CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 22 of 31.
- Question #1051 (Security Assessment and Testing): An organization's internal audit team performed a security audit on the company's system and reported that the manufacturing application is rarely updated along with other issues c...
  Tags: security audit, test coverage, audit methodology, vulnerability detection
- Question #1052 (Security Assessment and Testing): Which audit type is MOST appropriate for evaluating the effectiveness of a security program?
  Tags: security audit, security program evaluation, effectiveness assessment
- Question #1053 (Asset Security): The development team has been tasked with collecting data from biometric devices. The application will support a variety of collection data streams. During the testing phase, the t...
  Tags: biometric data, data protection, PII, secure testing environments
- Question #1054 (Software Development Security): An attacker has intruded into the source code management system and is able to download but not modify the code. Which of the following aspects of the code theft has the HIGHEST se...
  Tags: source code security, data breach, hard-coded credentials, supply chain attacks
- Question #1055 (Identity and Access Management (IAM)): Which of the following statements BEST describes the least privilege principle in a cloud environment?
  Tags: least privilege, cloud IAM, role-based access control, cloud security principles
- Question #1056 (Security Architecture and Engineering): Which is the BEST control to meet the Statement on Standards for Attestation Engagements 18 (SSAE-18) confidentiality category?
  Tags: SSAE-18, confidentiality, storage encryption, data at rest encryption
- Question #1057 (Security and Risk Management): The initial security categorization should be done early in the system life cycle and should be reviewed periodically. Why is it important for this to be done correctly?
  Tags: security categorization, system life cycle, security requirements, risk management framework
- Question #1058 (Software Development Security): Which of the following vulnerabilities can be BEST detected using automated analysis?
  Tags: automated security testing, SAST, source code analysis, vulnerability detection
- Question #1059 (Communication and Network Security): An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses. Which of the following security related statements should be considered in the...
  Tags: SIP security, VoIP security, network protocols, communication security controls
- Question #1060 (Security and Risk Management): An organization's retail website provides its only source of revenue, so the disaster recovery plan (DRP) must document an estimated time for each step in the plan. Which of the fo...
  Tags: Disaster Recovery Plan, DRP, DNS propagation, business continuity
- Question #1061 (Security and Risk Management): Why is it important that senior management clearly communicates the formal Maximum Tolerable Downtime (MTD) decision?
  Tags: Maximum Tolerable Downtime, MTD, business continuity, recovery planning
- Question #1062 (Security Operations): Which of the following activities should a forensic examiner perform FIRST when determining the priority of digital evidence collection at a crime scene?
  Tags: digital forensics, order of volatility, evidence collection, incident response
- Question #1063 (Security Assessment and Testing): When assessing web vulnerabilities, how can navigating the dark web add value to a penetration test?
  Tags: penetration testing, dark web intelligence, vulnerability assessment, threat intelligence
- Question #1064 (Security and Risk Management): Which of the following is the top barrier for companies to adopt cloud technology?
  Tags: cloud security, cloud adoption, risk perception
- Question #1065 (Asset Security): In which of the following scenarios is locking server cabinets and limiting access to keys preferable to locking the server room to prevent unauthorized access?
  Tags: physical security, access control, server cabinet security, data center security
- Question #1066 (Asset Security): Which of the following criteria ensures information is protected relative to its importance to the organization?
  Tags: information classification, data protection, legal requirements, data criticality
- Question #1067 (Security and Risk Management): What is the FIRST step for an organization to take before allowing personnel to access social media from a corporate device or user account?
  Tags: Acceptable Use Policy, AUP, social media policy, security policy
- Question #1068 (Security and Risk Management): Which of the following is an indicator that a company's new user security awareness training module has been effective?
  Tags: security awareness training, phishing awareness, security metrics, incident reporting
- Question #1069 (Communication and Network Security): An access control list (ACL) on a router is a feature MOST similar to which type of firewall?
  Tags: Access Control List, ACL, packet filtering firewall, network security
- Question #1070 (Identity and Access Management): Which of the following is the BEST way to protect privileged accounts?
  Tags: privileged access management, PAM, multi-factor authentication, MFA
- Question #1071 (Security and Risk Management): Which of the following is the FIRST step for defining Service Level Requirements (SLR)?
  Tags: Service Level Requirements, SLR, Service Level Agreement, SLA
- Question #1072 (Security Architecture and Engineering): Which software defined networking (SDN) architectural component is responsible for translating network requirements?
  Tags: Software Defined Networking, SDN, SDN controller, network architecture
- Question #1073 (Security and Risk Management): When MUST an organization's information security strategic plan be reviewed?
  Tags: information security strategy, strategic planning, security governance, business changes
- Question #1074 (Identity and Access Management): A large human resources organization wants to integrate their identity management with a trusted partner organization. The human resources organization wants to maintain the creati...
  Tags: federated identity, identity management, partner integration, identity provider
- Question #1075 (Security Architecture and Engineering): Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document?
  Tags: non-repudiation, digital signatures, asymmetric cryptography, cryptography principles
- Question #1076 (Software Development Security): The quality assurance (QA) department is short-staffed and is unable to test all modules before the anticipated release date of an application. What security control is MOST likely...
  Tags: change management, SDLC, quality assurance, security testing
- Question #1077 (Security and Risk Management): Which is the PRIMARY mechanism for providing the workforce with the information needed to protect an agency's vital information resources?
  Tags: security awareness, security training, information security program, human factors
- Question #1078 (Security and Risk Management): What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?
  Tags: continuous monitoring, ISCM, risk tolerance, security strategy
- Question #1079 (Security Architecture and Engineering): Which of the following minimizes damage to information technology (IT) equipment stored in a data center when a false fire alarm event occurs?
  Tags: fire suppression, pre-action system, data center physical security
- Question #1080 (Security Operations): Which of the following is the MOST effective corrective control to minimize the effects of a physical intrusion?
  Tags: physical security, corrective controls, intrusion response
- Question #1081 (Identity and Access Management): Which type of access control includes a system that allows only users that are type=managers and department=sales to access employee records?
  Tags: access control models, RBAC, attribute-based access control
- Question #1082 (Asset Security): Which of the following describes the BEST method of maintaining the inventory of software and hardware within the organization?
  Tags: asset inventory, configuration management, network management
- Question #1083 (Communication and Network Security): Which of the following is a correct feature of a virtual local area network (VLAN)?
  Tags: VLAN, network segmentation, Layer 3 routing
- Question #1084 (Security and Risk Management): In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed?
  Tags: PDCA, business continuity management, implementation phase
- Question #1085 (Software Development Security): Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?
  Tags: COTS software, software security, vulnerability management
- Question #1086 (Security Architecture and Engineering): What is the correct order of execution for security architecture?
  Tags: security architecture, governance, program management, project delivery
- Question #1087 (Security and Risk Management): Which of the following is the PRIMARY purpose of due diligence when an organization embarks on a merger or acquisition?
  Tags: due diligence, mergers and acquisitions, risk assessment
- Question #1088 (Security and Risk Management): What should be used to determine the risks associated with using Software as a Service (SaaS) for collaboration and email?
  Tags: SaaS security, cloud security, risk assessment frameworks
- Question #1089 (Security Assessment and Testing): A federal agency has hired an auditor to perform penetration testing on a critical system as part of the mandatory, annual Federal Information Security Management Act (FISMA) secur...
  Tags: penetration testing, black box testing, network sniffing
- Question #1090 (Software Development Security): A software developer wishes to write code that will execute safely and only as intended. Which of the following programming language types is MOST likely to achieve this goal?
  Tags: programming languages, strongly typed, code security
- Question #1091 (Identity and Access Management): A security professional has been assigned to assess a web application. The assessment report recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY...
  Tags: SAML, single sign-on, authentication protocols
- Question #1092 (Asset Security): What is the MOST common security risk of a mobile device?
  Tags: mobile security, data leakage, device security
- Question #1093 (Communication and Network Security): Which of the following protections is provided when using a Virtual Private Network (VPN) with Authentication Header (AH)?
  Tags: VPN, IPSec, Authentication Header, non-repudiation
- Question #1094 (Asset Security): Which of the following poses the GREATEST privacy risk to personally identifiable information (PII) when disposing of an office printer or copier?
  Tags: data disposal, PII, hard drive sanitization, asset disposal
- Question #1095 (Asset Security): Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?
  Tags: data governance, data steward, data lake, data lifecycle
- Question #1096 (Security Architecture and Engineering): Which of the following are the three MAIN categories of security controls?
  Tags: security controls, administrative controls, technical controls, physical controls
- Question #1097 (Security and Risk Management): What part of an organization's strategic risk assessment MOST likely includes information on items affecting the success of the organization?
  Tags: risk assessment, strategic risk, KPI, organizational success
- Question #1098 (Communication and Network Security): An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer (CISO) wants to increase s...
  Tags: NAC, port security, internal network security, access control
- Question #1099 (Identity and Access Management): What is the BEST way to restrict access to a file system on computing systems?
  Tags: least privilege, access control, file system security
- Question #1100 (Security Assessment and Testing): During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?
  Tags: security assessment plan, incident response planning, documentation