CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 20 of 31.
- Question #951, Security Operations: A company receives an email threat informing of an imminent Distributed Denial of Service (DDoS) attack targeting its web application, unless ransom is paid. Which of the following...
  Tags: DDoS mitigation, incident response, ISP capabilities, web application security
- Question #952, Communication and Network Security: The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data
  Tags: L2TP, VPN protocols, PPP, tunneling
- Question #953, Software Development Security: Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?
  Tags: XSS mitigation, secure coding, input sanitization, web application security
- Question #954, Security Assessment and Testing: Which of the following MOST accurately describes the Security Target (ST) in the Common Criteria framework?
  Tags: Common Criteria, Security Target (ST), security evaluation, certification
- Question #955, Security Architecture and Engineering: An organization has approved deployment of a virtual environment for the development servers and has established controls for restricting access to resources. In order to implement...
  Tags: Virtualization security, Hypervisor security, Network segmentation, Secure network design
- Question #956, Security Architecture and Engineering: Which of the following is a weakness of the Data Encryption Standard (DES)?
  Tags: DES, Symmetric encryption, Key length, Cryptographic weaknesses
- Question #957, Software Development Security: What are facets of trustworthy software in supply chain operations?
  Tags: Trustworthy software, Supply chain security, Software quality attributes, System resilience
- Question #958, Software Development Security: In order to meet the project delivery deadline, a web application developer used readily available software components. Which is the BEST method for reducing the risk associated wi...
  Tags: Supply chain security, Software components, Secure development, Risk mitigation
- Question #959, Asset Security: To ensure proper governance of information throughout the lifecycle, which of the following should be assigned FIRST?
  Tags: Information governance, Data classification, Data lifecycle, Data ownership
- Question #960, Security and Risk Management: An effective information security strategy is PRIMARILY based upon which of the following?
  Tags: Information security strategy, Risk management, Security governance, Foundational principles
- Question #961, Security and Risk Management: One of Canada's leading pharmaceutical firms recently hired a Chief Data Officer (CDO) to oversee its data privacy program. The CDO has discovered the firm's marketing department h...
  Tags: Data privacy, Privacy regulations, PIPEDA, Legal compliance
- Question #962, Identity and Access Management: An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which o...
  Tags: Segregation of Duties (SoD), ERP security, Access control, Role-based access control
- Question #963, Security Operations: Which type of log collection is focused on detecting and responding to attacks, malware infection, and data theft?
  Tags: Log management, Security logging, Threat detection, Incident response
- Question #964, Communication and Network Security: A company is planning to implement a private cloud infrastructure. Which of the following recommendations will support the move to a cloud infrastructure?
  Tags: Cloud infrastructure, Private cloud, Software-defined networking (SDN), Network architecture
- Question #965, Software Development Security: While performing a security review for a new product, an information security professional discovers that the organization's product development team is proposing to collect govern...
  Tags: Data privacy, PII protection, Unique identifiers, Data minimization
- Question #966, Security Operations: Which of the following is performed to determine a measure of success of a security awareness training program designed to prevent social engineering attacks?
  Tags: Security awareness training, Social engineering prevention, Program evaluation, Security metrics
- Question #967, Asset Security: What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-performance data reads and writes?
  Tags: RAID, Data storage, Performance optimization, Disk configurations
- Question #968, Software Development Security: A retail company is looking to start a development project that will utilize open source components in its code for the first time. The development team has already acquired severa...
  Tags: Open-source software (OSS) security, Software supply chain, Compliance policy, Legal risk
- Question #969, Security Assessment and Testing: Upon commencement of an audit within an organization, which of the following actions is MOST important for the auditor(s) to take?
  Tags: Security auditing, Audit planning, Stakeholder communication, Audit scope
- Question #970, Security Assessment and Testing: An organization is planning a penetration test that simulates the malicious actions of a former network administrator. What kind of penetration test is needed?
  Tags: Penetration testing, Grey box testing, Insider threat simulation, Testing methodologies
- Question #971, Asset Security: An organization has discovered that organizational data is posted by employees to data storage accessible to the general public. What is the PRIMARY step an organization must take...
  Tags: Data classification, Data loss prevention (DLP), Information governance, Policy implementation
- Question #972, Security Operations: What is the PRIMARY reason that a bit-level copy is more desirable than a file-level copy when replicating a hard drive's contents for an e-discovery investigation?
  Tags: Digital forensics, E-discovery, Bit-level imaging, Data preservation
- Question #973, Security and Risk Management: While reviewing the financial reporting risks of a third-party application, which of the following Service Organization Control (SOC) reports will be the MOST useful?
  Tags: SOC reports, Third-party risk management, Financial reporting controls, Vendor assessment
- Question #974, Software Development Security: A large manufacturing organization arranges to buy an industrial machine system to produce a new line of products. The system includes software provided to the vendor by a thirdpar...
  Tags: Software supply chain risk, Third-party risk management, Software quality assurance, Independent testing
- Question #975, Communication and Network Security: Which of the following types of hosts should be operating in the demilitarized zone (DMZ)?
  Tags: DMZ, network segmentation, perimeter security
- Question #976, Security Architecture and Engineering: In systems security engineering, what does the security principle of modularity provide?
  Tags: security principles, modularity, system design
- Question #977, Security Operations: Which of the following is MOST appropriate to collect evidence of a zero-day attack?
  Tags: zero-day, honeypot, threat detection, incident response
- Question #978, Security Architecture and Engineering: Which of the following is required to verify the authenticity of a digitally signed document?
  Tags: digital signature, public key cryptography, authenticity, PKI
- Question #979, Security Operations: Which of the following is the BEST method to gather evidence from a computer's hard drive?
  Tags: digital forensics, evidence collection, disk imaging, incident response
- Question #980, Software Development Security: Who should perform the design review to uncover security design flaws as part of the Software Development Life Cycle (SDLC)?
  Tags: SDLC, security design review, roles and responsibilities, security SME
- Question #981, Security Assessment and Testing: During a penetration test, what are the three PRIMARY objectives of the planning phase?
  Tags: penetration testing, planning phase, rules of engagement, management approval
- Question #982, Asset Security: What term is commonly used to describe hardware and software assets that are stored in a configuration management database (CMDB)?
  Tags: CMDB, configuration item, asset management, ITIL
- Question #983, Security Operations: Which of the following disaster recovery (DR) testing processes is LEAST likely to disrupt normal business operations?
  Tags: disaster recovery, DR testing, business continuity, tabletop exercise
- Question #984, Software Development Security: The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure orga...
  Tags: OWASP SAMM, software security, risk management, risk tolerance
- Question #985, Security Architecture and Engineering: The security architect is designing and implementing an internal certification authority to generate digital certificates for all employees. Which of the following is the BEST solu...
  Tags: PKI, private key storage, TPM, certificate authority
- Question #986, Communication and Network Security: Which of the following is a common risk with fiber optical communications, and what is the associated mitigation measure?
  Tags: fiber optics, light leakage, eavesdropping, physical security
- Question #987, Security and Risk Management: During an internal audit of an organizational Information Security Management System (ISMS), nonconformities are identified. In which of the following management stages are nonconf...
  Tags: ISMS, audit, nonconformity, continual improvement
- Question #988, Security and Risk Management: What is the BEST reason to include supply chain risks in a corporate risk register?
  Tags: risk register, supply chain risk, risk management, risk classification
- Question #989, Asset Security: An employee's home address should be categorized according to which of the following references?
  Tags: data classification, personal data, asset security, privacy
- Question #990, Identity and Access Management: Why is authentication by ownership stronger than authentication by knowledge?
  Tags: authentication factors, ownership, knowledge, multi-factor authentication
- Question #991, Communication and Network Security: A network security engineer needs to ensure that a security solution analyzes traffic for protocol manipulation and various sorts of common attacks. In addition, all Uniform Resour...
  Tags: application-level proxy, URL filtering, traffic inspection, network security device
- Question #992, Asset Security: Which of the following is the BEST way to protect an organization's data assets?
  Tags: data protection, encryption, data at rest, data in transit, cryptography
- Question #993, Security and Risk Management: Which of the following would qualify as an exception to the "right to be forgotten" of the General Data Protection Regulation (GDPR)?
  Tags: GDPR, right to be forgotten, privacy regulations, legal claims
- Question #994, Asset Security: Which of the following is a benefit of implementing data-in-use controls?
  Tags: data-in-use, data protection, DLP, access control
- Question #995, Communication and Network Security: Which of the following secure transport protocols is often used to secure Voice over Internet Protocol (VoIP) communications on a network from end to end?
  Tags: VoIP security, SRTP, secure protocols
- Question #996, Security Architecture and Engineering: Which of the following is a MUST for creating a new custom-built, cloud-native application designed to be horizontally scalable?
  Tags: cloud computing, PaaS, cloud-native applications, horizontal scalability
- Question #997, Identity and Access Management: Which of the following access control mechanisms characterizes subjects and objects using a set of encoded security-relevant properties?
  Tags: access control, ABAC
- Question #998, Software Development Security: Which kind of dependencies should be avoided when implementing secure design principles in software-defined networking (SDN)?
  Tags: SDN security, secure design principles, system dependencies
- Question #999, Security Architecture and Engineering: Which mechanism provides the BEST protection against buffer overflow attacks in memory?
  Tags: buffer overflow, ASLR, memory protection
- Question #1000, Security and Risk Management: An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the ri...
  Tags: risk assessment, security management program, business processes