CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 16 of 31.
- Question #751 (Security Architecture and Engineering)
  Which of the following wraps the decryption key of a full disk encryption implementation and ties the hard disk drive to a particular device?
  Tags: Full disk encryption, Trusted Platform Module (TPM), Cryptographic key management
- Question #752 (Security Assessment and Testing)
  The three PRIMARY requirements for a penetration test are
  Tags: Penetration testing, Scope definition, Management approval
- Question #753 (Security Architecture and Engineering)
  Which of the following is an attacker MOST likely to target to gain privileged access to a system?
  Tags: Privilege escalation, Attack vectors, System vulnerabilities
- Question #754 (Asset Security)
  Why is a system's criticality classification important in large organizations?
  Tags: Asset classification, Risk management, Prioritization, Security operations
- Question #755 (Communication and Network Security)
  By allowing storage communications to run on top of Transmission Control Protocol/Internet Protocol (TCP/IP) with a Storage Area Network (SAN), the
  Tags: Storage Area Network (SAN), TCP/IP security, Network sniffing, Data-in-transit security
- Question #756 (Security Operations)
  In Disaster Recovery (DR) and business continuity training, which BEST describes a functional drill?
  Tags: Disaster Recovery (DR), Business Continuity Planning (BCP), DRP testing, Functional drill
- Question #757 (Communication and Network Security)
  Which of the following does the Encapsulating Security Payload (ESP) provide?
  Tags: IPsec, Encapsulating Security Payload (ESP), Confidentiality, Integrity
- Question #758 (Identity and Access Management (IAM))
  Which one of the following security mechanisms provides the BEST way to restrict the execution of privileged procedures?
  Tags: Access control, Role-Based Access Control (RBAC), Privilege management
- Question #759 (Asset Security)
  What is an effective practice when returning electronic storage media to third parties for repair?
  Tags: Data sanitization, Third-party risk management, Contractual agreements, Asset disposal
- Question #760 (Security Architecture and Engineering)
  Which of the following BEST represents the principle of open design?
  Tags: Security principles, Open design, Security through obscurity
- Question #761 (Software Development Security)
  The BEST way to check for good security programming practices, as well as auditing for possible backdoors, is to conduct
  Tags: code review, software security, backdoors, security auditing
- Question #762 (Security and Risk Management)
  An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the...
  Tags: auditor interaction, password policy enforcement, security compliance, preventative controls
- Question #763 (Asset Security)
  When building a data center, site location and construction factors that increase the level of vulnerability to physical threats include
  Tags: physical security, data center location, site selection, vulnerability assessment
- Question #764 (Communication and Network Security)
  An organization allows ping traffic into and out of their network. An attacker has installed a program on the network that uses the payload portion of the ping packet to move data...
  Tags: covert channel, ICMP tunneling, network attacks, data exfiltration
- Question #765 (Software Development Security)
  Which of the following can BEST prevent security flaws occurring in outsourced software development?
  Tags: outsourced development, software security, contractual agreements, vendor management
- Question #766 (Security and Risk Management)
  Which of the following is the MAIN reason that system re-certification and re-accreditation are needed?
  Tags: system re-certification, re-accreditation, security policy compliance, ongoing assurance
- Question #767 (Communication and Network Security)
  An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective laye...
  Tags: network segmentation, defense in depth, post-breach mitigation, lateral movement
- Question #768 (Security and Risk Management)
  A security consultant has been asked to research an organization's legal obligations to protect privacy-related information. What kind of reading material is MOST relevant to this...
  Tags: legal obligations, privacy regulations, data protection laws, compliance
- Question #769 (Security Assessment and Testing)
  According to best practice, which of the following groups is the MOST effective in performing an information security compliance audit?
  Tags: compliance audit, auditor independence, best practices, external audit
- Question #770 (Software Development Security)
  When is security personnel involvement in the Systems Development Life Cycle (SDLC) process MOST beneficial?
  Tags: SDLC security, security by design, requirements analysis, shift left security
- Question #771 (Identity and Access Management)
  A large bank deploys hardware tokens to all customers that use their online banking system. The token generates and displays a six-digit numeric password every 60 seconds. The cust...
  Tags: synchronous token, multi-factor authentication, TOTP, authentication methods
- Question #772 (Security Operations)
  Which of the following is the BEST reason to review audit logs periodically?
  Tags: Audit logs, Security monitoring, Anomaly detection, Incident detection
- Question #773 (Security and Risk Management)
  What is the PRIMARY reason for ethics awareness and related policy implementation?
  Tags: organizational ethics, reputation risk, policy importance, business impact
- Question #774 (Security Operations)
  Which of the following is critical for establishing an initial baseline for software components in the operation and maintenance of applications?
  Tags: configuration management, software baselining, operations security, change management
- Question #775 (Software Development Security)
  Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in a System Development Life Cycle (SDLC)?
  Tags: vulnerability management, SDLC maintenance, change management, secure coding principles
- Question #776 (Communication and Network Security)
  Which of the following provides effective management assurance for a Wireless Local Area Network (WLAN)?
  Tags: WLAN security, VPN, data confidentiality, network security architecture
- Question #777 (Communication and Network Security)
  From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?
  Tags: DNS security, zone transfer, best practices, network hardening
- Question #778 (Security Assessment and Testing)
  Which of the following is the MOST beneficial to review when performing an IT audit?
  Tags: IT audit, security logs, evidence collection, audit evidence
- Question #779 (Software Development Security)
  During an investigation of database theft from an organization's web site, it was determined that the Structured Query Language (SQL) injection technique was used despite input val...
  Tags: SQL injection, server-side validation, input validation, web application security
- Question #780 (Asset Security)
  With data labeling, which of the following MUST be the key decision maker?
  Tags: data owner, data classification, data labeling, data governance roles
- Question #781 (Security and Risk Management)
  Which of the following is a critical factor for implementing a successful data classification program?
  Tags: data classification program, executive sponsorship, program implementation, governance
- Question #782 (Security and Risk Management)
  An organization's data policy MUST include a data retention period which is based on
  Tags: data retention, regulatory compliance, data policy, legal requirements
- Question #783 (Identity and Access Management)
  What is the MOST important reason to configure unique user IDs?
  Tags: unique IDs, accountability, identity management, access control principles
- Question #784 (Software Development Security)
  What is the PRIMARY advantage of using automated application security testing tools?
  Tags: automated security testing, SAST, DAST, software quality
- Question #785 (Software Development Security)
  When using third-party software developers, which of the following is the MOST effective method of providing software development Quality Assurance (QA)?
  Tags: third-party development, code review, quality assurance, vendor security
- Question #786 (Software Development Security)
  What do Capability Maturity Models (CMM) serve as a benchmark for in an organization?
  Tags: CMM, CMMI, software development process, maturity models
- Question #787 (Security Assessment and Testing)
  Which of the following is the MOST crucial for a successful audit plan?
  Tags: audit planning, audit scope, security audit, assessment methodology
- Question #788 (Security Architecture and Engineering)
  An organization decides to implement a partial Public Key Infrastructure (PKI) with only the servers having digital certificates. What is the security benefit of this implementatio...
  Tags: PKI, digital certificates, server authentication, public key cryptography
- Question #789 (Asset Security)
  Which of the following is the PRIMARY benefit of a formalized information classification program?
  Tags: data classification, information governance, audit processes, compliance
- Question #790 (Communication and Network Security)
  If an attacker in a SYN flood attack uses someone else's valid host address as the source address, the system under attack will send a large number of Synchronize/Acknowledge (SYN/...
  Tags: SYN flood, DoS attack, IP spoofing, TCP/IP
- Question #791 (Security Architecture and Engineering)
  How is protection for hypervisor host and software administration functions BEST achieved?
  Tags: hypervisor security, virtualization, management plane isolation, network segmentation
- Question #792 (Security and Risk Management)
  To ensure compliance with the General Data Protection Regulation (GDPR), who in the organization should the help desk manager confer with before selecting a Software as a Service (...
  Tags: GDPR, Data Protection Officer, DPO, regulatory compliance
- Question #793 (Security and Risk Management)
  An Information System Security Officer (ISSO) employed by a large corporation, while also freelancing in a similar role for a competitor, violates what canon of the (ISC)2 Code of...
  Tags: (ISC)2 ethics, professional ethics, conflict of interest, code of conduct
- Question #794 (Security Operations)
  Which is the FIRST action the Incident Response team should take when an incident is suspected?
  Tags: incident response, incident identification, logging, fact-finding
- Question #795 (Asset Security)
  A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adheri...
  Tags: data classification, sensitive data, information protection, PII
- Question #796 (Software Development Security)
  A web application requires users to register before they can use its services. Users must choose a unique username and a password that contains a minimum of eight characters. Which...
  Tags: password hashing, salting, key stretching, secure storage
- Question #797 (Security Assessment and Testing)
  Which of the following is the PRIMARY objective of performing scans with an active discovery tool?
  Tags: asset identification, inventory management, network discovery, asset scanning
- Question #798 (Communication and Network Security)
  A large law firm would like to enable employees to participate in a bring your own device (BYOD) program. Only devices with up-to-date antivirus and operating system (OS) patches w...
  Tags: BYOD, Network Access Control, NAC, endpoint security
- Question #799 (Security Operations)
  A security operations center (SOC) discovers a recently deployed router beaconing to a malicious website. Replacing the router fixes the issue. What is the MOST likely cause of the...
  Tags: supply chain security, counterfeit hardware, incident analysis, root cause analysis
- Question #800 (Communication and Network Security)
  Which of the following methods can be used to achieve confidentiality and integrity for data in transit?
  Tags: IPSec, data in transit, confidentiality, integrity