CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 18 of 31.
- Question #851 (Identity and Access Management)
  The BEST method to mitigate the risk of a dictionary attack on a system is to
  Tags: password security, dictionary attack, passphrase, authentication
- Question #852 (Identity and Access Management)
  Which of the following is an advantage of on-premise Credential Management Systems?
  Tags: credential management, on-premise security, system control, identity management
- Question #853 (Identity and Access Management)
  Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)?
  Tags: RBAC, separation of duties, privilege aggregation, access control
- Question #854 (Identity and Access Management)
  The implementation of which features of an identity management system reduces costs and administration overhead while improving audit and accountability?
  Tags: identity management, user self-service, cost reduction, auditability
- Question #855 (Security Assessment and Testing)
  Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program?
  Tags: Vulnerability Management, Program Assessment, Third-Party Assessment, Security Effectiveness
- Question #856 (Software Development Security)
  Which methodology is recommended for penetration testing to be effective in the development phase of the life-cycle process?
  Tags: Penetration testing, White-box testing, Secure SDLC, Development phase
- Question #857 (Security Operations)
  Which of the following is most helpful in applying the principle of LEAST privilege?
  Tags: least privilege, privileged access management, security monitoring, access control
- Question #858 (Security and Risk Management)
  Which of the following explains why record destruction requirements are included in a data retention policy?
  Tags: data retention, data destruction, legal compliance, regulatory requirements
- Question #859 (Security Operations)
  What should happen when an emergency change to a system must be performed?
  Tags: change management, emergency changes, IT governance, security operations
- Question #860 (Security and Risk Management)
  Which of the following is the BEST approach to take in order to effectively incorporate the concepts of business continuity into the organization?
  Tags: business continuity, training and awareness, organizational culture, BCM
- Question #861 (Security and Risk Management)
  Which of the following has the GREATEST impact on an organization's security posture?
  Tags: security posture, compliance, regulatory requirements, risk management
- Question #862 (Security and Risk Management)
  The application of which of the following standards would BEST reduce the potential for data breaches?
  Tags: ISO 27001, information security management system, data breaches, security standards
- Question #863 (Security and Risk Management)
  In order for a security policy to be effective within an organization, it MUST include
  Tags: Security Policy, Policy Enforcement, Governance, Compliance
- Question #864 (Asset Security)
  Which of the following roles has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by...
  Tags: data owner, data governance, third-party risk management, data responsibility
- Question #865 (Security Operations)
  To protect auditable information, which of the following MUST be configured to only allow read access?
  Tags: audit logs, log integrity, read-only access, security monitoring
- Question #866 (Communication and Network Security)
  What type of encryption is used to protect sensitive data in transit over a network?
  Tags: data in transit encryption, transport encryption, payload encryption, network security
- Question #867 (Security and Risk Management)
  Which of the following entities is ultimately accountable for data remanence vulnerabilities with data replicated by a cloud service provider?
  Tags: Data ownership, Accountability, Cloud security, Data remanence
- Question #868 (Communication and Network Security)
  Which of the following is a recommended alternative to an integrated email encryption system?
  Tags: email encryption, data security, attachments, sensitive data handling
- Question #869 (Communication and Network Security)
  In the Open System Interconnection (OSI) model, which layer is responsible for the transmission of binary data over a communications network?
  Tags: OSI model, physical layer, data transmission, network fundamentals
- Question #870 (Communication and Network Security)
  What is the PRIMARY goal for using Domain Name System Security Extensions (DNSSEC) to sign records?
  Tags: DNSSEC, DNS security, data integrity, network protocols
- Question #871 (Asset Security)
  While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such...
  Tags: Asset disposal, Data sanitization, Organizational policy, Asset inventory
- Question #872 (Security Architecture and Engineering)
  Which of the following measures is the MOST critical in order to safeguard from a malware attack on a smartphone?
  Tags: Mobile security, Malware prevention, Jailbreaking/Rooting, OS integrity
- Question #873 (Communication and Network Security)
  Which of the following Secure Shell (SSH) remote access practices is MOST suited for scripted functions?
  Tags: SSH security, Public key authentication, Scripted access, Remote access
- Question #874 (Identity and Access Management)
  Which stage in the identity management (IdM) lifecycle constitutes the GREATEST risk for an enterprise if performed incorrectly?
  Tags: Identity lifecycle, Deprovisioning, Risk management, Orphan accounts
- Question #875 (Security Assessment and Testing)
  Which of the following reports provides the BEST attestation of detailed controls when evaluating an Identity as a Service (IDaaS) solution?
  Tags: IDaaS evaluation, SOC reports, Third-party risk, Vendor assessment
- Question #876 (Identity and Access Management)
  Single sign-on (SSO) for federated identity management (FIM) must be implemented and managed so that authorization mechanisms protect access to privileged information using OpenID...
  Tags: Federated identity, SSO, SAML, OIDC, Token security
- Question #877 (Security and Risk Management)
  For a victim of a security breach to prevail in a negligence claim, what MUST the victim establish?
  Tags: Legal concepts, Negligence, Breach, Proximate cause
- Question #878 (Security and Risk Management)
  A large international organization that collects information from its consumers has contracted with a Software as a Service (SaaS) cloud provider to process this data. The SaaS clo...
  Tags: Cloud security, SaaS, Data processing agreement, Contractual terms
- Question #879 (Communication and Network Security)
  A security engineer is conducting an audit of an organization's Voice over Internet Protocol (VoIP) phone network due to a large increase in charges from their phone provider. The...
  Tags: VoIP security, Toll fraud, Network attacks, Communication security
- Question #880 (Security Operations)
  An organization is looking to improve threat detection on their wireless network. The company goal is to automate alerts to improve response efforts. Which of the following best pr...
  Tags: Wireless network security, Threat detection, IDS, Incident response
- Question #881 (Security Operations)
  Security personnel should be trained by emergency management personnel in what to do before and during a disaster, as well as their role in recovery efforts. Personnel should take...
  Tags: Physical security, Emergency preparedness, Disaster recovery, Personnel training
- Question #882 (Security and Risk Management)
  The principle that personally identifiable information (PII) should be kept up-to-date and relevant to the purposes for which they are to be used is attributed to which fair inform...
  Tags: PII, Data privacy, OECD FIPs, Data quality
- Question #883 (Software Development Security)
  Which of the following is considered a secure coding practice?
  Tags: Secure coding, Software integrity, Checksums, Code review
- Question #884 (Security Assessment and Testing)
  As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be perfo...
  Tags: Negative testing, Input validation, Web application security, Security testing methodologies
- Question #885 (Security and Risk Management)
  Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals?
  Tags: Security governance, Senior management, Organizational goals, Risk ownership
- Question #886 (Security Architecture and Engineering)
  Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise, occupied environment?
  Tags: Physical security, Intrusion detection, Alarm systems, Sensor technology
- Question #887 (Identity and Access Management)
  Which of the following is the MOST effective practice in managing user accounts when an employee is terminated?
  Tags: User lifecycle management, Account deactivation, Employee termination, Automated provisioning
- Question #888 (Security Operations)
  Which of the following is the MOST important part of an awareness and training plan to prepare employees for emergency situations?
  Tags: Emergency preparedness, Awareness training, Disaster recovery, Training programs
- Question #889 (Asset Security)
  What is the process of removing sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique?
  Tags: Data sanitization, Purging, Data destruction, Media disposal
- Question #890 (Security and Risk Management)
  The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end of which phase?
  Tags: SDLC, Security accreditation, System implementation, Governance
- Question #891 (Security and Risk Management)
  Which of the following is the BEST reason for the use of security metrics?
  Tags: Security metrics, Performance measurement, Security effectiveness, Governance
- Question #892 (Identity and Access Management (IAM))
  Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?
  Tags: IAM solution, Orphan accounts, Identity lifecycle, Access management
- Question #893 (Security and Risk Management)
  A control to protect from a Denial-of-Service (DoS) attack has been determined to stop 50% of attacks, and additionally reduces the impact of an attack by 50%. What is the residual...
  Tags: Residual risk, DoS protection, Risk calculation, Security controls
- Question #894 (Security and Risk Management)
  Which of the following entails identification of data and links to business processes, applications, and data stores as well as assignment of ownership responsibilities?
  Tags: Risk assessment, Data ownership, Asset identification, Business processes
- Question #895 (Security and Risk Management)
  Which of the following mandates the amount and complexity of security controls applied to a security risk?
  Tags: Risk tolerance, Security controls, Risk management
- Question #896 (Security and Risk Management)
  When determining who can accept the risk associated with a vulnerability, which of the following is the MOST important?
  Tags: Risk acceptance, Information ownership, Vulnerability management
- Question #897 (Security and Risk Management)
  A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the followin...
  Tags: Third-party risk, Mergers and acquisitions, Contract review, Due diligence
- Question #898 (Security and Risk Management)
  Which of the following is a direct monetary cost of a security incident?
  Tags: Security incident costs, Direct costs, Business impact
- Question #899 (Software Development Security)
  Which of the following would MINIMIZE the ability of an attacker to exploit a buffer overflow?
  Tags: Buffer overflow, Code review, Software vulnerabilities, Secure coding
- Question #900 (Software Development Security)
  Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?
  Tags: CSRF, Anti-CSRF token, Web application security, Session management