CISSP Exam Questions
1,535 real CISSP exam questions with expert-verified answers and explanations. Page 29 of 31.
- Question #1401 (Security and Risk Management)
What action should be taken by a business line that is unwilling to accept the residual risk in a system after implementing compensating controls?
Tags: risk management, residual risk, risk mitigation, risk transfer
- Question #1402 (Security Architecture and Engineering)
Which of the following BEST represents a defense in depth concept?
Tags: defense in depth, layered security, security architecture, NIDS
- Question #1403 (Communication and Network Security)
Which of the following statements BEST distinguishes a stateful packet inspection firewall from a stateless packet filter firewall?
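The distinction the question above asks for is easiest to see by running both kinds of filter over the same packets. The block below is an added example, not part of the question bank: a stateless filter judges every packet from its header alone, so to admit replies to outbound HTTPS it must open every inbound packet with source port 443; a stateful firewall keeps a connection table and admits inbound traffic only when it matches a flow that an inside host opened. The packets, hosts and addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by the firewall (constructed sample data)."""
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset    # subset of {"SYN", "ACK", "FIN"}


def stateless_filter(pkt: Packet) -> bool:
    """Stateless packet filter: each packet is judged in isolation.

    The only thing it can match on is the header, so to let replies to
    outbound HTTPS back in it must allow every inbound packet whose source
    port is 443. It cannot tell whether such a packet answers a connection
    that actually exists.
    """
    if pkt.direction == "out":
        return True
    return pkt.src_port == 443


class StatefulFirewall:
    """Stateful inspection: inbound traffic is allowed only if it belongs to
    a connection that was initiated from the inside and recorded in the
    state table."""

    def __init__(self) -> None:
        # key: (src_ip, src_port, dst_ip, dst_port) of the outbound flow
        self.table: dict[tuple, str] = {}

    def process(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"     # new connection attempt
                return True
            return key in self.table            # data on a known flow
        # inbound: look the flow up in the direction the LAN host opened it
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.table.get(key)
        if state is None:
            return False                        # unsolicited: drop
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"
        return True


def run_scenario() -> dict:
    """Constructed traffic: a legitimate HTTPS handshake from a LAN host,
    then a forged packet from an attacker who sets source port 443."""
    lan, web, attacker = "10.0.0.5", "198.51.100.10", "203.0.113.7"
    packets = [
        Packet("out", lan, 40000, web, 443, frozenset({"SYN"})),
        Packet("in", web, 443, lan, 40000, frozenset({"SYN", "ACK"})),
        Packet("out", lan, 40000, web, 443, frozenset({"ACK"})),
        # attacker probes SSH on the LAN host, sourcing from port 443 to
        # slip past the stateless "allow inbound src port 443" rule
        Packet("in", attacker, 443, lan, 22, frozenset({"ACK"})),
    ]
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [fw.process(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, ["allow" if v else "drop" for v in verdicts])
```

The fourth packet is the point: the stateless filter passes it because its header matches a rule, while the stateful firewall drops it because no inside host ever opened a connection to 203.0.113.7. Real stateful engines also track sequence numbers, time out idle entries and handle UDP and ICMP pseudo-state; this model keeps only the connection table that makes the difference.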
Tags: firewall, stateful firewall, stateless firewall, network security
- Question #1404 (Identity and Access Management)
A client server infrastructure that provides user-to-server authentication describes which one of the following?
Tags: authentication, Kerberos, single sign-on, network authentication
- Question #1405 (Security and Risk Management)
An organization has developed a way for customers to share information from their wearable devices with each other. Unfortunately, the users were not informed as to what informatio...
Tags: privacy by design, data privacy, user consent, technical controls
- Question #1406 (Software Development Security)
In which process MUST security be considered during the acquisition of new software?
Tags: software acquisition, RFP, supply chain security, SDLC
- Question #1407 (Security Assessment and Testing)
An organization contracts with a consultant to perform a System and Organization Controls (SOC) 2 audit on their internal security controls. An auditor documents a finding related to an...
Tags: SOC 2, Trust Service Principles, processing integrity, auditing
- Question #1408 (Identity and Access Management)
A company needs to provide shared access of sensitive data on a cloud storage to external business partners. Which of the following identity models is the BEST to blind identity pr...
Tags: federated identity, proxied federation, identity providers, data privacy
- Question #1409 (Security Architecture and Engineering)
Which algorithm gets its security from the difficulty of calculating discrete logarithms in a finite field and is used to distribute keys, but cannot be used to encrypt or decrypt...
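The question above describes Diffie-Hellman: two parties agree on a secret over an open channel, and the only operation the protocol offers is that agreement; there is no encrypt or decrypt call, and a cipher has to be keyed from the result. The block below is an added example, not part of the question bank. It uses the classic toy parameters p = 23, g = 5 (constructed for illustration; real groups are 2048 bits or larger) so that a brute-force discrete logarithm can be run to show exactly which computation an eavesdropper would need and why its cost is what the scheme's security rests on.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: real deployments use a
# 2048-bit or larger modulus (for example the RFC 3526 groups).
P = 23   # prime modulus
G = 5    # generator of the multiplicative group mod 23


def public_value(private: int, p: int = P, g: int = G) -> int:
    """g^private mod p: cheap to compute, hard to invert at real sizes."""
    return pow(g, private, p)


def shared_secret(their_public: int, my_private: int, p: int = P) -> int:
    """(g^b)^a mod p == (g^a)^b mod p, so both sides land on the same value."""
    return pow(their_public, my_private, p)


def dh_exchange(a: int, b: int, p: int = P, g: int = G) -> dict:
    """Run one exchange with fixed private exponents and return what crosses
    the wire (A and B) plus what each side derives locally."""
    A, B = public_value(a, p, g), public_value(b, p, g)
    s_alice = shared_secret(B, a, p)
    s_bob = shared_secret(A, b, p)
    # DH only agrees on a number. A symmetric key is derived from it and
    # handed to a cipher; SHA-256 stands in for a proper KDF here.
    key = hashlib.sha256(s_alice.to_bytes(4, "big")).hexdigest()
    return {"A": A, "B": B, "alice": s_alice, "bob": s_bob, "key": key}


def discrete_log(public: int, p: int = P, g: int = G) -> int:
    """Recover the private exponent from a public value by exhaustive search.
    Feasible only because p is tiny; at 2048 bits this search is the
    problem the whole scheme relies on being infeasible."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no solution")


if __name__ == "__main__":
    a = secrets.randbelow(P - 2) + 1   # Alice's private exponent
    b = secrets.randbelow(P - 2) + 1   # Bob's private exponent
    out = dh_exchange(a, b)
    print(out)
    print("eavesdropper recovers a =", discrete_log(out["A"]))
```

With a = 6 and b = 15 the exchange sends A = 8 and B = 19 and both sides compute 2. An observer sees p, g, A and B, and recovering either private exponent from them is the discrete logarithm problem. Note also that nothing here authenticates the two parties; unauthenticated DH is vulnerable to an active attacker in the middle, which is why it is normally combined with signatures or certificates.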
Tags: Diffie-Hellman, key exchange, cryptography, discrete logarithm
- Question #1410 (Communication and Network Security)
Which Wide Area Network (WAN) technology requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to...
Tags: MPLS, WAN technologies, network routing, packet forwarding
- Question #1411 (Software Development Security)
An organization recently suffered from a web-application attack that resulted in stolen user session cookie information. The attacker was able to obtain the information when a user...
Tags: XSS, web application security, session hijacking, script injection
- Question #1412 (Security Operations)
An organization recently upgraded to a Voice over Internet Protocol (VoIP) phone system. Management is concerned with unauthorized phone usage. A security consultant is responsible f...
Tags: VoIP security, access control, PIN policies, security operations
- Question #1413 (Security and Risk Management)
Which of the following regulations dictates how data breaches are handled?
Tags: GDPR, data breach notification, regulations, privacy law
- Question #1414 (Software Development Security)
Which of the following is fundamentally required to address potential security issues when initiating software development?
Tags: SDLC, security by design, secure coding, software development
- Question #1415 (Software Development Security)
Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?
Tags: negative testing, input validation, software testing, secure coding
- Question #1416 (Communication and Network Security)
An information security administrator wishes to block peer-to-peer (P2P) traffic over Hypertext Transfer Protocol (HTTP) tunnels. Which of the following layers of the Open Systems...
Tags: OSI model, application layer, P2P traffic, network security
- Question #1417 (Asset Security)
An organization has requested storage area network (SAN) disks for a new project. What Redundant Array of Independent Disks (RAID) level provides the BEST redundancy and fault tole...
Tags: RAID, fault tolerance, data redundancy, storage security
- Question #1418 (Security Operations)
An organization has implemented a password complexity and an account lockout policy enforcing five incorrect login tries within ten minutes. Network users have reported significan...
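The policy in the question above (five failures within ten minutes) is a sliding-window lockout, and its cost is availability: anyone who knows a username can lock the account without knowing the password. The block below is an added example, not part of the question bank; it implements that policy and runs a constructed timeline in which an attacker's five wrong guesses lock out the legitimate user. The class, users and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque


class AccountLockout:
    """Sliding-window lockout: max_failures bad logins within window_secs
    locks the account for lock_secs. Defaults mirror the policy above
    (five tries within ten minutes); the lock duration is an assumption."""

    def __init__(self, max_failures: int = 5, window_secs: int = 600,
                 lock_secs: int = 600) -> None:
        self.max_failures = max_failures
        self.window = window_secs
        self.lock_secs = lock_secs
        self.failures = defaultdict(deque)   # user -> timestamps of failures
        self.locked_until = {}               # user -> time the lock expires

    def _prune(self, user: str, now: float) -> None:
        """Drop failures that fell out of the sliding window."""
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        if self.locked_until.get(user, -1) > now:
            return "locked"              # even a correct password is refused
        self._prune(user, now)
        if password_ok:
            self.failures[user].clear()
            return "granted"
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lock_secs
            self.failures[user].clear()
            return "locked"
        return "denied"


def lockout_scenario() -> list:
    """Constructed timeline: an attacker who knows only the username sends
    five wrong passwords in five seconds, then the real user tries the
    right one, first during the lock and again after it expires."""
    policy = AccountLockout()
    log = []
    for t in range(5):
        log.append(policy.attempt("alice", False, now=t))       # attacker
    log.append(policy.attempt("alice", True, now=10))            # real user, locked out
    log.append(policy.attempt("alice", True, now=10 + 601))      # lock has expired
    return log


if __name__ == "__main__":
    print(lockout_scenario())
```

The sixth entry is the availability problem the question points at: the correct password is refused because someone else exhausted the counter. Scripting this across a user list turns the lockout policy into a denial of service, which is why practitioners often prefer throttling or progressive delays, count failures per source as well as per account, or pair lockout with an out-of-band unlock path rather than a hard time-based lock.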
Tags: availability, account lockout, security principles, CIA triad
- Question #1419 (Security and Risk Management)
In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below. Which of the following would be a reasonable annual...
Tags: Annual Loss Expectancy (ALE), quantitative risk analysis, risk assessment
- Question #1420 (Software Development Security)
Which of the following addresses requirements of security assessments during software acquisition?
Tags: software assurance, software acquisition, security policy
- Question #1421 (Security Assessment and Testing)
Which of the following BEST obtains an objective audit of security controls?
Tags: security audit, independent audit, third-party assessment
- Question #1422 (Security Operations)
Which of the following is established to collect information in accordance with pre-established criteria, and to utilize the information readily available in part through implemented security controls?
Tags: continuous monitoring, ISCM, security controls
- Question #1423 (Security Architecture and Engineering)
In order to provide dual assurance in a digital signature system, the design MUST include which of the following?
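The "dual assurance" in the question above is integrity plus origin: the message is hashed, and the hash is transformed with the signer's private key, so a verifier recomputing the hash and undoing the transformation with the public key checks both at once. The block below is an added example, not part of the question bank. It uses textbook RSA with a tiny constructed key (p = 61, q = 53, n = 3233, e = 17, d = 2753) and no padding, purely so the two checks are visible; it must not be used as a real signature scheme.

```python
import hashlib

# Toy RSA key, constructed for illustration: 12-bit modulus, no padding.
# Real signatures use 2048-bit or larger keys with PSS or PKCS#1 v1.5 padding.
N, E, D = 3233, 17, 2753


def digest(message: bytes, n: int = N) -> int:
    """Hash the message and reduce it into the RSA group. With a real key the
    padded digest fits under n; with this toy key it is truncated mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_d: int = D, n: int = N) -> int:
    """Only the holder of d can produce this value: origin and non-repudiation."""
    return pow(digest(message, n), private_d, n)


def verify(message: bytes, signature: int, public_e: int = E, n: int = N) -> bool:
    """Recompute the hash (integrity) and invert the private-key operation
    with the public key (authenticity). The signature is valid only if both
    agree."""
    return pow(signature, public_e, n) == digest(message, n)


def demo() -> dict:
    """Genuine signature, a tampered message, and a tampered signature."""
    msg = b"Transfer 100 EUR to account 12345"
    sig = sign(msg)
    return {
        "genuine": verify(msg, sig),
        "tampered_message": verify(b"Transfer 900 EUR to account 12345", sig),
        "altered_signature": verify(msg, (sig + 1) % N),
    }


if __name__ == "__main__":
    print(demo())
```

A correct signature verifies because pow(pow(h, d, n), e, n) == h for every h when e*d is 1 mod phi(n). Changing either the message or the signature breaks the equality. Two caveats follow from the toy size: reducing a 256-bit hash mod 3233 discards almost all of it, and unpadded RSA is malleable; both are fixed in practice by a full-size key and a standard padding scheme, not by anything in this block.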
Tags: digital signature, hashing, non-repudiation
- Question #1424 (Communication and Network Security)
Which of the following attacks, if successful, could give an intruder complete control of a software-defined networking (SDN) architecture?
Tags: SDN security, controller compromise, brute force attack
- Question #1425 (Security and Risk Management)
What type of investigation applies when malicious behavior is suspected between two organizations?
Tags: legal investigation, civil law, organizational disputes
- Question #1426 (Security Operations)
The Chief Information Security Officer (CISO) of a small organization is making a case for building a security operations center (SOC). While debating between an in-house, fully ou...
Tags: SOC planning, security operations, service catalog
- Question #1427 (Communication and Network Security)
What are the three key benefits that application developers should derive from the northbound application-programming interface (API) of software-defined networking (SDN)?
Tags: SDN APIs, network abstraction, software-defined networking
- Question #1428 (Security Architecture and Engineering)
What security principle addresses the issue of "Security by Obscurity"?
Tags: security by obscurity, open design, security principles
- Question #1429 (Identity and Access Management)
In Federated Identity Management (FIM), which of the following represents the concept of federation?
Tags: Federated Identity Management, identity federation, trust domains
- Question #1430 (Software Development Security)
A software engineer uses automated tools to review application code and search for application flaws, back doors, or other malicious code. Which of the following is the FIRST Softw...
Tags: SDLC security, static code analysis, development phase
- Question #1431 (Security Assessment and Testing)
Which of the following vulnerability assessment activities BEST exemplifies the Examine method of assessment?
Tags: vulnerability assessment, assessment methods, examine method
- Question #1432 (Asset Security)
Which of the following is the MOST appropriate control for asset data labeling procedures?
Tags: asset labeling, data classification, physical inventory
- Question #1433 (Security and Risk Management)
What BEST describes the confidentiality, integrity, availability triad?
Tags: CIA triad, information security principles, security goals
- Question #1434 (Software Development Security)
When developing an external facing web-based system, which of the following would be the MAIN focus of the security assessment prior to implementation and production?
Tags: web application security, input validation, security assessment
- Question #1435 (Security and Risk Management)
What type of risk is related to the sequences of value-adding and managerial activities undertaken in an organization?
Tags: process risk, operational risk, risk types
- Question #1436 (Communication and Network Security)
In an environment where there is not full administrative control over all network connected endpoints, such as a university where non-corporate devices are used, what is the BEST w...
Tags: NAC, clientless NAC, network access control, BYOD security
- Question #1437 (Software Development Security)
Which of the following threats would be MOST likely mitigated by monitoring assets containing open source libraries for vulnerabilities?
Tags: open source security, vulnerability management, software supply chain security
- Question #1438 (Security Operations)
Which of the following is the BEST way to determine the success of a patch management process?
Tags: patch management, security auditing, process assessment
- Question #1439 (Identity and Access Management)
A company needs to provide employee access to travel services, which are hosted by a third-party service provider. Employee experience is important, and when users are already aut...
Tags: SAML, federated identity, Single Sign-On (SSO), third-party access
- Question #1440 (Security and Risk Management)
Why is data classification control important to an organization?
Tags: data classification, risk management, security controls, organizational policies
- Question #1441 (Asset Security)
Which of the following is the strongest physical access control?
Tags: physical access control, multi-factor authentication, biometrics, badge reader
- Question #1442 (Security Operations)
While dealing with the consequences of a security incident, which of the following security controls are MOST appropriate?
Tags: incident response, security controls, corrective controls, recovery controls
- Question #1443 (Security and Risk Management)
A Chief Information Security Officer (CISO) of a firm which decided to migrate to cloud has been tasked with ensuring an optimal level of security. Which of the following would be...
Tags: cloud security, risk assessment, data classification, security strategy
- Question #1444 (Software Development Security)
Which technique helps system designers consider potential security concerns of their systems and applications?
Tags: threat modeling, system design, security by design, SDLC
- Question #1445 (Security Assessment and Testing)
What is the MOST important goal of conducting security assessments?
Tags: security assessment, vulnerability management, risk mitigation, security program
- Question #1446 (Security Architecture and Engineering)
A hospital's building controls system monitors and operates the environmental equipment to maintain a safe and comfortable environment. Which of the following could be used to mini...
Tags: Operational Technology (OT) security, critical infrastructure, resilience, utility supply
- Question #1447 (Asset Security)
To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control?
Tags: physical security, perimeter security, ground sensors, security monitoring
- Question #1448 (Software Development Security)
What is the BEST method to use for assessing the security impact of acquired software?
Tags: software acquisition security, threat modeling, supply chain security, risk assessment
- Question #1449 (Communication and Network Security)
Which of the following is the MOST effective way to ensure the endpoint devices used by remote users are compliant with an organization's approved policies before being allowed on...
Tags: endpoint security, Network Access Control (NAC), remote access, compliance
- Question #1450 (Identity and Access Management)
Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?
Tags: Attribute Based Access Control (ABAC), Role Based Access Control (RBAC), Access Control List (ACL), access control models