CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 26 of 31.
- Question #1251 (Security Architecture and Engineering): Which of the following BEST ensures the integrity of transactions to intended recipients?
  Tags: PKI, digital signatures, transaction integrity, non-repudiation
- Question #1252 (Asset Security): A breach investigation found a website was exploited through an open source component. What is the FIRST step in the process that could have prevented this breach?
  Tags: software inventory, asset management, vulnerability management, open-source security
- Question #1253 (Communication and Network Security): Which of the following statements is TRUE about Secure Shell (SSH)?
  Tags: SSH, port forwarding, secure protocols, tunneling
- Question #1254 (Security Architecture and Engineering): What type of database attack would allow a customer service employee to determine quarterly sales results before they are publicly announced?
  Tags: database security, inference attack, data aggregation, information leakage
- Question #1255 (Security Assessment and Testing): Which of the following frameworks provides vulnerability metrics and characteristics to support the National Vulnerability Database (NVD)?
  Tags: CVSS, vulnerability scoring, NVD, vulnerability management
- Question #1256 (Communication and Network Security): Which of the following would be the BEST mitigation practice for man-in-the-middle (MITM) Voice over Internet Protocol (VoIP) attacks?
  Tags: MITM attack, VoIP security, TLS, protocol security
- Question #1257 (Software Development Security): Which of the following should be included in a good defense-in-depth strategy provided by object-oriented programming for software deployment?
  Tags: OOP security, encapsulation, defense-in-depth, software development security
- Question #1258 (Security and Risk Management): Which of the following documents specifies services from the client's viewpoint?
  Tags: service level requirements (SLR), service level agreement (SLA), business continuity planning, service management
- Question #1259 (Security Assessment and Testing): An organization is planning to have an IT audit of its Software as a Service (SaaS) application to demonstrate to external parties that the security controls around availability are designe...
  Tags: SOC reports, SaaS security, audit types, operational effectiveness
- Question #1260 (Communication and Network Security): Which Open Systems Interconnection (OSI) layer(s) BEST corresponds to the network access layer in the Transmission Control Protocol/Internet Protocol (TCP/IP) model?
  Tags: OSI model, TCP/IP model, network layers, network access layer
- Question #1261 (Security Architecture and Engineering): An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be provi...
  Tags: cloud service models, SaaS, shared responsibility model
- Question #1262 (Security Assessment and Testing): Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availabilit...
  Tags: security audit standards, SOC 2, Trust Services Criteria, vendor assessment
- Question #1263 (Asset Security): Which of the following is the MOST appropriate technique for destroying magnetic platter style hard disk drives (HDD) containing data with a "HIGH" security categorization?
  Tags: data destruction, HDD destruction, physical security, data sanitization
- Question #1264 (Security and Risk Management): Employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?
  Tags: security controls, administrative controls, security awareness training, risk management
- Question #1265 (Security Assessment and Testing): The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability...
  Tags: SOC reports, security audit, availability controls, operational effectiveness
- Question #1266 (Communication and Network Security): A security practitioner needs to implement a solution to verify endpoint security protections and operating system (OS) versions. Which of the following is the BEST solution to...
  Tags: Network Access Control (NAC), endpoint security, security solutions, patch management
- Question #1267 (Security and Risk Management): A new employee formally reported suspicious behavior to the organization security team. The report claims that someone not affiliated with the organization was inquiring about the...
  Tags: security awareness, social engineering, incident reporting, human factors
- Question #1268 (Asset Security): The MAIN purpose of placing a tamper seal on a computer system's case is to:
  Tags: physical security, tamper detection, security controls
- Question #1269 (Asset Security): An organization is preparing to achieve General Data Protection Regulation (GDPR) compliance. The Chief Information Security Officer (CISO) is reviewing data protection methods. Wh...
  Tags: data protection, GDPR compliance, encryption, data confidentiality
- Question #1270 (Security Operations): Which of the following describes the order in which a digital forensic process is usually conducted?
  Tags: digital forensics, forensic process, incident response
- Question #1271 (Communication and Network Security): Compared to a traditional network, which of the following is a security-related benefit that software-defined networking (SDN) provides?
  Tags: Software-Defined Networking (SDN), network security, centralized control, network architecture
- Question #1272 (Security and Risk Management): Which of the following are mandatory canons for the (ISC)² Code of Ethics?
  Tags: (ISC)² Code of Ethics, professional ethics, security professionalism
- Question #1273 (Security Architecture and Engineering): Which of the following is the MOST significant key management problem due to the number of keys created?
  Tags: key management, symmetric encryption, cryptography scaling
- Question #1274 (Security Assessment and Testing): When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availabil...
  Tags: third-party risk assessment, SOC 2, Trust Services Criteria, vendor risk management
- Question #1275 (Software Development Security): Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?
  Tags: software testing, negative testing, input validation, secure coding
- Question #1276 (Communication and Network Security): Which of the following determines how traffic should flow based on the status of the infrastructure true?
  Tags: network architecture, control plane, traffic flow
- Question #1277 (Security and Risk Management): Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?
  Tags: (ISC)² Code of Ethics, professional ethics, conflict of interest
- Question #1278 (Security Operations): The security organization is looking for a solution that could help them determine with a strong level of confidence that attackers have breached their network. Which solution is MO...
  Tags: honeypot, breach detection, threat intelligence, security monitoring
- Question #1279 (Security Architecture and Engineering): Which of the following techniques evaluates the secure design principles of network or software architectures?
  Tags: threat modeling, secure design principles, software architecture security
- Question #1280 (Security and Risk Management): When designing a business continuity plan (BCP), what is the formula to determine the Maximum Tolerable Downtime (MTD)?
  Tags: business continuity planning, Maximum Tolerable Downtime, Recovery Time Objective, Work Recovery Time
- Question #1281 (Identity and Access Management): A company wants to implement two-factor authentication (2FA) to protect their computers from unauthorized users. Which solution provides the MOST secure means of authentication and...
  Tags: two-factor authentication, multi-factor authentication, hardware token, authentication security
- Question #1282 (Security Assessment and Testing): Which of the following is the MOST important first step in preparing for a security audit?
  Tags: security audit, audit planning, scope definition
- Question #1283 (Software Development Security): An attacker is able to remain indefinitely logged into a exploiting to remain on the web service?
  Tags: session management, session hijacking, web application security
- Question #1284 (Communication and Network Security): Which of the following attack types can be used to compromise the integrity of data during transmission?
  Tags: packet sniffing, data integrity, network attacks, man-in-the-middle
- Question #1285 (Identity and Access Management): A recent information security risk assessment identified weak system access controls on mobile devices as a high me In order to address this risk and ensure only authorized staff a...
  Tags: multi-factor authentication, mobile device security, access control, risk mitigation
- Question #1286 (Software Development Security): Which of the following addresses requirements of security assessment during software acquisition?
  Tags: software acquisition, software assurance, security requirements
- Question #1287 (Security Operations): Which of the following MUST the administrator of a security information and event management (SIEM) system ensure?
  Tags: SIEM, log management, time synchronization, security operations
- Question #1288 (Identity and Access Management): Which of the following terms BEST describes a system which allows a user to log in and access multiple related servers and applications?
  Tags: single sign-on, SSO, identity management, access management
- Question #1289 (Identity and Access Management): After the INITIAL input of a user identification (ID) and password, what is an authentication system that prompts the user for a different response each time the user logs on?
  Tags: authentication methods, challenge-response authentication, dynamic authentication
- Question #1290 (Security and Risk Management): What is the PRIMARY reason criminal law is difficult to enforce when dealing with cyber-crime?
  Tags: cybercrime, jurisdiction, legal compliance, international law
- Question #1291 (Security and Risk Management): Which of the following are the BEST characteristics of security metrics?
  Tags: security metrics, quantitative measurement, performance indicators
- Question #1292 (Software Development Security): At which phase of the software assurance life cycle should risks associated with software acquisition strategies be identified?
  Tags: software assurance lifecycle, software acquisition, risk identification, planning phase
- Question #1293 (Security Operations): Which of the following would be considered an incident if reported by a security information and event management (SIEM) system?
  Tags: security incident, SIEM alerts, log monitoring, incident detection
- Question #1294 (Identity and Access Management): A large organization uses biometrics to allow access to its facilities. It adjusts the biometric value for incorrectly granting or denying access so that the two numbers are the sa...
  Tags: biometrics, equal error rate, False Acceptance Rate, False Rejection Rate
- Question #1295 (Asset Security): Spyware is BEST described as
  Tags: spyware, malware, data mining, privacy threats
- Question #1296 (Security and Risk Management): If traveling abroad and a customs official demands to examine a personal computer, which of the following should be assumed?
  Tags: data privacy, travel security, digital forensics, legal implications
- Question #1297 (Identity and Access Management): What are the first two components of logical access control?
  Tags: identification, authentication, access control, logical access
- Question #1298 (Security Assessment and Testing): What is the MAIN purpose of a security assessment plan?
  Tags: security assessment plan, control assessments, assessment objectives, roadmap
- Question #1299 (Security and Risk Management): What is the MAIN purpose of conducting a business impact analysis (BIA)?
  Tags: Business Impact Analysis (BIA), business continuity, risk management
- Question #1300 (Security and Risk Management): Which of the following is the FIRST requirement a data owner should consider before implementing a data retention policy?
  Tags: data retention policy, legal compliance, data governance