CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 21 of 31.
- Question #1001 (Software Development Security)
  Which of the following does the security design process ensure within the System Development Life Cycle (SDLC)?
  Topics: SDLC, security design, security controls, security objectives
- Question #1002 (Security Assessment and Testing)
  An organization needs a general purpose document to prove that its internal controls properly address security, availability, processing integrity, confidentiality or privacy risks...
  Topics: SOC 2 report, internal controls, security auditing
- Question #1003 (Asset Security)
  What is the BEST design for securing physical perimeter protection?
  Topics: physical security, CPTED, perimeter security
- Question #1004 (Communication and Network Security)
  Two computers, each with a single connection on the same physical 10 gigabit Ethernet network segment, need to communicate with each other. The first machine has a single Internet...
  Topics: IP addressing, CIDR, subnetting, network routing
- Question #1005 (Security Operations)
  The security team is notified that a device on the network is infected with malware. Which of the following is MOST effective in enabling the device to be quickly located and remed...
  Topics: incident response, asset management, ITAM, malware remediation
- Question #1006 (Security and Risk Management)
  A corporation does not have a formal data destruction policy. During which phase of a criminal legal proceeding will this have the MOST impact?
  Topics: data retention, data destruction, legal hold, e-discovery
- Question #1007 (Security Architecture and Engineering)
  Which of the following is the MOST common use of the Online Certificate Status Protocol (OCSP)?
  Topics: OCSP, PKI, certificate revocation, X.509
- Question #1008 (Security and Risk Management)
  Why would a system be structured to isolate different classes of information from one another and segregate them by user jurisdiction?
  Topics: data segregation, data localization, regulatory compliance, jurisdiction
- Question #1009 (Asset Security)
  A security professional needs to find a secure and efficient method of encrypting data on an endpoint. Which solution includes a root key?
  Topics: endpoint encryption, BitLocker, root key, data at rest encryption
- Question #1010 (Communication and Network Security)
  What method could be used to prevent passive attacks against secure voice communications between an organization and its vendor?
  Topics: encryption in transit, secure communications, passive attacks, confidentiality
- Question #1011 (Security Operations)
  What is the MOST effective response to a hacker who has already gained access to a network and will attempt to pivot to other resources?
  Topics: incident response, network segmentation, containment, lateral movement
- Question #1012 (Security and Risk Management)
  A Chief Information Officer (CIO) has delegated responsibility of their system security to the head of the information technology (IT) department. While corporate policy dictates t...
  Topics: security roles, system owner, system custodian, delegation of authority
- Question #1013 (Security Operations)
  Which of the following is a term used to describe maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management deci...
  Topics: continuous monitoring, ISCM, risk management, threat intelligence
- Question #1014 (Software Development Security)
  Which of the following is a secure design principle for a new product?
  Topics: secure design principles, fault tolerance, resilience, system design
- Question #1015 (Security Assessment and Testing)
  An application developer receives a report back from the security team showing their automated tools were able to successfully enter unexpected data into the organization's custome...
  Topics: software testing, negative testing, vulnerability assessment
- Question #1016 (Software Development Security)
  An organization has determined that its previous waterfall approach to software development is not keeping pace with business demands. To adapt to the rapid changes required for pr...
  Topics: Agile methodology, software development lifecycle (SDLC), acceptance testing
- Question #1017 (Security and Risk Management)
  A hospital enforces the Code of Fair Information Practices. What practice applies to a patient requesting their medical records from a web portal?
  Topics: Fair Information Practices (FIP), data privacy, individual rights, compliance
- Question #1018 (Communication and Network Security)
  When designing a new Voice over Internet Protocol (VoIP) network, an organization's top concern is preventing unauthorized users accessing the VoIP network. Which of the following...
  Topics: VoIP security, 802.1x, network access control, authentication
- Question #1019 (Security Operations)
  What is the PRIMARY objective of the post-incident phase of the incident response process in the security operations center (SOC)?
  Topics: incident response (IR), post-incident phase, continuous improvement
- Question #1020 (Security and Risk Management)
  An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the...
  Topics: SaaS compliance, cloud security, data privacy, SOC 2
- Question #1021 (Asset Security)
  Which of the following actions should be undertaken prior to deciding on a physical baseline Protection Profile (PP)?
  Topics: physical security, Protection Profile (PP), site survey, asset classification
- Question #1022 (Security and Risk Management)
  A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization?
  Topics: risk assessment, attack vectors, impact analysis, network compromise
- Question #1023 (Security and Risk Management)
  A Certified Information Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) t...
  Topics: (ISC)² Code of Ethics, professional competence, ethical decision making, professional responsibility
- Question #1024 (Identity and Access Management (IAM))
  A large organization's human resources and security teams are planning on implementing technology to eliminate manual user access reviews and improve compliance. Which of the follo...
  Topics: Identity and Access Management (IAM), user access review, compliance, RBAC
- Question #1025 (Software Development Security)
  A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software...
  Topics: vendor management, contract security, SLA, software security
- Question #1026 (Security and Risk Management)
  Which of the following is MOST important to follow when developing information security controls for an organization?
  Topics: information security controls, due diligence, risk management, industry standards
- Question #1027 (Communication and Network Security)
  Which of the following is the MAIN difference between a network-based firewall and a host-based firewall?
  Topics: network firewall, host-based firewall, network security, traffic filtering
- Question #1028 (Identity and Access Management (IAM))
  Which of the following system components enforces access controls on an object?
  Topics: access control, reference monitor, security kernel, object access
- Question #1029 (Communication and Network Security)
  Building blocks for software-defined networks (SDN) require which of the following?
  Topics: software-defined networking (SDN), network architecture, client-server
- Question #1030 (Security and Risk Management)
  An organization outgrew its internal data center and is evaluating third-party hosting facilities. In this evaluation, which of the following is a PRIMARY factor for selection?
  Topics: third-party risk management, cloud hosting, risk assessment, data center selection
- Question #1031 (Security and Risk Management)
  Which of the following is the name of an individual or group that is impacted by a change?
  Topics: change management, stakeholders, project management
- Question #1032 (Security Operations)
  What is the MINIMUM standard for testing a disaster recovery plan (DRP)?
  Topics: disaster recovery plan (DRP), DRP testing, business continuity, environmental stability
- Question #1033 (Identity and Access Management (IAM))
  What is the MOST significant benefit of role-based access control (RBAC)?
  Topics: role-based access control (RBAC), access control models, authorization administration, least privilege
- Question #1034 (Software Development Security)
  A software development company found odd behavior in some recently developed software, creating a need for a more thorough code review. What is the MOST effective argument for a mo...
  Topics: code review, software vulnerabilities, secure coding, SDLC
- Question #1035 (Communication and Network Security)
  A new site's gateway isn't able to form a tunnel to the existing site-to-site Internet Protocol Security (IPsec) virtual private network (VPN) device at headquarters. Devices at th...
  Topics: IPsec VPN, NAT traversal, network troubleshooting, private IP addressing
- Question #1036 (Security and Risk Management)
  Which of the following examples is BEST to minimize the attack surface for a customer's private information?
  Topics: attack surface reduction, data minimization, privacy principles, data protection
- Question #1037 (Security and Risk Management)
  What are the essential elements of a Risk Assessment Report (RAR)?
  Topics: Risk Assessment Report, report structure, documentation
- Question #1038 (Security Operations)
  What is the PRIMARY benefit of incident reporting and computer crime investigations?
  Topics: incident response, post-incident analysis, damage control, prevention
- Question #1039 (Communication and Network Security)
  Which of the following determines how traffic should flow based on the status of the infrastructure layer?
  Topics: SDN, control plane, network architecture, traffic management
- Question #1040 (Security Architecture and Engineering)
  In a multi-tenant cloud environment, what approach will secure logical access to assets?
  Topics: cloud security, multi-tenancy, virtual private cloud, logical isolation
- Question #1041 (Security Assessment and Testing)
  A company hired an external vendor to perform a penetration test of a new payroll system. The company's internal test team had already performed an in-depth application and security...
  Topics: interface testing, penetration testing, secure data transmission, application security testing
- Question #1042 (Software Development Security)
  Which of the following is the MOST effective method of detecting vulnerabilities in web-based applications early in the secure Software Development Life Cycle (SDLC)?
  Topics: SDLC security, code review, static analysis, web application security
- Question #1043 (Asset Security)
  A malicious user gains access to unprotected directories on a web server. Which of the following is MOST likely the cause for this information disclosure?
  Topics: web server security, security misconfiguration, information disclosure, directory traversal/listing
- Question #1044 (Security Architecture and Engineering)
  Which of the following security objectives for industrial control systems (ICS) can be adapted to securing any Internet of Things (IoT) system?
  Topics: ICS security, IoT security, component protection, embedded systems
- Question #1045 (Communication and Network Security)
  Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?
  Topics: WPA2, wireless security, EAP, authentication protocols
- Question #1046 (Software Development Security)
  A software development company has a short timeline in which to deliver a software product. The software development team decides to use open-source software libraries to reduce th...
  Topics: open-source security, software supply chain, vulnerability management, SDLC risks
- Question #1047 (Security and Risk Management)
  According to the (ISC)2 ethics canon "act honorably, honestly, justly, responsibly, and legally," which order should be used when resolving conflicts?
  Topics: professional ethics, (ISC)2 Code of Ethics, duty of care, conflict resolution
- Question #1048 (Communication and Network Security)
  When conducting a remote access session using Internet Protocol Security (IPSec), which Open Systems Interconnection (OSI) model layer does this connection use?
  Topics: IPSec, OSI model, VPN, network security protocols
- Question #1049 (Software Development Security)
  Which of the following types of web-based attack is happening when an attacker is able to send a well-crafted, malicious request to an authenticated user without the user realizing...
  Topics: CSRF, web application attacks, session hijacking, authenticated users
- Question #1050 (Software Development Security)
  When reviewing the security logs, the password shown for an administrative login event was ' OR ' '1'='1' --. This is an example of which of the following kinds of attack?
  Topics: SQL injection, web application security, attack types, vulnerability