CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 2 of 31.
- Question #51 (Software Development Security): What maintenance activity is responsible for defining, implementing, and testing updates to application systems?
  Tags: program change control, SDLC, application updates
- Question #52 (Identity and Access Management (IAM)): Which one of the following describes granularity?
  Tags: Granularity, Access Control, IAM, Permissions
- Question #53 (Communication and Network Security): In a basic SYN flood attack, what is the attacker attempting to achieve?
  Tags: SYN flood, DoS attack, TCP/IP handshake, network attack
- Question #54 (Security and Risk Management): The FIRST step in building a firewall is to
  Tags: risk analysis, firewall policy, security architecture
- Question #55 (Asset Security): A system has been scanned for vulnerabilities and has been found to contain a number of communication ports that have been opened without authority. To which of the following might...
  Tags: Trojan horse, backdoor, vulnerability scan, malware
- Question #56 (Security Architecture and Engineering): Which type of control recognizes that a transaction amount is excessive in accordance with corporate policy?
  Tags: detective control, transaction monitoring, security controls
- Question #57 (Communication and Network Security): Which of the following defines the key exchange for Internet Protocol Security (IPSec)?
  Tags: IPSec, Internet Key Exchange (IKE), key exchange, VPN
- Question #58 (Security Assessment and Testing): The overall goal of a penetration test is to determine a system's
  Tags: penetration testing, vulnerability assessment, attack simulation
- Question #59 (Security and Risk Management): When constructing an Information Protection Policy (IPP), it is important that the stated rules are necessary, adequate, and
  Tags: Information Protection Policy, policy attributes, security governance
- Question #60 (Communication and Network Security): Which of the following is a security limitation of File Transfer Protocol (FTP)?
  Tags: FTP security, unencrypted authentication, protocol vulnerabilities
- Question #61 (Security and Risk Management): In Business Continuity Planning (BCP), what is the importance of documenting business processes?
  Tags: Business Continuity Planning, BCP documentation, organizational interdependencies
- Question #62 (Identity and Access Management): The Structured Query Language (SQL) implements Discretionary Access Controls (DAC) using
  Tags: SQL security, Discretionary Access Control, GRANT/REVOKE
- Question #63 (Communication and Network Security): Which layer of the Open Systems Interconnection (OSI) model implementation adds information concerning the logical connection between the sender and receiver?
  Tags: OSI model, Transport layer, logical connection
- Question #64 (Security Operations): Which of the following is a network intrusion detection technique?
  Tags: Intrusion Detection System, NIDS, statistical anomaly detection
- Question #65 (Communication and Network Security): Internet Protocol (IP) source address spoofing is used to defeat
  Tags: IP spoofing, address-based authentication, network attacks
- Question #66 (Identity and Access Management): Which of the following is an authentication protocol in which a new random number is generated uniquely for each login session?
  Tags: authentication protocols, CHAP, replay attacks
- Question #67 (Security and Risk Management): What security management control is MOST often broken by collusion?
  Tags: separation of duties, collusion, security controls
- Question #68 (Security Operations): An Intrusion Detection System (IDS) is generating alarms that a user account has over 100 failed login attempts per minute. A sniffer is placed on the network, and a variety of pas...
  Tags: dictionary attack, intrusion detection, password attacks, incident analysis
- Question #69 (Security and Risk Management): An engineer in a software company has created a virus creation tool. The tool can generate thousands of polymorphic viruses. The engineer is planning to use the tool in a controlle...
  Tags: ethics in security, software development security, risk assessment, responsible disclosure
- Question #70 (Security and Risk Management): Which of the following Disaster Recovery (DR) sites is the MOST difficult to test?
  Tags: Disaster Recovery sites, cold site, DR testing
- Question #71 (Communication and Network Security): Which of the following statements is TRUE for point-to-point microwave transmissions?
  Tags: microwave transmission, physical security, interception
- Question #72 (Communication and Network Security): The key benefits of a signed and encrypted e-mail include
  Tags: email security, digital signatures, encryption, confidentiality
- Question #73 (Asset Security): Copyright provides protection for which of the following?
  Tags: copyright, intellectual property, expression of ideas
- Question #74 (Security and Risk Management): Which of the following is TRUE about Disaster Recovery Plan (DRP) testing?
  Tags: Disaster Recovery Plan, DRP testing, testing best practices
- Question #75 (Security Assessment and Testing): Which of the following is the FIRST step of a penetration test plan?
  Tags: penetration testing, authorization, ethical hacking, test planning
- Question #76 (Security Operations): Which of the following actions should be performed when implementing a change to a database schema in a production system?
  Tags: change management, database schema changes, back-out strategy, production systems
- Question #77 (Software Development Security): Which of the following is a method used to prevent Structured Query Language (SQL) injection attacks?
  Tags: SQL injection, data validation, input sanitization, web application security
- Question #78 (Security Assessment and Testing): The BEST method of demonstrating a company's security level to potential customers is
  Tags: security assurance, external audit, third-party assessment, compliance reporting
- Question #79 (Communication and Network Security): Which of the following does Temporal Key Integrity Protocol (TKIP) support?
  Tags: TKIP, WPA, wireless security, network protocols
- Question #80 (Security Assessment and Testing): The stringency of an Information Technology (IT) security assessment will be determined by the
  Tags: security assessment scope, data sensitivity, risk assessment
- Question #81 (Security Operations): What should be the INITIAL response to Intrusion Detection System/Intrusion Prevention System (IDS/IPS) alerts?
  Tags: incident response, IDS/IPS alerts, threat verification, attack scope
- Question #82 (Security Operations): At a MINIMUM, a formal review of any Disaster Recovery Plan (DRP) should be conducted
  Tags: DRP review, disaster recovery planning, business continuity
- Question #83 (Communication and Network Security): Checking routing information on e-mail to determine that it is in a valid format and contains valid information is an example of which of the following anti-spam approaches?
  Tags: anti-spam, email security, header analysis, network security
- Question #84 (Security Operations): During an audit of system management, auditors find that the system administrator has not been trained. What actions need to be taken at once to ensure the integrity of systems?
  Tags: security audit findings, system integrity, unauthorized personnel, remediation
- Question #85 (Security and Risk Management): An internal Service Level Agreement (SLA) covering security is signed by senior managers and is in place. When should compliance to the SLA be reviewed to ensure that a good securi...
  Tags: SLA compliance, security posture, continuous monitoring, governance
- Question #86 (Security Operations): Which of the following is the best practice for testing a Business Continuity Plan (BCP)?
  Tags: BCP testing, business continuity, environmental changes, resilience
- Question #87 (Security and Risk Management): Which of the following MUST be done when promoting a security awareness program to senior management?
  Tags: security awareness program, senior management buy-in, communication strategy, risk communication
- Question #88 (Identity and Access Management): Which of the following is a security feature of Global System for Mobile Communications (GSM)?
  Tags: GSM security, SIM authentication, mobile security, cellular technology
- Question #89 (Security Architecture and Engineering): A disadvantage of an application filtering firewall is that it can lead to
  Tags: application filtering firewall, firewall performance, network latency, security controls
- Question #90 (Security Operations): What is the MOST important purpose of testing the Disaster Recovery Plan (DRP)?
  Tags: DRP testing, disaster recovery, plan validation, effectiveness
- Question #91 (Security Assessment and Testing): Following the completion of a network security assessment, which of the following can BEST be demonstrated?
  Tags: network security assessment, control effectiveness, security metrics, vulnerability management
- Question #92 (Asset Security): Passive Infrared Sensors (PIR) used in a non-climate controlled environment should
  Tags: PIR sensors, physical security, environmental controls, intrusion detection
- Question #93 (Security Architecture and Engineering): The use of strong authentication, the encryption of Personally Identifiable Information (PII) on database servers, application security reviews, and the encryption of data transmit...
  Tags: defense in depth, layered security, security controls, authentication, encryption
- Question #94 (Security and Risk Management): An organization is selecting a service provider to assist in the consolidation of multiple computing sites including development, implementation and ongoing support of various comp...
  Tags: third-party risk management, vendor selection, security requirements, due diligence
- Question #95 (Asset Security): Which of the following is an appropriate source for test data?
  Tags: test data management, data sanitization, PII protection, data lifecycle
- Question #96 (Security Assessment and Testing): What is the FIRST step in developing a security test and its evaluation?
  Tags: security testing methodology, test planning, security requirements, assessment scope
- Question #97 (Security Operations): How can a forensic specialist exclude from examination a large percentage of operating system files residing on a copy of the target system?
  Tags: digital forensics, hash analysis, known file filtering, operating system files
- Question #98 (Software Development Security): Which one of the following is a threat related to the use of web-based client side input validation?
  Tags: client-side validation, web security, input validation, security vulnerabilities
- Question #99 (Asset Security): To prevent inadvertent disclosure of restricted information, which of the following would be the LEAST effective process for eliminating data prior to the media being discarded?
  Tags: data sanitization, data remanence, media disposal, data destruction
- Question #100 (Software Development Security): Multi-threaded applications are more at risk than single-threaded applications to
  Tags: multi-threading, race conditions, concurrency vulnerabilities, application security