCAPNIACAP model phases is used to show the required evidence to support the DAA in accreditation process and conclude in an Approval To Operate (ATO) ?
Certification and AccreditationDITSCAP/NIACAPApproval To OperateSecurity Assessment - Question #194Systems Development and Acquisition
Which of the following is a 1996 United States federal law, designed to improve the way the federal government acquires, uses, and disposes information technology?
Clinger-Cohen ActFederal IT AcquisitionGovernment RegulationsInformation Technology Management - Question #195Risk Management
An Authorizing Official plays the role of an approver. What are the responsibilities of an Authorizing Official? Each correct answer represents a complete solution. Choose all that...
Authorizing OfficialRisk ManagementATOGovernance - Question #196Security Planning and Design
Which of the following areas of information system, as separated by Information Assurance Framework, is a collection of local computing devices, regardless of physical location, th...
Information Assurance FrameworkEnclave BoundariesSecurity PolicySystem Architecture - Question #197Security Planning and Design
Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?
Certification and AccreditationIS program managerSystem life cycleSecurity requirements - Question #198Risk Management
In 2003, NIST developed a new Certification & Accreditation (C&A) guideline known as FIPS 199. What levels of potential impact are defined by FIPS 199? Each correct answer represen...
FIPS 199Impact levelsSecurity categorizationC&A - Question #199Governance and Training
Which of the following federal agencies coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produces foreign intelligence infor...
NSA/CSSFederal agenciesInformation protectionForeign intelligence - Question #200Security Planning and Design
Which of the following firewall types operates at the Network layer of the OSI model and can filter data by port, interface address, source address, and destination address?
Packet FilteringFirewall ArchitecturesOSI ModelPort-based Filtering - Question #201Security Operations
The Phase 4 of DITSCAP C&A is known as Post Accreditation. This phase starts after the system has been accredited in Phase 3. What are the process activities of this phase? Each co...
DITSCAP Phase 4Post AccreditationC&A complianceSSAA maintenance