CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 25 of 31.
- Question #1201 (Security and Risk Management)
Which of the following goals represents a modern shift in risk management according to National Institute of Standards and Technology (NIST)?
Tags: NIST risk management, Modern risk management, Evolving threats, Dynamic environments
- Question #1202 (Software Development Security)
A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist...
Tags: Web application security, Security misconfiguration, Attack surface reduction, OWASP Top 10
- Question #1203 (Security Architecture and Engineering)
Which of the following is a limitation of the Bell-LaPadula model?
Tags: Bell-LaPadula model, Security models, Access control models, Confidentiality model
- Question #1204 (Security Architecture and Engineering)
Which of the following is the BEST option to reduce the network attack surface of a system?
Tags: Network attack surface, System hardening, Vulnerability management, Least privilege
- Question #1205 (Security Operations)
Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?
Tags: Audit logs, Logging detail, Root cause analysis, Incident investigation
- Question #1206 (Software Development Security)
A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst h...
Tags: Agile security, MVP security assessment, Code review, Secure SDLC
- Question #1207 (Identity and Access Management)
When configuring Extensible Authentication Protocol (EAP) in a Voice over Internet Protocol (VoIP) network, which of the following authentication types is the MOST secure?
Tags: EAP, VoIP security, Authentication protocols, EAP-TLS
- Question #1208 (Identity and Access Management)
An organization would like to ensure that all new users have a predefined departmental access template applied upon creation. The organization would also like additional access for...
Tags: Access administration, Role-based access control (RBAC), Hybrid access model, Identity management
- Question #1209 (Asset Security)
A firm within the defense industry has been directed to comply with contractual requirements for encryption of a government client's Controlled Unclassified Information (CUI). What...
Tags: Data at rest encryption, CUI protection, Logical separation, Virtualization security
- Question #1210 (Asset Security)
A software developer installs a game on their organization-provided smartphone. Upon installing the game, the software developer is prompted to allow the game access to call logs,...
Tags: Mobile security, Excessive permissions, Smartphone vulnerability, Application security
- Question #1211 (Software Development Security)
A developer is creating an application that requires secure logging of all user activity. What is the BEST permission the developer should assign to the log file to ensure requirem...
Tags: File permissions, Log file security, Access control, Data integrity
- Question #1212 (Security Assessment and Testing)
What industry-recognized document could be used as a baseline reference that is related to data security and business operations for conducting a security assessment?
Tags: SOC reports, Security assessment, Third-party assurance, Compliance
- Question #1213 (Security Operations)
A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have ca...
Tags: Vulnerability management, Patch management, Compensating controls, Risk mitigation
- Question #1214 (Asset Security)
Which of the following would be the BEST guideline to follow when attempting to avoid the exposure of sensitive data?
Tags: Data minimization, Sensitive data protection, Data handling, Privacy by design
- Question #1215 (Communication and Network Security)
Which application type is considered high risk and provides a common way for malware and viruses to enter a network?
Tags: Malware vectors, P2P security risks, Application security, Network threats
- Question #1216 (Security Operations)
In a disaster recovery (DR) test, which of the following would be a trait of crisis management?
Tags: Crisis management, Disaster recovery, BCP/DR terminology, Strategic response
- Question #1217 (Security Architecture and Engineering)
The existence of physical barriers, card and personal identification number (PIN) access systems, cameras, alarms, and security guards BEST describes this security approach?
Tags: Defense-in-depth, Physical security, Layered security, Access controls
- Question #1218 (Security Architecture and Engineering)
A software architect has been asked to build a platform to distribute music to thousands of users on a global scale. The architect has been reading about content delivery networks...
Tags: CDN, Content delivery, Caching, Network architecture, Scalability
- Question #1219 (Identity and Access Management (IAM))
Which of the following BEST describes centralized identity management?
Tags: Centralized identity management, Identity Provider (IdP), Authentication
- Question #1220 (Asset Security)
A database server for a financial application is scheduled for production deployment. Which of the following controls will BEST prevent tampering?
Tags: Data integrity, Data validation, Database security, Tampering prevention
- Question #1221 (Asset Security)
What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
Tags: Data Loss Prevention (DLP), Data classification, Information lifecycle management
- Question #1222 (Security Architecture and Engineering)
What is the benefit of an operating system (OS) feature that is designed to prevent an application from executing code from a non-executable memory region?
Tags: Memory protection, Buffer overflow, Exploit prevention, Operating system security
- Question #1223 (Software Development Security)
What Hypertext Transfer Protocol (HTTP) response header can be used to disable the execution of inline JavaScript and the execution of eval()-type functions?
Tags: HTTP security headers, Content Security Policy (CSP), Web application security, XSS prevention
- Question #1224 (Security Assessment and Testing)
Which section of the assessment report addresses separate vulnerabilities, weaknesses, and gaps?
Tags: Security assessment report, Vulnerability reporting, Key findings
- Question #1225 (Security Operations)
In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour a...
Tags: Privileged access management, Access review, Risk-based monitoring, Security operations
- Question #1226 (Security Operations)
When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery?
Tags: Recovery Point Objective (RPO), Business continuity, Disaster recovery
- Question #1227 (Security Architecture and Engineering)
The security operations center (SOC) has received credible intelligence that a threat actor is planning to attack with multiple variants of a destructive virus. After obtaining a s...
Tags: Address Space Layout Randomization (ASLR), Malware protection, Endpoint security, Memory exploitation
- Question #1228 (Communication and Network Security)
An information technology (IT) employee who travels frequently to various countries remotely connects to an organization's resources to troubleshoot problems. Which of the followin...
Tags: Remote access security, Bastion host, DMZ, Multi-factor authentication (MFA)
- Question #1229 (Security and Risk Management)
What is the term used to define where data is geographically stored in the cloud?
Tags: Data sovereignty, Cloud security, Data privacy
- Question #1230 (Asset Security)
Assuming an individual has taken all of the steps to keep their internet connection private, which of the following is the BEST to browse the web privately?
Tags: Web privacy, Local storage, Browsing history, Data privacy
- Question #1231 (Communication and Network Security)
Which of the following types of firewall only examines the "handshaking" between packets before forwarding traffic?
Tags: Firewall types, Circuit-level firewall, Network security
- Question #1232 (Identity and Access Management (IAM))
The security team plans on using automated account reconciliation in the corporate user access review process. Which of the following must be implemented for the BEST results with...
Tags: User access review, Automated account reconciliation, Provisioning policies, Identity and Access Management
- Question #1233 (Security Operations)
Which of the following is included in change management?
Tags: Change management, User Acceptance Testing (UAT), Software development lifecycle
- Question #1234 (Software Development Security)
Which of the following technologies can be used to monitor and dynamically respond to potential threats on web applications?
Tags: Runtime Application Self-Protection (RASP), Web application security, Threat response
- Question #1235 (Software Development Security)
Before allowing a web application into the production environment, the security practitioner performs multiple types of tests to confirm that the web application performs as expect...
Tags: Misuse case testing, Security testing, Web application testing, Software quality assurance
- Question #1236 (Security and Risk Management)
When developing an organization's information security budget, it is important that the
Tags: Security budgeting, Risk management, Cost-benefit analysis, Resource allocation
- Question #1237 (Communication and Network Security)
A digitally-signed e-mail was delivered over a wireless network protected with Wired Equivalent Privacy (WEP) protocol. Which of the following principles is at risk?
Tags: WEP vulnerabilities, Confidentiality, Wireless security, Digital signature
- Question #1238 (Security Architecture and Engineering)
When determining data and information asset handling, regardless of the specific toolset being used, which of the following is one of the common components of big data?
Tags: Big data, Data collection, Distributed systems, Data handling
- Question #1239 (Software Development Security)
In a DevOps environment, which of the following actions is MOST necessary to have confidence in the quality of the changes being made?
Tags: DevOps, automated testing, software quality, continuous integration
- Question #1240 (Identity and Access Management)
Which of the following is TRUE for an organization that is using a third-party federated identity service?
Tags: federated identity, trust relationships, identity providers, single sign-on (SSO)
- Question #1241 (Security Operations)
Computer forensics require which of the following are MAIN steps?
Tags: computer forensics, incident response, evidence collection, data integrity
- Question #1242 (Asset Security)
Which of the following is the MAIN benefit of off-site storage?
Tags: off-site storage, data availability, disaster recovery, backup strategies
- Question #1243 (Security Operations)
Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?
Tags: DRP testing, cutover testing, disaster recovery, operational risk
- Question #1244 (Identity and Access Management)
If an employee transfers from one role to another, which of the following actions should this trigger within the identity and access management (IAM) lifecycle?
Tags: IAM lifecycle, access management, role-based access control (RBAC), user access review
- Question #1245 (Security Operations)
What is the PRIMARY objective of business continuity planning?
Tags: business continuity planning (BCP), mission-critical processes, disaster recovery, organizational resilience
- Question #1246 (Security Architecture and Engineering)
What is a risk of using commercial off-the-shelf (COTS) products?
Tags: COTS software, security requirements, software acquisition, risk assessment
- Question #1247 (Security and Risk Management)
Which of the following is the FIRST step an organization's security professional performs when defining a cyber-security program based upon industry standards?
Tags: cybersecurity program, risk management, security objectives, security strategy
- Question #1248 (Security Operations)
What are the PRIMARY responsibilities of security operations for handling and reporting violations and incidents?
Tags: security operations, incident response, event monitoring, incident containment
- Question #1249 (Identity and Access Management)
An internal audit for an organization recently identified malicious actions by a user account. Upon further investigation, it was determined the offending user account was used by...
Tags: shared accounts, user accountability, unique identities, access control
- Question #1250 (Security Operations)
Which of the following are all elements of a disaster recovery plan (DRP)?
Tags: disaster recovery plan (DRP), incident notification, emergency response, documentation