CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 1 of 31.
- Question #1 (Governance, Risk, and Compliance): A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?
  Tags: BCP; DRP; crisis management; business continuity
- Question #2 (Governance, Risk, and Compliance): When is a Business Continuity Plan (BCP) considered to be valid?
  Tags: BCP validation; DRP testing; disaster recovery exercises; business continuity
- Question #3 (Governance, Risk, and Compliance): Recovery strategies of Disaster Recovery Planning (DRP) MUST be aligned with which of the following?
  Tags: DRP strategies; business objectives; cost-benefit analysis; risk management
- Question #4 (Security Operations): Which of the following is the FIRST step in the incident response process?
  Tags: incident response; incident handling; preparation; detection
- Question #5 (Governance, Risk, and Compliance): A continuous information security-monitoring program can BEST reduce risk through which of the following?
  Tags: continuous monitoring; risk reduction; security program; people, process, technology
- Question #6 (Governance, Risk, and Compliance): What would be the MOST cost-effective solution for a Disaster Recovery (DR) site given that the organization's systems cannot be unavailable for more than 24 hours?
  Tags: DR site types; RTO; recovery strategies; cost-effectiveness
- Question #7 (Security Engineering): A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST prob...
  Tags: least privilege; application security; Java security model; secure coding
- Question #8 (Governance, Risk, and Compliance): Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
  Tags: open source security; licensing compliance; legal risk; supply chain risk
- Question #9 (Security Engineering): When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
  Tags: SDLC security; security requirements; data classification; security by design
- Question #10 (Security Engineering): Which of the following is the BEST method to prevent malware from being introduced into a production environment?
  Tags: malware prevention; software testing; production environment security; segregation of duties
- Question #11 (Security Operations): The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
  Tags: configuration management; C&A; SDLC; system maintenance
- Question #12 (Security Architecture): What is the BEST approach to addressing security issues in legacy web applications?
  Tags: legacy application security; application modernization; risk mitigation; security strategy
- Question #13 (Security Engineering): Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
  Tags: web application security; OS patching; vulnerability management; security controls
- Question #14 (Security Engineering): Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?
  Tags: PII protection; data tokenization; data masking; encryption
- Question #15 (Governance, Risk, and Compliance): Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?
  Tags: privacy policy; Safe Harbor; data privacy; compliance
- Question #16 (Security Engineering): What is the MOST effective countermeasure to a malicious code attack against a mobile system?
  Tags: mobile security; malicious code; sandboxing; endpoint protection
- Question #17 (Security Operations): Which of the following is the BEST mitigation against phishing attacks?
  Tags: phishing mitigation; security awareness; social engineering; user education
- Question #18 (Asset Security): Which of the following is a physical security control that protects Automated Teller Machines (ATM) from skimming?
  Tags: ATM security; physical security controls; skimming prevention
- Question #19 (Identity and Access Management): Which of the following is an essential element of privileged identity lifecycle management?
  Tags: privileged identity management; account lifecycle; account revalidation; identity governance
- Question #20 (Security Operations): Which of the following is ensured when hashing files during chain of custody handling?
  Tags: hashing; chain of custody; data integrity; forensics
- Question #21 (Software Development Security): Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?
  Tags: HTML5 security; WebSockets; data leakage prevention; network monitoring
- Question #22 (Security Assessment and Testing): Which of the following statements is TRUE of black box testing?
  Tags: black box testing; penetration testing; vulnerability assessment; software testing
- Question #23 (Software Development Security): A software scanner identifies a region within a binary image having high entropy. What does this MOST likely indicate?
  Tags: binary analysis; code obfuscation; entropy analysis; malware analysis
- Question #24 (Security Assessment and Testing): Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?
  Tags: CVSS; vulnerability scoring; code review; risk assessment
- Question #25 (Security and Risk Management): Which of the following is the MOST important consideration when storing and processing Personally Identifiable Information (PII)?
  Tags: PII protection; data privacy; regulatory compliance; data governance
- Question #26 (Security Assessment and Testing): Which of the following assessment metrics is BEST used to understand a system's vulnerability to potential exploits?
  Tags: vulnerability assessment; exploit likelihood; security flaws; system assessment
- Question #27 (Asset Security): Which of the following is an effective method for avoiding magnetic media data remanence?
  Tags: data remanence; degaussing; data sanitization; magnetic media
- Question #28 (Security and Risk Management): Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment?
  Tags: e-discovery; cloud security; data location; legal compliance; contractual agreements
- Question #29 (Communication and Network Security): When transmitting information over public networks, the decision to encrypt it should be based on
  Tags: data encryption; confidentiality; public networks; data classification
- Question #30 (Identity and Access Management): Logical access control programs are MOST effective when they are
  Tags: logical access control; operating system security; access control mechanisms
- Question #31 (Communication and Network Security): Which one of the following considerations has the LEAST impact when considering transmission security?
  Tags: transmission security; network security; network availability; data integrity
- Question #32 (Security Architecture and Engineering): What principle requires that changes to the plaintext affect many parts of the ciphertext?
  Tags: cryptography; diffusion; plaintext; ciphertext
- Question #33 (Asset Security): Which one of these risk factors would be the LEAST important consideration in choosing a building site for a new computer facility?
  Tags: physical security; site selection; risk assessment; facility security
- Question #34 (Communication and Network Security): Which one of the following transmission media is MOST effective in preventing data interception?
  Tags: transmission media; fiber optics; data interception; network security
- Question #35 (Security Operations): Which security action should be taken FIRST when computer personnel are terminated from their jobs?
  Tags: offboarding procedures; access revocation; insider threat; HR security
- Question #36 (Identity and Access Management): A practice that permits the owner of a data object to grant other users access to that object would usually provide
  Tags: access control models; DAC; data ownership; permissions
- Question #37 (Identity and Access Management): The type of authorized interactions a subject can have with an object is
  Tags: permissions; access control; subject-object interaction
- Question #38 (Identity and Access Management): Why MUST a Kerberos server be well protected from unauthorized access?
  Tags: Kerberos; authentication; key management; KDC security
- Question #39 (Communication and Network Security): Which one of the following effectively obscures network addresses from external exposure when implemented on a firewall or router?
  Tags: NAT; firewall; network security; IP addressing
- Question #40 (Security and Risk Management): While impersonating an Information Security Officer (ISO), an attacker obtains information from company employees about their User IDs and passwords. Which method of information ga...
  Tags: social engineering; impersonation; credential theft
- Question #41 (Identity and Access Management): Why must all users be positively identified prior to using multi-user computers?
  Tags: user identification; access control; unauthorized access
- Question #42 (Security Architecture and Engineering): The birthday attack is MOST effective against which one of the following cipher technologies?
  Tags: birthday attack; cryptographic hash; collision
- Question #43 (Communication and Network Security): An advantage of link encryption in a communications network is that it
  Tags: link encryption; network encryption; header encryption
- Question #44 (Identity and Access Management): Which one of the following is the MOST important in designing a biometric access system if it is essential that no one other than authorized individuals is admitted?
  Tags: biometrics; False Acceptance Rate (FAR); access control; system design
- Question #45 (Communication and Network Security): What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source?
  Tags: spoofing; packet forging; network attack
- Question #46 (Security and Risk Management): The PRIMARY purpose of a security awareness program is to
  Tags: security awareness; security policy; employee education
- Question #47 (Asset Security): As one component of a physical security system, an Electronic Access Control (EAC) token is BEST known for its ability to
  Tags: physical security; access control token; key management
- Question #48 (Security Operations): Which one of the following is a fundamental objective in handling an incident?
  Tags: incident response; system restoration; containment
- Question #49 (Security and Risk Management): In the area of disaster planning and recovery, what strategy entails the presentation of information about the plan?
  Tags: disaster recovery; business continuity; communication
- Question #50 (Identity and Access Management): The process of mutual authentication involves a computer system authenticating a user and authenticating the
  Tags: mutual authentication; authentication protocols; trust